Update CHANGELOG.md (#13642 )

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>
Update CHANGELOG.md (#13641 )
2026-04-10 11:36:27 -04:00 · 2026-04-10 09:29:59 +00:00 · 2026-04-10 09:29:45 +00:00 · 2026-04-10 11:29:31 +02:00 · 2026-04-10 09:29:19 +00:00 · 2026-04-10 11:28:52 +02:00
29 changed files with 213 additions and 47 deletions
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -439,6 +439,41 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit

 </details>

+## 2026-04-10
+
+### 🚀 Updated Scripts
+
+  - Immich: Pin version to 2.7.3 [@vhsdream](https://github.com/vhsdream) ([#13631](https://github.com/community-scripts/ProxmoxVE/pull/13631))
+
+  - #### ✨ New Features
+
+    - Homarr: bind Redis to localhost only [@MickLesk](https://github.com/MickLesk) ([#13552](https://github.com/community-scripts/ProxmoxVE/pull/13552))
+
+### 💾 Core
+
+  - #### 🐞 Bug Fixes
+
+    - tools.func: prevent script crash when entering GitHub token after rate limit [@MickLesk](https://github.com/MickLesk) ([#13638](https://github.com/community-scripts/ProxmoxVE/pull/13638))
+
+### 🧰 Tools
+
+  - #### 🔧 Refactor
+
+    - addons: Filebrowser & Filebrowser-Quantum get warning if host install [@MickLesk](https://github.com/MickLesk) ([#13639](https://github.com/community-scripts/ProxmoxVE/pull/13639))
+
+## 2026-04-09
+
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - boostack: add: git [@CrazyWolf13](https://github.com/CrazyWolf13) ([#13620](https://github.com/community-scripts/ProxmoxVE/pull/13620))
+
+  - #### ✨ New Features
+
+    - Update OPNsense version from 25.7 to 26.1 [@tdn131](https://github.com/tdn131) ([#13626](https://github.com/community-scripts/ProxmoxVE/pull/13626))
+    - CheckMK: Bump Default OS to 13 (trixie) + dynamic codename + fix RELEASE-Tag Fetching [@MickLesk](https://github.com/MickLesk) ([#13610](https://github.com/community-scripts/ProxmoxVE/pull/13610))
+
 ## 2026-04-08

 ### 🆕 New Scripts
--- a/ct/bookstack.sh
+++ b/ct/bookstack.sh
@@ -29,6 +29,7 @@ function update_script() {
    exit
  fi
  setup_mariadb
+  ensure_dependencies git
  if check_for_gh_release "bookstack" "BookStackApp/BookStack"; then
    msg_info "Stopping Apache2"
    systemctl stop apache2
--- a/ct/checkmk.sh
+++ b/ct/checkmk.sh
@@ -28,7 +28,7 @@ function update_script() {
    exit
  fi

-  RELEASE=$(curl -fsSL https://api.github.com/repos/checkmk/checkmk/tags?per_page=50 | jq -r '.[].name' | sed 's/^v//' | grep -Ev 'rc|b' | sort -V | tail -n 1)
+  RELEASE=$(curl -fsSL https://api.github.com/repos/checkmk/checkmk/tags | grep "name" | awk '{print substr($2, 3, length($2)-4) }' | tr ' ' '\n' | grep -Ev 'rc|b' | sort -V | tail -n 1)
  RELEASE="${RELEASE%%+*}"
  msg_info "Updating ${APP} to v${RELEASE}"
  $STD omd stop monitoring
--- a/ct/flaresolverr.sh
+++ b/ct/flaresolverr.sh
@@ -28,7 +28,7 @@ function update_script() {
    msg_error "No ${APP} Installation Found!"
    exit
  fi
-  if [[ "$(get_os_version_major)" == "12" ]]; then
+  if [[ $(grep -E '^VERSION_ID=' /etc/os-release) == *"12"* ]]; then
    msg_error "Wrong Debian version detected!"
    msg_error "You must upgrade your LXC to Debian Trixie before updating."
    exit
--- a/ct/homarr.sh
+++ b/ct/homarr.sh
@@ -65,6 +65,7 @@ EOF

    msg_info "Updating Homarr"
    cp /opt/homarr/redis.conf /etc/redis/redis.conf
+    grep -q '^bind 127.0.0.1 -::1$' /etc/redis/redis.conf || echo "bind 127.0.0.1 -::1" >> /etc/redis/redis.conf
    rm /etc/nginx/nginx.conf
    cp /opt/homarr/nginx.conf /etc/nginx/templates/nginx.conf
    msg_ok "Updated Homarr"
--- a/ct/immich.sh
+++ b/ct/immich.sh
@@ -109,7 +109,7 @@ EOF
    msg_ok "Image-processing libraries up to date"
  fi

