feat: private/custom git repos - GitHub, GitLab, Bitbucket, custom

- Add repository URL validation for GitHub, GitLab, Bitbucket, and custom hosts - Add git provider layer (listDirectory, downloadRawFile) for all providers - Wire githubJsonService and scriptDownloader to use provider; sync/download from any supported source - Update GeneralSettingsModal placeholder and help text; .env.example and env schema for GITLAB_TOKEN, BITBUCKET_APP_PASSWORD Closes #406
Merge pull request #471 from community-scripts/feat/419
2026-01-29 13:08:28 +01:00 · 2026-01-29 11:37:51 +01:00 · 2026-01-29 11:32:23 +01:00 · 2026-01-29 11:25:33 +01:00 · 2026-01-29 11:22:43 +01:00 · 2026-01-29 11:20:28 +01:00
49 changed files with 6874 additions and 1574 deletions
--- a/.env.example
+++ b/.env.example
@@ -18,7 +18,12 @@ ALLOWED_SCRIPT_PATHS="scripts/"
 WEBSOCKET_PORT="3001"

 # User settings
+# Optional tokens for private repos: GITHUB_TOKEN (GitHub), GITLAB_TOKEN (GitLab),
+# BITBUCKET_APP_PASSWORD or BITBUCKET_TOKEN (Bitbucket). REPO_URL and added repos
+# can be GitHub, GitLab, Bitbucket, or custom Git servers.
 GITHUB_TOKEN=
+GITLAB_TOKEN=
+BITBUCKET_APP_PASSWORD=
 SAVE_FILTER=false
 FILTERS=
 AUTH_USERNAME=
--- a/.github/pull_request_template.md
+++ b/.github/pull_request_template.md
@@ -4,7 +4,7 @@


 ## 🔗 Related PR / Issue  
-Link: #
+Fixes: #


 ## ✅ Prerequisites  (**X** in brackets) 
--- a/README.md
+++ b/README.md
@@ -100,7 +100,7 @@ apt install -y nodejs
 ```bash
 # Clone the repository
 git clone https://github.com/community-scripts/ProxmoxVE-Local.git /opt/PVESciptslocal
-cd PVESciptslocal
+cd /opt/PVESciptslocal

 # Install dependencies and build
 npm install
--- a/2
+++ b/2
@@ -1 +1 @@
-0.5.1
+0.5.5
--- a/package-lock.json
+++ b/package-lock.json
--- a/package.json
+++ b/package.json
@@ -25,35 +25,35 @@
    "typecheck": "tsc --noEmit"
  },
  "dependencies": {
-    "@prisma/adapter-better-sqlite3": "^7.0.1",
-    "@prisma/client": "^7.0.1",
+    "@prisma/adapter-better-sqlite3": "^7.2.0",
+    "@prisma/client": "^7.2.0",
    "@radix-ui/react-dropdown-menu": "^2.1.16",
    "@radix-ui/react-slot": "^1.2.4",
-    "@t3-oss/env-nextjs": "^0.13.8",
+    "@t3-oss/env-nextjs": "^0.13.10",
    "@tailwindcss/typography": "^0.5.19",
-    "@tanstack/react-query": "^5.90.11",
-    "@trpc/client": "^11.7.2",
-    "@trpc/react-query": "^11.7.2",
-    "@trpc/server": "^11.7.2",
+    "@tanstack/react-query": "^5.90.18",
+    "@trpc/client": "^11.8.1",
+    "@trpc/react-query": "^11.8.1",
+    "@trpc/server": "^11.8.1",
    "@types/react-syntax-highlighter": "^15.5.13",
    "@types/ws": "^8.18.1",
-    "@xterm/addon-fit": "^0.10.0",
-    "@xterm/addon-web-links": "^0.11.0",
-    "@xterm/xterm": "^5.5.0",
+    "@xterm/addon-fit": "^0.11.0",
+    "@xterm/addon-web-links": "^0.12.0",
+    "@xterm/xterm": "^6.0.0",
    "axios": "^1.13.2",
    "bcryptjs": "^3.0.3",
-    "better-sqlite3": "^12.5.0",
+    "better-sqlite3": "^12.6.0",
    "class-variance-authority": "^0.7.1",
    "clsx": "^2.1.1",
    "cron-validator": "^1.4.0",
    "dotenv": "^17.2.3",
-    "jsonwebtoken": "^9.0.2",
-    "lucide-react": "^0.555.0",
-    "next": "^16.0.6",
+    "jsonwebtoken": "^9.0.3",
+    "lucide-react": "^0.562.0",
+    "next": "^16.1.3",
    "node-cron": "^4.2.1",
-    "node-pty": "^1.0.0",
-    "react": "^19.2.0",
-    "react-dom": "^19.2.0",
+    "node-pty": "^1.1.0",
+    "react": "^19.2.3",
+    "react-dom": "^19.2.3",
    "react-markdown": "^10.1.0",
    "react-syntax-highlighter": "^16.1.0",
    "refractor": "^5.0.0",
@@ -62,37 +62,37 @@
    "strip-ansi": "^7.1.2",
    "superjson": "^2.2.6",
    "tailwind-merge": "^3.4.0",
-    "ws": "^8.18.3",
-    "zod": "^4.1.13"
+    "ws": "^8.19.0",
+    "zod": "^4.3.5"
  },
  "devDependencies": {
-    "@tailwindcss/postcss": "^4.1.17",
+    "@tailwindcss/postcss": "^4.1.18",
    "@testing-library/jest-dom": "^6.9.1",
-    "@testing-library/react": "^16.3.0",
+    "@testing-library/react": "^16.3.1",
    "@testing-library/user-event": "^14.6.1",
    "@types/bcryptjs": "^3.0.0",
    "@types/better-sqlite3": "^7.6.13",
    "@types/jsonwebtoken": "^9.0.10",
-    "@types/node": "^24.10.1",
+    "@types/node": "^24.10.9",
    "@types/node-cron": "^3.0.11",
-    "@types/react": "^19.2.7",
+    "@types/react": "^19.2.8",
    "@types/react-dom": "^19.2.3",
-    "@vitejs/plugin-react": "^5.1.1",
-    "@vitest/coverage-v8": "^4.0.15",
-    "@vitest/ui": "^4.0.14",
-    "baseline-browser-mapping": "^2.8.32",
-    "eslint": "^9.39.1",
-    "eslint-config-next": "^16.0.6",
-    "jsdom": "^27.2.0",
+    "@vitejs/plugin-react": "^5.1.2",
+    "@vitest/coverage-v8": "^4.0.17",
+    "@vitest/ui": "^4.0.17",
+    "baseline-browser-mapping": "^2.9.15",
+    "eslint": "^9.39.2",
+    "eslint-config-next": "^16.1.3",
+    "jsdom": "^27.4.0",
    "postcss": "^8.5.6",
-    "prettier": "^3.7.3",
+    "prettier": "^3.8.0",
    "prettier-plugin-tailwindcss": "^0.7.2",
-    "prisma": "^7.0.1",
-    "tailwindcss": "^4.1.17",
+    "prisma": "^7.2.0",
+    "tailwindcss": "^4.1.18",
    "tsx": "^4.21.0",
    "typescript": "^5.9.3",
-    "typescript-eslint": "^8.48.1",
-    "vitest": "^4.0.14"
+    "typescript-eslint": "^8.53.0",
+    "vitest": "^4.0.17"
  },
  "ct3aMetadata": {
    "initVersion": "7.39.3"
@@ -104,4 +104,4 @@
  "overrides": {
    "prismjs": "^1.30.0"
  }
-}
+}
--- a/scripts/core/alpine-install.func
+++ b/scripts/core/alpine-install.func
@@ -1,4 +1,4 @@
-# Copyright (c) 2021-2025 community-scripts ORG
+# Copyright (c) 2021-2026 community-scripts ORG
 # Author: tteck (tteckster)
 # Co-Author: MickLesk
 # License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
@@ -11,6 +11,9 @@ source "$(dirname "${BASH_SOURCE[0]}")/error-handler.func"
 load_functions
 catch_errors

+# Get LXC IP address (must be called INSIDE container, after network is up)
+get_lxc_ip
+
 # This function enables IPv6 if it's not disabled and sets verbose mode
 verb_ip6() {
  set_std_mode # Set STD mode based on VERBOSE
@@ -125,22 +128,13 @@ update_os() {
 # This function modifies the message of the day (motd) and SSH settings
 motd_ssh() {
  echo "export TERM='xterm-256color'" >>/root/.bashrc
-  IP=$(ip -4 addr show eth0 | awk '/inet / {print $2}' | cut -d/ -f1 | head -n 1)
-
-  if [ -f "/etc/os-release" ]; then
-    OS_NAME=$(grep ^NAME /etc/os-release | cut -d= -f2 | tr -d '"')
-    OS_VERSION=$(grep ^VERSION_ID /etc/os-release | cut -d= -f2 | tr -d '"')
-  else
-    OS_NAME="Alpine Linux"
-    OS_VERSION="Unknown"
-  fi

  PROFILE_FILE="/etc/profile.d/00_lxc-details.sh"
  echo "echo -e \"\"" >"$PROFILE_FILE"
  echo -e "echo -e \"${BOLD}${APPLICATION} LXC Container${CL}"\" >>"$PROFILE_FILE"
  echo -e "echo -e \"${TAB}${GATEWAY}${YW} Provided by: ${GN}community-scripts ORG ${YW}| GitHub: ${GN}https://github.com/community-scripts/ProxmoxVE${CL}\"" >>"$PROFILE_FILE"
  echo "echo \"\"" >>"$PROFILE_FILE"
-  echo -e "echo -e \"${TAB}${OS}${YW} OS: ${GN}${OS_NAME} - Version: ${OS_VERSION}${CL}\"" >>"$PROFILE_FILE"
+  echo -e "echo -e \"${TAB}${OS}${YW} OS: ${GN}\$(grep ^NAME /etc/os-release | cut -d= -f2 | tr -d '\"') - Version: \$(grep ^VERSION_ID /etc/os-release | cut -d= -f2 | tr -d '\"')${CL}\"" >>"$PROFILE_FILE"
  echo -e "echo -e \"${TAB}${HOSTNAME}${YW} Hostname: ${GN}\$(hostname)${CL}\"" >>"$PROFILE_FILE"
  echo -e "echo -e \"${TAB}${INFO}${YW} IP Address: ${GN}\$(ip -4 addr show eth0 | awk '/inet / {print \$2}' | cut -d/ -f1 | head -n 1)${CL}\"" >>"$PROFILE_FILE"

