fix(litellm): add prisma generate and use venv binary directly

The install failed on startup because Prisma engine binaries were
never generated. Added 'prisma generate' after pip install and
changed both the setup command and systemd service to use the venv
binary directly instead of 'uv run', ensuring prisma binaries
persist between install and service start.

Closes #13793

CHANGELOG.md

@@ -442,23 +442,79 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 
 </details>
 
+## 2026-04-18
+
+### 🆕 New Scripts
+
+  - Dagu ([#13830](https://github.com/community-scripts/ProxmoxVE/pull/13830))
+
+### 🧰 Tools
+
+  - #### 🐞 Bug Fixes
+
+    - SparkyFitness Garmin Microservice: fix update function [@tomfrenzel](https://github.com/tomfrenzel) ([#13824](https://github.com/community-scripts/ProxmoxVE/pull/13824))
+
+## 2026-04-17
+
+### 🆕 New Scripts
+
+  - step-ca ([#13775](https://github.com/community-scripts/ProxmoxVE/pull/13775))
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - core: pin IGC version to compute-runtime compatible tag (Intel GPU) [@MickLesk](https://github.com/MickLesk) ([#13814](https://github.com/community-scripts/ProxmoxVE/pull/13814))
+    - Fix for bambuddy community script update [@abbasegbeyemi](https://github.com/abbasegbeyemi) ([#13816](https://github.com/community-scripts/ProxmoxVE/pull/13816))
+    - Umami: Fix update procedure [@tremor021](https://github.com/tremor021) ([#13807](https://github.com/community-scripts/ProxmoxVE/pull/13807))
+
+### 💾 Core
+
+  - #### 🐞 Bug Fixes
+
+    - core: sanitize mount_fs input — strip spaces and trailing commas [@MickLesk](https://github.com/MickLesk) ([#13806](https://github.com/community-scripts/ProxmoxVE/pull/13806))
+
+  - #### 🔧 Refactor
+
+    - core: fix some pct create issues (telemetry) + cleanup [@MickLesk](https://github.com/MickLesk) ([#13810](https://github.com/community-scripts/ProxmoxVE/pull/13810))
+
+## 2026-04-16
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - Add pnpm as a dependency to ghost-cli install [@YourFavoriteKyle](https://github.com/YourFavoriteKyle) ([#13789](https://github.com/community-scripts/ProxmoxVE/pull/13789))
+
+### 💾 Core
+
+  - #### ✨ New Features
+
+    - core: wire ENABLE_MKNOD and ALLOW_MOUNT_FS into LXC features [@MickLesk](https://github.com/MickLesk) ([#13796](https://github.com/community-scripts/ProxmoxVE/pull/13796))
+
 ## 2026-04-15
 
 ### 🆕 New Scripts
 
-  - GitHub-Runner ([#13709](https://github.com/community-scripts/ProxmoxVE/pull/13709))
+  - iGotify ([#13773](https://github.com/community-scripts/ProxmoxVE/pull/13773))
+- GitHub-Runner ([#13709](https://github.com/community-scripts/ProxmoxVE/pull/13709))
 - Revert "Remove low-install-count CT scripts and installers (#13570)" [@CrazyWolf13](https://github.com/CrazyWolf13) ([#13752](https://github.com/community-scripts/ProxmoxVE/pull/13752))
 
 ### 🚀 Updated Scripts
 
   - #### 🐞 Bug Fixes
 
+    - [alpine-nextcloud] Update Nginx MIME types to support .mjs files [@GuiltyFox](https://github.com/GuiltyFox) ([#13771](https://github.com/community-scripts/ProxmoxVE/pull/13771))
     - Domain Monitor: Fix file ownership after update [@tremor021](https://github.com/tremor021) ([#13759](https://github.com/community-scripts/ProxmoxVE/pull/13759))
 
   - #### 💥 Breaking Changes
 
     - Reitti: refactor scripts for v4 - remove RabbitMQ and Photon [@MickLesk](https://github.com/MickLesk) ([#13728](https://github.com/community-scripts/ProxmoxVE/pull/13728))
 
+  - #### 🔧 Refactor
+
+    - Semaphore: add BoltDB to SQLite migration [@tremor021](https://github.com/tremor021) ([#13779](https://github.com/community-scripts/ProxmoxVE/pull/13779))
+
 ### 📚 Documentation
 
   - cleanup: remove docs/, update README & CONTRIBUTING, fix repo config [@MickLesk](https://github.com/MickLesk) ([#13770](https://github.com/community-scripts/ProxmoxVE/pull/13770))

ct/bambuddy.sh

@@ -48,7 +48,7 @@ function update_script() {
 
     msg_info "Updating Python Dependencies"
     cd /opt/bambuddy
-    $STD uv venv
+    $STD uv venv --clear
     $STD uv pip install -r requirements.txt
     msg_ok "Updated Python Dependencies"
 

ct/dagu.sh

@@ -0,0 +1,64 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk (CanbiZ)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://dagu.sh/
+
+APP="Dagu"
+var_tags="${var_tags:-automation;workflow;scheduler}"
+var_cpu="${var_cpu:-1}"
+var_ram="${var_ram:-512}"
+var_disk="${var_disk:-4}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-13}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+  header_info
+  check_container_storage
+  check_container_resources
+
+  if [[ ! -f /opt/dagu/dagu ]]; then
+    msg_error "No ${APP} Installation Found!"
+    exit
+  fi
+
+  if check_for_gh_release "dagu" "dagucloud/dagu"; then
+    msg_info "Stopping Service"
+    systemctl stop dagu
+    msg_ok "Stopped Service"
+
+    msg_info "Backing up Data"
+    cp -r /opt/dagu/data /opt/dagu_data_backup
+    msg_ok "Backed up Data"
+
+    fetch_and_deploy_gh_release "dagu" "dagucloud/dagu" "prebuild" "latest" "/opt/dagu" "dagu_*_linux_amd64.tar.gz"
+
+    msg_info "Restoring Data"
+    mkdir -p /opt/dagu/data
+    cp -r /opt/dagu_data_backup/. /opt/dagu/data
+    rm -rf /opt/dagu_data_backup
+    msg_ok "Restored Data"
+
+    msg_info "Starting Service"
+    systemctl start dagu
+    msg_ok "Started Service"
+    msg_ok "Updated successfully!"
+  fi
+  exit
+}
+
+start
+build_container
+description
+
+msg_ok "Completed Successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8080${CL}"

ct/ghost.sh

@@ -25,7 +25,7 @@ function update_script() {
   check_container_resources
 
   setup_mariadb
-  NODE_VERSION="22" setup_nodejs
+  NODE_VERSION="22" NODE_MODULE="pnpm" setup_nodejs
   ensure_dependencies git
 
   msg_info "Updating Ghost"

ct/headers/dagu

@@ -0,0 +1,6 @@
+    ____                   
+   / __ \____ _____ ___  __
+  / / / / __ `/ __ `/ / / /
+ / /_/ / /_/ / /_/ / /_/ / 
+/_____/\__,_/\__, /\__,_/  
+            /____/         

ct/headers/igotify

@@ -0,0 +1,6 @@
+    _ ______      __  _ ____     
+   (_) ____/___  / /_(_) __/_  __
+  / / / __/ __ \/ __/ / /_/ / / /
+ / / /_/ / /_/ / /_/ / __/ /_/ / 
+/_/\____/\____/\__/_/_/  \__, /  
+                        /____/   

ct/headers/step-ca

@@ -0,0 +1,6 @@
+         __                             
+   _____/ /____  ____        _________ _
+  / ___/ __/ _ \/ __ \______/ ___/ __ `/
+ (__  ) /_/  __/ /_/ /_____/ /__/ /_/ / 
+/____/\__/\___/ .___/      \___/\__,_/  
+             /_/                        