-  RELEASE="v2.7.2"
+  RELEASE="v2.7.3"
  if check_for_gh_release "Immich" "immich-app/immich" "${RELEASE}" "each release is tested individually before the version is updated. Please do not open issues for this"; then
    if [[ $(cat ~/.immich) > "2.5.1" ]]; then
      msg_info "Enabling Maintenance Mode"
--- a/ct/inventree.sh
+++ b/ct/inventree.sh
@@ -29,7 +29,7 @@ function update_script() {
    exit
  fi

-  if [[ "$(get_os_info id)" != "ubuntu" ]]; then
+  if ! grep -qE "^ID=(ubuntu)$" /etc/os-release; then
    msg_error "Unsupported OS. InvenTree requires Ubuntu (20.04/22.04/24.04)."
    exit
  fi
--- a/ct/jellyfin.sh
+++ b/ct/jellyfin.sh
@@ -29,7 +29,7 @@ function update_script() {
    exit
  fi

-  if [[ "$(get_os_info id)" != "ubuntu" ]]; then
+  if ! grep -qEi 'ubuntu' /etc/os-release; then
    msg_info "Updating Intel Dependencies"
    rm -f ~/.intel-* || true
    fetch_and_deploy_gh_release "intel-igc-core-2" "intel/intel-graphics-compiler" "binary" "latest" "" "intel-igc-core-2_*_amd64.deb"
--- a/ct/nginxproxymanager.sh
+++ b/ct/nginxproxymanager.sh
@@ -55,7 +55,7 @@ function update_script() {
  fi

  local pcre_pkg="libpcre3-dev"
-  if [[ "$(get_os_version_major)" -ge 13 ]]; then
+  if grep -qE 'VERSION_ID="1[3-9]"' /etc/os-release 2>/dev/null; then
    pcre_pkg="libpcre2-dev"
  fi
  $STD apt install -y build-essential "$pcre_pkg" libssl-dev zlib1g-dev
--- a/ct/paperless-ngx.sh
+++ b/ct/paperless-ngx.sh
@@ -65,7 +65,8 @@ function update_script() {
      CLEAN_INSTALL=1 fetch_and_deploy_gh_release "paperless" "paperless-ngx/paperless-ngx" "prebuild" "latest" "/opt/paperless" "paperless*tar.xz"
      CLEAN_INSTALL=1 fetch_and_deploy_gh_release "jbig2enc" "ie13/jbig2enc" "tarball" "latest" "/opt/jbig2enc"

-      if [ "$(get_os_info codename)" = "bookworm" ]; then
+      . /etc/os-release
+      if [ "$VERSION_CODENAME" = "bookworm" ]; then
        setup_gs
      else
        ensure_dependencies ghostscript
@@ -139,7 +140,8 @@ function update_script() {
      CLEAN_INSTALL=1 fetch_and_deploy_gh_release "paperless" "paperless-ngx/paperless-ngx" "prebuild" "latest" "/opt/paperless" "paperless*tar.xz"
      CLEAN_INSTALL=1 fetch_and_deploy_gh_release "jbig2enc" "ie13/jbig2enc" "tarball" "latest" "/opt/jbig2enc"

-      if [ "$(get_os_info codename)" = "bookworm" ]; then
+      . /etc/os-release
+      if [ "$VERSION_CODENAME" = "bookworm" ]; then
        setup_gs
      else
        msg_info "Installing Ghostscript"
--- a/ct/photoprism.sh
+++ b/ct/photoprism.sh
@@ -42,7 +42,7 @@ function update_script() {

    fetch_and_deploy_gh_release "photoprism" "photoprism/photoprism" "prebuild" "latest" "/opt/photoprism" "*linux-amd64.tar.gz"

-    LIBHEIF_URL=$(curl -fsSL "https://dl.photoprism.app/dist/libheif/" | grep -oP "libheif-$(get_os_info codename)-amd64-v[0-9\.]+\.tar\.gz" | sort -V | tail -n 1)
+    LIBHEIF_URL=$(curl -fsSL "https://dl.photoprism.app/dist/libheif/" | grep -oP "libheif-bookworm-amd64-v[0-9\.]+\.tar\.gz" | sort -V | tail -n 1)
    if [[ "${LIBHEIF_URL}" != "$(cat ~/.photoprism_libheif 2>/dev/null)" ]] || [[ ! -f ~/.photoprism_libheif ]]; then
      msg_info "Updating PhotoPrism LibHeif"
      ensure_dependencies libvips42
--- a/ct/proxmox-datacenter-manager.sh
+++ b/ct/proxmox-datacenter-manager.sh
@@ -28,7 +28,7 @@ function update_script() {
    exit
  fi

