Update CHANGELOG.md

Step ca update (#14058 )
* Patch for step-ca.sh Patch for making $STD happy (/usr/bin/step is a symlink to /usr/bin/step-cli) * Refactor step-ca installation script Refactor step-ca installation script to improve configuration and template handling. - Carve out step-ca-admin.sh - Patch for making $STD happy (/usr/bin/step is a symlink to /usr/bin/step-cli) - Define enhanced x509 CA and Certificate Templates - Configure CA Provisioners, DB and CRL settings - Generate Root CA Certificate and Key - Validity: 219168h (~25 Years) - maxPathLen: 1 (Root -> Intermediate -> Leaf) => Only one Intermediate CA allowed below Root CA - Active revocation on Intermediate CA and Leaf Certificates by the usage of build-in Certificate Revocation List (CRL) - Generate Intermediate CA Certificate Bundle and Key - Validity: 175368h (~20 Years) - maxPathLen: 0 (Root -> Intermediate -> Leaf) => Intermediate CA is only allowed to issue Leaf Certificates - Active revocation on Leaf Certificates by the usage of build-in Certificate Revocation List (CRL) - Bundle: Certificate Chain (including Root CA Certificate) * Update source URL in step-ca.sh script
2026-05-02 06:55:58 +00:00 · 2026-05-01 21:07:47 +00:00 · 2026-05-01 23:07:30 +02:00 · 2026-05-01 20:48:14 +00:00 · 2026-05-01 22:47:49 +02:00 · 2026-05-01 20:44:53 +00:00
9 changed files with 547 additions and 279 deletions
@@ -450,10 +450,16 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit

 ## 2026-05-01

+### 🆕 New Scripts
+
+  - SoulSync ([#14124](https://github.com/community-scripts/ProxmoxVE/pull/14124))
+- Teable ([#14125](https://github.com/community-scripts/ProxmoxVE/pull/14125))
+
 ### 🚀 Updated Scripts

  - #### 🐞 Bug Fixes

+    - Step ca update [@heinemannj](https://github.com/heinemannj) ([#14058](https://github.com/community-scripts/ProxmoxVE/pull/14058))
    - paperless-ngx: refresh NLTK data on update [@kurtislanderson](https://github.com/kurtislanderson) ([#14144](https://github.com/community-scripts/ProxmoxVE/pull/14144))
    - [Pelican Panel] stop deleting the public storage [@LetterN](https://github.com/LetterN) ([#14145](https://github.com/community-scripts/ProxmoxVE/pull/14145))

@@ -0,0 +1,6 @@
+   _____             _______                 
+  / ___/____  __  __/ / ___/__  ______  _____
+  \__ \/ __ \/ / / / /\__ \/ / / / __ \/ ___/
+ ___/ / /_/ / /_/ / /___/ / /_/ / / / / /__  
+/____/\____/\__,_/_//____/\__, /_/ /_/\___/  
+                         /____/              
@@ -0,0 +1,6 @@
+  ______           __    __   
+ /_  __/__  ____ _/ /_  / /__ 
+  / / / _ \/ __ `/ __ \/ / _ \
+ / / /  __/ /_/ / /_/ / /  __/
+/_/  \___/\__,_/_.___/_/\___/ 
+                              
@@ -0,0 +1,68 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk (CanbiZ)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/Nezreka/SoulSync
+
+APP="SoulSync"
+var_tags="${var_tags:-music;automation;media}"
+var_cpu="${var_cpu:-2}"
+var_ram="${var_ram:-2048}"
+var_disk="${var_disk:-8}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-13}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+  header_info
+  check_container_storage
+  check_container_resources
+
+  if [[ ! -f ~/.soulsync ]]; then
+    msg_error "No ${APP} Installation Found!"
+    exit
+  fi
+
+  if check_for_gh_release "soulsync" "Nezreka/SoulSync"; then
+    msg_info "Stopping Service"
+    systemctl stop soulsync
+    msg_ok "Stopped Service"
+
+    msg_info "Backing up Data"
+    mv /opt/soulsync/config /opt/soulsync-config.bak
+    mv /opt/soulsync/data /opt/soulsync-data.bak
+    msg_ok "Backed up Data"
+
+    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "soulsync" "Nezreka/SoulSync" "tarball"
+
+    msg_info "Updating Python Dependencies"
+    cd /opt/soulsync
+    $STD uv venv --clear /opt/soulsync/.venv --python 3.11
+    $STD /opt/soulsync/.venv/bin/pip install -r requirements.txt
+    msg_ok "Updated Python Dependencies"
+
+    mv /opt/soulsync-config.bak /opt/soulsync/config
+    mv /opt/soulsync-data.bak /opt/soulsync/data
+
+    msg_info "Starting Service"
+    systemctl start soulsync
+    msg_ok "Started Service"
+    msg_ok "Updated ${APP}"
+  fi
+  exit
+}
+
+start
+build_container
+description
+
+msg_ok "Completed Successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:8008${CL}"
@@ -30,6 +30,12 @@ function update_script() {
  msg_info "Updating step-ca and step-cli"
  $STD apt update
  $STD apt upgrade -y step-ca step-cli
+
+  # Patch for making $STD happy (/usr/bin/step is a symlink to /usr/bin/step-cli)
+  STEPBIN="$(which step)"
+  rm -f "$STEPBIN"
+  cp -f "$(which step-cli)" "$STEPBIN"
+
  $STD systemctl restart step-ca
  msg_ok "Updated step-ca and step-cli"