--- a/scripts/core/alpine-tools.func
+++ b/scripts/core/alpine-tools.func
@@ -0,0 +1,188 @@
+#!/bin/ash
+# shellcheck shell=ash
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+
+if ! command -v curl >/dev/null 2>&1; then
+  apk update && apk add curl >/dev/null 2>&1
+fi
+source "$(dirname "${BASH_SOURCE[0]}")/core.func"
+source "$(dirname "${BASH_SOURCE[0]}")/error-handler.func"
+load_functions
+catch_errors
+
+# Get LXC IP address (must be called INSIDE container, after network is up)
+get_lxc_ip
+
+# This function enables IPv6 if it's not disabled and sets verbose mode
+verb_ip6() {
+  set_std_mode # Set STD mode based on VERBOSE
+
+  if [ "${IPV6_METHOD:-}" = "disable" ]; then
+    msg_info "Disabling IPv6 (this may affect some services)"
+    $STD sysctl -w net.ipv6.conf.all.disable_ipv6=1
+    $STD sysctl -w net.ipv6.conf.default.disable_ipv6=1
+    $STD sysctl -w net.ipv6.conf.lo.disable_ipv6=1
+    mkdir -p /etc/sysctl.d
+    $STD tee /etc/sysctl.d/99-disable-ipv6.conf >/dev/null <<EOF
+net.ipv6.conf.all.disable_ipv6 = 1
+net.ipv6.conf.default.disable_ipv6 = 1
+net.ipv6.conf.lo.disable_ipv6 = 1
+EOF
+    $STD rc-update add sysctl default
+    msg_ok "Disabled IPv6"
+  fi
+}
+
+set -Eeuo pipefail
+trap 'error_handler $? $LINENO "$BASH_COMMAND"' ERR
+trap on_exit EXIT
+trap on_interrupt INT
+trap on_terminate TERM
+
+error_handler() {
+  local exit_code="$1"
+  local line_number="$2"
+  local command="$3"
+
+  if [[ "$exit_code" -eq 0 ]]; then
+    return 0
+  fi
+
+  printf "\e[?25h"
+  echo -e "\n${RD}[ERROR]${CL} in line ${RD}$line_number${CL}: exit code ${RD}$exit_code${CL}: while executing command ${YW}$command${CL}\n"
+  exit "$exit_code"
+}
+
+on_exit() {
+  local exit_code="$?"
+  [[ -n "${lockfile:-}" && -e "$lockfile" ]] && rm -f "$lockfile"
+  exit "$exit_code"
+}
+
+on_interrupt() {
+  echo -e "\n${RD}Interrupted by user (SIGINT)${CL}"
+  exit 130
+}
+
+on_terminate() {
+  echo -e "\n${RD}Terminated by signal (SIGTERM)${CL}"
+  exit 143
+}
+
+# This function sets up the Container OS by generating the locale, setting the timezone, and checking the network connection
+setting_up_container() {
+  msg_info "Setting up Container OS"
+  while [ $i -gt 0 ]; do
+    if [ "$(ip addr show | grep 'inet ' | grep -v '127.0.0.1' | awk '{print $2}' | cut -d'/' -f1)" != "" ]; then
+      break
+    fi
+    echo 1>&2 -en "${CROSS}${RD} No Network! "
+    sleep $RETRY_EVERY
+    i=$((i - 1))
+  done
+
+  if [ "$(ip addr show | grep 'inet ' | grep -v '127.0.0.1' | awk '{print $2}' | cut -d'/' -f1)" = "" ]; then
+    echo 1>&2 -e "\n${CROSS}${RD} No Network After $RETRY_NUM Tries${CL}"
+    echo -e "${NETWORK}Check Network Settings"
+    exit 1
+  fi
+  msg_ok "Set up Container OS"
+  msg_ok "Network Connected: ${BL}$(ip addr show | grep 'inet ' | awk '{print $2}' | cut -d'/' -f1 | tail -n1)${CL}"
+}
+
+# This function checks the network connection by pinging a known IP address and prompts the user to continue if the internet is not connected
+network_check() {
+  set +e
+  trap - ERR
+  if ping -c 1 -W 1 1.1.1.1 &>/dev/null || ping -c 1 -W 1 8.8.8.8 &>/dev/null || ping -c 1 -W 1 9.9.9.9 &>/dev/null; then
+    ipv4_status="${GN}✔${CL} IPv4"
+  else
+    ipv4_status="${RD}✖${CL} IPv4"
+    read -r -p "Internet NOT connected. Continue anyway? <y/N> " prompt
+    if [[ "${prompt,,}" =~ ^(y|yes)$ ]]; then
+      echo -e "${INFO}${RD}Expect Issues Without Internet${CL}"
+    else
+      echo -e "${NETWORK}Check Network Settings"
+      exit 1
+    fi
+  fi
+  RESOLVEDIP=$(getent hosts github.com | awk '{ print $1 }')
+  if [[ -z "$RESOLVEDIP" ]]; then
+    msg_error "Internet: ${ipv4_status}  DNS Failed"
+  else
+    msg_ok "Internet: ${ipv4_status}  DNS: ${BL}${RESOLVEDIP}${CL}"
+  fi
+  set -e
+  trap 'error_handler $LINENO "$BASH_COMMAND"' ERR
+}
+
+# This function updates the Container OS by running apt-get update and upgrade
+update_os() {
+  msg_info "Updating Container OS"
+  $STD apk -U upgrade
+  source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/tools.func)
+  msg_ok "Updated Container OS"
+}
+
+# This function modifies the message of the day (motd) and SSH settings
+motd_ssh() {
+  echo "export TERM='xterm-256color'" >>/root/.bashrc
+
+  PROFILE_FILE="/etc/profile.d/00_lxc-details.sh"
+  echo "echo -e \"\"" >"$PROFILE_FILE"
+  echo -e "echo -e \"${BOLD}${APPLICATION} LXC Container${CL}"\" >>"$PROFILE_FILE"
+  echo -e "echo -e \"${TAB}${GATEWAY}${YW} Provided by: ${GN}community-scripts ORG ${YW}| GitHub: ${GN}https://github.com/community-scripts/ProxmoxVE${CL}\"" >>"$PROFILE_FILE"
+  echo "echo \"\"" >>"$PROFILE_FILE"
+  echo -e "echo -e \"${TAB}${OS}${YW} OS: ${GN}\$(grep ^NAME /etc/os-release | cut -d= -f2 | tr -d '\"') - Version: \$(grep ^VERSION_ID /etc/os-release | cut -d= -f2 | tr -d '\"')${CL}\"" >>"$PROFILE_FILE"
+  echo -e "echo -e \"${TAB}${HOSTNAME}${YW} Hostname: ${GN}\$(hostname)${CL}\"" >>"$PROFILE_FILE"
+  echo -e "echo -e \"${TAB}${INFO}${YW} IP Address: ${GN}\$(ip -4 addr show eth0 | awk '/inet / {print \$2}' | cut -d/ -f1 | head -n 1)${CL}\"" >>"$PROFILE_FILE"
+
+  # Configure SSH if enabled
+  if [[ "${SSH_ROOT}" == "yes" ]]; then
+    # Enable sshd service
+    $STD rc-update add sshd
+    # Allow root login via SSH
+    sed -i "s/#PermitRootLogin prohibit-password/PermitRootLogin yes/g" /etc/ssh/sshd_config
+    # Start the sshd service
+    $STD /etc/init.d/sshd start
+  fi
+}
+
+# Validate Timezone for some LXC's
+validate_tz() {
+  [[ -f "/usr/share/zoneinfo/$1" ]]
+}
+
+# This function customizes the container and enables passwordless login for the root user
+customize() {
+  if [[ "$PASSWORD" == "" ]]; then
+    msg_info "Customizing Container"
+    passwd -d root >/dev/null 2>&1
+
+    # Ensure agetty is available
+    apk add --no-cache --force-broken-world util-linux >/dev/null 2>&1
+
+    # Create persistent autologin boot script
+    mkdir -p /etc/local.d
+    cat <<'EOF' >/etc/local.d/autologin.start
+#!/bin/sh
+sed -i 's|^tty1::respawn:.*|tty1::respawn:/sbin/agetty --autologin root --noclear tty1 38400 linux|' /etc/inittab
+kill -HUP 1
+EOF
+    touch /root/.hushlogin
+
+    chmod +x /etc/local.d/autologin.start
+    rc-update add local >/dev/null 2>&1
+
+    # Apply autologin immediately for current session
+    /etc/local.d/autologin.start
+
+    msg_ok "Customized Container"
+  fi
+
+  echo "bash -c \"\$(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/ct/${app}.sh)\"" >/usr/bin/update
+  chmod +x /usr/bin/update
+
+}
--- a/scripts/core/api.func
+++ b/scripts/core/api.func
@@ -1,4 +1,4 @@
-# Copyright (c) 2021-2025 community-scripts ORG
+# Copyright (c) 2021-2026 community-scripts ORG
 # Author: michelroegl-brunner
 # License: MIT | https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/LICENSE

--- a/scripts/core/build.func
+++ b/scripts/core/build.func
--- a/scripts/core/cloud-init.func
+++ b/scripts/core/cloud-init.func
@@ -0,0 +1,505 @@
+#!/usr/bin/env bash
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: community-scripts ORG
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/branch/main/LICENSE
+# Revision: 1
+
+# ==============================================================================
+# CLOUD-INIT.FUNC - VM CLOUD-INIT CONFIGURATION LIBRARY
+# ==============================================================================
+#
+# Universal helper library for Cloud-Init configuration in Proxmox VMs.
