Add GitLab release check/fetch/deploy helpers

Add utilities to query and deploy GitLab releases: get_latest_gitlab_release, check_for_gl_release, and fetch_and_deploy_gl_release. Features include support for GITLAB_TOKEN, HTTP error handling and retries, jq/curl-based JSON parsing, detection/migration of legacy version files, and setting CHECK_UPDATE_RELEASE when updates are available. fetch_and_deploy_gl_release supports multiple modes (tarball/source, binary, prebuild, singlefile), asset pattern matching, architecture-aware .deb selection, installation via apt/dpkg, archive extraction, and optional clean installs. Helpful messages are emitted for auth/rate-limit/network errors and required dependencies (jq, unzip) are ensured when needed.

.github/workflows/close_issue_in_dev.yaml

@@ -62,10 +62,10 @@ jobs:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
         run: |
           issues=$(gh issue list --repo community-scripts/ProxmoxVED --json number,title --jq '.[] | {number, title}')
-          
+
           best_match_score=0
           best_match_number=0
-          
+
           for issue in $(echo "$issues" | jq -r '. | @base64'); do
             _jq() {
               echo ${issue} | base64 --decode | jq -r ${1}
@@ -113,7 +113,8 @@ jobs:
             const http = require('http');
             const url = require('url');
 
-            function request(fullUrl, opts) {
+            function request(fullUrl, opts, redirectsLeft) {
+              if (redirectsLeft === undefined) redirectsLeft = 5;
               return new Promise(function(resolve, reject) {
                 const u = url.parse(fullUrl);
                 const isHttps = u.protocol === 'https:';
@@ -128,6 +129,19 @@ jobs:
                 if (body) options.headers['Content-Length'] = Buffer.byteLength(body);
                 const lib = isHttps ? https : http;
                 const req = lib.request(options, function(res) {
+                  // Follow redirects (301/302/307/308)
+                  if ([301, 302, 307, 308].indexOf(res.statusCode) !== -1 && res.headers.location && redirectsLeft > 0) {
+                    res.resume();
+                    const nextUrl = url.resolve(fullUrl, res.headers.location);
+                    // For 301/302, browsers historically downgrade to GET; preserve method for 307/308.
+                    const nextOpts = Object.assign({}, opts);
+                    if (res.statusCode === 301 || res.statusCode === 302) {
+                      nextOpts.method = 'GET';
+                      delete nextOpts.body;
+                    }
+                    resolve(request(nextUrl, nextOpts, redirectsLeft - 1));
+                    return;
+                  }
                   let data = '';
                   res.on('data', function(chunk) { data += chunk; });
                   res.on('end', function() {

.github/workflows/pocketbase-bot.yml

@@ -7,7 +7,7 @@ on:
 permissions:
   issues: write
   pull-requests: write
-  contents: read
+  contents: write
 
 jobs:
   pocketbase-bot:
@@ -95,6 +95,149 @@ jobs:
               return request('https://api.github.com' + path, { method: method || 'GET', headers, body: bodyStr });
             }
 
+            function encodeContentPath(filePath) {
+              return filePath.split('/').map(encodeURIComponent).join('/');
+            }
+
+            function decodeGitHubContent(content) {
+              return Buffer.from((content || '').replace(/\n/g, ''), 'base64').toString('utf8');
+            }
+
+            function sanitizeBranchPart(value) {
+              return (value || '')
+                .toLowerCase()
+                .replace(/[^a-z0-9._/-]+/g, '-')
+                .replace(/\/+/g, '/')
+                .replace(/^-+|-+$/g, '');
+            }
+
+            function applyCtDefaultChanges(scriptText, varChanges) {
+              let nextText = scriptText;
+              const updatedVars = [];
+              const unchangedVars = [];
+              for (const [varName, rawValue] of Object.entries(varChanges)) {
+                const newValue = String(rawValue);
+                const pattern = new RegExp('(^\\s*' + varName + '="\\$\\{' + varName + ':-)([^"}]*)(\\}"\\s*$)', 'm');
+                const match = nextText.match(pattern);
+                if (!match) continue;
+                if (match[2] === newValue) {
+                  unchangedVars.push(varName);
+                  continue;
+                }
+                nextText = nextText.replace(pattern, '$1' + newValue + '$3');
+                updatedVars.push(varName);
+              }
+              return { nextText, updatedVars, unchangedVars };
+            }
+
+            async function ensureBranch(defaultBranch, branchName) {
+              const branchRefRes = await ghRequest('/repos/' + owner + '/' + repo + '/git/ref/heads/' + encodeURIComponent(branchName));
+              if (branchRefRes.ok) return;
+
+              const defaultRefRes = await ghRequest('/repos/' + owner + '/' + repo + '/git/ref/heads/' + encodeURIComponent(defaultBranch));
+              if (!defaultRefRes.ok) {
+                throw new Error('Could not read default branch ref: ' + defaultRefRes.body);
+              }
+              const defaultRef = JSON.parse(defaultRefRes.body);
+              const createBranchRes = await ghRequest('/repos/' + owner + '/' + repo + '/git/refs', 'POST', {
+                ref: 'refs/heads/' + branchName,
+                sha: defaultRef.object.sha
+              });
+              if (!createBranchRes.ok) {
+                throw new Error('Could not create branch: ' + createBranchRes.body);
+              }
+            }
+
+            async function upsertCtDefaultsPr(slugValue, varChanges) {
+              const wantedEntries = Object.entries(varChanges || {}).filter(function ([, v]) {
+                return v !== undefined && v !== null && String(v) !== '';
+              });
+              if (wantedEntries.length === 0) {
+                return { status: 'skipped', reason: 'No mapped CT defaults changed.' };
+              }
+
+              const repoRes = await ghRequest('/repos/' + owner + '/' + repo);
+              if (!repoRes.ok) {
+                throw new Error('Could not read repository metadata: ' + repoRes.body);
+              }
+              const repoInfo = JSON.parse(repoRes.body);
+              const defaultBranch = repoInfo.default_branch;
+
+              const ctPath = 'ct/' + slugValue + '.sh';
+              const encodedCtPath = encodeContentPath(ctPath);
+              const defaultFileRes = await ghRequest('/repos/' + owner + '/' + repo + '/contents/' + encodedCtPath + '?ref=' + encodeURIComponent(defaultBranch));
+              if (defaultFileRes.statusCode === 404) {
+                return { status: 'skipped', reason: 'No matching CT file found at `' + ctPath + '`.' };
+              }
+              if (!defaultFileRes.ok) {
+                throw new Error('Could not read CT file from default branch: ' + defaultFileRes.body);
+              }
+
+              const branchName = 'pocketbase-sync/' + sanitizeBranchPart(slugValue || 'unknown');
+              await ensureBranch(defaultBranch, branchName);
+
+              const branchFileRes = await ghRequest('/repos/' + owner + '/' + repo + '/contents/' + encodedCtPath + '?ref=' + encodeURIComponent(branchName));
+              if (!branchFileRes.ok) {
+                throw new Error('Could not read CT file from sync branch: ' + branchFileRes.body);
+              }
+              const branchFile = JSON.parse(branchFileRes.body);
+              const currentBranchText = decodeGitHubContent(branchFile.content);
+
+              const updateResult = applyCtDefaultChanges(currentBranchText, Object.fromEntries(wantedEntries));
+              if (updateResult.updatedVars.length === 0) {
+                return { status: 'skipped', reason: 'CT defaults already up to date.', unchangedVars: updateResult.unchangedVars };
+              }
+
+              const commitMessage = 'chore(ct): sync ' + slugValue + ' defaults from PocketBase';
+              const putRes = await ghRequest('/repos/' + owner + '/' + repo + '/contents/' + encodedCtPath, 'PUT', {
+                message: commitMessage,
+                content: Buffer.from(updateResult.nextText, 'utf8').toString('base64'),
+                sha: branchFile.sha,
+                branch: branchName
+              });
+              if (!putRes.ok) {
+                throw new Error('Could not update CT file: ' + putRes.body);
+              }
+
+              const openPrRes = await ghRequest(
+                '/repos/' + owner + '/' + repo + '/pulls?state=open&head=' + encodeURIComponent(owner + ':' + branchName) + '&base=' + encodeURIComponent(defaultBranch)
+              );
+              if (!openPrRes.ok) {
+                throw new Error('Could not query existing PRs: ' + openPrRes.body);
+              }
+              const openPrs = JSON.parse(openPrRes.body);
+              if (openPrs.length > 0) {
+                return { status: 'updated', prUrl: openPrs[0].html_url, updatedVars: updateResult.updatedVars };
+              }
+
+              const prTitle = 'chore(ct): sync ' + slugValue + ' defaults with PocketBase';
+              const prBody =
+                '## Summary\n' +
+                '- Sync default CT variables for `' + slugValue + '` after `/pocketbase` update.\n' +
+                '- Updated vars: `' + updateResult.updatedVars.join('`, `') + '`.\n\n' +
+                '## Source\n' +
+                '- Triggered by @' + actor + ' via PocketBase bot.\n';
+              const createPrRes = await ghRequest('/repos/' + owner + '/' + repo + '/pulls', 'POST', {
+                title: prTitle,
+                body: prBody,
+                head: branchName,
+                base: defaultBranch
+              });
+              if (!createPrRes.ok) {
+                throw new Error('Could not create PR: ' + createPrRes.body);
+              }
+              const pr = JSON.parse(createPrRes.body);
+              return { status: 'created', prUrl: pr.html_url, updatedVars: updateResult.updatedVars };
+            }
+
+            function formatCtSyncResult(syncResult) {
+              if (!syncResult) return '';
+              if (syncResult.status === 'created') return '\n\n**CT sync PR:** ' + syncResult.prUrl;
+              if (syncResult.status === 'updated') return '\n\n**CT sync PR updated:** ' + syncResult.prUrl;
+              if (syncResult.status === 'skipped') return '\n\n**CT sync skipped:** ' + syncResult.reason;
+              return '';
+            }
+
             async function addReaction(content) {
               try {
                 await ghRequest(
@@ -510,6 +653,7 @@ jobs:
               const RESOURCE_KEYS = { cpu: 'number', ram: 'number', hdd: 'number', os: 'string', version: 'string' };
               const METHOD_KEYS   = { config_path: 'string', script: 'string' };
               const ALL_METHOD_KEYS = Object.assign({}, RESOURCE_KEYS, METHOD_KEYS);
+              const RESOURCE_TO_CT_VAR = { cpu: 'var_cpu', ram: 'var_ram', hdd: 'var_disk', os: 'var_os', version: 'var_version' };
 
               function applyMethodChanges(method, parsed) {
                 if (!method.resources) method.resources = {};
@@ -550,6 +694,7 @@ jobs:
                 if (addMatch) {
                   // ── METHOD ADD ───────────────────────────────────────────────
                   const newType = addMatch[1];
+                  const parsed = addMatch[2] ? parseKVPairs(addMatch[2]) : {};
                   if (methodsArr.some(function (im) { return (im.type || '').toLowerCase() === newType.toLowerCase(); })) {
                     await addReaction('-1');
                     await postComment('❌ **PocketBase Bot**: Install method `' + newType + '` already exists for `' + slug + '`.\n\nUse `/pocketbase ' + slug + ' method list` to see all methods.');
@@ -557,7 +702,6 @@ jobs:
                   }
                   const newMethod = { type: newType, resources: { cpu: 1, ram: 512, hdd: 4, os: 'debian', version: '13' } };
                   if (addMatch[2]) {
-                    const parsed = parseKVPairs(addMatch[2]);
                     const unknown = Object.keys(parsed).filter(function (k) { return !ALL_METHOD_KEYS[k]; });
                     if (unknown.length > 0) {
                       await addReaction('-1');
@@ -569,10 +713,21 @@ jobs:
                   methodsArr.push(newMethod);
                   await patchMethods(methodsArr);
                   await revalidate(slug);
+                  const addCtChanges = {};
+                  for (const [k, v] of Object.entries(parsed)) {
+                    if (RESOURCE_TO_CT_VAR[k]) addCtChanges[RESOURCE_TO_CT_VAR[k]] = v;
+                  }
+                  let addCtSync = null;
+                  try {
+                    addCtSync = await upsertCtDefaultsPr(slug, addCtChanges);
+                  } catch (e) {
+                    addCtSync = { status: 'skipped', reason: 'CT sync failed: ' + e.message };
+                  }
                   await addReaction('+1');
                   await postComment(
                     '✅ **PocketBase Bot**: Added install method **`' + newType + '`** to **`' + slug + '`**\n\n' +
                     formatMethodsList([newMethod]) + '\n\n' +
+                    formatCtSyncResult(addCtSync) + '\n\n' +
                     '*Executed by @' + actor + '*'
                   );
 