@@ -0,0 +1,82 @@
+#!/usr/bin/env bash
+source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/build.func)
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk (CanbiZ)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/teableio/teable
+
+APP="Teable"
+var_tags="${var_tags:-database;no-code;spreadsheet}"
+var_cpu="${var_cpu:-4}"
+var_ram="${var_ram:-10240}"
+var_disk="${var_disk:-25}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-13}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+  header_info
+  check_container_storage
+  check_container_resources
+
+  if [[ ! -d /opt/teable ]]; then
+    msg_error "No ${APP} Installation Found!"
+    exit
+  fi
+
+  if check_for_gh_release "teable" "teableio/teable"; then
+    msg_info "Stopping Service"
+    systemctl stop teable
+    msg_ok "Stopped Service"
+
+    msg_info "Backing up Configuration"
+    cp /opt/teable/.env /opt/teable.env.bak
+    msg_ok "Backed up Configuration"
+
+    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "teable" "teableio/teable" "tarball"
+
+    msg_info "Restoring Configuration"
+    mv /opt/teable.env.bak /opt/teable/.env
+    msg_ok "Restored Configuration"
+
+    msg_info "Rebuilding Teable"
+    cd /opt/teable
+    TEABLE_VERSION=$(cat ~/.teable)
+    echo "NEXT_PUBLIC_BUILD_VERSION=\"${TEABLE_VERSION}\"" >>apps/nextjs-app/.env
+    export HUSKY=0
+    export NODE_OPTIONS="--max-old-space-size=8192"
+    $STD pnpm install --frozen-lockfile
+    $STD pnpm -F @teable/db-main-prisma prisma-generate --schema ./prisma/postgres/schema.prisma
+    NODE_ENV=production NEXT_BUILD_ENV_TYPECHECK=false \
+      $STD pnpm -r --filter '!playground' run build
+    msg_ok "Rebuilt Teable"
+
+    msg_info "Running Database Migrations"
+    source /opt/teable/.env
+    $STD pnpm -F @teable/db-main-prisma prisma-migrate deploy --schema ./prisma/postgres/schema.prisma
+    msg_ok "Ran Database Migrations"
+
+    msg_info "Starting Service"
+    systemctl start teable
+    msg_ok "Started Service"
+    msg_ok "Updated successfully!"
+  else
+    msg_ok "No update available."
+  fi
+  exit
+}
+
+start
+build_container
+description
+
+msg_ok "Completed Successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
+echo -e "${INFO}${YW} Access it using the following URL:${CL}"
+echo -e "${TAB}${GATEWAY}${BGN}http://${IP}:3000${CL}"
@@ -0,0 +1,59 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk (CanbiZ)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/Nezreka/SoulSync
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+msg_info "Installing Dependencies"
+$STD apt install -y \
+  gcc \
+  libffi-dev \
+  libssl-dev \
+  libchromaprint-tools \
+  ffmpeg
+msg_ok "Installed Dependencies"
+
+UV_PYTHON="3.11" setup_uv
+
+fetch_and_deploy_gh_release "soulsync" "Nezreka/SoulSync" "tarball"
+
+msg_info "Setting up Application"
+cd /opt/soulsync
+$STD uv venv /opt/soulsync/.venv --python 3.11
+$STD uv pip install -r requirements.txt --python /opt/soulsync/.venv/bin/python
+mkdir -p /opt/soulsync/{config,data,logs}
+msg_ok "Set up Application"
+
+msg_info "Creating Service"
+cat <<EOF >/etc/systemd/system/soulsync.service
+[Unit]
+Description=SoulSync Music Discovery
+After=network.target
+
+[Service]
+Type=simple
+User=root
+WorkingDirectory=/opt/soulsync
+ExecStart=/opt/soulsync/.venv/bin/python web_server.py
+Environment=PYTHONPATH=/opt/soulsync PYTHONUNBUFFERED=1 DATABASE_PATH=/opt/soulsync/data/music_library.db
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable -q --now soulsync
+msg_ok "Created Service"
+
+motd_ssh
+customize
+cleanup_lxc
@@ -23,21 +23,34 @@ setup_deb822_repo \
 msg_info "Installing step-ca and step-cli"
 $STD apt install -y step-ca step-cli

-STEPHOME="/root/.step"
-export STEPPATH=/etc/step-ca
+STEPPATH="/etc/step-ca"
+STEPHOME="/etc/step"
+
+export STEPPATH=$STEPPATH
+echo "export STEPPATH=${STEPPATH}" >> /etc/profile
 export STEPHOME=$STEPHOME
+echo "export STEPHOME=${STEPHOME}" >> /etc/profile

-sed  -i '1i export STEPPATH=/etc/step-ca' /etc/profile
-sed  -i '1i export STEPHOME=/root/.step' /etc/profile
+mkdir -p "$STEPHOME"

-setcap CAP_NET_BIND_SERVICE=+eip $(which step-ca)
+# Patch for making $STD happy (/usr/bin/step is a symlink to /usr/bin/step-cli)
+STEPBIN="$(which step)"
+rm -f "$STEPBIN"
+cp -f "$(which step-cli)" "$STEPBIN"

-$STD useradd --user-group --system --home $(step path) --shell /bin/false step
+# Low port-binding capabilities (ports < 1024)
+# - Default step-ca listener port: 443
+setcap CAP_NET_BIND_SERVICE=+eip "$(which step-ca)"
+
+# Service User used by systemd step-ca.service
+$STD useradd --user-group --system --home "$(step path)" --shell /bin/false step
 msg_ok "Installed step-ca and step-cli"

 DomainName="$(hostname -d)"