+# Provides functions for:
+#
+#   - Native Proxmox Cloud-Init setup (user, password, network, SSH keys)
+#   - Interactive configuration dialogs (whiptail)
+#   - IP address retrieval via qemu-guest-agent
+#   - Cloud-Init status monitoring and waiting
+#
+# Usage:
+#   source <(curl -fsSL https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/misc/cloud-init.func)
+#   setup_cloud_init "$VMID" "$STORAGE" "$HN" "yes"
+#
+# Compatible with: Debian, Ubuntu, and all Cloud-Init enabled distributions
+# ==============================================================================
+
+# ==============================================================================
+# SECTION 1: CONFIGURATION DEFAULTS
+# ==============================================================================
+# These can be overridden before sourcing this library
+
+CLOUDINIT_DEFAULT_USER="${CLOUDINIT_DEFAULT_USER:-root}"
+CLOUDINIT_DNS_SERVERS="${CLOUDINIT_DNS_SERVERS:-1.1.1.1 8.8.8.8}"
+CLOUDINIT_SEARCH_DOMAIN="${CLOUDINIT_SEARCH_DOMAIN:-local}"
+CLOUDINIT_SSH_KEYS="${CLOUDINIT_SSH_KEYS:-/root/.ssh/authorized_keys}"
+
+# ==============================================================================
+# SECTION 2: HELPER FUNCTIONS
+# ==============================================================================
+
+# ------------------------------------------------------------------------------
+# _ci_msg - Internal message helper with fallback
+# ------------------------------------------------------------------------------
+function _ci_msg_info() { msg_info "$1" 2>/dev/null || echo "[INFO] $1"; }
+function _ci_msg_ok() { msg_ok "$1" 2>/dev/null || echo "[OK] $1"; }
+function _ci_msg_warn() { msg_warn "$1" 2>/dev/null || echo "[WARN] $1"; }
+function _ci_msg_error() { msg_error "$1" 2>/dev/null || echo "[ERROR] $1"; }
+
+# ------------------------------------------------------------------------------
+# validate_ip_cidr - Validate IP address in CIDR format
+# Usage: validate_ip_cidr "192.168.1.100/24" && echo "Valid"
+# Returns: 0 if valid, 1 if invalid
+# ------------------------------------------------------------------------------
+function validate_ip_cidr() {
+  local ip_cidr="$1"
+  # Match: 0-255.0-255.0-255.0-255/0-32
+  if [[ "$ip_cidr" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[1-2][0-9]|3[0-2])$ ]]; then
+    # Validate each octet is 0-255
+    local ip="${ip_cidr%/*}"
+    IFS='.' read -ra octets <<<"$ip"
+    for octet in "${octets[@]}"; do
+      ((octet > 255)) && return 1
+    done
+    return 0
+  fi
+  return 1
+}
+
+# ------------------------------------------------------------------------------
+# validate_ip - Validate plain IP address (no CIDR)
+# Usage: validate_ip "192.168.1.1" && echo "Valid"
+# ------------------------------------------------------------------------------
+function validate_ip() {
+  local ip="$1"
+  if [[ "$ip" =~ ^([0-9]{1,3}\.){3}[0-9]{1,3}$ ]]; then
+    IFS='.' read -ra octets <<<"$ip"
+    for octet in "${octets[@]}"; do
+      ((octet > 255)) && return 1
+    done
+    return 0
+  fi
+  return 1
+}
+
+# ==============================================================================
+# SECTION 3: MAIN CLOUD-INIT FUNCTIONS
+# ==============================================================================
+
+# ------------------------------------------------------------------------------
+# setup_cloud_init - Configures Proxmox Native Cloud-Init
+# ------------------------------------------------------------------------------
+# Parameters:
+#   $1 - VMID (required)
+#   $2 - Storage name (required)
+#   $3 - Hostname (optional, default: vm-<vmid>)
+#   $4 - Enable Cloud-Init (yes/no, default: no)
+#   $5 - User (optional, default: root)
+#   $6 - Network mode (dhcp/static, default: dhcp)
+#   $7 - Static IP (optional, format: 192.168.1.100/24)
+#   $8 - Gateway (optional)
+#   $9 - Nameservers (optional, default: 1.1.1.1 8.8.8.8)
+#
+# Returns: 0 on success, 1 on failure
+# Exports: CLOUDINIT_USER, CLOUDINIT_PASSWORD, CLOUDINIT_CRED_FILE
+# ==============================================================================
+function setup_cloud_init() {
+  local vmid="$1"
+  local storage="$2"
+  local hostname="${3:-vm-${vmid}}"
+  local enable="${4:-no}"
+  local ciuser="${5:-$CLOUDINIT_DEFAULT_USER}"
+  local network_mode="${6:-dhcp}"
+  local static_ip="${7:-}"
+  local gateway="${8:-}"
+  local nameservers="${9:-$CLOUDINIT_DNS_SERVERS}"
+
+  # Skip if not enabled
+  if [ "$enable" != "yes" ]; then
+    return 0
+  fi
+
+  # Validate static IP if provided
+  if [ "$network_mode" = "static" ]; then
+    if [ -n "$static_ip" ] && ! validate_ip_cidr "$static_ip"; then
+      _ci_msg_error "Invalid static IP format: $static_ip (expected: x.x.x.x/xx)"
+      return 1
+    fi
+    if [ -n "$gateway" ] && ! validate_ip "$gateway"; then
+      _ci_msg_error "Invalid gateway IP format: $gateway"
+      return 1
+    fi
+  fi
+
+  _ci_msg_info "Configuring Cloud-Init"
+
+  # Create Cloud-Init drive (try ide2 first, then scsi1 as fallback)
+  if ! qm set "$vmid" --ide2 "${storage}:cloudinit" >/dev/null 2>&1; then
+    qm set "$vmid" --scsi1 "${storage}:cloudinit" >/dev/null 2>&1
+  fi
+
+  # Set user
+  qm set "$vmid" --ciuser "$ciuser" >/dev/null
+
+  # Generate and set secure random password
+  local cipassword=$(openssl rand -base64 16)
+  qm set "$vmid" --cipassword "$cipassword" >/dev/null
+
+  # Add SSH keys if available
+  if [ -f "$CLOUDINIT_SSH_KEYS" ]; then
+    qm set "$vmid" --sshkeys "$CLOUDINIT_SSH_KEYS" >/dev/null 2>&1 || true
+  fi
+
+  # Configure network
+  if [ "$network_mode" = "static" ] && [ -n "$static_ip" ] && [ -n "$gateway" ]; then
+    qm set "$vmid" --ipconfig0 "ip=${static_ip},gw=${gateway}" >/dev/null
+  else
+    qm set "$vmid" --ipconfig0 "ip=dhcp" >/dev/null
+  fi
+
+  # Set DNS servers
+  qm set "$vmid" --nameserver "$nameservers" >/dev/null
+
+  # Set search domain
+  qm set "$vmid" --searchdomain "$CLOUDINIT_SEARCH_DOMAIN" >/dev/null
+
+  # Enable package upgrades on first boot (if supported by Proxmox version)
+  qm set "$vmid" --ciupgrade 1 >/dev/null 2>&1 || true
+
+  # Save credentials to file (with restrictive permissions)
+  local cred_file="/tmp/${hostname}-${vmid}-cloud-init-credentials.txt"
+  umask 077
+  cat >"$cred_file" <<EOF
+╔══════════════════════════════════════════════════════════════════╗
+║  ⚠️  SECURITY WARNING: DELETE THIS FILE AFTER NOTING CREDENTIALS  ║
+╚══════════════════════════════════════════════════════════════════╝
+
+Cloud-Init Credentials