-  if [[ "$(get_os_version_major)" == "12" ]] && [ -f /etc/apt/sources.list.d/proxmox-release-bookworm.list ] && [ -f /etc/apt/sources.list.d/pdm-test.list ]; then
+  if grep -q 'Debian GNU/Linux 12' /etc/os-release && [ -f /etc/apt/sources.list.d/proxmox-release-bookworm.list ] && [ -f /etc/apt/sources.list.d/pdm-test.list ]; then
    msg_info "Updating outdated outdated source formats"
    echo "deb [signed-by=/usr/share/keyrings/proxmox-archive-keyring.gpg] http://download.proxmox.com/debian/pdm bookworm pdm-test" >/etc/apt/sources.list.d/pdm-test.list
    curl -fsSL https://enterprise.proxmox.com/debian/proxmox-archive-keyring-trixie.gpg -o /usr/share/keyrings/proxmox-archive-keyring.gpg
@@ -37,16 +37,16 @@ function update_script() {
    msg_ok "Updated old sources"
  fi

-  if [[ "$(get_os_version_major)" == "13" ]]; then
+  if grep -q 'Debian GNU/Linux 13' /etc/os-release; then
    if [ -f "/etc/apt/sources.list.d/pdm-test.sources" ]; then
      if ! grep -qx "Enabled: false" "/etc/apt/sources.list.d/pdm-test.sources"; then
-        echo "Enabled: false" >>"/etc/apt/sources.list.d/pdm-test.sources"
-        setup_deb822_repo \
-          "pdm" \
-          "https://enterprise.proxmox.com/debian/proxmox-archive-keyring-trixie.gpg" \
-          "http://download.proxmox.com/debian/pdm" \
-          "trixie" \
-          "pdm-no-subscription"
+          echo "Enabled: false" >> "/etc/apt/sources.list.d/pdm-test.sources"
+          setup_deb822_repo \
+            "pdm" \
+            "https://enterprise.proxmox.com/debian/proxmox-archive-keyring-trixie.gpg" \
+            "http://download.proxmox.com/debian/pdm" \
+            "trixie" \
+            "pdm-no-subscription"
      fi
    fi
  fi
--- a/ct/zabbix.sh
+++ b/ct/zabbix.sh
@@ -29,8 +29,9 @@ function update_script() {
    exit
  fi

-  if [ "$(get_os_info codename)" != "trixie" ]; then
-    msg_error "Unsupported Debian version: $(get_os_info codename) – please upgrade to Debian 13 (Trixie) before updating Zabbix."
+  . /etc/os-release
+  if [ "$VERSION_CODENAME" != "trixie" ]; then
+    msg_error "Unsupported Debian version: $VERSION_CODENAME – please upgrade to Debian 13 (Trixie) before updating Zabbix."
    exit
  fi

--- a/install/bookstack-install.sh
+++ b/install/bookstack-install.sh
@@ -14,7 +14,9 @@ network_check
 update_os

 msg_info "Installing Dependencies"
-$STD apt install -y make
+$STD apt install -y \
+  make \
+  git
 msg_ok "Installed Dependencies"

 PHP_VERSION="8.3" PHP_APACHE="YES" PHP_FPM="YES" PHP_MODULE="ldap,tidy,mysqli" setup_php
--- a/install/checkmk-install.sh
+++ b/install/checkmk-install.sh
@@ -14,7 +14,7 @@ network_check
 update_os

 msg_info "Install Checkmk"
-RELEASE=$(curl -fsSL https://api.github.com/repos/checkmk/checkmk/tags?per_page=50 | jq -r '.[].name' | sed 's/^v//' | grep -Ev 'rc|b' | sort -V | tail -n 1)
+RELEASE=$(curl -fsSL https://api.github.com/repos/checkmk/checkmk/tags | grep "name" | awk '{print substr($2, 3, length($2)-4) }' | tr ' ' '\n' | grep -Ev 'rc|b' | sort -V | tail -n 1)
 RELEASE="${RELEASE%%+*}"
 curl -fsSL "https://download.checkmk.com/checkmk/${RELEASE}/check-mk-raw-${RELEASE}_0.$(get_os_info codename)_amd64.deb" -o "/opt/checkmk.deb"
 $STD apt-get install -y /opt/checkmk.deb
--- a/install/cockpit-install.sh
+++ b/install/cockpit-install.sh
@@ -15,25 +15,26 @@ network_check
 update_os

 msg_info "Installing Cockpit"
+source /etc/os-release
 cat <<EOF >/etc/apt/sources.list.d/debian-backports.sources
 Types: deb deb-src
 URIs: http://deb.debian.org/debian
-Suites: $(get_os_info codename)-backports
+Suites: ${VERSION_CODENAME}-backports
 Components: main
 Enabled: yes
 Signed-By: /usr/share/keyrings/debian-archive-keyring.gpg
 EOF