@@ -640,6 +795,16 @@ jobs:
                   applyMethodChanges(methodsArr[idx], parsed);
                   await patchMethods(methodsArr);
                   await revalidate(slug);
+                  const editCtChanges = {};
+                  for (const [k, v] of Object.entries(parsed)) {
+                    if (RESOURCE_TO_CT_VAR[k]) editCtChanges[RESOURCE_TO_CT_VAR[k]] = v;
+                  }
+                  let editCtSync = null;
+                  try {
+                    editCtSync = await upsertCtDefaultsPr(slug, editCtChanges);
+                  } catch (e) {
+                    editCtSync = { status: 'skipped', reason: 'CT sync failed: ' + e.message };
+                  }
 
                   const changesLines = Object.entries(parsed)
                     .map(function ([k, v]) {
@@ -650,6 +815,7 @@ jobs:
                   await postComment(
                     '✅ **PocketBase Bot**: Updated install method **`' + methodsArr[idx].type + '`** for **`' + slug + '`**\n\n' +
                     '**Changes applied:**\n' + changesLines + '\n\n' +
+                    formatCtSyncResult(editCtSync) + '\n\n' +
                     '*Executed by @' + actor + '*'
                   );
                 }
@@ -712,9 +878,11 @@ jobs:
                 project_url:      'string',
                 github:           'string',
                 config_path:      'string',
+                tags:             'string',
                 port:             'number',
                 default_user:     'nullable_string',
                 default_passwd:   'nullable_string',
+                unprivileged:     'number',
                 updateable:       'boolean',
                 privileged:       'boolean',
                 has_arm:          'boolean',
@@ -781,6 +949,17 @@ jobs:
                 process.exit(1);
               }
               await revalidate(slug);
+              const FIELD_TO_CT_VAR = { tags: 'var_tags', unprivileged: 'var_unprivileged' };
+              const fieldCtChanges = {};
+              for (const [k, v] of Object.entries(payload)) {
+                if (FIELD_TO_CT_VAR[k]) fieldCtChanges[FIELD_TO_CT_VAR[k]] = v;
+              }
+              let fieldCtSync = null;
+              try {
+                fieldCtSync = await upsertCtDefaultsPr(slug, fieldCtChanges);
+              } catch (e) {
+                fieldCtSync = { status: 'skipped', reason: 'CT sync failed: ' + e.message };
+              }
               await addReaction('+1');
               const changesLines = Object.entries(payload)
                 .map(function ([k, v]) { return '- `' + k + '` → `' + JSON.stringify(v) + '`'; })
@@ -788,6 +967,7 @@ jobs:
               await postComment(
                 '✅ **PocketBase Bot**: Updated **`' + slug + '`** successfully!\n\n' +
                 '**Changes applied:**\n' + changesLines + '\n\n' +
+                formatCtSyncResult(fieldCtSync) + '\n\n' +
                 '*Executed by @' + actor + '*'
               );
             }

CHANGELOG.md

@@ -448,8 +448,105 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 
 </details>
 
+## 2026-04-30
+
+### 🆕 New Scripts
+
+  - Neko ([#14121](https://github.com/community-scripts/ProxmoxVE/pull/14121))
+
+### 💾 Core
+
+  - #### 🔧 Refactor
+
+    - tools.func: Manage minor versions for MongoDB 8.x [@tremor021](https://github.com/tremor021) ([#14131](https://github.com/community-scripts/ProxmoxVE/pull/14131))
+
+## 2026-04-29
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - GrayLog: MongoDB update to 8.2.x [@tremor021](https://github.com/tremor021) ([#14114](https://github.com/community-scripts/ProxmoxVE/pull/14114))
+    - Graylog: Better information in the log file [@tremor021](https://github.com/tremor021) ([#14110](https://github.com/community-scripts/ProxmoxVE/pull/14110))
+
+  - #### 🔧 Refactor
+
+    - Refactor: checkMK [@MickLesk](https://github.com/MickLesk) ([#14105](https://github.com/community-scripts/ProxmoxVE/pull/14105))
+    - PatchMon: Unpin release [@tremor021](https://github.com/tremor021) ([#14097](https://github.com/community-scripts/ProxmoxVE/pull/14097))
+
+### 💾 Core
+
+  - #### 🔧 Refactor
+
+    - core: add guidance when storage lacks rootdir support [@MickLesk](https://github.com/MickLesk) ([#14108](https://github.com/community-scripts/ProxmoxVE/pull/14108))
+
+## 2026-04-28
+
+### 🆕 New Scripts
+
+  - StoryBook ([#14081](https://github.com/community-scripts/ProxmoxVE/pull/14081))
+- CoreDNS ([#14082](https://github.com/community-scripts/ProxmoxVE/pull/14082))
+
+### 🚀 Updated Scripts
+
+  - Fix Dawarich Install/Update [@Jerry1098](https://github.com/Jerry1098) ([#14078](https://github.com/community-scripts/ProxmoxVE/pull/14078))
+
+  - #### ✨ New Features
+
+    - PatchMon Version 2.0.2 Script update [@9technologygroup](https://github.com/9technologygroup) ([#14095](https://github.com/community-scripts/ProxmoxVE/pull/14095))
+
+## 2026-04-27
+
+### 🚀 Updated Scripts
+
+  - Add pamUsername column to userOrgs table [@JVKeller](https://github.com/JVKeller) ([#14075](https://github.com/community-scripts/ProxmoxVE/pull/14075))
+
+  - #### 🐞 Bug Fixes
+
+    - Dawarich: run db:migrate before assets:precompile [@MickLesk](https://github.com/MickLesk) ([#14051](https://github.com/community-scripts/ProxmoxVE/pull/14051))
+    - TechnitiumDNS: always install .NET 10 if not already present [@MickLesk](https://github.com/MickLesk) ([#14049](https://github.com/community-scripts/ProxmoxVE/pull/14049))
+
+  - #### 💥 Breaking Changes
+
+    - PatchMon: v2.0.0 migration [@vhsdream](https://github.com/vhsdream) ([#14015](https://github.com/community-scripts/ProxmoxVE/pull/14015))
+
+### 💾 Core
+
+  - #### 🔧 Refactor
+
+    - Update build.func - fixed spelling mistake [@m1ckywill](https://github.com/m1ckywill) ([#14047](https://github.com/community-scripts/ProxmoxVE/pull/14047))
+
+### 🧰 Tools
+
+  - #### 🐞 Bug Fixes
+
+    - update-lxcs/apps: avoid pct exec on containers mid-shutdown [@MickLesk](https://github.com/MickLesk) ([#14050](https://github.com/community-scripts/ProxmoxVE/pull/14050))
+
+  - #### ✨ New Features
+
+    - Add patchmon-agent report execution in update script [@heinemannj](https://github.com/heinemannj) ([#14054](https://github.com/community-scripts/ProxmoxVE/pull/14054))
+
 ## 2026-04-26
 
+### 🆕 New Scripts
+
+  - TREK ([#14017](https://github.com/community-scripts/ProxmoxVE/pull/14017))
+
+### 🚀 Updated Scripts
+
+  - fix(2fauth): handle stale backup directory on update [@omertahaoztop](https://github.com/omertahaoztop) ([#14018](https://github.com/community-scripts/ProxmoxVE/pull/14018))
+
+  - #### 🐞 Bug Fixes
+
+    -  Increase Frigate default CPU cores from 4 to 8 [@MickLesk](https://github.com/MickLesk) ([#14039](https://github.com/community-scripts/ProxmoxVE/pull/14039))
+    - Technitium DNS: Ensure directories exist before running service [@tremor021](https://github.com/tremor021) ([#14030](https://github.com/community-scripts/ProxmoxVE/pull/14030))
+
+### 💾 Core
+
+  - #### 🐞 Bug Fixes
+
+    - core: Correct deb822 repository flat path detection [@MickLesk](https://github.com/MickLesk) ([#14037](https://github.com/community-scripts/ProxmoxVE/pull/14037))
+
 ## 2026-04-25
 
 ### 🚀 Updated Scripts

ct/2fauth.sh

@@ -24,7 +24,7 @@ function update_script() {
   check_container_storage
   check_container_resources
 
-  if [[ ! -d "/opt/2fauth" ]]; then
+  if [[ ! -d /opt/2fauth ]]; then
     msg_error "No ${APP} Installation Found!"
     exit
   fi
@@ -34,7 +34,8 @@ function update_script() {
     $STD apt -y upgrade
 
     msg_info "Creating Backup"
-    mv "/opt/2fauth" "/opt/2fauth-backup"
+    rm -rf /opt/2fauth-backup
+    mv /opt/2fauth /opt/2fauth-backup
     if ! dpkg -l | grep -q 'php8.4'; then
       cp /etc/nginx/conf.d/2fauth.conf /etc/nginx/conf.d/2fauth.conf.bak
     fi
@@ -46,15 +47,17 @@ function update_script() {
     fi
     fetch_and_deploy_gh_release "2fauth" "Bubka/2FAuth" "tarball"
     setup_composer
-    mv "/opt/2fauth-backup/.env" "/opt/2fauth/.env"
-    mv "/opt/2fauth-backup/storage" "/opt/2fauth/storage"
-    cd "/opt/2fauth" || return
-    chown -R www-data: "/opt/2fauth"
-    chmod -R 755 "/opt/2fauth"
+    cp /opt/2fauth-backup/.env /opt/2fauth/.env
+    cp -r /opt/2fauth-backup/storage /opt/2fauth/storage
+    cd /opt/2fauth || return
     export COMPOSER_ALLOW_SUPERUSER=1
     $STD composer install --no-dev --prefer-dist
     php artisan 2fauth:install
+    chown -R www-data: /opt/2fauth
+    chmod -R 755 /opt/2fauth
+    $STD systemctl restart php8.4-fpm
     $STD systemctl restart nginx
+    rm -rf /opt/2fauth-backup
     msg_ok "Updated successfully!"
   fi
   exit

ct/checkmk.sh

@@ -23,26 +23,25 @@ function update_script() {
   header_info
   check_container_storage
   check_container_resources
-  if [[ ! -f /opt/checkmk_version.txt ]]; then
+  if ! command -v omd &>/dev/null; then
     msg_error "No ${APP} Installation Found!"
     exit
   fi
 
-  RELEASE=$(curl -fsSL https://api.github.com/repos/checkmk/checkmk/tags | grep "name" | awk '{print substr($2, 3, length($2)-4) }' | tr ' ' '\n' | grep -Ev 'rc|b' | sort -V | tail -n 1)
+  RELEASE=$(curl_with_retry "https://api.github.com/repos/checkmk/checkmk/tags" "-" | grep "name" | awk '{print substr($2, 3, length($2)-4) }' | tr ' ' '\n' | grep -Ev 'rc|b' | sort -V | tail -n 1)
   RELEASE="${RELEASE%%+*}"
-  msg_info "Updating ${APP} to v${RELEASE}"
+  msg_info "Updating checkmk"
   $STD omd stop monitoring
   $STD omd cp monitoring monitoringbackup
-  curl -fsSL "https://download.checkmk.com/checkmk/${RELEASE}/check-mk-raw-${RELEASE}_0.$(get_os_info codename)_amd64.deb" -o "/opt/checkmk.deb"
-  $STD apt-get install -y /opt/checkmk.deb
+  curl_with_retry "https://download.checkmk.com/checkmk/${RELEASE}/check-mk-community-${RELEASE}_0.$(get_os_info codename)_amd64.deb" "/opt/checkmk.deb"
+  $STD apt install -y /opt/checkmk.deb
   $STD omd --force -V ${RELEASE}.cre update --conflict=install monitoring
   $STD omd start monitoring
   $STD omd -f rm monitoringbackup
   $STD omd cleanup
   rm -rf /opt/checkmk.deb
-  msg_ok "Updated ${APP}"
+  msg_ok "Updated checkmk"
   msg_ok "Updated successfully!"
-
   exit
 }
 

ct/coredns.sh

@@ -0,0 +1,56 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk (CanbiZ)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/coredns/coredns
+
+APP="CoreDNS"
+var_tags="${var_tags:-dns;network}"
+var_cpu="${var_cpu:-1}"
+var_ram="${var_ram:-256}"
+var_disk="${var_disk:-1}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-13}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+  header_info
+  check_container_storage
+  check_container_resources
+
+  if [[ ! -f /usr/local/bin/coredns ]]; then
+    msg_error "No ${APP} Installation Found!"
+    exit
+  fi
+
+  if check_for_gh_release "coredns" "coredns/coredns"; then
+    msg_info "Stopping Service"
+    systemctl stop coredns
+    msg_ok "Stopped Service"
+
+    fetch_and_deploy_gh_release "coredns" "coredns/coredns" "prebuild" "latest" "/usr/local/bin" \
+      "coredns_*_linux_$(dpkg --print-architecture).tgz"
+    chmod +x /usr/local/bin/coredns
+
+    msg_info "Starting Service"
+    systemctl start coredns
+    msg_ok "Started Service"
+    msg_ok "Updated successfully!"
+  fi
+  exit
+}
+
+start
+build_container
+description
+
+msg_ok "Completed Successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW} CoreDNS is listening on port 53 (DNS)${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}dns://${IP}${CL}"

ct/dawarich.sh

@@ -53,6 +53,18 @@ function update_script() {
     export PATH="/root/.rbenv/shims:/root/.rbenv/bin:$PATH"
     eval "$(/root/.rbenv/bin/rbenv init - bash)"
 