+────────────────────────────────────────
+VM ID:    ${vmid}
+Hostname: ${hostname}
+Created:  $(date)
+
+Username: ${ciuser}
+Password: ${cipassword}
+
+Network:  ${network_mode}$([ "$network_mode" = "static" ] && echo " (IP: ${static_ip}, GW: ${gateway})" || echo " (DHCP)")
+DNS:      ${nameservers}
+
+────────────────────────────────────────
+SSH Access (if keys configured):
+  ssh ${ciuser}@<vm-ip>
+
+Proxmox UI Configuration:
+  VM ${vmid} > Cloud-Init > Edit
+  - User, Password, SSH Keys
+  - Network (IP Config)
+  - DNS, Search Domain
+
+────────────────────────────────────────
+🗑️  To delete this file:
+  rm -f ${cred_file}
+────────────────────────────────────────
+EOF
+  chmod 600 "$cred_file"
+
+  _ci_msg_ok "Cloud-Init configured (User: ${ciuser})"
+
+  # Export for use in calling script (DO NOT display password here - will be shown in summary)
+  export CLOUDINIT_USER="$ciuser"
+  export CLOUDINIT_PASSWORD="$cipassword"
+  export CLOUDINIT_CRED_FILE="$cred_file"
+
+  return 0
+}
+
+# ==============================================================================
+# SECTION 4: INTERACTIVE CONFIGURATION
+# ==============================================================================
+
+# ------------------------------------------------------------------------------
+# configure_cloud_init_interactive - Whiptail dialog for Cloud-Init setup
+# ------------------------------------------------------------------------------
+# Prompts user for Cloud-Init configuration choices
+# Returns configuration via exported variables:
+#   - CLOUDINIT_ENABLE (yes/no)
+#   - CLOUDINIT_USER
+#   - CLOUDINIT_NETWORK_MODE (dhcp/static)
+#   - CLOUDINIT_IP (if static)
+#   - CLOUDINIT_GW (if static)
+#   - CLOUDINIT_DNS
+# ------------------------------------------------------------------------------
+function configure_cloud_init_interactive() {
+  local default_user="${1:-root}"
+
+  # Check if whiptail is available
+  if ! command -v whiptail >/dev/null 2>&1; then
+    echo "Warning: whiptail not available, skipping interactive configuration"
+    export CLOUDINIT_ENABLE="no"
+    return 1
+  fi
+
+  # Ask if user wants to enable Cloud-Init
+  if ! (whiptail --backtitle "Proxmox VE Helper Scripts" --title "CLOUD-INIT" \
+    --yesno "Enable Cloud-Init for VM configuration?\n\nCloud-Init allows automatic configuration of:\n• User accounts and passwords\n• SSH keys\n• Network settings (DHCP/Static)\n• DNS configuration\n\nYou can also configure these settings later in Proxmox UI." 16 68); then
+    export CLOUDINIT_ENABLE="no"
+    return 0
+  fi
+
+  export CLOUDINIT_ENABLE="yes"
+
+  # Username
+  if CLOUDINIT_USER=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox \
+    "Cloud-Init Username" 8 58 "$default_user" --title "USERNAME" 3>&1 1>&2 2>&3); then
+    export CLOUDINIT_USER="${CLOUDINIT_USER:-$default_user}"
+  else
+    export CLOUDINIT_USER="$default_user"
+  fi
+
+  # Network configuration
+  if (whiptail --backtitle "Proxmox VE Helper Scripts" --title "NETWORK MODE" \
+    --yesno "Use DHCP for network configuration?\n\nSelect 'No' for static IP configuration." 10 58); then
+    export CLOUDINIT_NETWORK_MODE="dhcp"
+  else
+    export CLOUDINIT_NETWORK_MODE="static"
+
+    # Static IP with validation
+    while true; do
+      if CLOUDINIT_IP=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox \
+        "Static IP Address (CIDR format)\nExample: 192.168.1.100/24" 9 58 "" --title "IP ADDRESS" 3>&1 1>&2 2>&3); then
+        if validate_ip_cidr "$CLOUDINIT_IP"; then
+          export CLOUDINIT_IP
+          break
+        else
+          whiptail --backtitle "Proxmox VE Helper Scripts" --title "INVALID IP" \
+            --msgbox "Invalid IP format: $CLOUDINIT_IP\n\nPlease use CIDR format: x.x.x.x/xx\nExample: 192.168.1.100/24" 10 50
+        fi
+      else
+        _ci_msg_warn "Static IP required, falling back to DHCP"
+        export CLOUDINIT_NETWORK_MODE="dhcp"
+        break
+      fi
+    done
+
+    # Gateway with validation
+    if [ "$CLOUDINIT_NETWORK_MODE" = "static" ]; then
+      while true; do
+        if CLOUDINIT_GW=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox \
+          "Gateway IP Address\nExample: 192.168.1.1" 8 58 "" --title "GATEWAY" 3>&1 1>&2 2>&3); then
+          if validate_ip "$CLOUDINIT_GW"; then
+            export CLOUDINIT_GW
+            break
+          else
+            whiptail --backtitle "Proxmox VE Helper Scripts" --title "INVALID GATEWAY" \
+              --msgbox "Invalid gateway format: $CLOUDINIT_GW\n\nPlease use format: x.x.x.x\nExample: 192.168.1.1" 10 50
+          fi
+        else
+          _ci_msg_warn "Gateway required, falling back to DHCP"
+          export CLOUDINIT_NETWORK_MODE="dhcp"
+          break
+        fi
+      done
+    fi
+  fi
+
+  # DNS Servers
+  if CLOUDINIT_DNS=$(whiptail --backtitle "Proxmox VE Helper Scripts" --inputbox \
+    "DNS Servers (space-separated)" 8 58 "1.1.1.1 8.8.8.8" --title "DNS SERVERS" 3>&1 1>&2 2>&3); then
+    export CLOUDINIT_DNS="${CLOUDINIT_DNS:-1.1.1.1 8.8.8.8}"
+  else
+    export CLOUDINIT_DNS="1.1.1.1 8.8.8.8"
+  fi
+
+  return 0
+}
+
+# ==============================================================================
+# SECTION 5: UTILITY FUNCTIONS
+# ==============================================================================
+
+# ------------------------------------------------------------------------------
+# display_cloud_init_info - Show Cloud-Init summary after setup
+# ------------------------------------------------------------------------------
+function display_cloud_init_info() {
+  local vmid="$1"
+  local hostname="${2:-}"
+
+  if [ -n "$CLOUDINIT_CRED_FILE" ] && [ -f "$CLOUDINIT_CRED_FILE" ]; then
+    if [ -n "${INFO:-}" ]; then
+      echo -e "\n${INFO}${BOLD:-}${GN:-} Cloud-Init Configuration:${CL:-}"
+      echo -e "${TAB:-  }${DGN:-}User: ${BGN:-}${CLOUDINIT_USER:-root}${CL:-}"
+      echo -e "${TAB:-  }${DGN:-}Password: ${BGN:-}${CLOUDINIT_PASSWORD}${CL:-}"
+      echo -e "${TAB:-  }${DGN:-}Credentials: ${BL:-}${CLOUDINIT_CRED_FILE}${CL:-}"
+      echo -e "${TAB:-  }${RD:-}⚠️  Delete credentials file after noting password!${CL:-}"
+      echo -e "${TAB:-  }${YW:-}💡 Configure in Proxmox UI: VM ${vmid} > Cloud-Init${CL:-}"
+    else
+      echo ""
+      echo "[INFO] Cloud-Init Configuration:"
+      echo "  User: ${CLOUDINIT_USER:-root}"
+      echo "  Password: ${CLOUDINIT_PASSWORD}"
+      echo "  Credentials: ${CLOUDINIT_CRED_FILE}"
+      echo "  ⚠️  Delete credentials file after noting password!"