ct/igotify.sh

@@ -0,0 +1,63 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: pfassina
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/androidseb25/iGotify-Notification-Assistent
+
+APP="iGotify"
+var_tags="${var_tags:-notifications;gotify}"
+var_cpu="${var_cpu:-2}"
+var_ram="${var_ram:-2048}"
+var_disk="${var_disk:-4}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-13}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+  header_info
+  check_container_storage
+  check_container_resources
+
+  if [[ ! -d /opt/igotify ]]; then
+    msg_error "No iGotify Installation Found!"
+    exit
+  fi
+
+  if check_for_gh_release "igotify" "androidseb25/iGotify-Notification-Assistent"; then
+    msg_info "Stopping Service"
+    systemctl stop igotify
+    msg_ok "Stopped Service"
+
+    msg_info "Backing up Configuration"
+    cp /opt/igotify/.env /opt/igotify.env.bak
+    msg_ok "Backed up Configuration"
+
+    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "igotify" "androidseb25/iGotify-Notification-Assistent" "prebuild" "latest" "/opt/igotify" "iGotify-Notification-Service-amd64-v*.zip"
+
+    msg_info "Restoring Configuration"
+    cp /opt/igotify.env.bak /opt/igotify/.env
+    rm -f /opt/igotify.env.bak
+    msg_ok "Restored Configuration"
+
+    msg_info "Starting Service"
+    systemctl start igotify
+    msg_ok "Started Service"
+    msg_ok "Updated successfully!"
+  fi
+  exit
+}
+
+start
+build_container
+description
+
+msg_ok "Completed Successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}http://${IP}${CL}"

ct/jellyfin.sh

@@ -32,10 +32,16 @@ function update_script() {
   if ! grep -qEi 'ubuntu' /etc/os-release; then
     msg_info "Updating Intel Dependencies"
     rm -f ~/.intel-* || true
-    fetch_and_deploy_gh_release "intel-igc-core-2" "intel/intel-graphics-compiler" "binary" "latest" "" "intel-igc-core-2_*_amd64.deb"
+
-    fetch_and_deploy_gh_release "intel-igc-opencl-2" "intel/intel-graphics-compiler" "binary" "latest" "" "intel-igc-opencl-2_*_amd64.deb"
+    # Fetch compute-runtime first so /tmp/gh_rel.json is populated for IGC tag resolution
     fetch_and_deploy_gh_release "intel-libgdgmm12" "intel/compute-runtime" "binary" "latest" "" "libigdgmm12_*_amd64.deb"
     fetch_and_deploy_gh_release "intel-opencl-icd" "intel/compute-runtime" "binary" "latest" "" "intel-opencl-icd_*_amd64.deb"
+
+    local igc_tag
+    _resolve_igc_tag igc_tag
+
+    fetch_and_deploy_gh_release "intel-igc-core-2" "intel/intel-graphics-compiler" "binary" "$igc_tag" "" "intel-igc-core-2_*_amd64.deb"
+    fetch_and_deploy_gh_release "intel-igc-opencl-2" "intel/intel-graphics-compiler" "binary" "$igc_tag" "" "intel-igc-opencl-2_*_amd64.deb"
     msg_ok "Updated Intel Dependencies"
   fi
 

ct/litellm.sh

@@ -38,12 +38,18 @@ function update_script() {
 
   msg_info "Updating LiteLLM"
   $STD "$VENV_PATH/bin/python" -m pip install --upgrade litellm[proxy] prisma
+  $STD "$VENV_PATH/bin/prisma" generate
   msg_ok "LiteLLM updated"
 
   msg_info "Updating DB Schema"
-  $STD uv --directory=/opt/litellm run litellm --config /opt/litellm/litellm.yaml --use_prisma_db_push --skip_server_startup
+  $STD /opt/litellm/.venv/bin/litellm --config /opt/litellm/litellm.yaml --use_prisma_db_push --skip_server_startup
   msg_ok "DB Schema Updated"
 
+  msg_info "Updating Service"
+  sed -i 's|ExecStart=uv --directory=/opt/litellm run litellm|ExecStart=/opt/litellm/.venv/bin/litellm|' /etc/systemd/system/litellm.service
+  systemctl daemon-reload
+  msg_ok "Updated Service"
+
   msg_info "Starting Service"
   systemctl start litellm
   msg_ok "Started Service"

ct/semaphore.sh

@@ -29,40 +29,38 @@ function update_script() {
     exit
   fi
 
-  if [[ -f /opt/semaphore/semaphore_db.bolt ]]; then
-    msg_warn "WARNING: Due to bugs with BoltDB database, update script will move your application"
-    msg_warn "to use SQLite database instead. Unfortunately, this will reset your application and make it a fresh"
-    msg_warn "installation. All your data will be lost!"
-    echo ""
-    read -r -p "${TAB3}Do you want to continue? (y/N): " CONFIRM
-    if [[ ! "$CONFIRM" =~ ^[Yy]$ ]]; then
-      exit 0
-    else
-      msg_info "Moving from BoltDB to SQLite"
-      systemctl stop semaphore
-      rm -rf /opt/semaphore/semaphore_db.bolt
-      sed -i \
-        -e 's|"bolt": {|"sqlite": {|' \
-        -e 's|/semaphore_db.bolt"|/database.sqlite"|' \
-        -e '/semaphore_db.bolt/d' \
-        -e '/"dialect"/d' \
-        -e '/^  },$/a\  "dialect": "sqlite",' \
-        /opt/semaphore/config.json
-      SEM_PW=$(cat ~/semaphore.creds)
-      systemctl start semaphore
-      $STD semaphore user add --admin --login admin --email admin@community-scripts.org --name Administrator --password "${SEM_PW}" --config /opt/semaphore/config.json
-
-      msg_ok "Moved from BoltDB to SQLite"
-    fi
-  fi
-
   if check_for_gh_release "semaphore" "semaphoreui/semaphore"; then
+    if [[ -f /opt/semaphore/semaphore_db.bolt ]]; then
+      msg_warn "WARNING: Due to bugs with BoltDB database, update script will move your application"
+      msg_warn "to use SQLite database instead. Make sure you have a backup of your data!"
+      echo ""
+      read -r -p "${TAB3}Do you want to continue? (y/N): " CONFIRM
+      if [[ ! "$CONFIRM" =~ ^[Yy]$ ]]; then
+        exit 0
+      else
+        msg_info "Moving from BoltDB to SQLite"
+        sed -i \
+          -e 's|"bolt": {|"sqlite": {|' \
+          -e 's|/semaphore_db.bolt"|/database.sqlite"|' \
+          -e '/semaphore_db.bolt/d' \
+          -e '/"dialect"/d' \
+          -e '/^  },$/a\  "dialect": "sqlite",' \
+          /opt/semaphore/config.json
+        msg_ok "Moved from BoltDB to SQLite"
+      fi
+    fi
+
     msg_info "Stopping Service"
     systemctl stop semaphore
     msg_ok "Stopped Service"
 
     fetch_and_deploy_gh_release "semaphore" "semaphoreui/semaphore" "binary" "latest" "/opt/semaphore" "semaphore_*_linux_amd64.deb"
 
+    if [[ -f /opt/semaphore/semaphore_db.bolt ]]; then
+      $STD semaphore migrate --from-boltdb /opt/semaphore/semaphore_db.bolt --config /opt/semaphore/config.json
+      rm -f /opt/semaphore/semaphore_db.bolt
+    fi
+
     msg_info "Starting Service"
     systemctl start semaphore
     msg_ok "Started Service"

ct/step-ca.sh

@@ -0,0 +1,50 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: Joerg Heinemann (heinemannj)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/smallstep/certificates
+
+APP="step-ca"
+var_tags="${var_tags:-certificate-authority;pki;acme-server}"
+var_cpu="${var_cpu:-1}"
+var_ram="${var_ram:-512}"
+var_disk="${var_disk:-2}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-13}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+  header_info
+  check_container_storage
+  check_container_resources
+  if [[ ! -f /etc/apt/sources.list.d/smallstep.sources ]]; then
+    msg_error "No ${APP} Installation Found!"
+    exit
+  fi
+  msg_info "Updating step-ca and step-cli"
+  $STD apt update
+  $STD apt upgrade -y step-ca step-cli
+  $STD systemctl restart step-ca
+  msg_ok "Updated step-ca and step-cli"
+
+  if check_for_gh_release "step-badger" "lukasz-lobocki/step-badger"; then
+    fetch_and_deploy_gh_release "step-badger" "lukasz-lobocki/step-badger" "prebuild" "latest" "/opt/step-badger" "step-badger_Linux_x86_64.tar.gz"
+    msg_ok "Updated step-badger"
+  fi
+  exit
+}
+
+start
+build_container
+description
+
+msg_ok "Completed successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}https://${IP}/provisioners${CL}"

ct/umami.sh

@@ -33,7 +33,9 @@ function update_script() {
     systemctl stop umami
     msg_ok "Stopped Service"
 