 $STD apt update
-$STD apt install -t $(get_os_info codename)-backports cockpit cracklib-runtime --no-install-recommends -y
+$STD apt install -t ${VERSION_CODENAME}-backports cockpit cracklib-runtime --no-install-recommends -y
 sed -i "s/root//g" /etc/cockpit/disallowed-users
 msg_ok "Installed Cockpit"

 read -r -p "Would you like to install 45Drives' cockpit-file-sharing, cockpit-identities, and cockpit-navigator  <y/N> " prompt
 if [[ "${prompt,,}" =~ ^(y|yes)$ ]]; then
  install_45drives=true
-  if [[ "$(get_os_version_major)" -ge 13 ]]; then
-    read -r -p "Debian $(get_os_version_major) is not officially supported by 45Drives yet, would you like to continue anyway? <y/N> " prompt
+  if [[ "${VERSION_ID}" -ge 13 ]]; then
+    read -r -p "Debian ${VERSION_ID} is not officially supported by 45Drives yet, would you like to continue anyway? <y/N> " prompt
    if [[ ! "${prompt,,}" =~ ^(y|yes)$ ]]; then
      install_45drives=false
    fi
--- a/install/frigate-install.sh
+++ b/install/frigate-install.sh
@@ -13,7 +13,8 @@ setting_up_container
 network_check
 update_os

-if [[ "$(get_os_version_major)" != "12" ]]; then
+source /etc/os-release
+if [[ "$VERSION_ID" != "12" ]]; then
  msg_error "Frigate requires Debian 12 (Bookworm) due to Python 3.11 dependencies"
  exit 238
 fi
--- a/install/homarr-install.sh
+++ b/install/homarr-install.sh
@@ -47,6 +47,7 @@ mkdir -p /appdata/redis
 chown -R redis:redis /appdata/redis
 chmod 744 /appdata/redis
 cp /opt/homarr/redis.conf /etc/redis/redis.conf
+grep -q '^bind 127.0.0.1 -::1$' /etc/redis/redis.conf || echo "bind 127.0.0.1 -::1" >>/etc/redis/redis.conf
 rm /etc/nginx/nginx.conf
 mkdir -p /etc/nginx/templates
 cp /opt/homarr/nginx.conf /etc/nginx/templates/nginx.conf
@@ -80,7 +81,7 @@ chmod +x /opt/homarr/run.sh
 systemctl daemon-reload
 systemctl enable -q --now redis-server
 systemctl enable -q --now homarr
-systemctl disable -q --now nginx 
+systemctl disable -q --now nginx
 msg_ok "Created Services"

 motd_ssh
--- a/install/immich-install.sh
+++ b/install/immich-install.sh
@@ -295,7 +295,7 @@ ML_DIR="${APP_DIR}/machine-learning"
 GEO_DIR="${INSTALL_DIR}/geodata"
 mkdir -p {"${APP_DIR}","${UPLOAD_DIR}","${GEO_DIR}","${INSTALL_DIR}"/cache}

-fetch_and_deploy_gh_release "Immich" "immich-app/immich" "tarball" "v2.7.2" "$SRC_DIR"
+fetch_and_deploy_gh_release "Immich" "immich-app/immich" "tarball" "v2.7.3" "$SRC_DIR"
 PNPM_VERSION="$(jq -r '.packageManager | split("@")[1] | split("+")[0]' ${SRC_DIR}/package.json)"
 NODE_VERSION="24" NODE_MODULE="pnpm@${PNPM_VERSION}" setup_nodejs

--- a/install/lldap-install.sh
+++ b/install/lldap-install.sh
@@ -15,17 +15,17 @@ network_check
 update_os

 msg_info "Installing lldap"
-OS_ID=$(get_os_info id)
-OS_VERSION=$(get_os_info version)
-if [ "$OS_ID" == "ubuntu" ]; then
+source /etc/os-release
+os=$ID
+if [ "$os" == "ubuntu" ]; then
  DISTRO="xUbuntu"
 else
-  DISTRO="${OS_ID^}"
+  DISTRO="${os^}"
 fi
-curl -fsSL https://download.opensuse.org/repositories/home:Masgalor:LLDAP/${DISTRO}_${OS_VERSION}/Release.key | gpg --dearmor >/usr/share/keyrings/home_Masgalor_LLDAP.gpg
+curl -fsSL https://download.opensuse.org/repositories/home:Masgalor:LLDAP/${DISTRO}_${VERSION_ID}/Release.key | gpg --dearmor >/usr/share/keyrings/home_Masgalor_LLDAP.gpg
 cat <<EOF >/etc/apt/sources.list.d/home:Masgalor:LLDAP.sources
 Types: deb
-URIs: http://download.opensuse.org/repositories/home:/Masgalor:/LLDAP/${DISTRO}_${OS_VERSION}/
+URIs: http://download.opensuse.org/repositories/home:/Masgalor:/LLDAP/${DISTRO}_${VERSION_ID}/
 Suites: /
 Signed-By: /usr/share/keyrings/home_Masgalor_LLDAP.gpg
 EOF
--- a/install/mqtt-install.sh
+++ b/install/mqtt-install.sh
@@ -14,6 +14,7 @@ network_check
 update_os

 msg_info "Installing Mosquitto MQTT Broker"
+source /etc/os-release
 $STD apt update
 $STD apt -y install mosquitto mosquitto-clients