+      echo "  Configure in Proxmox UI: VM ${vmid} > Cloud-Init"
+    fi
+  fi
+}
+
+# ------------------------------------------------------------------------------
+# cleanup_cloud_init_credentials - Remove credentials file
+# ------------------------------------------------------------------------------
+# Usage: cleanup_cloud_init_credentials
+# Call this after user has noted/saved the credentials
+# ------------------------------------------------------------------------------
+function cleanup_cloud_init_credentials() {
+  if [ -n "$CLOUDINIT_CRED_FILE" ] && [ -f "$CLOUDINIT_CRED_FILE" ]; then
+    rm -f "$CLOUDINIT_CRED_FILE"
+    _ci_msg_ok "Credentials file removed: $CLOUDINIT_CRED_FILE"
+    unset CLOUDINIT_CRED_FILE
+    return 0
+  fi
+  return 1
+}
+
+# ------------------------------------------------------------------------------
+# has_cloud_init - Check if VM has Cloud-Init configured
+# ------------------------------------------------------------------------------
+function has_cloud_init() {
+  local vmid="$1"
+  qm config "$vmid" 2>/dev/null | grep -qE "(ide2|scsi1):.*cloudinit"
+}
+
+# ------------------------------------------------------------------------------
+# regenerate_cloud_init - Regenerate Cloud-Init configuration
+# ------------------------------------------------------------------------------
+function regenerate_cloud_init() {
+  local vmid="$1"
+
+  if has_cloud_init "$vmid"; then
+    _ci_msg_info "Regenerating Cloud-Init configuration"
+    qm cloudinit update "$vmid" >/dev/null 2>&1 || true
+    _ci_msg_ok "Cloud-Init configuration regenerated"
+    return 0
+  else
+    _ci_msg_warn "VM $vmid does not have Cloud-Init configured"
+    return 1
+  fi
+}
+
+# ------------------------------------------------------------------------------
+# get_vm_ip - Get VM IP address via qemu-guest-agent
+# ------------------------------------------------------------------------------
+function get_vm_ip() {
+  local vmid="$1"
+  local timeout="${2:-30}"
+
+  local elapsed=0
+  while [ $elapsed -lt $timeout ]; do
+    local vm_ip=$(qm guest cmd "$vmid" network-get-interfaces 2>/dev/null |
+      jq -r '.[] | select(.name != "lo") | ."ip-addresses"[]? | select(."ip-address-type" == "ipv4") | ."ip-address"' 2>/dev/null | head -1)
+
+    if [ -n "$vm_ip" ]; then
+      echo "$vm_ip"
+      return 0
+    fi
+
+    sleep 2
+    elapsed=$((elapsed + 2))
+  done
+
+  return 1
+}
+
+# ------------------------------------------------------------------------------
+# wait_for_cloud_init - Wait for Cloud-Init to complete (requires SSH access)
+# ------------------------------------------------------------------------------
+function wait_for_cloud_init() {
+  local vmid="$1"
+  local timeout="${2:-300}"
+  local vm_ip="${3:-}"
+
+  # Get IP if not provided
+  if [ -z "$vm_ip" ]; then
+    vm_ip=$(get_vm_ip "$vmid" 60)
+  fi
+
+  if [ -z "$vm_ip" ]; then
+    _ci_msg_warn "Unable to determine VM IP address"
+    return 1
+  fi
+
+  _ci_msg_info "Waiting for Cloud-Init to complete on ${vm_ip}"
+
+  local elapsed=0
+  while [ $elapsed -lt $timeout ]; do
+    if timeout 10 ssh -o ConnectTimeout=5 -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
+      "${CLOUDINIT_USER:-root}@${vm_ip}" "cloud-init status --wait" 2>/dev/null; then
+      _ci_msg_ok "Cloud-Init completed successfully"
+      return 0
+    fi
+    sleep 10
+    elapsed=$((elapsed + 10))
+  done
+
+  _ci_msg_warn "Cloud-Init did not complete within ${timeout}s"
+  return 1
+}
+
+# ==============================================================================
+# SECTION 6: EXPORTS
+# ==============================================================================
+# Export all functions for use in other scripts
+
+export -f setup_cloud_init 2>/dev/null || true
+export -f configure_cloud_init_interactive 2>/dev/null || true
+export -f display_cloud_init_info 2>/dev/null || true
+export -f cleanup_cloud_init_credentials 2>/dev/null || true
+export -f has_cloud_init 2>/dev/null || true
+export -f regenerate_cloud_init 2>/dev/null || true
+export -f get_vm_ip 2>/dev/null || true
+export -f wait_for_cloud_init 2>/dev/null || true
+export -f validate_ip_cidr 2>/dev/null || true
+export -f validate_ip 2>/dev/null || true
+
+# ==============================================================================
+# SECTION 7: EXAMPLES & DOCUMENTATION
+# ==============================================================================
+: <<'EXAMPLES'
+
+# Example 1: Simple DHCP setup (most common)
+setup_cloud_init "$VMID" "$STORAGE" "$HN" "yes"
+
+# Example 2: Static IP setup
+setup_cloud_init "$VMID" "$STORAGE" "myserver" "yes" "root" "static" "192.168.1.100/24" "192.168.1.1"
+
+# Example 3: Interactive configuration in advanced_settings()
+configure_cloud_init_interactive "admin"
+if [ "$CLOUDINIT_ENABLE" = "yes" ]; then
+  setup_cloud_init "$VMID" "$STORAGE" "$HN" "yes" "$CLOUDINIT_USER" \
+    "$CLOUDINIT_NETWORK_MODE" "$CLOUDINIT_IP" "$CLOUDINIT_GW" "$CLOUDINIT_DNS"
+fi
+
+# Example 4: Display info after VM creation
+display_cloud_init_info "$VMID" "$HN"
+
+# Example 5: Check if VM has Cloud-Init
+if has_cloud_init "$VMID"; then
+    echo "Cloud-Init is configured"
+fi
+
+# Example 6: Wait for Cloud-Init to complete after VM start
+if [ "$START_VM" = "yes" ]; then
+    qm start "$VMID"
+    sleep 30
+    wait_for_cloud_init "$VMID" 300
+fi
+
+# Example 7: Cleanup credentials file after user has noted password
+display_cloud_init_info "$VMID" "$HN"
+read -p "Have you saved the credentials? (y/N): " -r
+[[ $REPLY =~ ^[Yy]$ ]] && cleanup_cloud_init_credentials
+
+# Example 8: Validate IP before using
+if validate_ip_cidr "192.168.1.100/24"; then
+  echo "Valid IP/CIDR"
+fi
+
+EXAMPLES
--- a/scripts/core/core.func
+++ b/scripts/core/core.func
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# Copyright (c) 2021-2025 community-scripts ORG
+# Copyright (c) 2021-2026 community-scripts ORG
 # License: MIT | https://raw.githubusercontent.com/community-scripts/ProxmoxVE/main/LICENSE

 # ==============================================================================
@@ -123,9 +123,38 @@ icons() {
  CREATING="${TAB}🚀${TAB}${CL}"
  ADVANCED="${TAB}🧩${TAB}${CL}"
  FUSE="${TAB}🗂️${TAB}${CL}"
+  GPU="${TAB}🎮${TAB}${CL}"
  HOURGLASS="${TAB}⏳${TAB}"
 }

+# ------------------------------------------------------------------------------
+# ensure_profile_loaded()
+#
+# - Sources /etc/profile.d/*.sh scripts if not already loaded
+# - Fixes PATH issues when running via pct enter/exec (non-login shells)
+# - Safe to call multiple times (uses guard variable)
+# - Should be called in update_script() or any script running inside LXC
+# ------------------------------------------------------------------------------
+ensure_profile_loaded() {
+  # Skip if already loaded or running on Proxmox host
+  [[ -n "${_PROFILE_LOADED:-}" ]] && return
+  command -v pveversion &>/dev/null && return
+
+  # Source all profile.d scripts to ensure PATH is complete
+  if [[ -d /etc/profile.d ]]; then
+    for script in /etc/profile.d/*.sh; do
+      [[ -r "$script" ]] && source "$script"
+    done
+  fi
+
+  # Also ensure /usr/local/bin is in PATH (common install location)
+  if [[ ":$PATH:" != *":/usr/local/bin:"* ]]; then
+    export PATH="/usr/local/bin:$PATH"
+  fi
+
+  export _PROFILE_LOADED=1
+}
+