+    if ! grep -q "OTP_ENCRYPTION_PRIMARY_KEY" /opt/dawarich/.env; then
+      echo "OTP_ENCRYPTION_PRIMARY_KEY=$(openssl rand -hex 64)" >>/opt/dawarich/.env
+    fi
+
+    if ! grep -q "OTP_ENCRYPTION_DETERMINISTIC_KEY" /opt/dawarich/.env; then
+      echo "OTP_ENCRYPTION_DETERMINISTIC_KEY=$(openssl rand -hex 64)" >>/opt/dawarich/.env
+    fi
+
+    if ! grep -q "OTP_ENCRYPTION_KEY_DERIVATION_SALT" /opt/dawarich/.env; then
+      echo "OTP_ENCRYPTION_KEY_DERIVATION_SALT=$(openssl rand -hex 64)" >>/opt/dawarich/.env
+    fi
+
     set -a && source /opt/dawarich/.env && set +a
 
     $STD bundle config set --local deployment 'true'
@@ -67,8 +79,8 @@ function update_script() {
       $STD npm install
     fi
 
-    $STD bundle exec rake assets:precompile
     $STD bundle exec rails db:migrate
+    $STD bundle exec rake assets:precompile
     $STD bundle exec rake data:migrate
     msg_ok "Ran Migrations"
 

ct/frigate.sh

@@ -7,7 +7,7 @@ source <(curl -fsSL https://git.community-scripts.org/community-scripts/ProxmoxV
 
 APP="Frigate"
 var_tags="${var_tags:-nvr}"
-var_cpu="${var_cpu:-4}"
+var_cpu="${var_cpu:-8}"
 var_ram="${var_ram:-4096}"
 var_disk="${var_disk:-20}"
 var_os="${var_os:-debian}"

ct/graylog.sh

@@ -37,7 +37,7 @@ function update_script() {
   CURRENT_VERSION=$(apt list --installed 2>/dev/null | grep graylog-server | grep -oP '\d+\.\d+\.\d+')
 
   if dpkg --compare-versions "$CURRENT_VERSION" lt "6.3"; then
-    MONGO_VERSION="8.0" setup_mongodb
+    MONGO_VERSION="8.2" setup_mongodb
 
     msg_info "Updating Graylog"
     $STD apt update

ct/headers/coredns

@@ -0,0 +1,6 @@
+   ______                ____  _   _______
+  / ____/___  ________  / __ \/ | / / ___/
+ / /   / __ \/ ___/ _ \/ / / /  |/ /\__ \ 
+/ /___/ /_/ / /  /  __/ /_/ / /|  /___/ / 
+\____/\____/_/   \___/_____/_/ |_//____/  
+                                          

ct/headers/neko

@@ -0,0 +1,6 @@
+    _   __     __       
+   / | / /__  / /______ 
+  /  |/ / _ \/ //_/ __ \
+ / /|  /  __/ ,< / /_/ /
+/_/ |_/\___/_/|_|\____/ 
+                        

ct/headers/storybook

@@ -0,0 +1,6 @@
+   _____ __                   __                __  
+  / ___// /_____  _______  __/ /_  ____  ____  / /__
+  \__ \/ __/ __ \/ ___/ / / / __ \/ __ \/ __ \/ //_/
+ ___/ / /_/ /_/ / /  / /_/ / /_/ / /_/ / /_/ / ,<   
+/____/\__/\____/_/   \__, /_.___/\____/\____/_/|_|  
+                    /____/                          

ct/headers/trek

@@ -0,0 +1,6 @@
+  __________  ________ __
+ /_  __/ __ \/ ____/ //_/
+  / / / /_/ / __/ / ,<   
+ / / / _, _/ /___/ /| |  
+/_/ /_/ |_/_____/_/ |_|  
+                         

ct/neko.sh

@@ -0,0 +1,78 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: CanbiZ (MickLesk)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://neko.m1k1o.net/
+
+APP="Neko"
+var_tags="${var_tags:-virtual-browser;webrtc;streaming}"
+var_cpu="${var_cpu:-4}"
+var_ram="${var_ram:-4096}"
+var_disk="${var_disk:-12}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-12}"
+var_unprivileged="${var_unprivileged:-1}"
+var_gpu="${var_gpu:-yes}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+  header_info
+  check_container_storage
+  check_container_resources
+
+  if [[ ! -d /opt/neko ]]; then
+    msg_error "No ${APP} Installation Found!"
+    exit
+  fi
+
+  if check_for_gh_release "neko" "m1k1o/neko"; then
+    msg_info "Stopping Service"
+    systemctl stop neko
+    msg_ok "Stopped Service"
+
+    msg_info "Backing up Data"
+    cp /etc/neko/neko.yaml /opt/neko.yaml.bak
+    msg_ok "Backed up Data"
+
+    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "neko" "m1k1o/neko" "tarball"
+
+    msg_info "Building Client"
+    cd /opt/neko/client
+    $STD npm install
+    $STD npm run build
+    cp -r /opt/neko/client/dist/* /var/www/
+    msg_ok "Built Client"
+
+    msg_info "Building Server"
+    cd /opt/neko/server
+    $STD ./build
+    cp /opt/neko/server/bin/neko /usr/bin/neko
+    cp -r /opt/neko/server/bin/plugins/* /etc/neko/plugins/ 2>/dev/null || true
+    msg_ok "Built Server"
+
+    msg_info "Restoring Data"
+    cp /opt/neko.yaml.bak /etc/neko/neko.yaml
+    rm -f /opt/neko.yaml.bak
+    msg_ok "Restored Data"
+
+    msg_info "Starting Service"
+    systemctl start neko
+    msg_ok "Started Service"
+    msg_ok "Updated successfully!"
+  fi
+  exit
+}
+
+start
+build_container
+description
+
+msg_ok "Completed Successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8080${CL}"

ct/pangolin.sh

@@ -76,6 +76,7 @@ function update_script() {
     if [[ -f "$DB" ]]; then
       sqlite3 "$DB" "ALTER TABLE 'orgs' ADD COLUMN 'settingsLogRetentionDaysConnection' integer DEFAULT 0 NOT NULL;" 2>/dev/null || true
       sqlite3 "$DB" "ALTER TABLE 'clientSitesAssociationsCache' ADD COLUMN 'isJitMode' integer DEFAULT 0 NOT NULL;" 2>/dev/null || true
+      sqlite3 "$DB" "ALTER TABLE 'userOrgs' ADD COLUMN 'pamUsername' text;" 2>/dev/null || true
 
       # Create new role-mapping tables and migrate data before drizzle-kit
       # drops the roleId columns from userOrgs and userInvites.

ct/patchmon.sh

@@ -3,7 +3,7 @@ source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxV
 # Copyright (c) 2021-2026 community-scripts ORG
 # Author: vhsdream
 # License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
-# Source: https://github.com/PatcMmon/PatchMon
+# Source: https://github.com/PatchMon/PatchMon
 
 APP="PatchMon"
 var_tags="${var_tags:-monitoring}"
@@ -29,63 +29,75 @@ function update_script() {
     exit
   fi
 
-  if ! grep -q "PORT=3001" /opt/patchmon/backend/.env; then
-    msg_warn "⚠️ The next PatchMon update will include breaking changes (port changes)."
-    msg_warn "See details here: https://github.com/community-scripts/ProxmoxVE/pull/11888"
-    msg_warn "Press Enter to continue with the update, or Ctrl+C to abort..."
-    read -r
-  fi
-
-  RELEASE="v1.4.2"
-  NODE_VERSION="24" setup_nodejs
-  if check_for_gh_release "PatchMon" "PatchMon/PatchMon" "${RELEASE}"; then
+  if check_for_gh_release "PatchMon" "PatchMon/PatchMon"; then
     msg_info "Stopping Service"
     systemctl stop patchmon-server
     msg_ok "Stopped Service"
 
-    msg_info "Creating Backup"
-    cp /opt/patchmon/backend/.env /opt/backend.env
-    cp /opt/patchmon/frontend/.env /opt/frontend.env
-    msg_ok "Backup Created"
-
-    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "PatchMon" "PatchMon/PatchMon" "tarball" "${RELEASE}" "/opt/patchmon"
-
-    msg_info "Updating PatchMon"
-    VERSION=$(get_latest_github_release "PatchMon/PatchMon")
-    SERVER_PORT="$(sed -n '/SERVER_PORT/s/[^=]*=//p' /opt/backend.env)"
-    sed -i 's/PORT=3399/PORT=3001/' /opt/backend.env
-    sed -i -e "s/VERSION=.*/VERSION=$VERSION/" \
-      -e '/^VITE_API_URL/d' /opt/frontend.env
-    export NODE_ENV=production
-    cd /opt/patchmon
-    $STD npm install --no-audit --no-fund --no-save --ignore-scripts
-    cd /opt/patchmon/frontend
-    mv /opt/frontend.env /opt/patchmon/frontend/.env
-    $STD npm install --no-audit --no-fund --no-save --ignore-scripts --include=dev
-    $STD npm run build
-    cd /opt/patchmon/backend
-    mv /opt/backend.env /opt/patchmon/backend/.env
-    $STD npm run db:generate
-    $STD npx prisma migrate deploy
-    cp /opt/patchmon/docker/nginx.conf.template /etc/nginx/sites-available/patchmon.conf
-    sed -i -e 's|proxy_pass .*|proxy_pass http://127.0.0.1:3001;|' \
-      -e '\|try_files |i\        root /opt/patchmon/frontend/dist;' \
-      -e 's|alias.*|alias /opt/patchmon/frontend/dist/assets;|' \
-      -e '\|expires 1y|i\        root /opt/patchmon/frontend/dist;' /etc/nginx/sites-available/patchmon.conf
-    if [[ -n "$SERVER_PORT" ]] && [[ "$SERVER_PORT" != "443" ]]; then
-      sed -i "s/listen [[:digit:]].*/listen ${SERVER_PORT};/" /etc/nginx/sites-available/patchmon.conf
+    if [[ -d /opt/patchmon/backend ]]; then
+      msg_info "Legacy install detected - creating full backup, please wait..."
+      $STD tar czf ~/patchmon_legacy.tar.gz /opt/patchmon
+      cp /opt/patchmon/backend/.env /opt/legacy.env
+      msg_ok "Full backup saved in /root"
+      msg_info "Starting migration to PatchMon v2.x.x"
+      systemctl disable -q --now nginx
+      $STD npm cache clean --force
+      $STD apt autoremove --purge -y {nginx,nodejs}
+      if [[ -f /etc/apt/sources.list.d/nodesource.sources ]]; then
+        cp /etc/apt/sources.list.d/nodesource.sources /etc/apt/sources.list.d/nodesource.sources.bak
+        rm -f /etc/apt/sources.list.d/nodesource.sources
+      elif [[ -f /etc/apt/sources.list.d/nodesource.list ]]; then
+        cp /etc/apt/sources.list.d/nodesource.list /etc/apt/sources.list.d/nodesource.list.bak
+        rm -f /etc/apt/sources.list.d/nodesource.list
+      fi
+      rm -rf /opt/patchmon
+      mkdir -p /opt/patchmon/agents
+      cp /opt/legacy.env /opt/patchmon/.env
+      sed -i -e 's/^PORT=.*/PORT=3000/' \
+        -e 's/^NODE_/APP_/' \
+        -e '/^SERVER_*/d' \
+        -e '/^# API*/,+2d' /opt/patchmon/.env
+      {
+        echo ""
+        echo "SESSION_SECRET=$(openssl rand -hex 64)"
+        echo "AI_ENCRYPTION_KEY=$(openssl rand -hex 64)"
+        echo "AGENT_BINARIES_DIR=/opt/patchmon/agents"
+      } >>/opt/patchmon/.env
+      sed -i -e '\|Directory|s|/backend||' \
+        -e 's|^ExecStart=.*|ExecStart=/opt/patchmon/patchmon-server|' \
+        -e 's|^Environment=NODE_.*|EnvironmentFile=/opt/patchmon/.env|' \
+        /etc/systemd/system/patchmon-server.service
+      systemctl daemon-reload
+      rm /opt/legacy.env
+      msg_ok "Migration complete!"
     fi
-    ln -sf /etc/nginx/sites-available/patchmon.conf /etc/nginx/sites-enabled/
-    rm -f /etc/nginx/sites-enabled/default
-    $STD nginx -t
-    systemctl restart nginx
-    msg_ok "Updated PatchMon"
+
+    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "PatchMon" "PatchMon/PatchMon" "singlefile" "latest" "/opt/patchmon" "patchmon-server-linux-amd64"
+    mv /opt/patchmon/PatchMon /opt/patchmon/patchmon-server
+
+    msg_info "Fetching PatchMon agent binaries"
+    RELEASE=$(get_latest_github_release "PatchMon/PatchMon")
+    [[ ! -d /opt/patchmon/agents ]] && mkdir -p /opt/patchmon/agents
+    FILE_URL="https://github.com/PatchMon/PatchMon/releases/download/v${RELEASE}/patchmon-agent-"
+    AGENT_NAME=(
+      "linux-amd64"
+      "linux-arm64"
+      "linux-arm"
+      "linux-386"
+      "freebsd-amd64"
+      "freebsd-arm64"
+      "freebsd-arm"
+      "freebsd-386"
+      "windows-amd64.exe"
+      "windows-arm64.exe"
+    )
+    for arch in "${AGENT_NAME[@]}"; do
+      curl_with_retry "${FILE_URL}${arch}" "/opt/patchmon/agents/patchmon-agent-${arch}"
+      [[ "${arch}" != *.exe ]] && chmod 755 "/opt/patchmon/agents/patchmon-agent-${arch}"
+    done
+    msg_ok "Fetched PatchMon agent binaries"
 
     msg_info "Starting Service"
-    if grep -q '/usr/bin/node' /etc/systemd/system/patchmon-server.service; then
-      sed -i 's|ExecStart=.*|ExecStart=/usr/bin/npm run start|' /etc/systemd/system/patchmon-server.service
-      systemctl daemon-reload
-    fi
     systemctl start patchmon-server
     msg_ok "Started Service"
     msg_ok "Updated successfully!"