 PKIName="$(prompt_input "Enter PKIName" "MyHomePKI" 30)"
+PKICountry="$(prompt_input "Enter PKICountry" "DE" 30)"
+PKIOrganizationalUnit="$(prompt_input "Enter PKIOrganizationalUnit" "MyHomeLab" 30)"
 PKIProvisioner="$(prompt_input "Enter PKIProvisioner" "pki@$DomainName" 30)"
 AcmeProvisioner="$(prompt_input "Enter AcmeProvisioner" "acme@$DomainName" 30)"
 X509MinDur="$(prompt_input "Enter X509MinDur" "48h" 30)"
@@ -45,11 +58,15 @@ X509MaxDur="$(prompt_input "Enter X509MaxDur" "87600h" 30)"
 X509DefaultDur="$(prompt_input "Enter X509DefaultDur" "168h" 30)"

 msg_info "Initializing step-ca"
+
+# Initialize step-ca
 DeploymentType="standalone"
 FQDN="$(hostname -f)"
 IP="${LOCAL_IP}"
 LISTENER=":443"
+LISTENER_INSECURE=":80"

+# Set different signing CA and Provisioner Passwords
 EncryptionPwdDir="$(step path)/encryption"
 PwdFile="$EncryptionPwdDir/ca.pwd"
 ProvisionerPwdFile="$EncryptionPwdDir/provisioner.pwd"
@@ -57,19 +74,208 @@ mkdir -p "$EncryptionPwdDir"
 gpg -q --gen-random --armor 2 32 >"$PwdFile"
 gpg -q --gen-random --armor 2 32 >"$ProvisionerPwdFile"