-    fetch_and_deploy_gh_release "umami" "umami-software/umami" "tarball"
+    mv /opt/umami/.env /opt/.env.bak
+    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "umami" "umami-software/umami" "tarball"
+    mv /opt/.env.bak /opt/umami/.env
 
     msg_info "Updating Umami"
     cd /opt/umami

install/alpine-nextcloud-install.sh

@@ -137,6 +137,7 @@ EOF
 sed -i -e 's|memory_limit = 128M|memory_limit = 512M|; $aapc.enable_cli=1' /etc/php83/php.ini
 sed -i -e 's|upload_max_file_size = 2M|upload_max_file_size = 16G|' /etc/php83/php.ini
 sed -i -E '/^php_admin_(flag|value)\[opcache/s/^/;/' /etc/php83/php-fpm.d/nextcloud.conf
+sed -i -e 's| js;| mjs js;|' /etc/nginx/mime.types
 msg_ok "Installed Nextcloud"
 
 msg_info "Adding Additional Nextcloud Packages"

install/dagu-install.sh

@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk (CanbiZ)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://dagu.sh/
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+fetch_and_deploy_gh_release "dagu" "dagucloud/dagu" "prebuild" "latest" "/opt/dagu" "dagu_*_linux_amd64.tar.gz"
+
+msg_info "Setting up Dagu"
+mkdir -p /opt/dagu/data
+msg_ok "Set up Dagu"
+
+msg_info "Creating Service"
+cat <<EOF >/etc/systemd/system/dagu.service
+[Unit]
+Description=Dagu Workflow Engine
+After=network.target
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=/opt/dagu
+Environment=DAGU_HOME=/opt/dagu/data
+Environment=DAGU_HOST=0.0.0.0
+Environment=DAGU_PORT=8080
+ExecStart=/opt/dagu/dagu start-all
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable -q --now dagu
+msg_ok "Created Service"
+
+motd_ssh
+customize
+cleanup_lxc

install/ghost-install.sh

@@ -23,7 +23,7 @@ msg_ok "Installed Dependencies"
 
 setup_mariadb
 MARIADB_DB_NAME="ghost" MARIADB_DB_USER="ghostuser" setup_mariadb_db
-NODE_VERSION="22" setup_nodejs
+NODE_VERSION="22" NODE_MODULE="pnpm" setup_nodejs
 
 msg_info "Installing Ghost CLI"
 $STD npm install ghost-cli@latest -g

install/igotify-install.sh

@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: pfassina
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/androidseb25/iGotify-Notification-Assistent
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+msg_info "Installing Dependencies"
+setup_deb822_repo \
+  "microsoft" \
+  "https://packages.microsoft.com/keys/microsoft-2025.asc" \
+  "https://packages.microsoft.com/debian/13/prod/" \
+  "trixie" \
+  "main"
+$STD apt install -y aspnetcore-runtime-10.0
+msg_ok "Installed Dependencies"
+
+fetch_and_deploy_gh_release "igotify" "androidseb25/iGotify-Notification-Assistent" "prebuild" "latest" "/opt/igotify" "iGotify-Notification-Service-amd64-v*.zip"
+
+msg_info "Creating Service"
+cat <<EOF >/opt/igotify/.env
+ASPNETCORE_URLS=http://0.0.0.0:80
+ASPNETCORE_ENVIRONMENT=Production
+GOTIFY_DEFAULTUSER_PASS=
+GOTIFY_URLS=
+GOTIFY_CLIENT_TOKENS=
+SECNTFY_TOKENS=
+EOF
+cat <<EOF >/etc/systemd/system/igotify.service
+[Unit]
+Description=iGotify Notification Service
+After=network.target
+
+[Service]
+EnvironmentFile=/opt/igotify/.env
+WorkingDirectory=/opt/igotify
+ExecStart=/usr/bin/dotnet "/opt/igotify/iGotify Notification Assist.dll"
+Restart=always
+RestartSec=10
+KillSignal=SIGINT
+TimeoutStopSec=10
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable -q --now igotify
+msg_ok "Created Service"
+
+motd_ssh
+customize
+cleanup_lxc

install/litellm-install.sh

@@ -30,6 +30,7 @@ $STD uv venv --clear /opt/litellm/.venv
 $STD /opt/litellm/.venv/bin/python -m ensurepip --upgrade
 $STD /opt/litellm/.venv/bin/python -m pip install --upgrade pip
 $STD /opt/litellm/.venv/bin/python -m pip install litellm[proxy] prisma
+$STD /opt/litellm/.venv/bin/prisma generate
 msg_ok "Installed LiteLLM"
 
 msg_info "Configuring LiteLLM"
@@ -40,7 +41,7 @@ general_settings:
   database_url: postgresql://$PG_DB_USER:$PG_DB_PASS@127.0.0.1:5432/$PG_DB_NAME
   store_model_in_db: true
 EOF
-uv --directory=/opt/litellm run litellm --config /opt/litellm/litellm.yaml --use_prisma_db_push --skip_server_startup
+$STD /opt/litellm/.venv/bin/litellm --config /opt/litellm/litellm.yaml --use_prisma_db_push --skip_server_startup
 msg_ok "Configured LiteLLM"
 
 msg_info "Creating Service"
@@ -50,7 +51,7 @@ Description=LiteLLM
 
 [Service]
 Type=simple
-ExecStart=uv --directory=/opt/litellm run litellm --config /opt/litellm/litellm.yaml
+ExecStart=/opt/litellm/.venv/bin/litellm --config /opt/litellm/litellm.yaml
 Restart=always
 
 [Install]

