fix(immich): disable upgrade-insecure-requests CSP directive

Helmet's useDefaults adds upgrade-insecure-requests to the CSP, which forces browsers to upgrade all HTTP requests to HTTPS. Since most LXC users access Immich directly via HTTP, this breaks the web UI completely (CORS errors, spinning logo). Patch helmet.json after deploy to explicitly null out the directive, keeping CSP benefits while allowing HTTP access. Fixes #13597
Update .app files (#13595 )
2026-04-29 05:30:53 +00:00 · 2026-04-08 18:55:19 +02:00 · 2026-04-08 16:05:59 +02:00 · 2026-04-08 13:59:50 +00:00 · 2026-04-08 15:59:21 +02:00 · 2026-04-08 12:57:01 +00:00
11 changed files with 318 additions and 2 deletions
@@ -441,12 +441,20 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit

 ## 2026-04-08

+### 🆕 New Scripts
+
+  - IronClaw | Alpine-IronClaw ([#13591](https://github.com/community-scripts/ProxmoxVE/pull/13591))
+
 ### 🚀 Updated Scripts

  - #### 🐞 Bug Fixes

-    - Update flaresolverr-install.sh [@maztheman](https://github.com/maztheman) ([#13584](https://github.com/community-scripts/ProxmoxVE/pull/13584))
    - Immich: v2.7.2 [@vhsdream](https://github.com/vhsdream) ([#13579](https://github.com/community-scripts/ProxmoxVE/pull/13579))
+    - Update flaresolverr-install.sh [@maztheman](https://github.com/maztheman) ([#13584](https://github.com/community-scripts/ProxmoxVE/pull/13584))
+
+  - #### 🔧 Refactor
+
+    - feat: update UHF Server script to use setup_ffmpeg [@zackwithak13](https://github.com/zackwithak13) ([#13564](https://github.com/community-scripts/ProxmoxVE/pull/13564))

 ## 2026-04-07

@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk (CanbiZ)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/nearai/ironclaw
+
+APP="Alpine-IronClaw"
+var_tags="${var_tags:-ai;agent;alpine}"
+var_cpu="${var_cpu:-1}"
+var_ram="${var_ram:-1024}"
+var_disk="${var_disk:-8}"
+var_os="${var_os:-alpine}"
+var_version="${var_version:-3.23}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+  header_info
+  check_container_storage
+  check_container_resources
+
+  if [[ ! -f /usr/local/bin/ironclaw ]]; then
+    msg_error "No ${APP} Installation Found!"
+    exit
+  fi
+
+  if check_for_gh_release "ironclaw-bin" "nearai/ironclaw"; then
+    msg_info "Stopping Service"
+    rc-service ironclaw stop 2>/dev/null || true
+    msg_ok "Stopped Service"
+
+    msg_info "Backing up Configuration"
+    cp /root/.ironclaw/.env /root/ironclaw.env.bak
+    msg_ok "Backed up Configuration"
+
+    fetch_and_deploy_gh_release "ironclaw-bin" "nearai/ironclaw" "prebuild" "latest" "/usr/local/bin" \
+      "ironclaw-$(uname -m)-unknown-linux-musl.tar.gz"
+    chmod +x /usr/local/bin/ironclaw
+
+    msg_info "Restoring Configuration"
+    cp /root/ironclaw.env.bak /root/.ironclaw/.env
+    rm -f /root/ironclaw.env.bak
+    msg_ok "Restored Configuration"
+
+    msg_info "Starting Service"
+    rc-service ironclaw start
+    msg_ok "Started Service"
+    msg_ok "Updated successfully!"
+  fi
+  exit
+}
+
+start
+build_container
+description
+
+msg_ok "Completed Successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW} Complete setup by running:${CL}"
+echo -e "${TAB}${BGN}ironclaw onboard${CL}"
+echo -e "${INFO}${YW} Then start the service:${CL}"
+echo -e "${TAB}${BGN}rc-service ironclaw start${CL}"
+echo -e "${INFO}${YW} Access the Web UI at:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:3000${CL}"
+echo -e "${INFO}${YW} Auth token and database credentials:${CL}"
+echo -e "${TAB}${BGN}cat /root/.ironclaw/.env${CL}"
@@ -0,0 +1,6 @@
+    ___    __      _                  ____                 ________              
+   /   |  / /___  (_)___  ___        /  _/________  ____  / ____/ /___ __      __
+  / /| | / / __ \/ / __ \/ _ \______ / // ___/ __ \/ __ \/ /   / / __ `/ | /| / /
+ / ___ |/ / /_/ / / / / /  __/_____// // /  / /_/ / / / / /___/ / /_/ /| |/ |/ / 
+/_/  |_/_/ .___/_/_/ /_/\___/     /___/_/   \____/_/ /_/\____/_/\__,_/ |__/|__/  
+        /_/                                                                      
@@ -0,0 +1,6 @@
+    ____                 ________              
+   /  _/________  ____  / ____/ /___ __      __
+   / // ___/ __ \/ __ \/ /   / / __ `/ | /| / /
+ _/ // /  / /_/ / / / / /___/ / /_/ /| |/ |/ / 
+/___/_/   \____/_/ /_/\____/_/\__,_/ |__/|__/  
+                                               
@@ -181,6 +181,12 @@ EOF
    unset SHARP_IGNORE_GLOBAL_LIBVIPS
    export SHARP_FORCE_GLOBAL_LIBVIPS=true
    $STD pnpm --filter immich --frozen-lockfile --prod --no-optional deploy "$APP_DIR"
+
+    # Patch helmet.json: disable upgrade-insecure-requests for HTTP access
+    if [[ -f "$APP_DIR/helmet.json" ]]; then
+      jq '.contentSecurityPolicy.directives["upgrade-insecure-requests"] = null' "$APP_DIR/helmet.json" >"$APP_DIR/helmet.json.tmp" && mv "$APP_DIR/helmet.json.tmp" "$APP_DIR/helmet.json"
+    fi
+
    cp "$APP_DIR"/package.json "$APP_DIR"/bin
    sed -i "s|^start|${APP_DIR}/bin/start|" "$APP_DIR"/bin/immich-admin