--- a/install/pangolin-install.sh
+++ b/install/pangolin-install.sh
@@ -182,7 +182,8 @@ http:
 EOF
 $STD npm run db:push

-if [ "$(get_os_info codename)" = "trixie" ]; then
+. /etc/os-release
+if [ "$VERSION_CODENAME" = "trixie" ]; then
  echo "net.ipv4.ip_forward=1" >>/etc/sysctl.d/sysctl.conf
  $STD sysctl -p /etc/sysctl.d/sysctl.conf
 else
--- a/install/photoprism-install.sh
+++ b/install/photoprism-install.sh
@@ -40,7 +40,7 @@ msg_info "Installing PhotoPrism (Patience)"
 mkdir -p /opt/photoprism/{cache,config,photos,storage,temp}
 mkdir -p /opt/photoprism/photos/{originals,import}
 mkdir -p /opt/photoprism_backups
-LIBHEIF_URL=$(curl -fsSL "https://dl.photoprism.app/dist/libheif/" | grep -oP "libheif-$(get_os_info codename)-amd64-v[0-9\.]+\.tar\.gz" | sort -V | tail -n 1)
+LIBHEIF_URL=$(curl -fsSL "https://dl.photoprism.app/dist/libheif/" | grep -oP "libheif-bookworm-amd64-v[0-9\.]+\.tar\.gz" | sort -V | tail -n 1)
 curl -fsSL "https://dl.photoprism.app/dist/libheif/$LIBHEIF_URL" -o /tmp/libheif.tar.gz
 tar -xzf /tmp/libheif.tar.gz -C /usr/local
 ldconfig
--- a/install/wireguard-install.sh
+++ b/install/wireguard-install.sh
@@ -31,7 +31,8 @@ if [[ "${prompt,,}" =~ ^(y|yes)$ ]]; then
  cd /etc/wgdashboard/src
  chmod u+x wgd.sh
  $STD ./wgd.sh install
-  if [ "$(get_os_info codename)" = "trixie" ]; then
+  . /etc/os-release
+  if [ "$VERSION_CODENAME" = "trixie" ]; then
    echo "net.ipv4.ip_forward=1" >>/etc/sysctl.d/sysctl.conf
    $STD sysctl -p /etc/sysctl.d/sysctl.conf
  else
--- a/misc/build.func
+++ b/misc/build.func
@@ -1054,7 +1054,7 @@ load_vars_file() {

  # Allowed var_* keys
  local VAR_WHITELIST=(
-    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_gpu var_keyctl
+    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_github_token var_gpu var_keyctl
    var_gateway var_hostname var_ipv6_method var_mac var_mknod var_mount_fs var_mtu
    var_net var_nesting var_ns var_os var_protection var_pw var_ram var_tags var_timezone var_tun var_unprivileged
    var_verbose var_version var_vlan var_ssh var_ssh_authorized_key var_container_storage var_template_storage var_searchdomain
@@ -1255,7 +1255,7 @@ default_var_settings() {
  # Allowed var_* keys (alphabetically sorted)
  # Note: Removed var_ctid (can only exist once), var_ipv6_static (static IPs are unique)
  local VAR_WHITELIST=(
-    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_gpu var_keyctl
+    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_github_token var_gpu var_keyctl
    var_gateway var_hostname var_ipv6_method var_mac var_mknod var_mount_fs var_mtu
    var_net var_nesting var_ns var_os var_protection var_pw var_ram var_tags var_timezone var_tun var_unprivileged
    var_verbose var_version var_vlan var_ssh var_ssh_authorized_key var_container_storage var_template_storage
@@ -1350,6 +1350,10 @@ var_verbose=no

 # Security (root PW) – empty => autologin
 # var_pw=
+
+# GitHub Personal Access Token (optional – avoids API rate limits during installs)
+# Create at https://github.com/settings/tokens – read-only public access is sufficient
+# var_github_token=ghp_your_token_here
 EOF

    # Now choose storages (always prompt unless just one exists)
@@ -1387,6 +1391,11 @@ EOF
    VERBOSE="no"
  fi

+  # 4) Map var_github_token → GITHUB_TOKEN (only if not already set in environment)
+  if [[ -z "${GITHUB_TOKEN:-}" && -n "${var_github_token:-}" ]]; then
+    export GITHUB_TOKEN="${var_github_token}"
+  fi
+
  # 4) Apply base settings and show summary
  METHOD="mydefaults-global"
  base_settings "$VERBOSE"
@@ -1419,7 +1428,7 @@ get_app_defaults_path() {
 if ! declare -p VAR_WHITELIST >/dev/null 2>&1; then
  # Note: Removed var_ctid (can only exist once), var_ipv6_static (static IPs are unique)
  declare -ag VAR_WHITELIST=(
-    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_gpu
+    var_apt_cacher var_apt_cacher_ip var_brg var_cpu var_disk var_fuse var_github_token var_gpu
    var_gateway var_hostname var_ipv6_method var_mac var_mtu
    var_net var_ns var_os var_pw var_ram var_tags var_tun var_unprivileged
    var_verbose var_version var_vlan var_ssh var_ssh_authorized_key var_container_storage var_template_storage
--- a/misc/tools.func
+++ b/misc/tools.func
@@ -1117,15 +1117,87 @@ is_package_installed() {
  fi
 }