install/step-ca-install.sh

@@ -0,0 +1,400 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: Joerg Heinemann (heinemannj)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/smallstep/certificates
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+setup_deb822_repo \
+  "smallstep" \
+  "https://packages.smallstep.com/keys/apt/repo-signing-key.gpg" \
+  "https://packages.smallstep.com/stable/debian" \
+  "debs" \
+  "main"
+
+msg_info "Installing step-ca and step-cli"
+$STD apt install -y step-ca step-cli
+
+STEPHOME="/root/.step"
+export STEPPATH=/etc/step-ca
+export STEPHOME=$STEPHOME
+
+sed  -i '1i export STEPPATH=/etc/step-ca' /etc/profile
+sed  -i '1i export STEPHOME=/root/.step' /etc/profile
+
+setcap CAP_NET_BIND_SERVICE=+eip $(which step-ca)
+
+$STD useradd --user-group --system --home $(step path) --shell /bin/false step
+msg_ok "Installed step-ca and step-cli"
+
+DomainName="$(hostname -d)"
+
+PKIName="$(prompt_input "Enter PKIName" "MyHomePKI" 30)"
+PKIProvisioner="$(prompt_input "Enter PKIProvisioner" "pki@$DomainName" 30)"
+AcmeProvisioner="$(prompt_input "Enter AcmeProvisioner" "acme@$DomainName" 30)"
+X509MinDur="$(prompt_input "Enter X509MinDur" "48h" 30)"
+X509MaxDur="$(prompt_input "Enter X509MaxDur" "87600h" 30)"
+X509DefaultDur="$(prompt_input "Enter X509DefaultDur" "168h" 30)"
+
+msg_info "Initializing step-ca"
+DeploymentType="standalone"
+FQDN="$(hostname -f)"
+IP="${LOCAL_IP}"
+LISTENER=":443"
+
+EncryptionPwdDir="$(step path)/encryption"
+PwdFile="$EncryptionPwdDir/ca.pwd"
+ProvisionerPwdFile="$EncryptionPwdDir/provisioner.pwd"
+mkdir -p "$EncryptionPwdDir"
+gpg -q --gen-random --armor 2 32 >"$PwdFile"
+gpg -q --gen-random --armor 2 32 >"$ProvisionerPwdFile"
+
+$STD step ca init --deployment-type="$DeploymentType" --ssh --name="$PKIName" --dns="$FQDN" --dns="$IP" --address="$LISTENER" --provisioner="$PKIProvisioner" --password-file="$PwdFile" --provisioner-password-file="$ProvisionerPwdFile"
+
+ln -s "$PwdFile" "$(step path)/password.txt"
+chown -R step:step $(step path)
+chmod -R 700 $(step path)
+$STD step ca provisioner add "$AcmeProvisioner" --type ACME --admin-name "$AcmeProvisioner"
+$STD step ca provisioner update "$PKIProvisioner" --x509-min-dur="$X509MinDur" --x509-max-dur="$X509MaxDur" --x509-default-dur="$X509DefaultDur" --allow-renewal-after-expiry
+$STD step ca provisioner update "$AcmeProvisioner" --x509-min-dur="$X509MinDur" --x509-max-dur="$X509MaxDur" --x509-default-dur="$X509DefaultDur" --allow-renewal-after-expiry
+$STD step certificate install --all $(step path)/certs/root_ca.crt
+$STD update-ca-certificates
+msg_ok "Initialized step-ca"
+
+msg_info "Start step-ca as a Daemon"
+cat <<'EOF' >/etc/systemd/system/step-ca.service
+[Unit]
+Description=step-ca service
+Documentation=https://smallstep.com/docs/step-ca
+Documentation=https://smallstep.com/docs/step-ca/certificate-authority-server-production
+After=network-online.target
+Wants=network-online.target
+StartLimitIntervalSec=30
+StartLimitBurst=3
+ConditionFileNotEmpty=/etc/step-ca/config/ca.json
+ConditionFileNotEmpty=/etc/step-ca/password.txt
+
+[Service]
+Type=simple
+User=step
+Group=step
+Environment=STEPPATH=/etc/step-ca
+WorkingDirectory=/etc/step-ca
+ExecStart=/usr/bin/step-ca config/ca.json --password-file password.txt
+ExecReload=/bin/kill -USR1 $MAINPID
+Restart=on-failure
+RestartSec=5
+TimeoutStopSec=30
+StartLimitAction=reboot
+
+; Process capabilities & privileges
+AmbientCapabilities=CAP_NET_BIND_SERVICE
+CapabilityBoundingSet=CAP_NET_BIND_SERVICE
+SecureBits=keep-caps
+NoNewPrivileges=yes
+
+; Sandboxing
+SystemCallArchitectures=native
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources @privileged
+RestrictNamespaces=yes
+LockPersonality=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictSUIDSGID=yes
+PrivateMounts=yes
+ProtectControlGroups=yes
+ProtectKernelModules=yes
+ProtectKernelTunables=yes
+ProtectSystem=strict
+ProtectHome=yes
+ReadWritePaths=/etc/step-ca/db
+
+; Read only paths
+ReadOnlyPaths=/etc/step-ca
+
+[Install]
+WantedBy=multi-user.target
+EOF
+$STD systemctl enable -q --now step-ca
+msg_ok "Started step-ca as a Daemon"
+
+fetch_and_deploy_gh_release "step-badger" "lukasz-lobocki/step-badger" "prebuild" "latest" "/opt/step-badger" "step-badger_Linux_x86_64.tar.gz"
+ln -s /opt/step-badger/step-badger /usr/local/bin/step-badger
+
+msg_info "Install step-ca Admin script"
+mkdir -p "$STEPHOME"
+cat <<'ADDON_EOF' >"$STEPHOME/step-ca-admin.sh"
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: Joerg Heinemann (heinemannj)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+
+function header_info() {
+  clear
+  cat <<"EOF"
+         __                                 ___       __          _     
+   _____/ /____  ____        _________ _   /   | ____/ /___ ___  (_)___ 
+  / ___/ __/ _ \/ __ \______/ ___/ __ `/  / /| |/ __  / __ `__ \/ / __ \
+ (__  ) /_/  __/ /_/ /_____/ /__/ /_/ /  / ___ / /_/ / / / / / / / / / /
+/____/\__/\___/ .___/      \___/\__,_/  /_/  |_\__,_/_/ /_/ /_/_/_/ /_/ 
+             /_/                                                            
+
+EOF
+}
+
+function die() {
+  echo -e "\n${BL}[ERROR]${GN} ${RD}${1}${CL}\n"
+  exit
+}
+
+function success() {
+  echo -e "${BL}[SUCCESS]${GN} ${1}${CL}\n"
+  exit
+}
+
+function whiptail_menu() {
+  MENU_ARRAY=()
+  MSG_MAX_LENGTH=0
+  while read -r TAG ITEM; do
+    OFFSET=2
+    ((${#ITEM} + OFFSET > MSG_MAX_LENGTH)) && MSG_MAX_LENGTH=${#ITEM}+OFFSET
+    MENU_ARRAY+=("$TAG" "$ITEM " "OFF")
+  done < <(echo "$1")
+}
+
+function x509_list() {
+  CERT_LIST=""
+  cp --recursive --force "$(step path)/db/"* "$STEPHOME/db-copy/"
+  cp --recursive --force "$(step path)/certs/"* "$STEPHOME/certs/ca/"
+  if [[ $(step-badger x509Certs "${STEPHOME}/db-copy" 2>/dev/null) ]]; then
+    CERT_LIST=$(step-badger x509Certs ${STEPHOME}/db-copy 2>/dev/null)
+  fi
+}
+
+function ssh_list() {
+  CERT_LIST=""
+  cp --recursive --force "$(step path)/db/"* "$STEPHOME/db-copy/"
+  cp --recursive --force "$(step path)/certs/"* "$STEPHOME/certs/ca/"
+  if [[ $(step-badger sshCerts "${STEPHOME}/db-copy" 2>/dev/null) ]]; then
+    CERT_LIST=$(step-badgersshCerts ${STEPHOME}/db-copy 2>/dev/null)
+  fi
+}
+
+function x509_serial_to_cn() {
+  x509_list
+  CN="$(echo "${CERT_LIST}" | grep "${SERIAL_NUMBER}" | awk '{print $2}' | sed 's/CN=//g')"
+  CRT="$STEPHOME/certs/x509/$CN.crt"
+  KEY="$STEPHOME/certs/x509/$CN.key"
+  if ! [[ -f ${CRT} ]]; then
+    die "Certificate ${CRT} not found!"
+  elif ! [[ -f ${KEY} ]]; then
+    die "Private Key ${KEY} not found!"
+  fi
+}
+
+function x509_revoke() {
+  # shellcheck disable=SC2206
+  SERIAL_NUMBER_ARRAY=(${CERT_SERIAL_NUMBERS})
+  for SERIAL_NUMBER in "${SERIAL_NUMBER_ARRAY[@]}"; do
+    echo -e "${BL}[Info]${GN} Revoke x509 Certificate with Serial Number ${BL}${SERIAL_NUMBER}${GN}:${CL}"
+    echo