 # ------------------------------------------------------------------------------
 # default_vars()
 #
@@ -786,11 +815,9 @@ is_verbose_mode() {
 # ------------------------------------------------------------------------------
 # cleanup_lxc()
 #
-# - Comprehensive cleanup of package managers, caches, and logs
-# - Supports Alpine (apk), Debian/Ubuntu (apt), and language package managers
-# - Cleans: Python (pip/uv), Node.js (npm/yarn/pnpm), Go, Rust, Ruby, PHP
-# - Truncates log files and vacuums systemd journal
-# - Run at end of container creation to minimize disk usage
+# - Cleans package manager and language caches (safe for installs AND updates)
+# - Supports Alpine (apk), Debian/Ubuntu (apt), Python, Node.js, Go, Rust, Ruby, PHP
+# - Uses fallback error handling to prevent cleanup failures from breaking installs
 # ------------------------------------------------------------------------------
 cleanup_lxc() {
  msg_info "Cleaning up"
@@ -799,39 +826,53 @@ cleanup_lxc() {
    $STD apk cache clean || true
    rm -rf /var/cache/apk/*
  else
-    $STD apt -y autoremove || true
-    $STD apt -y autoclean || true
-    $STD apt -y clean || true
+    $STD apt -y autoremove 2>/dev/null || msg_warn "apt autoremove failed (non-critical)"
+    $STD apt -y autoclean 2>/dev/null || msg_warn "apt autoclean failed (non-critical)"
+    $STD apt -y clean 2>/dev/null || msg_warn "apt clean failed (non-critical)"
  fi

-  # Clear temp artifacts (keep sockets/FIFOs; ignore errors)
  find /tmp /var/tmp -type f -name 'tmp*' -delete 2>/dev/null || true
  find /tmp /var/tmp -type f -name 'tempfile*' -delete 2>/dev/null || true

-  # Truncate writable log files silently (permission errors ignored)
-  if command -v truncate >/dev/null 2>&1; then
-    find /var/log -type f -writable -print0 2>/dev/null |
-      xargs -0 -n1 truncate -s 0 2>/dev/null || true
+  # Python
+  if command -v pip &>/dev/null; then
+    rm -rf /root/.cache/pip 2>/dev/null || true
+  fi
+  if command -v uv &>/dev/null; then
+    rm -rf /root/.cache/uv 2>/dev/null || true
  fi

-  # Node.js npm
-  if command -v npm &>/dev/null; then $STD npm cache clean --force || true; fi
-  # Node.js yarn
-  if command -v yarn &>/dev/null; then $STD yarn cache clean || true; fi
-  # Node.js pnpm
-  if command -v pnpm &>/dev/null; then $STD pnpm store prune || true; fi
-  # Go
-  if command -v go &>/dev/null; then $STD go clean -cache -modcache || true; fi
-  # Rust cargo
-  if command -v cargo &>/dev/null; then $STD cargo clean || true; fi
-  # Ruby gem
-  if command -v gem &>/dev/null; then $STD gem cleanup || true; fi
-  # Composer (PHP)
-  if command -v composer &>/dev/null; then $STD composer clear-cache || true; fi
-
-  if command -v journalctl &>/dev/null; then
-    $STD journalctl --vacuum-time=10m || true
+  # Node.js
+  if command -v npm &>/dev/null; then
+    rm -rf /root/.npm/_cacache /root/.npm/_logs 2>/dev/null || true
  fi
+  if command -v yarn &>/dev/null; then
+    rm -rf /root/.cache/yarn /root/.yarn/cache 2>/dev/null || true
+  fi
+  if command -v pnpm &>/dev/null; then
+    pnpm store prune &>/dev/null || true
+  fi
+
+  # Go (only build cache, not modules)
+  if command -v go &>/dev/null; then
+    $STD go clean -cache 2>/dev/null || true
+  fi
+
+  # Rust (only registry cache, not build artifacts)
+  if command -v cargo &>/dev/null; then
+    rm -rf /root/.cargo/registry/cache /root/.cargo/.package-cache 2>/dev/null || true
+  fi
+
+  # Ruby
+  if command -v gem &>/dev/null; then
+    rm -rf /root/.gem/cache 2>/dev/null || true
+  fi
+
+  # PHP
+  if command -v composer &>/dev/null; then
+    rm -rf /root/.composer/cache 2>/dev/null || true
+  fi
+
  msg_ok "Cleaned"
 }

@@ -883,6 +924,93 @@ check_or_create_swap() {
  fi
 }

+# ------------------------------------------------------------------------------
+# Loads LOCAL_IP from persistent store or detects if missing.
+#
+# Description:
+#   - Loads from /run/local-ip.env or performs runtime lookup
+# ------------------------------------------------------------------------------
+
+function get_lxc_ip() {
+  local IP_FILE="/run/local-ip.env"
+  if [[ -f "$IP_FILE" ]]; then
+    # shellcheck disable=SC1090
+    source "$IP_FILE"
+  fi
+
+  if [[ -z "${LOCAL_IP:-}" ]]; then
+    get_current_ip() {
+      local ip
+
+      # Try direct interface lookup for eth0 FIRST (most reliable for LXC) - IPv4
+      ip=$(ip -4 addr show eth0 2>/dev/null | awk '/inet / {print $2}' | cut -d/ -f1 | head -n1)
+      if [[ -n "$ip" && "$ip" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+        echo "$ip"
+        return 0
+      fi
+
+      # Fallback: Try hostname -I (returns IPv4 first if available)
+      if command -v hostname >/dev/null 2>&1; then
+        ip=$(hostname -I 2>/dev/null | awk '{print $1}')
+        if [[ -n "$ip" && "$ip" =~ ^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
+          echo "$ip"
+          return 0
+        fi
+      fi
+
+      # Try routing table with IPv4 targets
+      local ipv4_targets=("8.8.8.8" "1.1.1.1" "default")
+      for target in "${ipv4_targets[@]}"; do
+        if [[ "$target" == "default" ]]; then
+          ip=$(ip route get 1 2>/dev/null | awk '{for(i=1;i<=NF;i++) if ($i=="src") print $(i+1)}')
+        else
+          ip=$(ip route get "$target" 2>/dev/null | awk '{for(i=1;i<=NF;i++) if ($i=="src") print $(i+1)}')
+        fi
+        if [[ -n "$ip" ]]; then
+          echo "$ip"
+          return 0
+        fi
+      done
+
+      # IPv6 fallback: Try direct interface lookup for eth0
+      ip=$(ip -6 addr show eth0 scope global 2>/dev/null | awk '/inet6 / {print $2}' | cut -d/ -f1 | head -n1)
+      if [[ -n "$ip" && "$ip" =~ : ]]; then
+        echo "$ip"
+        return 0
+      fi
+
+      # IPv6 fallback: Try hostname -I for IPv6
+      if command -v hostname >/dev/null 2>&1; then
+        ip=$(hostname -I 2>/dev/null | tr ' ' '\n' | grep -E ':' | head -n1)
+        if [[ -n "$ip" && "$ip" =~ : ]]; then
+          echo "$ip"
+          return 0
+        fi
+      fi
+
+      # IPv6 fallback: Use routing table with IPv6 targets
+      local ipv6_targets=("2001:4860:4860::8888" "2606:4700:4700::1111")
+      for target in "${ipv6_targets[@]}"; do
+        ip=$(ip -6 route get "$target" 2>/dev/null | awk '{for(i=1;i<=NF;i++) if ($i=="src") print $(i+1)}')
+        if [[ -n "$ip" && "$ip" =~ : ]]; then
+          echo "$ip"
+          return 0
+        fi
+      done
+
+      return 1
+    }
+
+    LOCAL_IP="$(get_current_ip || true)"
+    if [[ -z "$LOCAL_IP" ]]; then
+      msg_error "Could not determine LOCAL_IP"
+      return 1
+    fi
+  fi
+
+  export LOCAL_IP
+}
+
 # ==============================================================================
 # SIGNAL TRAPS
 # ==============================================================================
--- a/scripts/core/error-handler.func
+++ b/scripts/core/error-handler.func
@@ -0,0 +1,322 @@
+#!/usr/bin/env bash
+# ------------------------------------------------------------------------------
+# ERROR HANDLER - ERROR & SIGNAL MANAGEMENT
+# ------------------------------------------------------------------------------
+# Copyright (c) 2021-2026 community-scripts ORG
+# Author: MickLesk (CanbiZ)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# ------------------------------------------------------------------------------
+#
+# Provides comprehensive error handling and signal management for all scripts.