+# ------------------------------------------------------------------------------
+# validate_github_token()
+# Checks a GitHub token via the /user endpoint.
+# Prints a status message and returns:
+#   0 - token is valid
+#   1 - token is invalid / expired (HTTP 401)
+#   2 - token has no public repo scope (HTTP 200 but missing scope)
+#   3 - network/API error
+# Also reports expiry date if the token carries an x-oauth-expiry header.
+# ------------------------------------------------------------------------------
+validate_github_token() {
+  local token="${1:-${GITHUB_TOKEN:-}}"
+  [[ -z "$token" ]] && return 3
+
+  local response headers http_code expiry_date scopes
+  headers=$(mktemp)
+  response=$(curl -sSL -w "%{http_code}" \
+    -D "$headers" \
+    -o /dev/null \
+    -H "Authorization: Bearer $token" \
+    -H "Accept: application/vnd.github+json" \
+    -H "X-GitHub-Api-Version: 2022-11-28" \
+    "https://api.github.com/user" 2>/dev/null) || { rm -f "$headers"; return 3; }
+  http_code="$response"
+
+  # Read expiry header (fine-grained PATs carry this)
+  expiry_date=$(grep -i '^github-authentication-token-expiration:' "$headers" \
+    | sed 's/.*: *//' | tr -d '\r\n' || true)
+  # Read token scopes (classic PATs)
+  scopes=$(grep -i '^x-oauth-scopes:' "$headers" \
+    | sed 's/.*: *//' | tr -d '\r\n' || true)
+  rm -f "$headers"
+
+  case "$http_code" in
+    200)
+      if [[ -n "$expiry_date" ]]; then
+        msg_ok "GitHub token is valid (expires: $expiry_date)."
+      else
+        msg_ok "GitHub token is valid (no expiry / fine-grained PAT)."
+      fi
+      # Warn if classic PAT has no public_repo scope
+      if [[ -n "$scopes" && "$scopes" != *"public_repo"* && "$scopes" != *"repo"* ]]; then
+        msg_warn "Token has no 'public_repo' scope - private repos and some release APIs may fail."
+        return 2
+      fi
+      return 0
+      ;;
+    401)
+      msg_error "GitHub token is invalid or expired (HTTP 401)."
+      return 1
+      ;;
+    *)
+      msg_warn "GitHub token validation returned HTTP $http_code - treating as valid."
+      return 0
+      ;;
+  esac
+}
+
 # ------------------------------------------------------------------------------
 # Prompt user to enter a GitHub Personal Access Token (PAT) interactively
 # Returns 0 if a valid token was provided, 1 otherwise
 # ------------------------------------------------------------------------------
 prompt_for_github_token() {
  if [[ ! -t 0 ]]; then
+    # Non-interactive: pick up var_github_token if set (from default.vars / app.vars / env)
+    if [[ -z "${GITHUB_TOKEN:-}" && -n "${var_github_token:-}" ]]; then
+      export GITHUB_TOKEN="${var_github_token}"
+      msg_ok "GitHub token loaded from var_github_token."
+      return 0
+    fi
    return 1
  fi

+  # Prefer var_github_token when already set and no interactive override needed
+  if [[ -z "${GITHUB_TOKEN:-}" && -n "${var_github_token:-}" ]]; then
+    export GITHUB_TOKEN="${var_github_token}"
+    msg_ok "GitHub token loaded from var_github_token."
+    validate_github_token || true
+    return 0
+  fi
+
  local reply
  read -rp "${TAB}Would you like to enter a GitHub Personal Access Token (PAT)? [y/N]: " reply
  reply="${reply:-n}"
@@ -1147,10 +1219,16 @@ prompt_for_github_token() {
      msg_warn "Token must not contain spaces. Please try again."
      continue
    fi
-    break
+    # Validate before accepting
+    export GITHUB_TOKEN="$token"
+    if validate_github_token "$token"; then
+      break
+    else
+      msg_warn "Please enter a valid token, or press Ctrl+C to abort."
+      unset GITHUB_TOKEN
+    fi
  done