+    TOKEN=$(step ca token --provisioner="$PROVISIONER" --provisioner-password-file="$PROVISIONER_PASSWORD" --revoke "${SERIAL_NUMBER}")
+    step ca revoke --token "$TOKEN" "${SERIAL_NUMBER}" || die "Failed to revoke certificate!"
+    echo
+  done
+  success "Finished."
+}
+
+function x509_renew() {
+  # shellcheck disable=SC2206
+  SERIAL_NUMBER_ARRAY=(${CERT_SERIAL_NUMBERS})
+  for SERIAL_NUMBER in "${SERIAL_NUMBER_ARRAY[@]}"; do
+    echo -e "${BL}[Info]${GN} Renew x509 Certificate with Serial Number ${BL}${SERIAL_NUMBER}${GN}:${CL}"
+    echo
+    x509_serial_to_cn
+    step ca renew "${CRT}" "${KEY}" --force || die "Failed to renew certificate!"
+    echo
+  done
+  success "Finished."
+}
+
+function x509_inspect() {
+  # shellcheck disable=SC2206
+  SERIAL_NUMBER_ARRAY=(${CERT_SERIAL_NUMBERS})
+  for SERIAL_NUMBER in "${SERIAL_NUMBER_ARRAY[@]}"; do
+    echo -e "${BL}[Info]${GN} Inspect x509 Certificate with Serial Number ${BL}${SERIAL_NUMBER}${GN}:${CL}\n"
+    x509_serial_to_cn
+    step certificate inspect "${CRT}" || die "Failed to inspect certificate!"
+    if ! [[ $(step certificate inspect "${CRT}" | grep "${SERIAL_NUMBER}") ]]; then
+      die "Serial Number ${SERIAL_NUMBER} mismatch!"
+    fi
+    echo -e "\n${BL}[Info]${GN} Public Key:${CL}\n"
+    cat "${CRT}"
+    echo -e "\n${BL}[Info]${GN} Private Key:${CL}\n"
+    cat "${KEY}"
+    echo
+  done
+  success "Finished."
+}
+
+function x509_request() {
+  FQDN=""
+  SAN=""
+
+  while true; do
+    FQDN=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox '\nFQDN (e.g. MyLXC.example.com)' 10 50 "$FQDN" 3>&1 1>&2 2>&3)
+    IP=$(dig +short "$FQDN")
+    if [[ -z "$IP" ]]; then
+      die "Resolution failed for $FQDN!"
+    fi
+    HOST=$(echo "$FQDN" | awk -F'.' '{print $1}')
+    IP=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox '\nIP Address (e.g. x.x.x.x)' 10 50 "$IP" 3>&1 1>&2 2>&3)
+    HOST=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox '\nHostname (e.g. MyHostName)' 10 50 "$HOST" 3>&1 1>&2 2>&3)
+    SAN=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox '\nSubject Alternative Name(s) (SAN) (e.g. myapp-1.example.com, myapp-2.example.com)' 10 50 "$SAN" 3>&1 1>&2 2>&3)
+    VALID_TO=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox '\nValidity (e.g. 2034-01-31T00:00:00Z)' 10 50 "2034-01-31T00:00:00Z" 3>&1 1>&2 2>&3)
+
+    # shellcheck disable=SC2034
+    if whiptail_yesno=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --yesno "Continue with below?\n
+      FQDN: $FQDN
+      Hostname: $HOST
+      IP Address: $IP
+      Subject Alternative Name(s) (SAN): $SAN
+      Validity: $VALID_TO" --no-button "Change" --yes-button "Continue" 15 70 3>&1 1>&2 2>&3); then
+      break
+    fi
+  done
+
+  echo -e "${BL}[Info]${GN} Request x509 Certificate with subject ${BL}${FQDN}${GN}:${CL}"
+  echo
+  CRT="$STEPHOME/certs/x509/$FQDN.crt"
+  KEY="$STEPHOME/certs/x509/$FQDN.key"
+
+  SAN="$FQDN, $HOST, $IP, $SAN"
+
+  IFS=', ' read -r -a array <<< "$SAN"
+  for element in "${array[@]}"
+  do
+    SAN_ARRAY+=(--san "$element")
+  done
+
+  step ca certificate "$FQDN" "$CRT" "$KEY" \
+    --provisioner="$PROVISIONER" \
+    --provisioner-password-file="$PROVISIONER_PASSWORD" \
+    --not-after="$VALID_TO" \
+    "${SAN_ARRAY[@]}" \
+  || die "Failed to request certificate!"
+
+  echo -e "\n${BL}[Info]${GN} Inspect Certificate:${CL}\n"
+  step certificate inspect "${CRT}" || die "Failed to inspect certificate!"
+  echo -e "\n${BL}[Info]${GN} Public Key:${CL}\n"
+  cat "${CRT}"
+  echo -e "\n${BL}[Info]${GN} Private Key:${CL}\n"
+  cat "${KEY}"
+  echo
+  success "Finished."
+}
+
+set -eEuo pipefail
+# shellcheck disable=SC2034
+# shellcheck disable=SC2116
+# shellcheck disable=SC2028
+YW=$(echo "\033[33m")
+# shellcheck disable=SC2116
+# shellcheck disable=SC2028
+BL=$(echo "\033[36m")
+# shellcheck disable=SC2116
+# shellcheck disable=SC2028
+RD=$(echo "\033[01;31m")
+# shellcheck disable=SC2034
+CM='\xE2\x9C\x94\033'
+# shellcheck disable=SC2116
+# shellcheck disable=SC2028
+GN=$(echo "\033[1;92m")
+# shellcheck disable=SC2116
+# shellcheck disable=SC2028
+CL=$(echo "\033[m")
+
+# Telemetry
+# shellcheck disable=SC1090
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/api.func) 2>/dev/null || true
+declare -f init_tool_telemetry &>/dev/null && init_tool_telemetry "step-ca-admin" "step-ca"
+
+header_info
+
+mkdir --parents "$STEPHOME/db-copy/"
+mkdir --parents "$STEPHOME/certs/ca/_archive/"
+mkdir --parents "$STEPHOME/certs/ssh/_archive/"
+mkdir --parents "$STEPHOME/certs/x509/_archive/"
+
+PROVISIONER=$(jq '.authority.provisioners.[] | select(.type=="JWK") | .name' "$(step path)"/config/ca.json)
+PROVISIONER="${PROVISIONER#\"}"
+PROVISIONER="${PROVISIONER%\"}"
+PROVISIONER_PASSWORD=$(step path)/encryption/provisioner.pwd
+
+whiptail --backtitle "Proxmox VE Helper Scripts" --title "step-ca Admin" --yesno "This will maintain step-ca issued x509 and ssh Certificates. Proceed?" 10 58
+
+MENU_ARRAY=("x509" "Maintain x509 Certificates." "ON")
+MENU_ARRAY+=("ssh" "Maintain ssh Certificates." "OFF")
+CERT_TYPE=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step-ca Admin" --radiolist "\nSelect Certificate Type:" 16 48 6 "${MENU_ARRAY[@]}" 3>&1 1>&2 2>&3 | tr -d '"')
+
+[[ -z ${CERT_TYPE} ]] && die "No Certificate Type selected!"
+
+case ${CERT_TYPE} in
+("x509")
+  x509_list
+  CERT_LIST=$(echo "$CERT_LIST" | awk 'NR>1 {print $1 " " $2 "|" $3 "|" $4 "|" $5}')
+  if [[ $CERT_LIST ]]; then
+    whiptail_menu "$CERT_LIST"
+  else
+    MENU_ARRAY=()
+    MSG_MAX_LENGTH=2
+  fi
+  MENU_ARRAY+=("" "Create a new Certificate" "OFF")
+  CERT_SERIAL_NUMBERS=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificates on $(hostname)" --checklist "\nSelect Certificate(s) to maintain:\n" 16 $((MSG_MAX_LENGTH + 55)) 6 "${MENU_ARRAY[@]}" 3>&1 1>&2 2>&3 | tr -d '"')
+
+  [[ -z ${CERT_SERIAL_NUMBERS} ]] && x509_request
+  
+  MENU_ARRAY=("Renew" "Renew x509 Certificates." "ON")
+  MENU_ARRAY+=("Revoke" "Revoke x509 Certificates." "OFF")
+  MENU_ARRAY+=("Inspect" "Inspect x509 Certificates." "OFF")
+  CERT_MAINTENANCE=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step-ca Admin" --radiolist "\nSelect Maintenance Type:" 16 48 6 "${MENU_ARRAY[@]}" 3>&1 1>&2 2>&3 | tr -d '"')
+
+  case ${CERT_MAINTENANCE} in
+  ("Renew")
+    x509_renew "${CERT_SERIAL_NUMBERS[@]}"
+    ;;
+  ("Revoke")
+    x509_revoke "${CERT_SERIAL_NUMBERS[@]}"
+    ;;
+  ("Inspect")
+    x509_inspect "${CERT_SERIAL_NUMBERS[@]}"
+    ;;
+  *)
+    die "Unsupported CERT_MAINTENANCE Option!"
+    ;;
+  esac
+  ;;
+("ssh")
+  die "Maintain ssh Certificates - To be implemented in future"
+  ;;
+*)
+  die "Unsupported CERT_TYPE Option!"
+  ;;
+esac
+ADDON_EOF
+chmod 700 "$STEPHOME/step-ca-admin.sh"
+msg_ok "Installed step-ca Admin script"
+
+motd_ssh
+customize
+cleanup_lxc