ct/storybook.sh

@@ -0,0 +1,54 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk (CanbiZ)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/storybookjs/storybook
+
+APP="Storybook"
+var_tags="${var_tags:-dev-tools;frontend;ui}"
+var_cpu="${var_cpu:-2}"
+var_ram="${var_ram:-2048}"
+var_disk="${var_disk:-8}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-13}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+  header_info
+  check_container_storage
+  check_container_resources
+
+  if [[ ! -f /opt/storybook/.projectpath ]]; then
+    msg_error "No ${APP} Installation Found!"
+    exit
+  fi
+
+  PROJECT_PATH=$(cat /opt/storybook/.projectpath)
+
+  if [[ ! -d "$PROJECT_PATH" ]]; then
+    msg_error "Project directory not found: $PROJECT_PATH"
+    exit
+  fi
+
+  msg_info "Updating Storybook"
+  cd "$PROJECT_PATH"
+  $STD npx storybook@latest upgrade --yes
+  msg_ok "Updated Storybook"
+  exit
+}
+
+start
+build_container
+description
+
+msg_ok "Completed Successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:6006${CL}"

ct/technitiumdns.sh

@@ -32,8 +32,8 @@ function update_script() {
     systemctl daemon-reload
     systemctl enable -q --now technitium
   fi
-  if is_package_installed "aspnetcore-runtime-8.0" || is_package_installed "aspnetcore-runtime-9.0"; then
-    $STD apt remove -y aspnetcore-runtime-*
+  if ! is_package_installed "aspnetcore-runtime-10.0"; then
+    $STD apt remove -y aspnetcore-runtime-8.0 aspnetcore-runtime-9.0 2>/dev/null || true
     [ -f /etc/apt/sources.list.d/microsoft-prod.list ] && rm -f /etc/apt/sources.list.d/microsoft-prod.list
     [ -f /usr/share/keyrings/microsoft-prod.gpg ] && rm -f /usr/share/keyrings/microsoft-prod.gpg
     setup_deb822_repo \

ct/trek.sh

@@ -0,0 +1,84 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk (CanbiZ)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/mauriceboe/TREK
+
+APP="TREK"
+var_tags="${var_tags:-travel;planning;collaboration}"
+var_cpu="${var_cpu:-2}"
+var_ram="${var_ram:-2048}"
+var_disk="${var_disk:-8}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-13}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+  header_info
+  check_container_storage
+  check_container_resources
+
+  if [[ ! -d /opt/trek ]]; then
+    msg_error "No ${APP} Installation Found!"
+    exit
+  fi
+
+  if check_for_gh_release "trek" "mauriceboe/TREK"; then
+    msg_info "Stopping Service"
+    systemctl stop trek
+    msg_ok "Stopped Service"
+
+    msg_info "Backing up Data"
+    cp /opt/trek/server/.env /opt/trek.env.bak
+    mv /opt/trek/data /opt/trek-data.bak
+    mv /opt/trek/uploads /opt/trek-uploads.bak
+    msg_ok "Backed up Data"
+
+    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "trek" "mauriceboe/TREK" "tarball"
+
+    msg_info "Building Client"
+    cd /opt/trek/client
+    $STD npm ci
+    $STD npm run build
+    mkdir -p /opt/trek/server/public
+    cp -r /opt/trek/client/dist/* /opt/trek/server/public/
+    cp -r /opt/trek/client/public/fonts /opt/trek/server/public/fonts 2>/dev/null || true
+    msg_ok "Built Client"
+
+    msg_info "Installing Server Dependencies"
+    cd /opt/trek/server
+    $STD npm ci
+    msg_ok "Installed Server Dependencies"
+
+    msg_info "Restoring Data"
+    mv /opt/trek-data.bak /opt/trek/data
+    mv /opt/trek-uploads.bak /opt/trek/uploads
+    rm -rf /opt/trek/server/data /opt/trek/server/uploads
+    ln -s /opt/trek/data /opt/trek/server/data
+    ln -s /opt/trek/uploads /opt/trek/server/uploads
+    cp /opt/trek.env.bak /opt/trek/server/.env
+    rm -f /opt/trek.env.bak
+    msg_ok "Restored Data"
+
+    msg_info "Starting Service"
+    systemctl start trek
+    msg_ok "Started Service"
+    msg_ok "Updated Successfully!"
+  fi
+  exit
+}
+
+start
+build_container
+description
+
+msg_ok "Completed Successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:3000${CL}"

install/checkmk-install.sh

@@ -14,10 +14,10 @@ network_check
 update_os
 
 msg_info "Install Checkmk"
-RELEASE=$(curl -fsSL https://api.github.com/repos/checkmk/checkmk/tags | grep "name" | awk '{print substr($2, 3, length($2)-4) }' | tr ' ' '\n' | grep -Ev 'rc|b' | sort -V | tail -n 1)
+RELEASE=$(curl_with_retry "https://api.github.com/repos/checkmk/checkmk/tags" "-" | grep "name" | awk '{print substr($2, 3, length($2)-4) }' | tr ' ' '\n' | grep -Ev 'rc|b' | sort -V | tail -n 1)
 RELEASE="${RELEASE%%+*}"
-curl -fsSL "https://download.checkmk.com/checkmk/${RELEASE}/check-mk-raw-${RELEASE}_0.$(get_os_info codename)_amd64.deb" -o "/opt/checkmk.deb"
-$STD apt-get install -y /opt/checkmk.deb
+curl_with_retry "https://download.checkmk.com/checkmk/${RELEASE}/check-mk-community-${RELEASE}_0.$(get_os_info codename)_amd64.deb" "/opt/checkmk.deb"
+$STD apt install -y /opt/checkmk.deb
 rm -rf /opt/checkmk.deb
 echo "${RELEASE}" >"/opt/checkmk_version.txt"
 msg_ok "Installed Checkmk"
@@ -29,14 +29,12 @@ MKPASSWORD=$(openssl rand -base64 18 | tr -d '/+=' | cut -c1-16)
 
 echo -e "$MKPASSWORD\n$MKPASSWORD" | su - "$SITE_NAME" -c "cmk-passwd cmkadmin --stdin"
 $STD omd start "$SITE_NAME"
-
 {
   echo "Application-Credentials"
   echo "Username: cmkadmin"
   echo "Password: $MKPASSWORD"
   echo "Site: $SITE_NAME"
 } >>~/checkmk.creds
-
 msg_ok "Created Service"
 
 cleanup_lxc

install/coredns-install.sh

@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk (CanbiZ)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/coredns/coredns
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+fetch_and_deploy_gh_release "coredns" "coredns/coredns" "prebuild" "latest" "/usr/local/bin" \
+  "coredns_*_linux_$(dpkg --print-architecture).tgz"
+chmod +x /usr/local/bin/coredns
+
+msg_info "Configuring CoreDNS"
+mkdir -p /etc/coredns
+cat <<EOF >/etc/coredns/Corefile
+. {
+    forward . 1.1.1.1 1.0.0.1
+    cache 30
+    log
+    errors
+    health :8080
+    ready :8181
+}
+EOF
+msg_ok "Configured CoreDNS"
+
+msg_info "Creating Service"
+cat <<EOF >/etc/systemd/system/coredns.service
+[Unit]
+Description=CoreDNS DNS Server
+After=network.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/coredns -conf /etc/coredns/Corefile
+Restart=on-failure
+RestartSec=5
+LimitNOFILE=1048576
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable -q --now coredns
+msg_ok "Created Service"
+
+motd_ssh
+customize
+cleanup_lxc

install/dawarich-install.sh

@@ -46,10 +46,16 @@ msg_ok "Set up Directories"
 
 msg_info "Configuring Environment"
 SECRET_KEY_BASE=$(openssl rand -hex 64)
+OTP_ENCRYPTION_PRIMARY_KEY=$(openssl rand -hex 64)
+OTP_ENCRYPTION_DETERMINISTIC_KEY=$(openssl rand -hex 64)
+OTP_ENCRYPTION_KEY_DERIVATION_SALT=$(openssl rand -hex 64)
 RELEASE=$(get_latest_github_release "Freika/dawarich")
 cat <<EOF >/opt/dawarich/.env
 RAILS_ENV=production
 SECRET_KEY_BASE=${SECRET_KEY_BASE}
+OTP_ENCRYPTION_PRIMARY_KEY=${OTP_ENCRYPTION_PRIMARY_KEY}
+OTP_ENCRYPTION_DETERMINISTIC_KEY=${OTP_ENCRYPTION_DETERMINISTIC_KEY}
+OTP_ENCRYPTION_KEY_DERIVATION_SALT=${OTP_ENCRYPTION_KEY_DERIVATION_SALT}
 DATABASE_HOST=localhost
 DATABASE_USERNAME=${PG_DB_USER}
 DATABASE_PASSWORD=${PG_DB_PASS}

install/graylog-install.sh

@@ -13,7 +13,7 @@ setting_up_container
 network_check
 update_os
 
-MONGO_VERSION="8.0" setup_mongodb
+MONGO_VERSION="8.2" setup_mongodb
 
 msg_info "Setup Graylog Data Node"
 PASSWORD_SECRET=$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | head -c16)
@@ -38,6 +38,8 @@ sed -i "s/password_secret =/password_secret = $PASSWORD_SECRET/g" /etc/graylog/s
 sed -i "s/root_password_sha2 =/root_password_sha2 = $ROOT_PASSWORD/g" /etc/graylog/server/server.conf
 sed -i 's/#http_bind_address = 127.0.0.1.*/http_bind_address = 0.0.0.0:9000/g' /etc/graylog/server/server.conf
 systemctl enable -q --now graylog-server
+sleep 5
+sed -i "s/0\.0\.0\.0:9000/$LOCAL_IP:9000/g" /var/log/graylog-server/server.log
 msg_ok "Setup ${APPLICATION}"
 