@@ -0,0 +1,71 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk (CanbiZ)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/nearai/ironclaw
+
+APP="IronClaw"
+var_tags="${var_tags:-ai;agent;security}"
+var_cpu="${var_cpu:-2}"
+var_ram="${var_ram:-2048}"
+var_disk="${var_disk:-8}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-13}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+  header_info
+  check_container_storage
+  check_container_resources
+
+  if [[ ! -f /usr/local/bin/ironclaw ]]; then
+    msg_error "No ${APP} Installation Found!"
+    exit
+  fi
+
+  if check_for_gh_release "ironclaw-bin" "nearai/ironclaw"; then
+    msg_info "Stopping Service"
+    systemctl stop ironclaw
+    msg_ok "Stopped Service"
+
+    msg_info "Backing up Configuration"
+    cp /root/.ironclaw/.env /root/ironclaw.env.bak
+    msg_ok "Backed up Configuration"
+
+    fetch_and_deploy_gh_release "ironclaw-bin" "nearai/ironclaw" "prebuild" "latest" "/usr/local/bin" \
+      "ironclaw-$(uname -m)-unknown-linux-$([[ -f /etc/alpine-release ]] && echo "musl" || echo "gnu").tar.gz"
+    chmod +x /usr/local/bin/ironclaw
+
+    msg_info "Restoring Configuration"
+    cp /root/ironclaw.env.bak /root/.ironclaw/.env
+    rm -f /root/ironclaw.env.bak
+    msg_ok "Restored Configuration"
+
+    msg_info "Starting Service"
+    systemctl start ironclaw
+    msg_ok "Started Service"
+    msg_ok "Updated successfully!"
+  fi
+  exit
+}
+
+start
+build_container
+description
+
+msg_ok "Completed Successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW} Complete setup by running:${CL}"
+echo -e "${TAB}${BGN}ironclaw onboard${CL}"
+echo -e "${INFO}${YW} Then start the service:${CL}"
+echo -e "${TAB}${BGN}systemctl start ironclaw${CL}"
+echo -e "${INFO}${YW} Access the Web UI at:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:3000${CL}"
+echo -e "${INFO}${YW} Auth token and database credentials:${CL}"
+echo -e "${TAB}${BGN}cat /root/.ironclaw/.env${CL}"
@@ -38,8 +38,14 @@ function update_script() {
    $STD apt -y upgrade
    msg_ok "Updated LXC"