-$STD step ca init --deployment-type="$DeploymentType" --ssh --name="$PKIName" --dns="$FQDN" --dns="$IP" --address="$LISTENER" --provisioner="$PKIProvisioner" --password-file="$PwdFile" --provisioner-password-file="$ProvisionerPwdFile"
-
+# Used by systemd step-ca.service
 ln -s "$PwdFile" "$(step path)/password.txt"
-chown -R step:step $(step path)
-chmod -R 700 $(step path)
-$STD step ca provisioner add "$AcmeProvisioner" --type ACME --admin-name "$AcmeProvisioner"
-$STD step ca provisioner update "$PKIProvisioner" --x509-min-dur="$X509MinDur" --x509-max-dur="$X509MaxDur" --x509-default-dur="$X509DefaultDur" --allow-renewal-after-expiry
-$STD step ca provisioner update "$AcmeProvisioner" --x509-min-dur="$X509MinDur" --x509-max-dur="$X509MaxDur" --x509-default-dur="$X509DefaultDur" --allow-renewal-after-expiry
-$STD step certificate install --all $(step path)/certs/root_ca.crt
+
+# Usage of:
+# - SSH feature of step-ca
+# - BadgerDB (badgerv2) => Default DB backend of step-ca
+# - badgerFileLoadingMode: FileIO (instead of MemoryMap) for LXC with low RAM
+$STD step ca init \
+  --deployment-type="$DeploymentType" \
+  --ssh \
+  --name="$PKIName" \
+  --dns="$FQDN" \
+  --dns="$IP" \
+  --address="$LISTENER" \
+  --provisioner="$PKIProvisioner" \
+  --password-file="$PwdFile" \
+  --provisioner-password-file="$ProvisionerPwdFile"
+
+# Define enhanced x509 CA and Certificate Templates
+mkdir -p "$(step path)/templates/ca"
+mkdir -p "$(step path)/templates/x509"
+
+CARootTemplate="$(step path)/templates/ca/root.tpl"
+CAIntermediateTemplate="$(step path)/templates/ca/intermediate.tpl"
+X509LeafTemplate="$(step path)/templates/x509/leaf.tpl"
+X509LeafTemplateData="$(step path)/templates/x509/leaf_data.tpl"
+
+cat <<'EOF' >"$CARootTemplate"
+{
+	"subject": {
+		"country": {{ toJson .Insecure.User.country }},
+		"organization": {{ toJson .Insecure.User.organization }},
+		"organizationalUnit": {{ toJson .Insecure.User.organizationalUnit }},
+		"commonName": {{ toJson .Subject.CommonName }}
+	},
+  "issuer": {{ toJson .Subject }},
+	"keyUsage": ["certSign", "crlSign"],
+	"basicConstraints": {
+		"isCA": true,
+		"maxPathLen": 1
+	},
+	"issuingCertificateURL": [{{ toJson .Insecure.User.issuingCertificateURL }}],
+	"crlDistributionPoints": [{{ toJson .Insecure.User.crlDistributionPoints }}]
+}
+EOF
+
+cat <<'EOF' >"$CAIntermediateTemplate"
+{
+	"subject": {
+		"country": {{ toJson .Insecure.User.country }},
+		"organization": {{ toJson .Insecure.User.organization }},
+		"organizationalUnit": {{ toJson .Insecure.User.organizationalUnit }},
+		"commonName": {{ toJson .Subject.CommonName }}
+	},
+	"keyUsage": ["certSign", "crlSign"],
+	"basicConstraints": {
+		"isCA": true,
+		"maxPathLen": 0
+	},
+	"issuingCertificateURL": [{{ toJson .Insecure.User.issuingCertificateURL }}],
+	"crlDistributionPoints": [{{ toJson .Insecure.User.crlDistributionPoints }}]
+}
+EOF
+
+cat <<'EOF' >"$X509LeafTemplate"
+{
+	"subject": {
+{{- if .Insecure.User.Country }}
+		"country": {{ toJson .Insecure.User.country }},
+{{- else }}
+		"country": {{ toJson .country }},
+{{- end }}
+{{- if .Insecure.User.organization }}
+		"organization": {{ toJson .Insecure.User.organization }},
+{{- else }}
+		"organization": {{ toJson .organization }},
+{{- end }}
+{{- if .Insecure.User.organizationalUnit }}
+		"organizationalUnit": {{ toJson .Insecure.User.organizationalUnit }},
+{{- else }}
+		"organizationalUnit": {{ toJson .organizationalUnit }},
+{{- end }}
+		"commonName": {{ toJson .Subject.CommonName }}
+	},
+	"sans": {{ toJson .SANs }},
+{{- if typeIs "*rsa.PublicKey" .Insecure.CR.PublicKey }}
+	"keyUsage": ["keyEncipherment", "digitalSignature"],
+{{- else }}
+	"keyUsage": ["digitalSignature"],
+{{- end }}
+	"extKeyUsage": ["serverAuth", "clientAuth"],
+{{- if .Insecure.User.issuingCertificateURL }}
+	"issuingCertificateURL": [{{ toJson .Insecure.User.issuingCertificateURL }}],
+{{- else }}
+	"issuingCertificateURL": [{{ toJson .issuingCertificateURL }}],
+{{- end }}
+{{- if .Insecure.User.crlDistributionPoints }}
+	"crlDistributionPoints": [{{ toJson .Insecure.User.crlDistributionPoints }}]
+{{- else }}
+	"crlDistributionPoints": [{{ toJson .crlDistributionPoints }}]
+{{- end }}
+}
+EOF
+
+cat <<EOF >"$X509LeafTemplateData"
+{
+	"country": "${PKICountry}",
+	"organization": "${PKIName}",
+	"organizationalUnit": "${PKIOrganizationalUnit}",