+# Includes:
+#   - Exit code explanations (shell, package managers, databases, custom codes)
+#   - Error handler with detailed logging
+#   - Signal handlers (EXIT, INT, TERM)
+#   - Initialization function for trap setup
+#
+# Usage:
+#   source <(curl -fsSL .../error_handler.func)
+#   catch_errors
+#
+# ------------------------------------------------------------------------------
+
+# ==============================================================================
+# SECTION 1: EXIT CODE EXPLANATIONS
+# ==============================================================================
+
+# ------------------------------------------------------------------------------
+# explain_exit_code()
+#
+# - Maps numeric exit codes to human-readable error descriptions
+# - Supports:
+#   * Generic/Shell errors (1, 2, 126, 127, 128, 130, 137, 139, 143)
+#   * Package manager errors (APT, DPKG: 100, 101, 255)
+#   * Node.js/npm errors (243-249, 254)
+#   * Python/pip/uv errors (210-212)
+#   * PostgreSQL errors (231-234)
+#   * MySQL/MariaDB errors (241-244)
+#   * MongoDB errors (251-254)
+#   * Proxmox custom codes (200-231)
+# - Returns description string for given exit code
+# ------------------------------------------------------------------------------
+explain_exit_code() {
+  local code="$1"
+  case "$code" in
+  # --- Generic / Shell ---
+  1) echo "General error / Operation not permitted" ;;
+  2) echo "Misuse of shell builtins (e.g. syntax error)" ;;
+  126) echo "Command invoked cannot execute (permission problem?)" ;;
+  127) echo "Command not found" ;;
+  128) echo "Invalid argument to exit" ;;
+  130) echo "Terminated by Ctrl+C (SIGINT)" ;;
+  137) echo "Killed (SIGKILL / Out of memory?)" ;;
+  139) echo "Segmentation fault (core dumped)" ;;
+  143) echo "Terminated (SIGTERM)" ;;
+
+  # --- Package manager / APT / DPKG ---
+  100) echo "APT: Package manager error (broken packages / dependency problems)" ;;
+  101) echo "APT: Configuration error (bad sources.list, malformed config)" ;;
+  255) echo "DPKG: Fatal internal error" ;;
+
+  # --- Node.js / npm / pnpm / yarn ---
+  243) echo "Node.js: Out of memory (JavaScript heap out of memory)" ;;
+  245) echo "Node.js: Invalid command-line option" ;;
+  246) echo "Node.js: Internal JavaScript Parse Error" ;;
+  247) echo "Node.js: Fatal internal error" ;;
+  248) echo "Node.js: Invalid C++ addon / N-API failure" ;;
+  249) echo "Node.js: Inspector error" ;;
+  254) echo "npm/pnpm/yarn: Unknown fatal error" ;;
+
+  # --- Python / pip / uv ---
+  210) echo "Python: Virtualenv / uv environment missing or broken" ;;
+  211) echo "Python: Dependency resolution failed" ;;
+  212) echo "Python: Installation aborted (permissions or EXTERNALLY-MANAGED)" ;;
+
+  # --- PostgreSQL ---
+  231) echo "PostgreSQL: Connection failed (server not running / wrong socket)" ;;
+  232) echo "PostgreSQL: Authentication failed (bad user/password)" ;;
+  233) echo "PostgreSQL: Database does not exist" ;;
+  234) echo "PostgreSQL: Fatal error in query / syntax" ;;
+
+  # --- MySQL / MariaDB ---
+  241) echo "MySQL/MariaDB: Connection failed (server not running / wrong socket)" ;;
+  242) echo "MySQL/MariaDB: Authentication failed (bad user/password)" ;;
+  243) echo "MySQL/MariaDB: Database does not exist" ;;
+  244) echo "MySQL/MariaDB: Fatal error in query / syntax" ;;
+
+  # --- MongoDB ---
+  251) echo "MongoDB: Connection failed (server not running)" ;;
+  252) echo "MongoDB: Authentication failed (bad user/password)" ;;
+  253) echo "MongoDB: Database not found" ;;
+  254) echo "MongoDB: Fatal query error" ;;
+
+  # --- Proxmox Custom Codes ---
+  200) echo "Proxmox: Failed to create lock file" ;;
+  203) echo "Proxmox: Missing CTID variable" ;;
+  204) echo "Proxmox: Missing PCT_OSTYPE variable" ;;
+  205) echo "Proxmox: Invalid CTID (<100)" ;;
+  206) echo "Proxmox: CTID already in use" ;;
+  207) echo "Proxmox: Password contains unescaped special characters" ;;
+  208) echo "Proxmox: Invalid configuration (DNS/MAC/Network format)" ;;
+  209) echo "Proxmox: Container creation failed" ;;
+  210) echo "Proxmox: Cluster not quorate" ;;
+  211) echo "Proxmox: Timeout waiting for template lock" ;;
+  212) echo "Proxmox: Storage type 'iscsidirect' does not support containers (VMs only)" ;;
+  213) echo "Proxmox: Storage type does not support 'rootdir' content" ;;
+  214) echo "Proxmox: Not enough storage space" ;;
+  215) echo "Proxmox: Container created but not listed (ghost state)" ;;
+  216) echo "Proxmox: RootFS entry missing in config" ;;
+  217) echo "Proxmox: Storage not accessible" ;;
+  219) echo "Proxmox: CephFS does not support containers - use RBD" ;;
+  224) echo "Proxmox: PBS storage is for backups only" ;;
+  218) echo "Proxmox: Template file corrupted or incomplete" ;;
+  220) echo "Proxmox: Unable to resolve template path" ;;
+  221) echo "Proxmox: Template file not readable" ;;
+  222) echo "Proxmox: Template download failed" ;;
+  223) echo "Proxmox: Template not available after download" ;;
+  225) echo "Proxmox: No template available for OS/Version" ;;
+  231) echo "Proxmox: LXC stack upgrade failed" ;;
+
+  # --- Default ---
+  *) echo "Unknown error" ;;
+  esac
+}
+
+# ==============================================================================
+# SECTION 2: ERROR HANDLERS
+# ==============================================================================
+
+# ------------------------------------------------------------------------------
+# error_handler()
+#
+# - Main error handler triggered by ERR trap
+# - Arguments: exit_code, command, line_number
+# - Behavior:
+#   * Returns silently if exit_code is 0 (success)
+#   * Sources explain_exit_code() for detailed error description
+#   * Displays error message with:
+#     - Line number where error occurred
+#     - Exit code with explanation
+#     - Command that failed
+#   * Shows last 20 lines of SILENT_LOGFILE if available
+#   * Copies log to container /root for later inspection
+#   * Exits with original exit code
+# ------------------------------------------------------------------------------
+error_handler() {
+  local exit_code=${1:-$?}
+  local command=${2:-${BASH_COMMAND:-unknown}}
+  local line_number=${BASH_LINENO[0]:-unknown}
+
+  command="${command//\$STD/}"
+
+  if [[ "$exit_code" -eq 0 ]]; then
+    return 0
+  fi
+
+  local explanation
+  explanation="$(explain_exit_code "$exit_code")"
+
+  printf "\e[?25h"
+
+  # Use msg_error if available, fallback to echo
+  if declare -f msg_error >/dev/null 2>&1; then
+    msg_error "in line ${line_number}: exit code ${exit_code} (${explanation}): while executing command ${command}"
+  else
+    echo -e "\n${RD}[ERROR]${CL} in line ${RD}${line_number}${CL}: exit code ${RD}${exit_code}${CL} (${explanation}): while executing command ${YWB}${command}${CL}\n"
+  fi
+
+  if [[ -n "${DEBUG_LOGFILE:-}" ]]; then
+    {
+      echo "------ ERROR ------"
+      echo "Timestamp : $(date '+%Y-%m-%d %H:%M:%S')"
+      echo "Exit Code : $exit_code ($explanation)"
+      echo "Line      : $line_number"
+      echo "Command   : $command"
+      echo "-------------------"
+    } >>"$DEBUG_LOGFILE"
+  fi
+
+  # Get active log file (BUILD_LOG or INSTALL_LOG)
+  local active_log=""
+  if declare -f get_active_logfile >/dev/null 2>&1; then
+    active_log="$(get_active_logfile)"
+  elif [[ -n "${SILENT_LOGFILE:-}" ]]; then
+    active_log="$SILENT_LOGFILE"
+  fi
+
+  if [[ -n "$active_log" && -s "$active_log" ]]; then
+    echo "--- Last 20 lines of silent log ---"
+    tail -n 20 "$active_log"
+    echo "-----------------------------------"
+
+    # Detect context: Container (INSTALL_LOG set + /root exists) vs Host (BUILD_LOG)
+    if [[ -n "${INSTALL_LOG:-}" && -d /root ]]; then
+      # CONTAINER CONTEXT: Copy log and create flag file for host
+      local container_log="/root/.install-${SESSION_ID:-error}.log"
+      cp "$active_log" "$container_log" 2>/dev/null || true
+
+      # Create error flag file with exit code for host detection
+      echo "$exit_code" >"/root/.install-${SESSION_ID:-error}.failed" 2>/dev/null || true
+
+      if declare -f msg_custom >/dev/null 2>&1; then
+        msg_custom "📋" "${YW}" "Log saved to: ${container_log}"
+      else
+        echo -e "${YW}Log saved to:${CL} ${BL}${container_log}${CL}"
+      fi
+    else
+      # HOST CONTEXT: Show local log path and offer container cleanup
+      if declare -f msg_custom >/dev/null 2>&1; then
+        msg_custom "📋" "${YW}" "Full log: ${active_log}"
+      else
+        echo -e "${YW}Full log:${CL} ${BL}${active_log}${CL}"
+      fi
+
+      # Offer to remove container if it exists (build errors after container creation)
+      if [[ -n "${CTID:-}" ]] && command -v pct &>/dev/null && pct status "$CTID" &>/dev/null; then
+        echo ""
+        echo -en "${YW}Remove broken container ${CTID}? (Y/n) [auto-remove in 60s]: ${CL}"
+
+        if read -t 60 -r response; then
+          if [[ -z "$response" || "$response" =~ ^[Yy]$ ]]; then
+            echo -e "\n${YW}Removing container ${CTID}${CL}"
+            pct stop "$CTID" &>/dev/null || true
+            pct destroy "$CTID" &>/dev/null || true
+            echo -e "${GN}✔${CL} Container ${CTID} removed"
+          elif [[ "$response" =~ ^[Nn]$ ]]; then
+            echo -e "\n${YW}Container ${CTID} kept for debugging${CL}"
+          fi
+        else
+          # Timeout - auto-remove
+          echo -e "\n${YW}No response - auto-removing container${CL}"
+          pct stop "$CTID" &>/dev/null || true
+          pct destroy "$CTID" &>/dev/null || true
+          echo -e "${GN}✔${CL} Container ${CTID} removed"
+        fi
+      fi
+    fi
+  fi
+
+  exit "$exit_code"
+}
+
+# ==============================================================================
+# SECTION 3: SIGNAL HANDLERS
+# ==============================================================================
+
+# ------------------------------------------------------------------------------
+# on_exit()
+#
+# - EXIT trap handler
+# - Cleans up lock files if lockfile variable is set
+# - Exits with captured exit code
+# - Always runs on script termination (success or failure)
+# ------------------------------------------------------------------------------
+on_exit() {
+  local exit_code=$?