-  export GITHUB_TOKEN="$token"
  msg_ok "GitHub token has been set."
  return 0
 }
@@ -2860,7 +2938,7 @@ function fetch_and_deploy_codeberg_release() {

  while ((attempt < ${#api_timeouts[@]})); do
    resp=$(curl --connect-timeout 10 --max-time "${api_timeouts[$attempt]}" -fsSL -w "%{http_code}" -o /tmp/codeberg_rel.json "$api_url") && success=true && break
-    ((attempt++))
+    attempt=$((attempt + 1))
    if ((attempt < ${#api_timeouts[@]})); then
      msg_warn "API request timed out after ${api_timeouts[$((attempt - 1))]}s, retrying... (attempt $((attempt + 1))/${#api_timeouts[@]})"
    fi
@@ -3370,7 +3448,8 @@ function fetch_and_deploy_gh_release() {
        if prompt_for_github_token; then
          header=(-H "Authorization: token $GITHUB_TOKEN")
          retry_delay=2
-          attempt=0
+          attempt=1
+          continue
        fi
      fi
    else
--- a/tools/addon/filebrowser-quantum.sh
+++ b/tools/addon/filebrowser-quantum.sh
@@ -43,6 +43,21 @@ IP=$(ip -4 addr show "$IFACE" | awk '/inet / {print $2}' | cut -d/ -f1 | head -n
 [[ -z "$IP" ]] && IP=$(hostname -I | awk '{print $1}')
 [[ -z "$IP" ]] && IP="127.0.0.1"

+# Proxmox Host Warning
+if [[ -d "/etc/pve" ]]; then
+  echo -e "${RD}⚠️  Warning: Running this addon directly on the Proxmox host is not recommended!${CL}"
+  echo -e "${YW}   Only the boot disk will be visible — passthrough drives will not be indexed.${CL}"
+  echo -e "${YW}   This causes incorrect disk usage stats and incomplete file browsing.${CL}"
+  echo -e "${YW}   Run this addon inside an LXC or VM instead and mount your drives there.${CL}"
+  echo ""
+  echo -n "Continue anyway on the Proxmox host? (y/N): "
+  read -r host_confirm
+  if [[ ! "${host_confirm,,}" =~ ^(y|yes)$ ]]; then
+    echo -e "${YW}Aborted.${CL}"
+    exit 0
+  fi
+fi
+
 # OS Detection
 if [[ -f "/etc/alpine-release" ]]; then
  OS="Alpine"
--- a/tools/addon/filebrowser.sh
+++ b/tools/addon/filebrowser.sh
@@ -41,6 +41,21 @@ IP=$(ip -4 addr show "$IFACE" | awk '/inet / {print $2}' | cut -d/ -f1 | head -n
 [[ -z "$IP" ]] && IP=$(hostname -I | awk '{print $1}')
 [[ -z "$IP" ]] && IP="127.0.0.1"