+    msg_info "Updating UHF Server"
+    if dpkg -l ffmpeg 2>&1 | grep -q "ii"; then
+      apt remove ffmpeg -y && apt autoremove -y
+    fi
+    setup_ffmpeg
    fetch_and_deploy_gh_release "comskip" "swapplications/comskip" "prebuild" "latest" "/opt/comskip" "comskip-x64-*.zip"
    fetch_and_deploy_gh_release "uhf-server" "swapplications/uhf-server-dist" "prebuild" "latest" "/opt/uhf-server" "UHF.Server-linux-x64-*.zip"
+    msg_ok "Updated UHF Server"

    msg_info "Starting Service"
    systemctl start uhf-server
@@ -0,0 +1,75 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk (CanbiZ)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/nearai/ironclaw
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+msg_info "Installing Dependencies"
+$STD apk add openssl
+msg_ok "Installed Dependencies"
+
+msg_info "Installing PostgreSQL"
+$STD apk add postgresql17 postgresql17-openrc postgresql-pgvector postgresql-common
+$STD rc-service postgresql setup
+$STD rc-update add postgresql default
+$STD rc-service postgresql start
+msg_ok "Installed PostgreSQL"
+
+msg_info "Setting up Database"
+PG_PASS=$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | cut -c1-13)
+$STD su -s /bin/sh postgres -c "psql -c \"CREATE ROLE ironclaw WITH LOGIN PASSWORD '${PG_PASS}';\""
+$STD su -s /bin/sh postgres -c "psql -c \"CREATE DATABASE ironclaw WITH OWNER ironclaw;\""
+$STD su -s /bin/sh postgres -c "psql -d ironclaw -c \"CREATE EXTENSION IF NOT EXISTS vector;\""
+msg_ok "Set up Database"
+
+fetch_and_deploy_gh_release "ironclaw-bin" "nearai/ironclaw" "prebuild" "latest" "/usr/local/bin" \
+  "ironclaw-$(uname -m)-unknown-linux-musl.tar.gz"
+chmod +x /usr/local/bin/ironclaw
+
+msg_info "Configuring IronClaw"
+mkdir -p /root/.ironclaw
+GATEWAY_TOKEN=$(openssl rand -hex 32)
+cat <<EOF >/root/.ironclaw/.env
+DATABASE_URL=postgresql://ironclaw:${PG_PASS}@localhost:5432/ironclaw?sslmode=disable
+GATEWAY_ENABLED=true
+GATEWAY_HOST=0.0.0.0
+GATEWAY_PORT=3000
+GATEWAY_AUTH_TOKEN=${GATEWAY_TOKEN}
+CLI_ENABLED=false
+AGENT_NAME=ironclaw
+RUST_LOG=ironclaw=info,tower_http=info
+EOF
+chmod 600 /root/.ironclaw/.env
+msg_ok "Configured IronClaw"
+
+msg_info "Creating Service"
+cat <<EOF >/etc/init.d/ironclaw
+#!/sbin/openrc-run
+
+name="IronClaw"
+description="IronClaw AI Agent"
+command="/usr/local/bin/ironclaw"
+command_background=true
+pidfile="/run/ironclaw.pid"
+directory="/root"
+supervise_daemon_args="--env-file /root/.ironclaw/.env"
+
+depend() {
+  need net postgresql
+}
+EOF
+chmod +x /etc/init.d/ironclaw
+$STD rc-update add ironclaw default
+msg_ok "Created Service"
+
+motd_ssh
+customize
@@ -312,6 +312,12 @@ $STD pnpm --filter immich --frozen-lockfile build
 unset SHARP_IGNORE_GLOBAL_LIBVIPS
 export SHARP_FORCE_GLOBAL_LIBVIPS=true
 $STD pnpm --filter immich --frozen-lockfile --prod --no-optional deploy "$APP_DIR"
+
+# Patch helmet.json: disable upgrade-insecure-requests for HTTP access
+if [[ -f "$APP_DIR/helmet.json" ]]; then
+  jq '.contentSecurityPolicy.directives["upgrade-insecure-requests"] = null' "$APP_DIR/helmet.json" >"$APP_DIR/helmet.json.tmp" && mv "$APP_DIR/helmet.json.tmp" "$APP_DIR/helmet.json"
+fi
+
 cp "$APP_DIR"/package.json "$APP_DIR"/bin
 sed -i "s|^start|${APP_DIR}/bin/start|" "$APP_DIR"/bin/immich-admin