 motd_ssh

install/neko-install.sh

@@ -0,0 +1,255 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: CanbiZ (MickLesk)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://neko.m1k1o.net/
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+msg_info "Installing Dependencies"
+$STD apt install -y \
+  supervisor \
+  pulseaudio \
+  dbus-x11 \
+  xserver-xorg-video-dummy \
+  xdotool \
+  xclip \
+  libgtk-3-0 \
+  gstreamer1.0-plugins-base \
+  gstreamer1.0-plugins-good \
+  gstreamer1.0-plugins-bad \
+  gstreamer1.0-plugins-ugly \
+  gstreamer1.0-pulseaudio \
+  openbox \
+  firefox-esr \
+  fonts-noto-color-emoji \
+  fonts-wqy-zenhei
+msg_ok "Installed Dependencies"
+systemctl disable -q --now supervisor
+
+msg_info "Installing Build Dependencies"
+$STD apt install -y \
+  build-essential \
+  pkg-config \
+  libx11-dev \
+  libxrandr-dev \
+  libxtst-dev \
+  libgtk-3-dev \
+  libxcvt-dev \
+  libgstreamer1.0-dev \
+  libgstreamer-plugins-base1.0-dev
+msg_ok "Installed Build Dependencies"
+
+NODE_VERSION="22" setup_nodejs
+setup_go
+
+fetch_and_deploy_gh_release "neko" "m1k1o/neko" "tarball"
+
+msg_info "Building Client"
+cd /opt/neko/client
+$STD npm install
+$STD npm run build
+mkdir -p /var/www
+cp -r /opt/neko/client/dist/* /var/www/
+msg_ok "Built Client"
+
+msg_info "Building Server"
+cd /opt/neko/server
+$STD ./build
+cp /opt/neko/server/bin/neko /usr/bin/neko
+mkdir -p /etc/neko/plugins
+cp -r /opt/neko/server/bin/plugins/* /etc/neko/plugins/ 2>/dev/null || true
+msg_ok "Built Server"
+
+msg_info "Setting up Runtime"
+useradd -m -s /bin/bash neko
+usermod -aG audio,video neko
+
+mkdir -p /etc/neko/supervisord /var/www /var/log/neko /tmp/.X11-unix /tmp/runtime-neko /home/neko/.config/pulse /home/neko/.local/share/xorg
+chmod 1777 /tmp/.X11-unix
+chmod 1777 /var/log/neko
+chmod 0700 /tmp/runtime-neko
+chown neko /tmp/.X11-unix /var/log/neko /tmp/runtime-neko
+chown -R neko:neko /home/neko
+
+cp /opt/neko/runtime/xorg.conf /etc/neko/xorg.conf
+# Remove the dummy_touchscreen InputDevice section (requires custom "neko" Xorg driver not available bare-metal)
+sed -i '/Section "InputDevice"/{N;/dummy_touchscreen/{:l;N;/EndSection/!bl;d}}' /etc/neko/xorg.conf
+sed -i '/dummy_touchscreen/d' /etc/neko/xorg.conf
+sed -i 's/InputDevice  "dummy_mouse"/InputDevice  "dummy_mouse" "CorePointer"/' /etc/neko/xorg.conf
+cp /opt/neko/runtime/default.pa /etc/pulse/default.pa
+
+cat <<EOF >/etc/neko/supervisord.conf
+[supervisord]
+nodaemon=true
+user=root
+pidfile=/var/run/supervisord.pid
+logfile=/dev/null
+logfile_maxbytes=0
+loglevel=debug
+
+[include]
+files=/etc/neko/supervisord/*.conf
+
+[program:x-server]
+environment=HOME="/home/neko",USER="neko"
+command=/usr/bin/X :99.0 -config /etc/neko/xorg.conf -noreset -nolisten tcp
+autorestart=true
+priority=300
+user=neko
+stdout_logfile=/var/log/neko/xorg.log
+stdout_logfile_maxbytes=100MB
+stdout_logfile_backups=10
+redirect_stderr=true
+
+[program:pulseaudio]
+environment=HOME="/home/neko",USER="neko",DISPLAY=":99.0"
+command=/usr/bin/pulseaudio --log-level=error --disallow-module-loading --disallow-exit --exit-idle-time=-1
+autorestart=true
+priority=300
+user=neko
+stdout_logfile=/var/log/neko/pulseaudio.log
+stdout_logfile_maxbytes=100MB
+stdout_logfile_backups=10
+redirect_stderr=true
+
+[program:neko]
+environment=HOME="/home/neko",USER="neko",DISPLAY=":99.0"
+command=/usr/bin/neko serve --server.static "/var/www"
+stopsignal=INT
+stopwaitsecs=3
+autorestart=true
+priority=800
+user=neko
+stdout_logfile=/var/log/neko/neko.log
+stdout_logfile_maxbytes=100MB
+stdout_logfile_backups=10
+redirect_stderr=true
+
+[unix_http_server]
+file=/var/run/supervisor.sock
+chmod=0770
+chown=root:neko
+
+[supervisorctl]
+serverurl=unix:///var/run/supervisor.sock
+
+[rpcinterface:supervisor]
+supervisor.rpcinterface_factory = supervisor.rpcinterface:make_main_rpcinterface
+EOF
+
+cat <<EOF >/etc/neko/supervisord/firefox.conf
+[program:firefox]
+environment=HOME="/home/neko",USER="neko",DISPLAY=":99.0"
+command=/usr/bin/firefox-esr --no-remote --display=:99.0 -width 1280 -height 720
+stopsignal=INT
+autorestart=true
+priority=800
+user=neko
+stdout_logfile=/var/log/neko/firefox.log
+stdout_logfile_maxbytes=100MB
+stdout_logfile_backups=10
+redirect_stderr=true
+
+[program:openbox]
+environment=HOME="/home/neko",USER="neko",DISPLAY=":99.0"
+command=/usr/bin/openbox --config-file /etc/neko/openbox.xml
+autorestart=true
+priority=300
+user=neko
+stdout_logfile=/var/log/neko/openbox.log
+stdout_logfile_maxbytes=100MB
+stdout_logfile_backups=10
+redirect_stderr=true
+EOF
+
+cat <<'EOF' >/etc/neko/openbox.xml
+<?xml version="1.0" encoding="UTF-8"?>
+<openbox_config xmlns="http://openbox.org/3.4/rc" xmlns:xi="http://www.w3.org/2001/XInclude">
+<applications>
+    <application class="firefox" name="Navigator" role="browser">
+      <decor>no</decor>
+      <maximized>true</maximized>
+      <focus>yes</focus>
+      <layer>normal</layer>
+    </application>
+</applications>
+<focus>
+  <focusNew>yes</focusNew>
+  <followMouse>no</followMouse>
+  <focusLast>yes</focusLast>
+  <underMouse>no</underMouse>
+  <focusDelay>200</focusDelay>
+  <raiseOnFocus>no</raiseOnFocus>
+</focus>
+<placement>
+  <policy>Smart</policy>
+  <center>yes</center>
+</placement>
+<desktops>
+  <number>1</number>
+  <firstdesk>1</firstdesk>
+  <popupTime>0</popupTime>
+</desktops>
+</openbox_config>
+EOF
+
+cat <<EOF >/etc/neko/neko.yaml
+server:
+  bind: "0.0.0.0:8080"
+  static: "/var/www"
+session:
+  cookie:
+    enabled: false
+webrtc:
+  icelite: true
+  nat1to1:
+    - "${LOCAL_IP}"
+  epr: "59000-59100"
+desktop:
+  input:
+    enabled: false
+member:
+  provider: "multiuser"
+  multiuser:
+    admin_password: "admin"
+    user_password: "neko"
+EOF
+msg_ok "Set up Runtime"
+
+msg_info "Creating Service"
+cat <<EOF >/etc/systemd/system/neko.service
+[Unit]
+Description=Neko Virtual Browser
+After=network.target
+
+[Service]
+Type=simple
+User=root
+Environment=USER=neko
+Environment=DISPLAY=:99.0
+Environment=PULSE_SERVER=unix:/tmp/pulseaudio.socket
+Environment=XDG_RUNTIME_DIR=/tmp/runtime-neko
+Environment=NEKO_PLUGINS_ENABLED=true
+Environment=NEKO_PLUGINS_DIR=/etc/neko/plugins/
+Environment=NEKO_CONFIG=/etc/neko/neko.yaml
+ExecStart=/usr/bin/supervisord -c /etc/neko/supervisord.conf -n
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable -q --now neko
+msg_ok "Created Service"
+
+motd_ssh
+customize
+cleanup_lxc

install/patchmon-install.sh

@@ -14,74 +14,91 @@ network_check
 update_os
 
 msg_info "Installing Dependencies"
-$STD apt install -y \
-  build-essential \
-  nginx \
-  redis-server
+$STD apt install -y redis-server
 msg_ok "Installed Dependencies"
 
-NODE_VERSION="24" setup_nodejs
 PG_VERSION="17" setup_postgresql
 PG_DB_NAME="patchmon_db" PG_DB_USER="patchmon_usr" setup_postgresql_db
 
-fetch_and_deploy_gh_release "PatchMon" "PatchMon/PatchMon" "tarball" "v1.4.2" "/opt/patchmon"
+RELEASE="v2.0.2"
+fetch_and_deploy_gh_release "PatchMon" "PatchMon/PatchMon" "singlefile" "latest" "/opt/patchmon" "patchmon-server-linux-amd64"
+mv /opt/patchmon/PatchMon /opt/patchmon/patchmon-server
 
 msg_info "Configuring PatchMon"
-VERSION=$(get_latest_github_release "PatchMon/PatchMon")
-export NODE_ENV=production
-cd /opt/patchmon
-$STD npm install --no-audit --no-fund --no-save --ignore-scripts
-
-cd /opt/patchmon/frontend
-cat <<EOF >./.env
-VITE_APP_NAME=PatchMon
-VITE_APP_VERSION=${VERSION}
-EOF
-$STD npm install --no-audit --no-fund --no-save --ignore-scripts --include=dev
-$STD npm run build
-
+cat <<EOF >/opt/patchmon/.env
+DATABASE_URL="postgresql://$PG_DB_USER:$PG_DB_PASS@localhost:5432/$PG_DB_NAME"
 JWT_SECRET="$(openssl rand -hex 64)"
-mv /opt/patchmon/backend/env.example /opt/patchmon/backend/.env
-sed -i -e "s|DATABASE_URL=.*|DATABASE_URL=\"postgresql://$PG_DB_USER:$PG_DB_PASS@localhost:5432/$PG_DB_NAME\"|" \
-  -e "/JWT_SECRET/s/[=$].*/=$JWT_SECRET/" \
-  -e "\|CORS_ORIGIN|s|localhost|$LOCAL_IP|" \
-  -e "/PORT=3001/aSERVER_PROTOCOL=http \\
-  SERVER_HOST=$LOCAL_IP \\
-  SERVER_PORT=3000" \
-  -e '/_ENV=production/aTRUST_PROXY=1' \
-  -e '/REDIS_USER=.*/,+1d' /opt/patchmon/backend/.env
+SESSION_SECRET="$(openssl rand -hex 64)"
+AI_ENCRYPTION_KEY="$(openssl rand -hex 64)"
+CORS_ORIGIN=http://${LOCAL_IP}:3000
+PORT=3000
+APP_ENV=production
 
-cd /opt/patchmon/backend
-$STD npm run db:generate
-$STD npx prisma migrate deploy
+# Redis
+REDIS_HOST=localhost
+REDIS_PORT=6379
+
+## OIDC / SSO (when OIDC_ENABLED=true, issuer/client/secret/redirect required)
+# OIDC_ENABLED=false
+# OIDC_ISSUER_URL=
+# OIDC_CLIENT_ID=
+# OIDC_CLIENT_SECRET=
+# OIDC_REDIRECT_URI=
+# OIDC_SCOPES=openid email profile groups
+# OIDC_AUTO_CREATE_USERS=false
+# OIDC_DEFAULT_ROLE=user
+# OIDC_DISABLE_LOCAL_AUTH=false
+# OIDC_BUTTON_TEXT=Login with SSO
+# OIDC_SESSION_TTL=600
+# OIDC_POST_LOGOUT_URI=
+# OIDC_SYNC_ROLES=false
+# OIDC_ADMIN_GROUP=
+# OIDC_SUPERADMIN_GROUP=
+# OIDC_HOST_MANAGER_GROUP=
+# OIDC_READONLY_GROUP=
+# OIDC_USER_GROUP=
+# OIDC_ENFORCE_HTTPS=true
+
+AGENT_BINARIES_DIR=/opt/patchmon/agents
+EOF
 msg_ok "Configured PatchMon"
 
-msg_info "Configuring Nginx"
-cp /opt/patchmon/docker/nginx.conf.template /etc/nginx/sites-available/patchmon.conf
-sed -i -e 's|proxy_pass .*|proxy_pass http://127.0.0.1:3001;|' \
-  -e '\|try_files |i\        root /opt/patchmon/frontend/dist;' \
-  -e 's|alias.*|alias /opt/patchmon/frontend/dist/assets;|' \
-  -e '\|expires 1y|i\        root /opt/patchmon/frontend/dist;' /etc/nginx/sites-available/patchmon.conf
-ln -sf /etc/nginx/sites-available/patchmon.conf /etc/nginx/sites-enabled/
-rm -f /etc/nginx/sites-enabled/default
-$STD nginx -t
-systemctl restart nginx
-msg_ok "Configured Nginx"
+msg_info "Fetching PatchMon agent binaries"
+RELEASE=$(get_latest_github_release "PatchMon/PatchMon")
+mkdir -p /opt/patchmon/agents
+FILE_URL="https://github.com/PatchMon/PatchMon/releases/download/v${RELEASE}/patchmon-agent-"
+AGENT_NAME=(
+  "linux-amd64"
+  "linux-arm64"
+  "linux-arm"
+  "linux-386"
+  "freebsd-amd64"
+  "freebsd-arm64"
+  "freebsd-arm"
+  "freebsd-386"
+  "windows-amd64.exe"
+  "windows-arm64.exe"
+)
+for arch in "${AGENT_NAME[@]}"; do
+  curl_with_retry "${FILE_URL}${arch}" "/opt/patchmon/agents/patchmon-agent-${arch}"
+  [[ "${arch}" != *.exe ]] && chmod 755 "/opt/patchmon/agents/patchmon-agent-${arch}"
+done
+msg_ok "Fetched PatchMon agent binaries"
 
 msg_info "Creating service"
 cat <<EOF >/etc/systemd/system/patchmon-server.service
 [Unit]
-Description=PatchMon Service
+Description=PatchMon Server
 After=network.target postgresql.service
 