misc/api.func

@@ -344,21 +344,36 @@ explain_exit_code() {
 # - Escapes a string for safe JSON embedding
 # - Strips ANSI escape sequences and non-printable control characters
 # - Handles backslashes, quotes, newlines, tabs, and carriage returns
+# - Uses jq when available (guaranteed correct), falls back to awk
 # ------------------------------------------------------------------------------
 json_escape() {
-  # Escape a string for safe JSON embedding using awk (handles any input size).
+  local input
-  # Pipeline: strip ANSI → remove control chars → escape \ " TAB → join lines with \n
+  # Pipeline: strip ANSI → remove control chars → escape for JSON
-  printf '%s' "$1" |
+  input=$(printf '%s' "$1" |
     sed 's/\x1b\[[0-9;]*[a-zA-Z]//g' |
-    tr -d '\000-\010\013\014\016-\037\177\r' |
+    tr -d '\000-\010\013\014\016-\037\177\r')
+
+  # Prefer jq: guaranteed correct JSON string encoding (handles all edge cases)
+  if command -v jq &>/dev/null; then
+    # jq -Rs reads raw stdin as string, outputs JSON-encoded string with quotes.
+    # We strip the surrounding quotes since the heredoc adds them.
+    printf '%s' "$input" | jq -Rs '.' | sed 's/^"//;s/"$//'
+    return
+  fi
+
+  # Fallback: character-by-character processing with awk (avoids gsub replacement pitfalls)
+  printf '%s' "$input" |
     awk '
-        BEGIN { ORS = "" }
+        BEGIN { ORS="" }
         {
-          gsub(/\\/, "\\\\")   # backslash → \\
+          if (NR > 1) printf "%s", "\\n"
-          gsub(/"/, "\\\"")    # double quote → \"
+          for (i = 1; i <= length($0); i++) {
-          gsub(/\t/, "\\t")   # tab → \t
+            c = substr($0, i, 1)
-          if (NR > 1) printf "\\n"
+            if (c == "\\") printf "%s", "\\\\"
-          printf "%s", $0
+            else if (c == "\"") printf "%s", "\\\""
+            else if (c == "\t") printf "%s", "\\t"
+            else printf "%s", c
+          }
         }'
 }
 

misc/build.func

@@ -979,7 +979,6 @@ base_settings() {
   fi
 
   IPV6_METHOD=${var_ipv6_method:-"none"}
-  IPV6_STATIC=${var_ipv6_static:-""}
   GATE=${var_gateway:-""}
   APT_CACHER=${var_apt_cacher:-""}
   APT_CACHER_IP=${var_apt_cacher_ip:-""}
@@ -1015,8 +1014,12 @@ base_settings() {
   VLAN=${var_vlan:-""}
   SSH=${var_ssh:-"no"}
   SSH_AUTHORIZED_KEY=${var_ssh_authorized_key:-""}
-  UDHCPC_FIX=${var_udhcpc_fix:-""}
+  # Build TAGS: ensure community-script prefix, use semicolons (pct format), no duplicates
-  TAGS="community-script,${var_tags:-}"
+  if [[ "${var_tags:-}" == *community-script* ]]; then
+    TAGS="${var_tags:-community-script}"
+  else
+    TAGS="community-script${var_tags:+;${var_tags}}"
+  fi
   ENABLE_FUSE=${var_fuse:-"${1:-no}"}
   ENABLE_TUN=${var_tun:-"${1:-no}"}
 
@@ -1025,6 +1028,7 @@ base_settings() {
   ENABLE_NESTING=${var_nesting:-"1"}
   ENABLE_KEYCTL=${var_keyctl:-"0"}
   ENABLE_MKNOD=${var_mknod:-"0"}
+  ALLOW_MOUNT_FS=${var_mount_fs:-""}
   PROTECT_CT=${var_protection:-"no"}
   CT_TIMEZONE=${var_timezone:-"$timezone"}
   [[ "${CT_TIMEZONE:-}" == Etc/* ]] && CT_TIMEZONE="host" # pct doesn't accept Etc/* zones
@@ -1203,6 +1207,22 @@ load_vars_file() {
             continue
           fi
           ;;
+        var_mknod)
+          if [[ "$var_val" != "0" && "$var_val" != "1" ]]; then
+            msg_warn "Invalid mknod value '$var_val' in $file (must be 0 or 1), ignoring"
+            continue
+          fi
+          ;;
+        var_mount_fs)
+          # Normalize: strip spaces, trailing commas
+          var_val="${var_val// /}"
+          var_val="${var_val%%,}"
+          var_val="${var_val##,}"
+          if [[ -n "$var_val" ]] && [[ ! "$var_val" =~ ^[a-zA-Z0-9]+(,[a-zA-Z0-9]+)*$ ]]; then
+            msg_warn "Invalid mount_fs value '$var_val' in $file (comma-separated fs names only, e.g. nfs,cifs), ignoring"
+            continue
+          fi
+          ;;
         var_ipv6_method)
           if [[ "$var_val" != "auto" && "$var_val" != "dhcp" && "$var_val" != "static" && "$var_val" != "none" ]]; then
             msg_warn "Invalid IPv6 method '$var_val' in $file (must be auto/dhcp/static/none), ignoring"
@@ -1428,10 +1448,10 @@ get_app_defaults_path() {
 if ! declare -p VAR_WHITELIST >/dev/null 2>&1; then
   # Note: Removed var_ctid (can only exist once), var_ipv6_static (static IPs are unique)
   declare -ag VAR_WHITELIST=(
-    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_github_token var_gpu
+    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_github_token var_gpu var_keyctl
-    var_gateway var_hostname var_ipv6_method var_mac var_mtu
+    var_gateway var_hostname var_ipv6_method var_mac var_mknod var_mount_fs var_mtu
-    var_net var_ns var_os var_pw var_ram var_tags var_tun var_unprivileged
+    var_net var_nesting var_ns var_os var_protection var_pw var_ram var_tags var_timezone var_tun var_unprivileged
-    var_verbose var_version var_vlan var_ssh var_ssh_authorized_key var_container_storage var_template_storage
+    var_verbose var_version var_vlan var_ssh var_ssh_authorized_key var_container_storage var_template_storage var_searchdomain
   )
 fi
 
@@ -1781,7 +1801,12 @@ advanced_settings() {
   trap 'tput rmcup 2>/dev/null || true' RETURN
 
   # Initialize defaults
-  TAGS="community-script;${var_tags:-}"
+  # Build TAGS: ensure community-script prefix, use semicolons (pct format), no duplicates
+  if [[ "${var_tags:-}" == *community-script* ]]; then
+    TAGS="${var_tags:-community-script}"
+  else
+    TAGS="community-script${var_tags:+;${var_tags}}"
+  fi
   local STEP=1
   local MAX_STEP=28
 