@@ -0,0 +1,61 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk (CanbiZ)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/nearai/ironclaw
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+PG_VERSION="17" PG_MODULES="pgvector" setup_postgresql
+PG_DB_NAME="ironclaw" PG_DB_USER="ironclaw" PG_DB_EXTENSIONS="vector" setup_postgresql_db
+
+fetch_and_deploy_gh_release "ironclaw-bin" "nearai/ironclaw" "prebuild" "latest" "/usr/local/bin" \
+  "ironclaw-$(uname -m)-unknown-linux-$([[ -f /etc/alpine-release ]] && echo "musl" || echo "gnu").tar.gz"
+chmod +x /usr/local/bin/ironclaw
+
+msg_info "Configuring IronClaw"
+mkdir -p /root/.ironclaw
+GATEWAY_TOKEN=$(openssl rand -hex 32)
+cat <<EOF >/root/.ironclaw/.env
+DATABASE_URL=postgresql://${PG_DB_USER}:${PG_DB_PASS}@localhost:5432/${PG_DB_NAME}?sslmode=disable
+GATEWAY_ENABLED=true
+GATEWAY_HOST=0.0.0.0
+GATEWAY_PORT=3000
+GATEWAY_AUTH_TOKEN=${GATEWAY_TOKEN}
+CLI_ENABLED=false
+AGENT_NAME=ironclaw
+RUST_LOG=ironclaw=info,tower_http=info
+EOF
+chmod 600 /root/.ironclaw/.env
+msg_ok "Configured IronClaw"
+
+msg_info "Creating Service"
+cat <<EOF >/etc/systemd/system/ironclaw.service
+[Unit]
+Description=IronClaw AI Agent
+After=network.target postgresql.service
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=/root
+ExecStart=/usr/local/bin/ironclaw
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable -q ironclaw
+msg_ok "Created Service"
+
+motd_ssh
+customize
+cleanup_lxc
@@ -15,7 +15,7 @@ update_os
 setup_hwaccel

 msg_info "Installing Dependencies"
-$STD apt install -y ffmpeg
+setup_ffmpeg
 msg_ok "Installed Dependencies"

 msg_info "Setting Up UHF Server Environment"
Author	SHA1	Message	Date
MickLesk	c44c297ed8	fix(immich): disable upgrade-insecure-requests CSP directive Helmet's useDefaults adds upgrade-insecure-requests to the CSP, which forces browsers to upgrade all HTTP requests to HTTPS. Since most LXC users access Immich directly via HTTP, this breaks the web UI completely (CORS errors, spinning logo). Patch helmet.json after deploy to explicitly null out the directive, keeping CSP benefits while allowing HTTP access. Fixes #13597	2026-04-08 18:55:19 +02:00
community-scripts-pr-app[bot]	c11b2e9db2	Update .app files (#13595 ) Co-authored-by: GitHub Actions <github-actions[bot]@users.noreply.github.com>	2026-04-08 16:05:59 +02:00
community-scripts-pr-app[bot]	f7c2477e09	Update CHANGELOG.md (#13594 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-04-08 13:59:50 +00:00
push-app-to-main[bot]	8b7c620f92	IronClaw \| Alpine-IronClaw (#13591 ) * Add ironclaw (ct) * add alpine variant --------- Co-authored-by: push-app-to-main[bot] <203845782+push-app-to-main[bot]@users.noreply.github.com> Co-authored-by: CanbiZ (MickLesk) <47820557+MickLesk@users.noreply.github.com>	2026-04-08 15:59:21 +02:00
community-scripts-pr-app[bot]	d3a935e347	Update CHANGELOG.md (#13592 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-04-08 12:57:01 +00:00
Zack	74c430ddf2	feat: update UHF Server script to use setup_ffmpeg (#13564 ) Co-authored-by: Zack Rupinga <zackruppert@livenation.com>	2026-04-08 14:56:33 +02:00