 [Service]
 Type=simple
-WorkingDirectory=/opt/patchmon/backend
-ExecStart=/usr/bin/npm run start
+WorkingDirectory=/opt/patchmon
+ExecStart=/opt/patchmon/patchmon-server
 Restart=always
 RestartSec=10
-Environment=NODE_ENV=production
 Environment=PATH=/usr/bin:/usr/local/bin
+EnvironmentFile=/opt/patchmon/.env
 NoNewPrivileges=true
 PrivateTmp=true
 ProtectSystem=strict

install/storybook-install.sh

@@ -0,0 +1,55 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk (CanbiZ)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/storybookjs/storybook
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+NODE_VERSION="24" NODE_MODULE="pnpm" setup_nodejs
+
+msg_info "Preparing Storybook"
+mkdir -p /opt/storybook
+cd /opt/storybook
+msg_ok "Important: Interactive configuration will start now."
+
+npx -y storybook@latest init --yes --no-dev
+PROJECT_PATH=$(find /opt/storybook -maxdepth 2 -name ".storybook" -type d 2>/dev/null | head -n1 | xargs dirname)
+
+if [[ -z "$PROJECT_PATH" ]]; then
+  PROJECT_PATH="/opt/storybook"
+fi
+
+cd "$PROJECT_PATH"
+echo "$PROJECT_PATH" >/opt/storybook/.projectpath
+
+msg_info "Creating Service"
+cat <<EOF >/etc/systemd/system/storybook.service
+[Unit]
+Description=Storybook Dev Server
+After=network.target
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=${PROJECT_PATH}
+ExecStart=/usr/bin/npx storybook dev --host 0.0.0.0 --port 6006 --no-open
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable -q --now storybook
+msg_ok "Created Service"
+
+motd_ssh
+customize
+cleanup_lxc

install/technitiumdns-install.sh

@@ -28,6 +28,7 @@ fetch_and_deploy_from_url "https://download.technitium.com/dns/DnsServerPortable
 echo "${RELEASE}" >~/.technitium
 
 msg_info "Creating service"
+mkdir -p /etc/dns /var/log/technitium/dns
 sed -i '/^User=/d;/^Group=/d' /opt/technitium/dns/systemd.service
 cp /opt/technitium/dns/systemd.service /etc/systemd/system/technitium.service
 systemctl enable -q --now technitium

install/trek-install.sh

@@ -0,0 +1,79 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk (CanbiZ)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/mauriceboe/TREK
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+msg_info "Installing Dependencies"
+$STD apt install -y build-essential
+msg_ok "Installed Dependencies"
+
+NODE_VERSION="22" setup_nodejs
+fetch_and_deploy_gh_release "trek" "mauriceboe/TREK" "tarball"
+
+msg_info "Building Client"
+cd /opt/trek/client
+$STD npm ci
+$STD npm run build
+msg_ok "Built Client"
+
+msg_info "Setting up Server"
+cd /opt/trek/server
+$STD npm ci
+mkdir -p /opt/trek/server/public
+cp -r /opt/trek/client/dist/* /opt/trek/server/public/
+cp -r /opt/trek/client/public/fonts /opt/trek/server/public/fonts 2>/dev/null || true
+mkdir -p /opt/trek/{data/logs,uploads/{files,covers,avatars,photos}}
+rm -rf /opt/trek/server/data /opt/trek/server/uploads
+ln -s /opt/trek/data /opt/trek/server/data
+ln -s /opt/trek/uploads /opt/trek/server/uploads
+ENCRYPTION_KEY=$(openssl rand -hex 32)
+ADMIN_EMAIL="admin@trek.local"
+ADMIN_PASSWORD=$(openssl rand -base64 18 | tr -dc 'A-Za-z0-9' | head -c 16)
+cat <<EOF >/opt/trek/server/.env
+NODE_ENV=production
+PORT=3000
+ENCRYPTION_KEY=${ENCRYPTION_KEY}
+ADMIN_EMAIL=${ADMIN_EMAIL}
+ADMIN_PASSWORD=${ADMIN_PASSWORD}
+COOKIE_SECURE=false
+FORCE_HTTPS=false
+LOG_LEVEL=info
+TZ=UTC
+EOF
+chmod 600 /opt/trek/server/.env
+msg_ok "Set up Server"
+
+msg_info "Creating Service"
+cat <<EOF >/etc/systemd/system/trek.service
+[Unit]
+Description=TREK Travel Planner
+After=network.target
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=/opt/trek/server
+EnvironmentFile=/opt/trek/server/.env
+ExecStart=/usr/bin/node --import tsx src/index.ts
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable -q --now trek
+msg_ok "Created Service"
+
+motd_ssh
+customize
+cleanup_lxc

misc/build.func

@@ -5456,14 +5456,14 @@ create_lxc_container() {
     local _has_fallback_option=false
     if [[ "$do_retry" == "yes" ]] && has_previous_os_version_template; then
       _has_fallback_option=true
-      echo "  [1] Run host upgrade now (recommended). WARNING: this runs apt upgrade and updates all Packeages on your host!"
+      echo "  [1] Run host upgrade now (recommended). WARNING: this runs apt upgrade and updates all Packages on your host!"
       echo "  [2] Use an older ${PCT_OSTYPE} template instead (may not work with all scripts)"
       echo "  [3] Ignore"
       echo "  [4] Cancel"
       echo
       read -rp "Select option [1/2/3/4]: " _ans </dev/tty
     else
-      echo "  [1] Run host upgrade now (recommended). WARNING: this runs apt upgrade and updates all Packeages on your host!"
+      echo "  [1] Run host upgrade now (recommended). WARNING: this runs apt upgrade and updates all Packages on your host!"
       echo "  [2] Ignore"
       echo "  [3] Cancel"
       echo
@@ -5678,6 +5678,10 @@ create_lxc_container() {
 
   if ! pvesm status -content rootdir 2>/dev/null | awk 'NR>1{print $1}' | grep -qx "$CONTAINER_STORAGE"; then
     msg_error "Storage '$CONTAINER_STORAGE' ($STORAGE_TYPE) does not support 'rootdir' content."
+    msg_custom "💡" "${YW}" "Enable 'Disk image' (rootdir) for storage '${CONTAINER_STORAGE}' in:"
+    msg_custom "   " "${YW}" "Datacenter → Storage → ${CONTAINER_STORAGE} → Edit → Content"
+    msg_custom "📖" "${YW}" "See: https://pve.proxmox.com/wiki/Storage"
+    msg_custom "🔗" "${YW}" "Help: https://github.com/community-scripts/ProxmoxVE/discussions"
     exit 213
   fi
   msg_ok "Storage '$CONTAINER_STORAGE' ($STORAGE_TYPE) validated"

misc/tools.func

@@ -1924,8 +1924,8 @@ setup_deb822_repo() {
     echo "Types: deb"
     echo "URIs: $repo_url"
     echo "Suites: $suite"
-    # Flat repositories (suite="./" or absolute path) must not have Components
-    if [[ "$suite" != "./" && -n "$component" ]]; then
+    # Flat repositories (suite ending with "/" or "./") must not have Components
+    if [[ "$suite" != *"/" && -n "$component" ]]; then
       echo "Components: $component"
     fi
     [[ -n "$architectures" ]] && echo "Architectures: $architectures"
@@ -5964,14 +5964,14 @@ function setup_mariadb_db() {
 }
 
 # ------------------------------------------------------------------------------
-# Installs or updates MongoDB to specified major version.
+# Installs or updates MongoDB to specified version.
 #
 # Description:
 #   - Preserves data across installations
 #   - Adds official MongoDB repo
 #
 # Variables:
-#   MONGO_VERSION  - MongoDB major version to install (e.g. 7.0, 8.0)
+#   MONGO_VERSION  - MongoDB version to install (e.g. 7.0, 8.2)
 # ------------------------------------------------------------------------------
 
 function setup_mongodb() {
@@ -6044,8 +6044,11 @@ function setup_mongodb() {
   }
 