@@ -2518,6 +2543,13 @@ advanced_settings() {
     # STEP 22: Keyctl Support (Docker/systemd)
     # ═══════════════════════════════════════════════════════════════════════════
     22)
+      # Keyctl is always required for unprivileged containers — skip dialog
+      if [[ "$_ct_type" == "1" ]]; then
+        _enable_keyctl="1"
+        ((STEP++))
+        continue
+      fi
+
       local keyctl_default_flag="--defaultno"
       [[ "$_enable_keyctl" == "1" ]] && keyctl_default_flag=""
 
@@ -2525,7 +2557,7 @@ advanced_settings() {
         --title "KEYCTL SUPPORT" \
         --ok-button "Next" --cancel-button "Back" \
         $keyctl_default_flag \
-        --yesno "\nEnable Keyctl support?\n\nRequired for: Docker containers, systemd-networkd,\nand kernel keyring operations.\n\nNote: Automatically enabled for unprivileged containers.\n\n(App default: ${var_keyctl:-0})" 16 62; then
+        --yesno "\nEnable Keyctl support?\n\nRequired for: Docker containers, systemd-networkd,\nand kernel keyring operations.\n\n(App default: ${var_keyctl:-0})" 14 62; then
         _enable_keyctl="1"
       else
         if [ $? -eq 1 ]; then
@@ -2655,6 +2687,10 @@ advanced_settings() {
         --ok-button "Next" --cancel-button "Back" \
         --inputbox "\nAllow specific filesystem mounts.\n\nComma-separated list: nfs, cifs, fuse, ext4, etc.\nLeave empty for defaults (none).\n\nCurrent: $mount_hint" 14 62 "$_mount_fs" \
         3>&1 1>&2 2>&3); then
+        # Normalize: strip spaces and trailing/leading commas
+        result="${result// /}"
+        result="${result%%,}"
+        result="${result##,}"
         _mount_fs="$result"
         ((STEP++))
       else
@@ -2711,6 +2747,7 @@ Network:
 Features:
   FUSE: $_enable_fuse | TUN: $_enable_tun
   Nesting: $nesting_desc | Keyctl: $keyctl_desc
+  Mknod: $([ "$_enable_mknod" == "1" ] && echo Enabled || echo Disabled) | Mount FS: ${_mount_fs:-(none)}
   GPU: $_enable_gpu | Protection: $protect_desc
 
 Advanced:
@@ -2780,13 +2817,6 @@ Advanced:
   [[ -n "$_mac" ]] && MAC=",hwaddr=$_mac" || MAC=""
   [[ -n "$_vlan" ]] && VLAN=",tag=$_vlan" || VLAN=""
 
-  # Alpine UDHCPC fix
-  if [ "$var_os" == "alpine" ] && [ "$NET" == "dhcp" ] && [ -n "$_ns" ]; then
-    UDHCPC_FIX="yes"
-  else
-    UDHCPC_FIX="no"
-  fi
-  export UDHCPC_FIX
   export SSH_KEYS_FILE
 
   # Exit alternate screen buffer before showing summary (so output remains visible)
@@ -2811,6 +2841,8 @@ Advanced:
   echo -e "${CONTAINERTYPE}${BOLD}${DGN}Nesting: ${BGN}$([ "${ENABLE_NESTING:-1}" == "1" ] && echo "Enabled" || echo "Disabled")${CL}"
   [[ "${ENABLE_KEYCTL:-0}" == "1" ]] && echo -e "${CONTAINERTYPE}${BOLD}${DGN}Keyctl: ${BGN}Enabled${CL}"
   echo -e "${GPU}${BOLD}${DGN}GPU Passthrough: ${BGN}${ENABLE_GPU:-no}${CL}"
+  [[ "${ENABLE_MKNOD:-0}" == "1" ]] && echo -e "${CONTAINERTYPE}${BOLD}${DGN}Mknod: ${BGN}Enabled${CL}"
+  [[ -n "${ALLOW_MOUNT_FS:-}" ]] && echo -e "${CONTAINERTYPE}${BOLD}${DGN}Mount FS: ${BGN}${ALLOW_MOUNT_FS}${CL}"
   [[ "${PROTECT_CT:-no}" == "yes" || "${PROTECT_CT:-no}" == "1" ]] && echo -e "${CONTAINERTYPE}${BOLD}${DGN}Protection: ${BGN}Enabled${CL}"
   [[ -n "${CT_TIMEZONE:-}" ]] && echo -e "${INFO}${BOLD}${DGN}Timezone: ${BGN}$CT_TIMEZONE${CL}"
   [[ "$APT_CACHER" == "yes" ]] && echo -e "${INFO}${BOLD}${DGN}APT Cacher: ${BGN}$APT_CACHER_IP${CL}"
@@ -2833,6 +2865,8 @@ Advanced:
   log_msg "IPv6: $IPV6_METHOD"
   log_msg "FUSE Support: ${ENABLE_FUSE:-no}"
   log_msg "Nesting: $([ "${ENABLE_NESTING:-1}" == "1" ] && echo "Enabled" || echo "Disabled")"
+  log_msg "Mknod: $([ "${ENABLE_MKNOD:-0}" == "1" ] && echo "Enabled" || echo "Disabled")"
+  [[ -n "${ALLOW_MOUNT_FS:-}" ]] && log_msg "Mount FS: ${ALLOW_MOUNT_FS}"
   log_msg "GPU Passthrough: ${ENABLE_GPU:-no}"
   log_msg "Verbose Mode: $VERBOSE"
   log_msg "Session ID: ${SESSION_ID}"
@@ -3612,6 +3646,26 @@ build_container() {
     FEATURES="${FEATURES}fuse=1"
   fi
 
+  # Mknod support (user configurable via advanced settings)
+  if [ "${ENABLE_MKNOD:-0}" == "1" ]; then
+    [ -n "$FEATURES" ] && FEATURES="$FEATURES,"
+    FEATURES="${FEATURES}mknod=1"
+  fi
+
+  # Mount filesystem types (user configurable via advanced settings)
+  if [ -n "${ALLOW_MOUNT_FS:-}" ]; then
+    # Sanitize: strip spaces, trailing/leading commas, then convert commas to semicolons
+    local _mount_clean="${ALLOW_MOUNT_FS// /}"
+    _mount_clean="${_mount_clean%%,}"
+    _mount_clean="${_mount_clean##,}"
+    _mount_clean="${_mount_clean%%;}"  
+    _mount_clean="${_mount_clean//,/;}"
+    if [ -n "$_mount_clean" ]; then
+      [ -n "$FEATURES" ] && FEATURES="$FEATURES,"
+      FEATURES="${FEATURES}mount=${_mount_clean}"
+    fi
+  fi
+
   # Build PCT_OPTIONS as string for export
   local _func_url
   if [ "$var_os" == "alpine" ]; then
@@ -5751,6 +5805,9 @@ create_lxc_container() {
   msg_debug "Logfile: $LOGFILE"
 
   # First attempt (PCT_OPTIONS is a multi-line string, use it directly)
+  # Disable globbing: unquoted $PCT_OPTIONS needs word-splitting but must not glob-expand
+  # (e.g. passwords containing * or ? would match filenames otherwise)
+  set -f
   if ! pct create "$CTID" "${TEMPLATE_STORAGE}:vztmpl/${TEMPLATE}" $PCT_OPTIONS >"$LOGFILE" 2>&1; then
     msg_debug "Container creation failed on ${TEMPLATE_STORAGE}. Checking error..."
 