+	"issuingCertificateURL": ["https://${FQDN}${LISTENER}/intermediates.pem"],
+	"crlDistributionPoints": ["https://${FQDN}${LISTENER}/crl"]
+}
+EOF
+
+# Configure CA Provisioners, DB and CRL settings
+$STD step ca provisioner add "$AcmeProvisioner" \
+  --type ACME \
+  --admin-name "$AcmeProvisioner"
+
+$STD step ca provisioner update "$PKIProvisioner" \
+  --x509-min-dur="$X509MinDur" \
+  --x509-max-dur="$X509MaxDur" \
+  --x509-default-dur="$X509DefaultDur" \
+  --x509-template="$X509LeafTemplate" \
+  --x509-template-data="$X509LeafTemplateData" \
+  --allow-renewal-after-expiry
+
+$STD step ca provisioner update "$AcmeProvisioner" \
+  --x509-min-dur="$X509MinDur" \
+  --x509-max-dur="$X509MaxDur" \
+  --x509-default-dur="$X509DefaultDur" \
+  --x509-template="$X509LeafTemplate" \
+  --x509-template-data="$X509LeafTemplateData" \
+  --allow-renewal-after-expiry
+
+CAConfig="$(step path)/config/ca.json"
+jq --arg a "${PKICountry}" '.country = $a' "${CAConfig}" > "${CAConfig}_tmp" && mv "${CAConfig}_tmp" "${CAConfig}"
+jq --arg a "${PKIName}" '.organization = $a' "${CAConfig}" > "${CAConfig}_tmp" && mv "${CAConfig}_tmp" "${CAConfig}"
+jq --arg a "${PKIOrganizationalUnit}" '.organizationalUnit = $a' "${CAConfig}" > "${CAConfig}_tmp" && mv "${CAConfig}_tmp" "${CAConfig}"
+jq --arg a "${PKIName} Online CA" '.commonName = $a' "${CAConfig}" > "${CAConfig}_tmp" && mv "${CAConfig}_tmp" "${CAConfig}"
+jq '.db.badgerFileLoadingMode = "FileIO"' "${CAConfig}" > "${CAConfig}_tmp" && mv "${CAConfig}_tmp" "${CAConfig}"
+jq '.crl.enabled = true' "${CAConfig}" > "${CAConfig}_tmp" && mv "${CAConfig}_tmp" "${CAConfig}"
+jq '.crl.generateOnRevoke = true' "${CAConfig}" > "${CAConfig}_tmp" && mv "${CAConfig}_tmp" "${CAConfig}"
+jq '.crl.cacheDuration = "24h0m0s"' "${CAConfig}" > "${CAConfig}_tmp" && mv "${CAConfig}_tmp" "${CAConfig}"
+jq '.crl.renewPeriod = "16h0m0s"' "${CAConfig}" > "${CAConfig}_tmp" && mv "${CAConfig}_tmp" "${CAConfig}"
+jq --arg a "https://${FQDN}${LISTENER}/crl" '.crl.idpURL = $a' "${CAConfig}" > "${CAConfig}_tmp" && mv "${CAConfig}_tmp" "${CAConfig}"
+jq --arg a "$LISTENER_INSECURE" '.insecureAddress = $a' "${CAConfig}" > "${CAConfig}_tmp" && mv "${CAConfig}_tmp" "${CAConfig}"
+
+# Generate Root CA Certificate and Key
+# - Validity: 219168h (~25 Years)
+# - maxPathLen: 1 (Root -> Intermediate -> Leaf) => Only one Intermediate CA allowed below Root CA
+# - Active revocation on Intermediate CA and Leaf Certificates by the usage of build-in Certificate Revocation List (CRL)
+FLAGS=(--force
+  --template="${CARootTemplate}"
+  --not-after="219168h"
+  --password-file="${PwdFile}"
+  --set country="${PKICountry}"
+  --set organization="${PKIName}"
+  --set organizationalUnit="${PKIOrganizationalUnit}"
+  --set issuingCertificateURL="https://${FQDN}${LISTENER}/roots.pem"
+  --set crlDistributionPoints="https://${FQDN}${LISTENER}/crl")
+
+$STD step certificate create "${PKIName} Root CA" \
+  "$(step path)/certs/root_ca.crt" \
+  "$(step path)/secrets/root_ca_key" \
+  "${FLAGS[@]}"
+
+# Generate Intermediate CA Certificate Bundle and Key
+# - Validity: 175368h (~20 Years)
+# - maxPathLen: 0 (Root -> Intermediate -> Leaf) => Intermediate CA is only allowed to issue Leaf Certificates
+# - Active revocation on Leaf Certificates by the usage of build-in Certificate Revocation List (CRL)
+# - Bundle: Certificate Chain (including Root CA Certificate)
+FLAGS=(--force
+  --template="${CAIntermediateTemplate}"
+  --ca="$(step path)/certs/root_ca.crt"
+  --ca-key="$(step path)/secrets/root_ca_key"
+  --not-after="175368h"
+  --ca-password-file="${PwdFile}"
+  --password-file="${PwdFile}"
+  --bundle
+  --set country="${PKICountry}"
+  --set organization="${PKIName}"
+  --set organizationalUnit="${PKIOrganizationalUnit}"
+  --set issuingCertificateURL="https://${FQDN}${LISTENER}/roots.pem"
+  --set crlDistributionPoints="https://${FQDN}${LISTENER}/crl")
+
+$STD step certificate create "${PKIName} Intermediate CA" \
+  "$(step path)/certs/intermediate_ca.crt" \
+  "$(step path)/secrets/intermediate_ca_key" \
+  "${FLAGS[@]}"
+
+# Install Root CA Certificate to System Trust Store
+$STD step certificate install --all "$(step path)/certs/root_ca.crt"
 $STD update-ca-certificates
+
+chown -R step:step "$(step path)"
+chmod -R 700 "$(step path)"
 msg_ok "Initialized step-ca"