   # Setup repository
+  # MongoDB 8.x versions beyond 8.0 reuse the server-8.0.asc PGP key
+  local MONGO_KEY_VERSION="${MONGO_VERSION}"
+  [[ "${MONGO_VERSION}" == 8.[1-9]* ]] && MONGO_KEY_VERSION="8.0"
   manage_tool_repository "mongodb" "$MONGO_VERSION" "$MONGO_BASE_URL" \
-    "https://www.mongodb.org/static/pgp/server-${MONGO_VERSION}.asc" || {
+    "https://www.mongodb.org/static/pgp/server-${MONGO_KEY_VERSION}.asc" || {
     msg_error "Failed to setup MongoDB repository"
     return 100
   }
@@ -8662,3 +8665,655 @@ EOF
   $STD apt update
   return 0
 }
+
+# ------------------------------------------------------------------------------
+# Get latest GitLab release version.
+# Usage: get_latest_gitlab_release "owner/repo" [strip_v]
+# ------------------------------------------------------------------------------
+get_latest_gitlab_release() {
+  local repo="$1"
+  local strip_v="${2:-true}"
+
+  local repo_encoded
+  repo_encoded=$(python3 -c "import urllib.parse, sys; print(urllib.parse.quote(sys.argv[1], safe=''))" "$repo" 2>/dev/null ||
+    echo "$repo" | sed 's|/|%2F|g')
+
+  local header=()
+  [[ -n "${GITLAB_TOKEN:-}" ]] && header=(-H "PRIVATE-TOKEN: $GITLAB_TOKEN")
+
+  local temp_file
+  temp_file=$(mktemp)
+
+  local http_code
+  http_code=$(curl --connect-timeout 10 --max-time 30 -sSL \
+    -w "%{http_code}" -o "$temp_file" \
+    "${header[@]}" \
+    "https://gitlab.com/api/v4/projects/$repo_encoded/releases?per_page=1&order_by=released_at&sort=desc" 2>/dev/null) || true
+
+  if [[ "$http_code" != "200" ]]; then
+    rm -f "$temp_file"
+    msg_warn "GitLab API call failed for ${repo} (HTTP ${http_code})"
+    return 22
+  fi
+
+  local version
+  version=$(jq -r '.[0].tag_name // empty' "$temp_file")
+  rm -f "$temp_file"
+
+  if [[ -z "$version" ]]; then
+    msg_error "Could not determine latest version for ${repo}"
+    return 250
+  fi
+
+  if [[ "$strip_v" == "true" ]]; then
+    [[ "$version" =~ ^v[0-9] ]] && version="${version:1}"
+  fi
+
+  echo "$version"
+}
+
+# ------------------------------------------------------------------------------
+# Checks for new GitLab release (latest tag).
+#
+# Description:
+#   - Queries the GitLab API for the latest release tag
+#   - Compares it to a local cached version (~/.<app>)
+#   - If newer, sets global CHECK_UPDATE_RELEASE and returns 0
+#
+# Usage:
+#     if check_for_gl_release "myapp" "owner/repo" [optional] "v1.2.3"; then
+#       # trigger update...
+#     fi
+#     exit 0
+#     } (end of update_script not from the function)
+#
+# Notes:
+#   - Requires `jq` (auto-installed if missing)
+#   - Supports GITLAB_TOKEN env var for private/rate-limited repos
+#   - Does not modify anything, only checks version state
+# ------------------------------------------------------------------------------
+check_for_gl_release() {
+  local app="$1"
+  local source="$2"
+  local pinned_version_in="${3:-}" # optional
+  local pin_reason="${4:-}"        # optional reason shown to user
+  local app_lc="${app,,}"
+  local current_file="$HOME/.${app_lc}"
+
+  msg_info "Checking for update: ${app}"
+
+  # DNS check
+  if ! getent hosts gitlab.com >/dev/null 2>&1; then
+    msg_error "Network error: cannot resolve gitlab.com"
+    return 6
+  fi
+
+  ensure_dependencies jq
+
+  local repo_encoded
+  repo_encoded=$(python3 -c "import urllib.parse, sys; print(urllib.parse.quote(sys.argv[1], safe=''))" "$source" 2>/dev/null ||
+    echo "$source" | sed 's|/|%2F|g')
+
+  local header=()
+  [[ -n "${GITLAB_TOKEN:-}" ]] && header=(-H "PRIVATE-TOKEN: $GITLAB_TOKEN")
+
+  local releases_json="" http_code=""
+
+  # For pinned versions, try to fetch the specific release tag first
+  if [[ -n "$pinned_version_in" ]]; then
+    local pinned_encoded="${pinned_version_in//\//%2F}"
+    http_code=$(curl -sSL --max-time 20 -w "%{http_code}" -o /tmp/gl_check.json \
+      "${header[@]}" \
+      "https://gitlab.com/api/v4/projects/$repo_encoded/releases/$pinned_encoded" 2>/dev/null) || true
+    if [[ "$http_code" == "200" ]] && [[ -s /tmp/gl_check.json ]]; then
+      releases_json="[$(</tmp/gl_check.json)]"
+    fi
+    rm -f /tmp/gl_check.json
+  fi
+
+  # Fetch full releases list if needed
+  if [[ -z "$releases_json" ]]; then
+    http_code=$(curl -sSL --max-time 20 -w "%{http_code}" -o /tmp/gl_check.json \
+      "${header[@]}" \
+      "https://gitlab.com/api/v4/projects/$repo_encoded/releases?per_page=100&order_by=released_at&sort=desc" 2>/dev/null) || true
+
+    if [[ "$http_code" == "200" ]] && [[ -s /tmp/gl_check.json ]]; then
+      releases_json=$(</tmp/gl_check.json)
+    elif [[ "$http_code" == "401" ]]; then
+      msg_error "GitLab API authentication failed (HTTP 401)."
+      if [[ -n "${GITLAB_TOKEN:-}" ]]; then
+        msg_error "Your GITLAB_TOKEN appears to be invalid or expired."
+      else
+        msg_error "The repository may require authentication. Try: export GITLAB_TOKEN=\"glpat-your_token\""
+      fi
+      rm -f /tmp/gl_check.json
+      return 22
+    elif [[ "$http_code" == "404" ]]; then
+      msg_error "GitLab project not found (HTTP 404). Ensure '${source}' is correct and publicly accessible."
+      rm -f /tmp/gl_check.json
+      return 22
+    elif [[ "$http_code" == "429" ]]; then
+      msg_error "GitLab API rate limit exceeded (HTTP 429)."
+      msg_error "To increase the limit, export a GitLab token: export GITLAB_TOKEN=\"glpat-your_token_here\""
+      rm -f /tmp/gl_check.json
+      return 22
+    elif [[ "$http_code" == "000" || -z "$http_code" ]]; then
+      msg_error "GitLab API connection failed (no response)."
+      msg_error "Check your network/DNS: curl -sSL https://gitlab.com/api/v4/version"
+      rm -f /tmp/gl_check.json
+      return 7
+    else
+      msg_error "Unable to fetch releases for ${app} (HTTP ${http_code})"
+      rm -f /tmp/gl_check.json
+      return 22
+    fi
+    rm -f /tmp/gl_check.json
+  fi
+
+  mapfile -t raw_tags < <(jq -r '.[] | .tag_name' <<<"$releases_json")
+  if ((${#raw_tags[@]} == 0)); then
+    msg_error "No releases found for ${app} on GitLab"
+    return 250
+  fi
+
+  local clean_tags=()
+  for t in "${raw_tags[@]}"; do
+    # Only strip leading 'v' when followed by a digit (e.g. v1.2.3)
+    if [[ "$t" =~ ^v[0-9] ]]; then
+      clean_tags+=("${t:1}")
+    else
+      clean_tags+=("$t")
+    fi
+  done
+
+  local latest_raw="${raw_tags[0]}"
+  local latest_clean="${clean_tags[0]}"
+
+  # current installed (stored without v)
+  local current=""
+  if [[ -f "$current_file" ]]; then
+    current="$(<"$current_file")"
+  else
+    # Migration: search for any /opt/*_version.txt
+    local legacy_files
+    mapfile -t legacy_files < <(find /opt -maxdepth 1 -type f -name "*_version.txt" 2>/dev/null)
+    if ((${#legacy_files[@]} == 1)); then
+      current="$(<"${legacy_files[0]}")"
+      echo "${current#v}" >"$current_file"
+      rm -f "${legacy_files[0]}"
+    fi
+  fi
+  if [[ "$current" =~ ^v[0-9] ]]; then
+    current="${current:1}"
+  fi
+
+  # Pinned version handling
+  if [[ -n "$pinned_version_in" ]]; then
+    local pin_clean
+    if [[ "$pinned_version_in" =~ ^v[0-9] ]]; then
+      pin_clean="${pinned_version_in:1}"
+    else
+      pin_clean="$pinned_version_in"
+    fi
+    local match_raw=""
+    for i in "${!clean_tags[@]}"; do
+      if [[ "${clean_tags[$i]}" == "$pin_clean" ]]; then
+        match_raw="${raw_tags[$i]}"
+        break
+      fi
+    done
+
+    if [[ -z "$match_raw" ]]; then
+      msg_error "Pinned version ${pinned_version_in} not found upstream"
+      return 250
+    fi
+
+    if [[ "$current" != "$pin_clean" ]]; then
+      CHECK_UPDATE_RELEASE="$match_raw"
+      msg_ok "Update available: ${app} ${current:-not installed} → ${pin_clean}"
+      return 0
+    fi
+
+    if [[ -n "$pin_reason" ]]; then
+      msg_ok "No update available: ${app} (${current}) - update held back: ${pin_reason}"
+    else
+      msg_ok "No update available: ${app} (${current}) - update temporarily held back due to issues with newer releases"
+    fi
+    return 1
+  fi
+
+  # No pinning → use latest
+  if [[ -z "$current" || "$current" != "$latest_clean" ]]; then
+    CHECK_UPDATE_RELEASE="$latest_raw"
+    msg_ok "Update available: ${app} ${current:-not installed} → ${latest_clean}"
+    return 0
+  fi
+
+  msg_ok "No update available: ${app} (${latest_clean})"
+  return 1
+}
+
+function fetch_and_deploy_gl_release() {
+  local app="$1"
+  local repo="$2"
+  local mode="${3:-tarball}"
+  local version="${var_appversion:-${4:-latest}}"
+  local target="${5:-/opt/$app}"
+  local asset_pattern="${6:-}"
+
+  if [[ -z "$app" ]]; then
+    app="${repo##*/}"
+    if [[ -z "$app" ]]; then
+      msg_error "fetch_and_deploy_gl_release requires app name or valid repo"
+      return 1
+    fi
+  fi
+
+  local app_lc=$(echo "${app,,}" | tr -d ' ')
+  local version_file="$HOME/.${app_lc}"
+
+  local api_timeout="--connect-timeout 10 --max-time 60"
+  local download_timeout="--connect-timeout 15 --max-time 900"
+
+  local current_version=""
+  [[ -f "$version_file" ]] && current_version=$(<"$version_file")
+
+  ensure_dependencies jq
+
+  local repo_encoded
+  repo_encoded=$(python3 -c "import urllib.parse, sys; print(urllib.parse.quote(sys.argv[1], safe=''))" "$repo" 2>/dev/null ||
+    echo "$repo" | sed 's|/|%2F|g')
+
+  local api_base="https://gitlab.com/api/v4/projects/$repo_encoded/releases"
+  local api_url
+  if [[ "$version" != "latest" ]]; then
+    api_url="$api_base/$version"
+  else
+    api_url="$api_base?per_page=1&order_by=released_at&sort=desc"
+  fi
+
+  local header=()
+  [[ -n "${GITLAB_TOKEN:-}" ]] && header=(-H "PRIVATE-TOKEN: $GITLAB_TOKEN")
+
+  local max_retries=3 retry_delay=2 attempt=1 success=false http_code
+
+  while ((attempt <= max_retries)); do
+    http_code=$(curl $api_timeout -sSL -w "%{http_code}" -o /tmp/gl_rel.json "${header[@]}" "$api_url" 2>/dev/null) || true
+    if [[ "$http_code" == "200" ]]; then
+      success=true
+      break
+    elif [[ "$http_code" == "429" ]]; then
+      if ((attempt < max_retries)); then
+        msg_warn "GitLab API rate limit hit, retrying in ${retry_delay}s... (attempt $attempt/$max_retries)"
+        sleep "$retry_delay"
+        retry_delay=$((retry_delay * 2))
+      fi
+    else
+      sleep "$retry_delay"
+    fi
+    ((attempt++))
+  done
+
+  if ! $success; then
+    if [[ "$http_code" == "401" ]]; then
+      msg_error "GitLab API authentication failed (HTTP 401)."
+      if [[ -n "${GITLAB_TOKEN:-}" ]]; then
+        msg_error "Your GITLAB_TOKEN appears to be invalid or expired."
+      else
+        msg_error "The repository may require authentication. Try: export GITLAB_TOKEN=\"glpat-your_token\""
+      fi
+    elif [[ "$http_code" == "404" ]]; then
+      msg_error "GitLab project or release not found (HTTP 404)."
+      msg_error "Ensure '$repo' is correct and the project is accessible."
+    elif [[ "$http_code" == "429" ]]; then
+      msg_error "GitLab API rate limit exceeded (HTTP 429)."
+      msg_error "To increase the limit, export a GitLab token before running the script:"
+      msg_error "  export GITLAB_TOKEN=\"glpat-your_token_here\""
+    elif [[ "$http_code" == "000" || -z "$http_code" ]]; then
+      msg_error "GitLab API connection failed (no response)."
+      msg_error "Check your network/DNS: curl -sSL https://gitlab.com/api/v4/version"
+    else
+      msg_error "Failed to fetch release metadata (HTTP $http_code)"
+    fi
+    return 1
+  fi
+
+  local json tag_name
+  json=$(</tmp/gl_rel.json)
+
+  if [[ "$version" == "latest" ]]; then
+    json=$(echo "$json" | jq '.[0] // empty')
+    if [[ -z "$json" || "$json" == "null" ]]; then
+      msg_error "No releases found for $repo on GitLab"
+      return 1
+    fi
+  fi
+
+  tag_name=$(echo "$json" | jq -r '.tag_name // empty')
+  if [[ -z "$tag_name" ]]; then
+    msg_error "Could not determine tag name from release metadata"
+    return 1
+  fi
+  [[ "$tag_name" =~ ^v[0-9] ]] && version="${tag_name:1}" || version="$tag_name"
+  local version_safe="${version//\//-}"
+
+  if [[ "$current_version" == "$version" ]]; then
+    $STD msg_ok "$app is already up-to-date (v$version)"
+    return 0
+  fi
+
+  local tmpdir
+  tmpdir=$(mktemp -d) || return 1
+  local filename=""
+
+  msg_info "Fetching GitLab release: $app ($version)"
+
+  _gl_asset_urls() {
+    local release_json="$1"
+    echo "$release_json" | jq -r '
+      (.assets.links // [])[] | .direct_asset_url // .url
+    '
+  }
+
+  ### Tarball Mode ###
+  if [[ "$mode" == "tarball" || "$mode" == "source" ]]; then
+    local direct_tarball_url="https://gitlab.com/$repo/-/archive/$tag_name/${app_lc}-${version_safe}.tar.gz"
+    filename="${app_lc}-${version_safe}.tar.gz"
+
+    curl $download_timeout -fsSL "${header[@]}" -o "$tmpdir/$filename" "$direct_tarball_url" || {
+      msg_error "Download failed: $direct_tarball_url"
+      rm -rf "$tmpdir"
+      return 1
+    }
+
+    mkdir -p "$target"
+    if [[ "${CLEAN_INSTALL:-0}" == "1" ]]; then
+      rm -rf "${target:?}/"*
+    fi
+
+    tar --no-same-owner -xzf "$tmpdir/$filename" -C "$tmpdir" || {
+      msg_error "Failed to extract tarball"
+      rm -rf "$tmpdir"
+      return 1
+    }
+    local unpack_dir
+    unpack_dir=$(find "$tmpdir" -mindepth 1 -maxdepth 1 -type d | head -n1)
+
+    shopt -s dotglob nullglob
+    cp -r "$unpack_dir"/* "$target/"
+    shopt -u dotglob nullglob
+
+  ### Binary Mode ###
+  elif [[ "$mode" == "binary" ]]; then
+    local arch
+    arch=$(dpkg --print-architecture 2>/dev/null || uname -m)
+    [[ "$arch" == "x86_64" ]] && arch="amd64"
+    [[ "$arch" == "aarch64" ]] && arch="arm64"
+
+    local assets url_match=""
+    assets=$(_gl_asset_urls "$json")
+
+    if [[ -n "$asset_pattern" ]]; then
+      for u in $assets; do
+        case "${u##*/}" in
+        $asset_pattern)
+          url_match="$u"
+          break
+          ;;
+        esac
+      done
+    fi
+
+    if [[ -z "$url_match" ]]; then
+      for u in $assets; do
+        if [[ "$u" =~ ($arch|amd64|x86_64|aarch64|arm64).*\.deb$ ]]; then
+          url_match="$u"
+          break
+        fi
+      done
+    fi
+
+    if [[ -z "$url_match" ]]; then
+      for u in $assets; do
+        [[ "$u" =~ \.deb$ ]] && url_match="$u" && break
+      done
+    fi
+
+    if [[ -z "$url_match" ]]; then
+      local fallback_json
+      if fallback_json=$(_gl_scan_older_releases "$repo" "$repo_encoded" "https://gitlab.com" "binary" "$asset_pattern" "$tag_name"); then
+        json="$fallback_json"
+        tag_name=$(echo "$json" | jq -r '.tag_name // empty')
+        [[ "$tag_name" =~ ^v[0-9] ]] && version="${tag_name:1}" || version="$tag_name"
+        msg_info "Fetching GitLab release: $app ($version)"
+        assets=$(_gl_asset_urls "$json")
+        if [[ -n "$asset_pattern" ]]; then
+          for u in $assets; do
+            case "${u##*/}" in $asset_pattern)
+              url_match="$u"
+              break
+              ;;
+            esac
+          done
+        fi
+        if [[ -z "$url_match" ]]; then
+          for u in $assets; do
+            [[ "$u" =~ ($arch|amd64|x86_64|aarch64|arm64).*\.deb$ ]] && url_match="$u" && break
+          done
+        fi
+        if [[ -z "$url_match" ]]; then
+          for u in $assets; do
+            [[ "$u" =~ \.deb$ ]] && url_match="$u" && break
+          done
+        fi
+      fi
+    fi
+
+    if [[ -z "$url_match" ]]; then
+      msg_error "No suitable .deb asset found for $app"
+      rm -rf "$tmpdir"
+      return 1
+    fi
+
+    filename="${url_match##*/}"
+    curl $download_timeout -fsSL "${header[@]}" -o "$tmpdir/$filename" "$url_match" || {
+      msg_error "Download failed: $url_match"
+      rm -rf "$tmpdir"
+      return 1
+    }
+
+    chmod 644 "$tmpdir/$filename"
+    local dpkg_opts=""
+    [[ "${DPKG_FORCE_CONFOLD:-}" == "1" ]] && dpkg_opts="-o Dpkg::Options::=--force-confold"
+    [[ "${DPKG_FORCE_CONFNEW:-}" == "1" ]] && dpkg_opts="-o Dpkg::Options::=--force-confnew"
+    DEBIAN_FRONTEND=noninteractive SYSTEMD_OFFLINE=1 $STD apt install -y $dpkg_opts "$tmpdir/$filename" || {
+      SYSTEMD_OFFLINE=1 $STD dpkg -i "$tmpdir/$filename" || {
+        msg_error "Both apt and dpkg installation failed"
+        rm -rf "$tmpdir"
+        return 1
+      }
+    }
+
+  ### Prebuild Mode ###
+  elif [[ "$mode" == "prebuild" ]]; then
+    local pattern="${6%\"}"
+    pattern="${pattern#\"}"
+    [[ -z "$pattern" ]] && {
+      msg_error "Mode 'prebuild' requires 6th parameter (asset filename pattern)"
+      rm -rf "$tmpdir"
+      return 1
+    }
+
+    local asset_url=""
+    for u in $(_gl_asset_urls "$json"); do
+      filename_candidate="${u##*/}"
+      case "$filename_candidate" in
+      $pattern)
+        asset_url="$u"
+        break
+        ;;
+      esac
+    done
+
+    if [[ -z "$asset_url" ]]; then
+      local fallback_json
+      if fallback_json=$(_gl_scan_older_releases "$repo" "$repo_encoded" "https://gitlab.com" "prebuild" "$pattern" "$tag_name"); then
+        json="$fallback_json"
+        tag_name=$(echo "$json" | jq -r '.tag_name // empty')
+        [[ "$tag_name" =~ ^v[0-9] ]] && version="${tag_name:1}" || version="$tag_name"
+        msg_info "Fetching GitLab release: $app ($version)"
+        for u in $(_gl_asset_urls "$json"); do
+          filename_candidate="${u##*/}"
+          case "$filename_candidate" in $pattern)
+            asset_url="$u"
+            break
+            ;;
+          esac
+        done
+      fi
+    fi
+
+    [[ -z "$asset_url" ]] && {
+      msg_error "No asset matching '$pattern' found"
+      rm -rf "$tmpdir"
+      return 1
+    }
+
+    filename="${asset_url##*/}"
+    curl $download_timeout -fsSL "${header[@]}" -o "$tmpdir/$filename" "$asset_url" || {
+      msg_error "Download failed: $asset_url"
+      rm -rf "$tmpdir"
+      return 1
+    }
+
+    local unpack_tmp
+    unpack_tmp=$(mktemp -d)
+    mkdir -p "$target"
+    if [[ "${CLEAN_INSTALL:-0}" == "1" ]]; then
+      rm -rf "${target:?}/"*
+    fi
+
+    if [[ "$filename" == *.zip ]]; then
+      ensure_dependencies unzip
+      unzip -q "$tmpdir/$filename" -d "$unpack_tmp" || {
+        msg_error "Failed to extract ZIP archive"
+        rm -rf "$tmpdir" "$unpack_tmp"
+        return 1
+      }
+    elif [[ "$filename" == *.tar.* || "$filename" == *.tgz || "$filename" == *.txz ]]; then
+      tar --no-same-owner -xf "$tmpdir/$filename" -C "$unpack_tmp" || {
+        msg_error "Failed to extract TAR archive"
+        rm -rf "$tmpdir" "$unpack_tmp"
+        return 1
+      }
+    else
+      msg_error "Unsupported archive format: $filename"
+      rm -rf "$tmpdir" "$unpack_tmp"
+      return 1
+    fi
+
+    local top_entries inner_dir
+    top_entries=$(find "$unpack_tmp" -mindepth 1 -maxdepth 1)
+    if [[ "$(echo "$top_entries" | wc -l)" -eq 1 && -d "$top_entries" ]]; then
+      inner_dir="$top_entries"
+      shopt -s dotglob nullglob
+      if compgen -G "$inner_dir/*" >/dev/null; then
+        cp -r "$inner_dir"/* "$target/" || {
+          msg_error "Failed to copy contents from $inner_dir to $target"
+          rm -rf "$tmpdir" "$unpack_tmp"
+          return 1
+        }
+      else
+        msg_error "Inner directory is empty: $inner_dir"
+        rm -rf "$tmpdir" "$unpack_tmp"
+        return 1
+      fi
+      shopt -u dotglob nullglob
+    else
+      shopt -s dotglob nullglob
+      if compgen -G "$unpack_tmp/*" >/dev/null; then
+        cp -r "$unpack_tmp"/* "$target/" || {
+          msg_error "Failed to copy contents to $target"
+          rm -rf "$tmpdir" "$unpack_tmp"
+          return 1
+        }
+      else
+        msg_error "Unpacked archive is empty"
+        rm -rf "$tmpdir" "$unpack_tmp"
+        return 1
+      fi
+      shopt -u dotglob nullglob
+    fi
+
+  ### Singlefile Mode ###
+  elif [[ "$mode" == "singlefile" ]]; then
+    local pattern="${6%\"}"
+    pattern="${pattern#\"}"
+    [[ -z "$pattern" ]] && {
+      msg_error "Mode 'singlefile' requires 6th parameter (asset filename pattern)"
+      rm -rf "$tmpdir"
+      return 1
+    }
+
+    local asset_url=""
+    for u in $(_gl_asset_urls "$json"); do
+      filename_candidate="${u##*/}"
+      case "$filename_candidate" in
+      $pattern)
+        asset_url="$u"
+        break
+        ;;
+      esac
+    done
+
+    if [[ -z "$asset_url" ]]; then
+      local fallback_json
+      if fallback_json=$(_gl_scan_older_releases "$repo" "$repo_encoded" "https://gitlab.com" "singlefile" "$pattern" "$tag_name"); then
+        json="$fallback_json"
+        tag_name=$(echo "$json" | jq -r '.tag_name // empty')
+        [[ "$tag_name" =~ ^v[0-9] ]] && version="${tag_name:1}" || version="$tag_name"
+        msg_info "Fetching GitLab release: $app ($version)"
+        for u in $(_gl_asset_urls "$json"); do
+          filename_candidate="${u##*/}"
+          case "$filename_candidate" in $pattern)
+            asset_url="$u"
+            break
+            ;;
+          esac
+        done
+      fi
+    fi
+
+    [[ -z "$asset_url" ]] && {
+      msg_error "No asset matching '$pattern' found"
+      rm -rf "$tmpdir"
+      return 1
+    }
+
+    filename="${asset_url##*/}"
+    mkdir -p "$target"
+
+    local use_filename="${USE_ORIGINAL_FILENAME:-false}"
+    local target_file="$app"
+    [[ "$use_filename" == "true" ]] && target_file="$filename"
+
+    curl $download_timeout -fsSL "${header[@]}" -o "$target/$target_file" "$asset_url" || {
+      msg_error "Download failed: $asset_url"
+      rm -rf "$tmpdir"
+      return 1
+    }
+
+    if [[ "$target_file" != *.jar && -f "$target/$target_file" ]]; then
+      chmod +x "$target/$target_file"
+    fi
+
+  else
+    msg_error "Unknown mode: $mode"
+    rm -rf "$tmpdir"
+    return 1
+  fi
+
+  echo "$version" >"$version_file"
+  msg_ok "Deployed: $app ($version)"
+  rm -rf "$tmpdir"
+}