+# Proxmox Host Warning
+if [[ -d "/etc/pve" ]]; then
+  echo -e "${RD}⚠️  Warning: Running this addon directly on the Proxmox host is not recommended!${CL}"
+  echo -e "${YW}   Only the boot disk will be visible — passthrough drives will not be indexed.${CL}"
+  echo -e "${YW}   This causes incorrect disk usage stats and incomplete file browsing.${CL}"
+  echo -e "${YW}   Run this addon inside an LXC or VM instead and mount your drives there.${CL}"
+  echo ""
+  echo -n "Continue anyway on the Proxmox host? (y/N): "
+  read -r host_confirm
+  if [[ ! "${host_confirm,,}" =~ ^(y|yes)$ ]]; then
+    echo -e "${YW}Aborted.${CL}"
+    exit 0
+  fi
+fi
+
 # Detect OS
 if [[ -f "/etc/alpine-release" ]]; then
  OS="Alpine"
--- a/vm/opnsense-vm.sh
+++ b/vm/opnsense-vm.sh
@@ -24,7 +24,7 @@ RANDOM_UUID="$(cat /proc/sys/kernel/random/uuid)"
 METHOD=""
 NSAPP="opnsense-vm"
 var_os="opnsense"
-var_version="25.7"
+var_version="26.1"
 #
 GEN_MAC=02:$(openssl rand -hex 5 | awk '{print toupper($0)}' | sed 's/\(..\)/\1:/g; s/.$//')
 GEN_MAC_LAN=02:$(openssl rand -hex 5 | awk '{print toupper($0)}' | sed 's/\(..\)/\1:/g; s/.$//')
@@ -797,7 +797,7 @@ if [ -n "$WAN_BRG" ]; then
  msg_ok "WAN interface added"
  sleep 5 # Brief pause after adding network interface
 fi
-send_line_to_vm "sh ./opnsense-bootstrap.sh.in -y -f -r 25.7"
+send_line_to_vm "sh ./opnsense-bootstrap.sh.in -y -f -r 26.1"
 msg_ok "OPNsense VM is being installed, do not close the terminal, or the installation will fail."
 #We need to wait for the OPNsense build proccess to finish, this takes a few minutes
 sleep 1000
Author	SHA1	Message	Date
community-scripts-pr-app[bot]	ba876c7495	Update CHANGELOG.md (#13642 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-04-10 09:29:59 +00:00
community-scripts-pr-app[bot]	0d2d1f46f5	Update CHANGELOG.md (#13641 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-04-10 09:29:45 +00:00
CanbiZ (MickLesk)	5e865278e9	addons: Filebrowser & Filebrowser-Quantum get warning if host install (#13639 ) * fix(filebrowser-quantum): warn when addon is run directly on Proxmox host Detect /etc/pve and show a clear warning with link to the recommended LXC installer. User must explicitly confirm to continue on the host, addressing the size calculation and indexing issues reported in gtsteffaniak/filebrowser#1893. Closes #13636 * fix(filebrowser): improve host warning text and add to filebrowser addon - Clarify that passthrough drives are not visible on the Proxmox host - Mention incorrect disk usage stats and incomplete file browsing - Add same warning to filebrowser (non-quantum) addon which also serves from / - Reduce verbosity, remove redundant phrasing * fix(filebrowser): fix misleading host warning wording Remove reference to a non-existent dedicated LXC installer. The addons should simply be run inside an LXC or VM instead.	2026-04-10 11:29:31 +02:00
community-scripts-pr-app[bot]	a18642a8f8	Update CHANGELOG.md (#13640 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-04-10 09:29:19 +00:00
CanbiZ (MickLesk)	9a82ec48b2	tools.func: prevent script crash when entering GitHub token after rate limit (#13638 ) * fix(tools): prevent script crash when entering GitHub token after rate limit fetch_and_deploy_gh_release set attempt=0 after accepting a token, then immediately ran ((0++)) which evaluates to 0 (falsy) causing exit code 1 and killing the script under set -e. Fix: set attempt=1 and continue to restart the retry loop cleanly, giving the full max_retries budget with the new token. Also fix fetch_and_deploy_codeberg_release: replace ((attempt++)) with attempt=\ to avoid the same zero-evaluation crash on the first connection timeout (attempt starts at 0 in that loop). Fixes #13635 * feat(tools): add var_github_token support with token validation - Add var_github_token to all VAR_WHITELIST arrays in build.func so the token can be set via default.vars, app.vars, or environment variable - Map var_github_token -> GITHUB_TOKEN in default_var_settings() (env variable takes precedence over the var file value) - Add commented var_github_token example to the default.vars template - Add validate_github_token() to tools.func: * Calls GET /user to verify the token is accepted * Reports expiry date from x-oauth-expiry header (fine-grained PATs) * Warns when classic PAT is missing public_repo scope * Returns distinct exit codes: 0=valid, 1=invalid/expired, 2=no scope, 3=error - Update prompt_for_github_token(): * Non-interactive path now picks up var_github_token automatically * Interactive path also picks up var_github_token without prompting * Validates token immediately after entry; loops until valid or Ctrl+C	2026-04-10 11:28:52 +02:00
community-scripts-pr-app[bot]	f2d46dd8c8	Update CHANGELOG.md (#13637 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-04-10 08:03:50 +00:00
CanbiZ (MickLesk)	2707295eba	Homarr: bind Redis to localhost only (#13552 ) * Homarr: bind Redis to localhost only * fix(homarr): make Redis bind directive idempotent Replace unconditional append with grep guard to prevent duplicate 'bind 127.0.0.1 -::1' entries on repeated updates. * Fix whitespace in homarr install script Clean up minor whitespace issues in install/homarr-install.sh: remove an extra space before the here-path in the Redis config append (>>/etc/redis/redis.conf) and strip a trailing space after the nginx service name in the systemctl disable call. These are whitespace-only edits to keep the script tidy and avoid passing unintended whitespace to commands.	2026-04-10 10:03:22 +02:00
community-scripts-pr-app[bot]	82cc074b05	Update CHANGELOG.md (#13633 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-04-10 05:20:42 +00:00
Chris	6b224ac649	Immich: Pin version to 2.7.3 (#13631 )	2026-04-10 07:20:17 +02:00
community-scripts-pr-app[bot]	a69f9955f4	Update CHANGELOG.md (#13628 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-04-09 19:45:36 +00:00
tdn131	7d19269122	Update OPNsense version from 25.7 to 26.1 (#13626 )	2026-04-09 21:45:07 +02:00
community-scripts-pr-app[bot]	498d37ae3a	Update CHANGELOG.md (#13622 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-04-09 14:44:55 +00:00
Tobias	703ad0ecb7	boostack: add: git (#13620 ) * boostack: add: git * bookstack: add: git	2026-04-09 16:44:11 +02:00
community-scripts-pr-app[bot]	ae6cf7666e	Update CHANGELOG.md (#13613 ) Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>	2026-04-09 08:53:01 +00:00
CanbiZ (MickLesk)	2c2beab3ce	checkmk: default v13 + dynamic codename (#13610 )	2026-04-09 10:52:36 +02:00