 msg_info "Start step-ca as a Daemon"
+
+# https://smallstep.com/docs/step-ca/certificate-authority-server-production/#running-step-ca-as-a-daemon
 cat <<'EOF' >/etc/systemd/system/step-ca.service
 [Unit]
 Description=step-ca service
@@ -130,271 +336,6 @@ msg_ok "Started step-ca as a Daemon"
 fetch_and_deploy_gh_release "step-badger" "lukasz-lobocki/step-badger" "prebuild" "latest" "/opt/step-badger" "step-badger_Linux_x86_64.tar.gz"
 ln -s /opt/step-badger/step-badger /usr/local/bin/step-badger

-msg_info "Install step-ca Admin script"
-mkdir -p "$STEPHOME"
-cat <<'ADDON_EOF' >"$STEPHOME/step-ca-admin.sh"
-#!/usr/bin/env bash
-
-# Copyright (c) 2021-2026 community-scripts ORG
-# Author: Joerg Heinemann (heinemannj)
-# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
-
-function header_info() {
-  clear
-  cat <<"EOF"
-         __                                 ___       __          _     
-   _____/ /____  ____        _________ _   /   | ____/ /___ ___  (_)___ 
-  / ___/ __/ _ \/ __ \______/ ___/ __ `/  / /| |/ __  / __ `__ \/ / __ \
- (__  ) /_/  __/ /_/ /_____/ /__/ /_/ /  / ___ / /_/ / / / / / / / / / /
-/____/\__/\___/ .___/      \___/\__,_/  /_/  |_\__,_/_/ /_/ /_/_/_/ /_/ 
-             /_/                                                            
-
-EOF
-}
-
-function die() {
-  echo -e "\n${BL}[ERROR]${GN} ${RD}${1}${CL}\n"
-  exit
-}
-
-function success() {
-  echo -e "${BL}[SUCCESS]${GN} ${1}${CL}\n"
-  exit
-}
-
-function whiptail_menu() {
-  MENU_ARRAY=()
-  MSG_MAX_LENGTH=0
-  while read -r TAG ITEM; do
-    OFFSET=2
-    ((${#ITEM} + OFFSET > MSG_MAX_LENGTH)) && MSG_MAX_LENGTH=${#ITEM}+OFFSET
-    MENU_ARRAY+=("$TAG" "$ITEM " "OFF")
-  done < <(echo "$1")
-}
-
-function x509_list() {
-  CERT_LIST=""
-  cp --recursive --force "$(step path)/db/"* "$STEPHOME/db-copy/"
-  cp --recursive --force "$(step path)/certs/"* "$STEPHOME/certs/ca/"
-  if [[ $(step-badger x509Certs "${STEPHOME}/db-copy" 2>/dev/null) ]]; then
-    CERT_LIST=$(step-badger x509Certs ${STEPHOME}/db-copy 2>/dev/null)
-  fi
-}
-
-function ssh_list() {
-  CERT_LIST=""
-  cp --recursive --force "$(step path)/db/"* "$STEPHOME/db-copy/"
-  cp --recursive --force "$(step path)/certs/"* "$STEPHOME/certs/ca/"
-  if [[ $(step-badger sshCerts "${STEPHOME}/db-copy" 2>/dev/null) ]]; then
-    CERT_LIST=$(step-badgersshCerts ${STEPHOME}/db-copy 2>/dev/null)
-  fi
-}
-
-function x509_serial_to_cn() {
-  x509_list
-  CN="$(echo "${CERT_LIST}" | grep "${SERIAL_NUMBER}" | awk '{print $2}' | sed 's/CN=//g')"
-  CRT="$STEPHOME/certs/x509/$CN.crt"
-  KEY="$STEPHOME/certs/x509/$CN.key"
-  if ! [[ -f ${CRT} ]]; then
-    die "Certificate ${CRT} not found!"
-  elif ! [[ -f ${KEY} ]]; then
-    die "Private Key ${KEY} not found!"
-  fi
-}
-
-function x509_revoke() {
-  # shellcheck disable=SC2206
-  SERIAL_NUMBER_ARRAY=(${CERT_SERIAL_NUMBERS})
-  for SERIAL_NUMBER in "${SERIAL_NUMBER_ARRAY[@]}"; do
-    echo -e "${BL}[Info]${GN} Revoke x509 Certificate with Serial Number ${BL}${SERIAL_NUMBER}${GN}:${CL}"
-    echo
-    TOKEN=$(step ca token --provisioner="$PROVISIONER" --provisioner-password-file="$PROVISIONER_PASSWORD" --revoke "${SERIAL_NUMBER}")
-    step ca revoke --token "$TOKEN" "${SERIAL_NUMBER}" || die "Failed to revoke certificate!"
-    echo
-  done
-  success "Finished."
-}
-
-function x509_renew() {
-  # shellcheck disable=SC2206
-  SERIAL_NUMBER_ARRAY=(${CERT_SERIAL_NUMBERS})
-  for SERIAL_NUMBER in "${SERIAL_NUMBER_ARRAY[@]}"; do
-    echo -e "${BL}[Info]${GN} Renew x509 Certificate with Serial Number ${BL}${SERIAL_NUMBER}${GN}:${CL}"
-    echo
-    x509_serial_to_cn
-    step ca renew "${CRT}" "${KEY}" --force || die "Failed to renew certificate!"
-    echo
-  done
-  success "Finished."
-}
-
-function x509_inspect() {
-  # shellcheck disable=SC2206
-  SERIAL_NUMBER_ARRAY=(${CERT_SERIAL_NUMBERS})
-  for SERIAL_NUMBER in "${SERIAL_NUMBER_ARRAY[@]}"; do
-    echo -e "${BL}[Info]${GN} Inspect x509 Certificate with Serial Number ${BL}${SERIAL_NUMBER}${GN}:${CL}\n"
-    x509_serial_to_cn
-    step certificate inspect "${CRT}" || die "Failed to inspect certificate!"
-    if ! [[ $(step certificate inspect "${CRT}" | grep "${SERIAL_NUMBER}") ]]; then
-      die "Serial Number ${SERIAL_NUMBER} mismatch!"
-    fi
-    echo -e "\n${BL}[Info]${GN} Public Key:${CL}\n"
-    cat "${CRT}"
-    echo -e "\n${BL}[Info]${GN} Private Key:${CL}\n"
-    cat "${KEY}"
-    echo
-  done
-  success "Finished."
-}
-
-function x509_request() {
-  FQDN=""
-  SAN=""
-
-  while true; do
-    FQDN=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox '\nFQDN (e.g. MyLXC.example.com)' 10 50 "$FQDN" 3>&1 1>&2 2>&3)
-    IP=$(dig +short "$FQDN")
-    if [[ -z "$IP" ]]; then
-      die "Resolution failed for $FQDN!"
-    fi
-    HOST=$(echo "$FQDN" | awk -F'.' '{print $1}')
-    IP=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox '\nIP Address (e.g. x.x.x.x)' 10 50 "$IP" 3>&1 1>&2 2>&3)