tools/pve/update-apps.sh

@@ -405,11 +405,6 @@ for container in $CHOICE; do
   esac
   exit_code=$?
 
-  if [ "$template" == "false" ] && [ "$status" == "status: stopped" ]; then
-    echo -e "${BL}[Info]${GN} Shutting down${BL} $container ${CL} \n"
-    pct shutdown $container &
-  fi
-
   #5) if build resources are different than run resources, then:
   if [ "$UPDATE_BUILD_RESOURCES" -eq "1" ]; then
     pct set "$container" --cores "$run_cpu" --memory "$run_ram"
@@ -421,6 +416,11 @@ for container in $CHOICE; do
     containers_needing_reboot+=("$container ($container_hostname)")
   fi
 
+  if [ "$template" == "false" ] && [ "$status" == "status: stopped" ]; then
+    echo -e "${BL}[Info]${GN} Shutting down${BL} $container ${CL} \n"
+    pct shutdown $container &>/dev/null &
+  fi
+
   if [ $exit_code -eq 0 ]; then
     msg_ok "Updated container $container"
   elif [ $exit_code -eq 75 ]; then

tools/pve/update-lxcs-cron.sh

@@ -66,10 +66,20 @@ for container in $(pct list | awk '{if(NR>1) print $1}'); do
       pct start "$container"
       sleep 5
       update_container "$container" || echo " [Error] Update failed for $container"
+      # check if patchmon agent is present in container and run a report if found
+      if pct exec "$container" -- [ -e "/usr/local/bin/patchmon-agent" ]; then
+        echo -e "${BL}[Info]${GN} patchmon-agent found in ${BL} $container ${CL}, triggering report. \n"
+        pct exec "$container" -- "/usr/local/bin/patchmon-agent" "report"
+      fi
       echo -e "[Info] Shutting down $container"
       pct shutdown "$container" --timeout 60 &
     elif [ "$status" == "status: running" ]; then
       update_container "$container" || echo " [Error] Update failed for $container"
+      # check if patchmon agent is present in container and run a report if found
+      if pct exec "$container" -- [ -e "/usr/local/bin/patchmon-agent" ]; then
+        echo -e "${BL}[Info]${GN} patchmon-agent found in ${BL} $container ${CL}, triggering report. \n"
+        pct exec "$container" -- "/usr/local/bin/patchmon-agent" "report"
+      fi
     fi
   fi
 done

tools/pve/update-lxcs.sh

@@ -110,15 +110,17 @@ for container in $(pct list | awk '{if(NR>1) print $1}'); do
     elif [ "$status" == "status: running" ]; then
       update_container $container
     fi
-    if pct exec "$container" -- [ -e "/var/run/reboot-required" ]; then
-      # Get the container's hostname and add it to the list
-      container_hostname=$(pct exec "$container" hostname)
-      containers_needing_reboot+=("$container ($container_hostname)")
-    fi
-    # check if patchmon agent is present in container and run a report if found
-    if pct exec "$container" -- [ -e "/usr/local/bin/patchmon-agent" ]; then
-      echo -e "${BL}[Info]${GN} patchmon-agent found in ${BL} $container ${CL}, triggering report. \n"
-      pct exec "$container" -- "/usr/local/bin/patchmon-agent" "report"
+    if [ "$status" == "status: running" ]; then
+      if pct exec "$container" -- [ -e "/var/run/reboot-required" ]; then
+        # Get the container's hostname and add it to the list
+        container_hostname=$(pct exec "$container" hostname)
+        containers_needing_reboot+=("$container ($container_hostname)")
+      fi
+      # check if patchmon agent is present in container and run a report if found
+      if pct exec "$container" -- [ -e "/usr/local/bin/patchmon-agent" ]; then
+        echo -e "${BL}[Info]${GN} patchmon-agent found in ${BL} $container ${CL}, triggering report. \n"
+        pct exec "$container" -- "/usr/local/bin/patchmon-agent" "report"
+      fi
     fi
   fi
 done