@@ -5858,6 +5915,7 @@ create_lxc_container() {
       fi
     fi # close CTID collision else-branch
   fi
+  set +f  # re-enable globbing after pct create block
 
   # Verify container exists (allow up to 10s for pmxcfs sync in clusters)
   local _pct_visible=false

misc/tools.func

@@ -1139,39 +1139,42 @@ validate_github_token() {
     -H "Authorization: Bearer $token" \
     -H "Accept: application/vnd.github+json" \
     -H "X-GitHub-Api-Version: 2022-11-28" \
-    "https://api.github.com/user" 2>/dev/null) || { rm -f "$headers"; return 3; }
+    "https://api.github.com/user" 2>/dev/null) || {
+    rm -f "$headers"
+    return 3
+  }
   http_code="$response"
 
   # Read expiry header (fine-grained PATs carry this)
-  expiry_date=$(grep -i '^github-authentication-token-expiration:' "$headers" \
+  expiry_date=$(grep -i '^github-authentication-token-expiration:' "$headers" |
-    | sed 's/.*: *//' | tr -d '\r\n' || true)
+    sed 's/.*: *//' | tr -d '\r\n' || true)
   # Read token scopes (classic PATs)
-  scopes=$(grep -i '^x-oauth-scopes:' "$headers" \
+  scopes=$(grep -i '^x-oauth-scopes:' "$headers" |
-    | sed 's/.*: *//' | tr -d '\r\n' || true)
+    sed 's/.*: *//' | tr -d '\r\n' || true)
   rm -f "$headers"
 
   case "$http_code" in
-    200)
+  200)
-      if [[ -n "$expiry_date" ]]; then
+    if [[ -n "$expiry_date" ]]; then
-        msg_ok "GitHub token is valid (expires: $expiry_date)."
+      msg_ok "GitHub token is valid (expires: $expiry_date)."
-      else
+    else
-        msg_ok "GitHub token is valid (no expiry / fine-grained PAT)."
+      msg_ok "GitHub token is valid (no expiry / fine-grained PAT)."
-      fi
+    fi
-      # Warn if classic PAT has no public_repo scope
+    # Warn if classic PAT has no public_repo scope
-      if [[ -n "$scopes" && "$scopes" != *"public_repo"* && "$scopes" != *"repo"* ]]; then
+    if [[ -n "$scopes" && "$scopes" != *"public_repo"* && "$scopes" != *"repo"* ]]; then
-        msg_warn "Token has no 'public_repo' scope - private repos and some release APIs may fail."
+      msg_warn "Token has no 'public_repo' scope - private repos and some release APIs may fail."
-        return 2
+      return 2
-      fi
+    fi
-      return 0
+    return 0
-      ;;
+    ;;
-    401)
+  401)
-      msg_error "GitHub token is invalid or expired (HTTP 401)."
+    msg_error "GitHub token is invalid or expired (HTTP 401)."
-      return 1
+    return 1
-      ;;
+    ;;
-    *)
+  *)
-      msg_warn "GitHub token validation returned HTTP $http_code - treating as valid."
+    msg_warn "GitHub token validation returned HTTP $http_code - treating as valid."
-      return 0
+    return 0
-      ;;
+    ;;
   esac
 }
 
@@ -4604,6 +4607,23 @@ function setup_hwaccel() {
   msg_ok "Setup Hardware Acceleration"
 }
 
+# ══════════════════════════════════════════════════════════════════════════════
+# Resolve the IGC tag that the latest compute-runtime was built against.
+# Must be called AFTER a fetch_and_deploy_gh_release for intel/compute-runtime
+# so that /tmp/gh_rel.json contains the compute-runtime release metadata.
+# Sets the variable named by $1 (default: igc_tag) to the discovered tag.
+# ══════════════════════════════════════════════════════════════════════════════
+_resolve_igc_tag() {
+  local -n _out_ref="${1:-igc_tag}"
+  _out_ref="latest"
+  if [[ -f /tmp/gh_rel.json ]]; then
+    local _body _parsed
+    _body=$(jq -r '.body // empty' /tmp/gh_rel.json 2>/dev/null) || return 0
+    _parsed=$(grep -oP 'intel-graphics-compiler/releases/tag/\K[^\s\)]+' <<<"$_body" | head -1)
+    [[ -n "$_parsed" ]] && _out_ref="$_parsed"
+  fi
+}
+
 # ══════════════════════════════════════════════════════════════════════════════
 # Intel Arc GPU Setup
 # ══════════════════════════════════════════════════════════════════════════════
@@ -4630,12 +4650,17 @@ _setup_intel_arc() {
     if [[ "$os_codename" == "trixie" || "$os_codename" == "sid" ]]; then
       msg_info "Fetching Intel compute-runtime from GitHub for Arc support"
 
+      # Fetch a compute-runtime package first so /tmp/gh_rel.json is populated,
+      # then resolve the matching IGC tag from the release notes.
       # libigdgmm - bundled in compute-runtime releases
       fetch_and_deploy_gh_release "libigdgmm12" "intel/compute-runtime" "binary" "latest" "" "libigdgmm12_*_amd64.deb" || true
 
-      # Intel Graphics Compiler (note: packages have -2 suffix)
+      local igc_tag
-      fetch_and_deploy_gh_release "intel-igc-core" "intel/intel-graphics-compiler" "binary" "latest" "" "intel-igc-core-2_*_amd64.deb" || true
+      _resolve_igc_tag igc_tag
-      fetch_and_deploy_gh_release "intel-igc-opencl" "intel/intel-graphics-compiler" "binary" "latest" "" "intel-igc-opencl-2_*_amd64.deb" || true
+
+      # Intel Graphics Compiler – pinned to the version compute-runtime expects
+      fetch_and_deploy_gh_release "intel-igc-core" "intel/intel-graphics-compiler" "binary" "$igc_tag" "" "intel-igc-core-2_*_amd64.deb" || true
+      fetch_and_deploy_gh_release "intel-igc-opencl" "intel/intel-graphics-compiler" "binary" "$igc_tag" "" "intel-igc-opencl-2_*_amd64.deb" || true
 
       # Compute Runtime (depends on IGC and gmmlib)
       fetch_and_deploy_gh_release "intel-opencl-icd" "intel/compute-runtime" "binary" "latest" "" "intel-opencl-icd_*_amd64.deb" || true
@@ -4685,12 +4710,17 @@ _setup_intel_modern() {
     if [[ "$os_codename" == "trixie" || "$os_codename" == "sid" ]]; then
       msg_info "Fetching Intel compute-runtime from GitHub"
 
+      # Fetch a compute-runtime package first so /tmp/gh_rel.json is populated,
+      # then resolve the matching IGC tag from the release notes.
       # libigdgmm first (bundled in compute-runtime releases)
       fetch_and_deploy_gh_release "libigdgmm12" "intel/compute-runtime" "binary" "latest" "" "libigdgmm12_*_amd64.deb" || true
 
-      # Intel Graphics Compiler (note: packages have -2 suffix)
+      local igc_tag
-      fetch_and_deploy_gh_release "intel-igc-core" "intel/intel-graphics-compiler" "binary" "latest" "" "intel-igc-core-2_*_amd64.deb" || true
+      _resolve_igc_tag igc_tag
-      fetch_and_deploy_gh_release "intel-igc-opencl" "intel/intel-graphics-compiler" "binary" "latest" "" "intel-igc-opencl-2_*_amd64.deb" || true
+
+      # Intel Graphics Compiler – pinned to the version compute-runtime expects
+      fetch_and_deploy_gh_release "intel-igc-core" "intel/intel-graphics-compiler" "binary" "$igc_tag" "" "intel-igc-core-2_*_amd64.deb" || true
+      fetch_and_deploy_gh_release "intel-igc-opencl" "intel/intel-graphics-compiler" "binary" "$igc_tag" "" "intel-igc-opencl-2_*_amd64.deb" || true
 
       # Compute Runtime
       fetch_and_deploy_gh_release "intel-opencl-icd" "intel/compute-runtime" "binary" "latest" "" "intel-opencl-icd_*_amd64.deb" || true

tools/addon/sparkyfitness-garmin.sh

@@ -69,6 +69,9 @@ function update() {
     msg_ok "Stopped service"
 
     CLEAN_INSTALL=1 fetch_and_deploy_gh_release "sparkyfitness-garmin" "CodeWithCJ/SparkyFitness" "tarball" "latest" $INSTALL_PATH
+    cd $INSTALL_PATH/SparkyFitnessGarmin
+    $STD uv venv --clear .venv
+    $STD uv pip install -r requirements.txt
 
     msg_info "Starting service"
     systemctl start sparkyfitness-garmin