-    HOST=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox '\nHostname (e.g. MyHostName)' 10 50 "$HOST" 3>&1 1>&2 2>&3)
-    SAN=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox '\nSubject Alternative Name(s) (SAN) (e.g. myapp-1.example.com, myapp-2.example.com)' 10 50 "$SAN" 3>&1 1>&2 2>&3)
-    VALID_TO=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --inputbox '\nValidity (e.g. 2034-01-31T00:00:00Z)' 10 50 "2034-01-31T00:00:00Z" 3>&1 1>&2 2>&3)
-
-    # shellcheck disable=SC2034
-    if whiptail_yesno=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificate Signing Request (CSR)" --yesno "Continue with below?\n
-      FQDN: $FQDN
-      Hostname: $HOST
-      IP Address: $IP
-      Subject Alternative Name(s) (SAN): $SAN
-      Validity: $VALID_TO" --no-button "Change" --yes-button "Continue" 15 70 3>&1 1>&2 2>&3); then
-      break
-    fi
-  done
-
-  echo -e "${BL}[Info]${GN} Request x509 Certificate with subject ${BL}${FQDN}${GN}:${CL}"
-  echo
-  CRT="$STEPHOME/certs/x509/$FQDN.crt"
-  KEY="$STEPHOME/certs/x509/$FQDN.key"
-
-  SAN="$FQDN, $HOST, $IP, $SAN"
-
-  IFS=', ' read -r -a array <<< "$SAN"
-  for element in "${array[@]}"
-  do
-    SAN_ARRAY+=(--san "$element")
-  done
-
-  step ca certificate "$FQDN" "$CRT" "$KEY" \
-    --provisioner="$PROVISIONER" \
-    --provisioner-password-file="$PROVISIONER_PASSWORD" \
-    --not-after="$VALID_TO" \
-    "${SAN_ARRAY[@]}" \
-  || die "Failed to request certificate!"
-
-  echo -e "\n${BL}[Info]${GN} Inspect Certificate:${CL}\n"
-  step certificate inspect "${CRT}" || die "Failed to inspect certificate!"
-  echo -e "\n${BL}[Info]${GN} Public Key:${CL}\n"
-  cat "${CRT}"
-  echo -e "\n${BL}[Info]${GN} Private Key:${CL}\n"
-  cat "${KEY}"
-  echo
-  success "Finished."
-}
-
-set -eEuo pipefail
-# shellcheck disable=SC2034
-# shellcheck disable=SC2116
-# shellcheck disable=SC2028
-YW=$(echo "\033[33m")
-# shellcheck disable=SC2116
-# shellcheck disable=SC2028
-BL=$(echo "\033[36m")
-# shellcheck disable=SC2116
-# shellcheck disable=SC2028
-RD=$(echo "\033[01;31m")
-# shellcheck disable=SC2034
-CM='\xE2\x9C\x94\033'
-# shellcheck disable=SC2116
-# shellcheck disable=SC2028
-GN=$(echo "\033[1;92m")
-# shellcheck disable=SC2116
-# shellcheck disable=SC2028
-CL=$(echo "\033[m")
-
-# Telemetry
-# shellcheck disable=SC1090
-source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/api.func) 2>/dev/null || true
-declare -f init_tool_telemetry &>/dev/null && init_tool_telemetry "step-ca-admin" "step-ca"
-
-header_info
-
-mkdir --parents "$STEPHOME/db-copy/"
-mkdir --parents "$STEPHOME/certs/ca/_archive/"
-mkdir --parents "$STEPHOME/certs/ssh/_archive/"
-mkdir --parents "$STEPHOME/certs/x509/_archive/"
-
-PROVISIONER=$(jq '.authority.provisioners.[] | select(.type=="JWK") | .name' "$(step path)"/config/ca.json)
-PROVISIONER="${PROVISIONER#\"}"
-PROVISIONER="${PROVISIONER%\"}"
-PROVISIONER_PASSWORD=$(step path)/encryption/provisioner.pwd
-
-whiptail --backtitle "Proxmox VE Helper Scripts" --title "step-ca Admin" --yesno "This will maintain step-ca issued x509 and ssh Certificates. Proceed?" 10 58
-
-MENU_ARRAY=("x509" "Maintain x509 Certificates." "ON")
-MENU_ARRAY+=("ssh" "Maintain ssh Certificates." "OFF")
-CERT_TYPE=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step-ca Admin" --radiolist "\nSelect Certificate Type:" 16 48 6 "${MENU_ARRAY[@]}" 3>&1 1>&2 2>&3 | tr -d '"')
-
-[[ -z ${CERT_TYPE} ]] && die "No Certificate Type selected!"
-
-case ${CERT_TYPE} in
-("x509")
-  x509_list
-  CERT_LIST=$(echo "$CERT_LIST" | awk 'NR>1 {print $1 " " $2 "|" $3 "|" $4 "|" $5}')
-  if [[ $CERT_LIST ]]; then
-    whiptail_menu "$CERT_LIST"
-  else
-    MENU_ARRAY=()
-    MSG_MAX_LENGTH=2
-  fi
-  MENU_ARRAY+=("" "Create a new Certificate" "OFF")
-  CERT_SERIAL_NUMBERS=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "Certificates on $(hostname)" --checklist "\nSelect Certificate(s) to maintain:\n" 16 $((MSG_MAX_LENGTH + 55)) 6 "${MENU_ARRAY[@]}" 3>&1 1>&2 2>&3 | tr -d '"')
-
-  [[ -z ${CERT_SERIAL_NUMBERS} ]] && x509_request
-  
-  MENU_ARRAY=("Renew" "Renew x509 Certificates." "ON")
-  MENU_ARRAY+=("Revoke" "Revoke x509 Certificates." "OFF")
-  MENU_ARRAY+=("Inspect" "Inspect x509 Certificates." "OFF")
-  CERT_MAINTENANCE=$(whiptail --backtitle "Proxmox VE Helper Scripts" --title "step-ca Admin" --radiolist "\nSelect Maintenance Type:" 16 48 6 "${MENU_ARRAY[@]}" 3>&1 1>&2 2>&3 | tr -d '"')
-
-  case ${CERT_MAINTENANCE} in
-  ("Renew")
-    x509_renew "${CERT_SERIAL_NUMBERS[@]}"
-    ;;
-  ("Revoke")
-    x509_revoke "${CERT_SERIAL_NUMBERS[@]}"
-    ;;
-  ("Inspect")
-    x509_inspect "${CERT_SERIAL_NUMBERS[@]}"
-    ;;
-  *)
-    die "Unsupported CERT_MAINTENANCE Option!"
-    ;;
-  esac
-  ;;
-("ssh")
-  die "Maintain ssh Certificates - To be implemented in future"
-  ;;
-*)
-  die "Unsupported CERT_TYPE Option!"
-  ;;
-esac
-ADDON_EOF
-chmod 700 "$STEPHOME/step-ca-admin.sh"
-msg_ok "Installed step-ca Admin script"
-
 motd_ssh
 customize
 cleanup_lxc
@@ -0,0 +1,94 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk (CanbiZ)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://github.com/teableio/teable
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+msg_info "Installing Dependencies"
+$STD apt install -y \
+  build-essential \
+  python3 \
+  git
+msg_ok "Installed Dependencies"
+
+NODE_VERSION="24" NODE_MODULE="pnpm" setup_nodejs
+PG_VERSION="16" setup_postgresql
+PG_DB_NAME="teable" PG_DB_USER="teable" setup_postgresql_db
+
+fetch_and_deploy_gh_release "teable" "teableio/teable" "tarball"
+
+msg_info "Setting up Teable"
+cd /opt/teable
+TEABLE_VERSION=$(cat ~/.teable)
+echo "NEXT_PUBLIC_BUILD_VERSION=\"${TEABLE_VERSION}\"" >>apps/nextjs-app/.env
+export HUSKY=0
+export NODE_OPTIONS="--max-old-space-size=8192"
+$STD pnpm install --frozen-lockfile
+$STD pnpm -F @teable/db-main-prisma prisma-generate --schema ./prisma/postgres/schema.prisma
+msg_ok "Set up Teable"
+
+msg_info "Building Teable"
+NODE_ENV=production NEXT_BUILD_ENV_TYPECHECK=false \
+  $STD pnpm -r --filter '!playground' run build
+msg_ok "Built Teable"
+
+msg_info "Running Database Migrations"
+PRISMA_DATABASE_URL="postgresql://teable:${PG_DB_PASS}@localhost:5432/teable?schema=public" \
+  $STD pnpm -F @teable/db-main-prisma prisma-migrate deploy --schema ./prisma/postgres/schema.prisma
+msg_ok "Ran Database Migrations"
+
+msg_info "Configuring Teable"
+mkdir -p /opt/teable/.assets /opt/teable/.temporary
+SECRET_KEY=$(openssl rand -base64 32)
+cat <<EOF >/opt/teable/.env
+PRISMA_DATABASE_URL=postgresql://teable:${PG_DB_PASS}@localhost:5432/teable?schema=public&statement_cache_size=1
+PUBLIC_ORIGIN=http://${LOCAL_IP}:3000
+SECRET_KEY=${SECRET_KEY}
+PORT=3000
+NODE_ENV=production
+NEXT_TELEMETRY_DISABLED=1
+BACKEND_CACHE_PROVIDER=sqlite
+BACKEND_CACHE_SQLITE_URI=sqlite:///opt/teable/.assets/.cache.db
+NEXTJS_DIR=apps/nextjs-app
+EOF
+ln -sf /opt/teable /app
+rm -rf /opt/teable/static
+if [ -d "/opt/teable/apps/nestjs-backend/static/static" ]; then
+  ln -sf /opt/teable/apps/nestjs-backend/static/static /opt/teable/static
+else
+  ln -sf /opt/teable/apps/nestjs-backend/static /opt/teable/static
+fi
+msg_ok "Configured Teable"
+
+msg_info "Creating Service"
+cat <<EOF >/etc/systemd/system/teable.service
+[Unit]
+Description=Teable
+After=network.target postgresql.service
+
+[Service]
+Type=simple
+WorkingDirectory=/opt/teable
+EnvironmentFile=/opt/teable/.env
+ExecStart=/usr/bin/node apps/nestjs-backend/dist/index.js
+Restart=on-failure
+RestartSec=5
+
+[Install]
+WantedBy=multi-user.target
+EOF
+systemctl enable -q --now teable
+msg_ok "Created Service"
+
+motd_ssh
+customize
+cleanup_lxc
Author	SHA1	Message	Date
github-actions[bot]	a3e4980344	Update CHANGELOG.md	2026-05-01 21:07:47 +00:00
Joerg Heinemann	cf391086e5	Step ca update (#14058 ) * Patch for step-ca.sh Patch for making $STD happy (/usr/bin/step is a symlink to /usr/bin/step-cli) * Refactor step-ca installation script Refactor step-ca installation script to improve configuration and template handling. - Carve out step-ca-admin.sh - Patch for making $STD happy (/usr/bin/step is a symlink to /usr/bin/step-cli) - Define enhanced x509 CA and Certificate Templates - Configure CA Provisioners, DB and CRL settings - Generate Root CA Certificate and Key - Validity: 219168h (~25 Years) - maxPathLen: 1 (Root -> Intermediate -> Leaf) => Only one Intermediate CA allowed below Root CA - Active revocation on Intermediate CA and Leaf Certificates by the usage of build-in Certificate Revocation List (CRL) - Generate Intermediate CA Certificate Bundle and Key - Validity: 175368h (~20 Years) - maxPathLen: 0 (Root -> Intermediate -> Leaf) => Intermediate CA is only allowed to issue Leaf Certificates - Active revocation on Leaf Certificates by the usage of build-in Certificate Revocation List (CRL) - Bundle: Certificate Chain (including Root CA Certificate) * Update source URL in step-ca.sh script	2026-05-01 23:07:30 +02:00
community-scripts-pr-app[bot]	bc72ce83ce	Update CHANGELOG.md (#14167 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-05-01 20:48:14 +00:00
push-app-to-main[bot]	9eee1a7f95	SoulSync (#14124 ) * Add soulsync (ct) * Update pip install command to use requirements.txt * Update soulsync.sh --------- Co-authored-by: push-app-to-main[bot] <203845782+push-app-to-main[bot]@users.noreply.github.com> Co-authored-by: Slaviša Arežina <58952836+tremor021@users.noreply.github.com>	2026-05-01 22:47:49 +02:00
community-scripts-pr-app[bot]	ecd1e29df5	Update CHANGELOG.md (#14165 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-05-01 20:44:53 +00:00
push-app-to-main[bot]	b556b5f8c6	Teable (#14125 ) * Add teable (ct) * Apply suggestion from @tremor021 --------- Co-authored-by: push-app-to-main[bot] <203845782+push-app-to-main[bot]@users.noreply.github.com> Co-authored-by: Slaviša Arežina <58952836+tremor021@users.noreply.github.com>	2026-05-01 22:44:29 +02:00