+  [[ -n "${lockfile:-}" && -e "$lockfile" ]] && rm -f "$lockfile"
+  exit "$exit_code"
+}
+
+# ------------------------------------------------------------------------------
+# on_interrupt()
+#
+# - SIGINT (Ctrl+C) trap handler
+# - Displays "Interrupted by user" message
+# - Exits with code 130 (128 + SIGINT=2)
+# ------------------------------------------------------------------------------
+on_interrupt() {
+  if declare -f msg_error >/dev/null 2>&1; then
+    msg_error "Interrupted by user (SIGINT)"
+  else
+    echo -e "\n${RD}Interrupted by user (SIGINT)${CL}"
+  fi
+  exit 130
+}
+
+# ------------------------------------------------------------------------------
+# on_terminate()
+#
+# - SIGTERM trap handler
+# - Displays "Terminated by signal" message
+# - Exits with code 143 (128 + SIGTERM=15)
+# - Triggered by external process termination
+# ------------------------------------------------------------------------------
+on_terminate() {
+  if declare -f msg_error >/dev/null 2>&1; then
+    msg_error "Terminated by signal (SIGTERM)"
+  else
+    echo -e "\n${RD}Terminated by signal (SIGTERM)${CL}"
+  fi
+  exit 143
+}
+
+# ==============================================================================
+# SECTION 4: INITIALIZATION
+# ==============================================================================
+
+# ------------------------------------------------------------------------------
+# catch_errors()
+#
+# - Initializes error handling and signal traps
+# - Enables strict error handling:
+#   * set -Ee: Exit on error, inherit ERR trap in functions
+#   * set -o pipefail: Pipeline fails if any command fails
+#   * set -u: (optional) Exit on undefined variable (if STRICT_UNSET=1)
+# - Sets up traps:
+#   * ERR → error_handler
+#   * EXIT → on_exit
+#   * INT → on_interrupt
+#   * TERM → on_terminate
+# - Call this function early in every script
+# ------------------------------------------------------------------------------
+catch_errors() {
+  set -Ee -o pipefail
+  if [ "${STRICT_UNSET:-0}" = "1" ]; then
+    set -u
+  fi
+
+  trap 'error_handler' ERR
+  trap on_exit EXIT
+  trap on_interrupt INT
+  trap on_terminate TERM
+}
--- a/scripts/core/install.func
+++ b/scripts/core/install.func
@@ -1,4 +1,4 @@
-# Copyright (c) 2021-2025 community-scripts ORG
+# Copyright (c) 2021-2026 community-scripts ORG
 # Author: tteck (tteckster)
 # Co-Author: MickLesk
 # License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
@@ -37,6 +37,9 @@ source "$(dirname "${BASH_SOURCE[0]}")/error-handler.func"
 load_functions
 catch_errors

+# Get LXC IP address (must be called INSIDE container, after network is up)
+get_lxc_ip
+
 # ==============================================================================
 # SECTION 2: NETWORK & CONNECTIVITY
 # ==============================================================================
@@ -76,6 +79,13 @@ EOF
 # ------------------------------------------------------------------------------
 setting_up_container() {
  msg_info "Setting up Container OS"
+
+  # Fix Debian 13 LXC template bug where / is owned by nobody
+  # Only attempt in privileged containers (unprivileged cannot chown /)
+  if [[ "$(stat -c '%U' /)" != "root" ]]; then
+    (chown root:root / 2>/dev/null) || true
+  fi
+
  for ((i = RETRY_NUM; i > 0; i--)); do
    if [ "$(hostname -I)" != "" ]; then
      break
@@ -222,21 +232,12 @@ motd_ssh() {
  # Set terminal to 256-color mode
  grep -qxF "export TERM='xterm-256color'" /root/.bashrc || echo "export TERM='xterm-256color'" >>/root/.bashrc

-  # Get OS information (Debian / Ubuntu)
-  if [ -f "/etc/os-release" ]; then
-    OS_NAME=$(grep ^NAME /etc/os-release | cut -d= -f2 | tr -d '"')
-    OS_VERSION=$(grep ^VERSION_ID /etc/os-release | cut -d= -f2 | tr -d '"')
-  elif [ -f "/etc/debian_version" ]; then
-    OS_NAME="Debian"
-    OS_VERSION=$(cat /etc/debian_version)
-  fi
-
  PROFILE_FILE="/etc/profile.d/00_lxc-details.sh"
  echo "echo -e \"\"" >"$PROFILE_FILE"
  echo -e "echo -e \"${BOLD}${APPLICATION} LXC Container${CL}"\" >>"$PROFILE_FILE"
  echo -e "echo -e \"${TAB}${GATEWAY}${YW} Provided by: ${GN}community-scripts ORG ${YW}| GitHub: ${GN}https://github.com/community-scripts/ProxmoxVE${CL}\"" >>"$PROFILE_FILE"
  echo "echo \"\"" >>"$PROFILE_FILE"
-  echo -e "echo -e \"${TAB}${OS}${YW} OS: ${GN}${OS_NAME} - Version: ${OS_VERSION}${CL}\"" >>"$PROFILE_FILE"
+  echo -e "echo -e \"${TAB}${OS}${YW} OS: ${GN}\$(grep ^NAME /etc/os-release | cut -d= -f2 | tr -d '\"') - Version: \$(grep ^VERSION_ID /etc/os-release | cut -d= -f2 | tr -d '\"')${CL}\"" >>"$PROFILE_FILE"
  echo -e "echo -e \"${TAB}${HOSTNAME}${YW} Hostname: ${GN}\$(hostname)${CL}\"" >>"$PROFILE_FILE"
  echo -e "echo -e \"${TAB}${INFO}${YW} IP Address: ${GN}\$(hostname -I | awk '{print \$1}')${CL}\"" >>"$PROFILE_FILE"

--- a/scripts/core/tools.func
+++ b/scripts/core/tools.func
--- a/scripts/ct/debian.sh
+++ b/scripts/ct/debian.sh
@@ -0,0 +1,44 @@
+#!/usr/bin/env bash
+SCRIPT_DIR="$(dirname "$0")" 
+source "$SCRIPT_DIR/../core/build.func"
+# Copyright (c) 2021-2026 tteck
+# Author: tteck (tteckster)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://www.debian.org/
+
+APP="Debian"
+var_tags="${var_tags:-os}"
+var_cpu="${var_cpu:-1}"
+var_ram="${var_ram:-512}"
+var_disk="${var_disk:-2}"
+var_os="${var_os:-debian}"
+var_version="${var_version:-13}"
+var_unprivileged="${var_unprivileged:-1}"
+
+header_info "$APP"
+variables
+color
+catch_errors
+
+function update_script() {
+  header_info
+  check_container_storage
+  check_container_resources
+  if [[ ! -d /var ]]; then
+    msg_error "No ${APP} Installation Found!"
+    exit
+  fi
+  msg_info "Updating $APP LXC"
+  $STD apt update
+  $STD apt -y upgrade
+  msg_ok "Updated $APP LXC"
+  msg_ok "Updated successfully!"
+  exit
+}
+
+start
+build_container
+description
+
+msg_ok "Completed successfully!\n"
+echo -e "${CREATING}${GN}${APP} setup has been successfully initialized!${CL}"
--- a/scripts/install/debian-install.sh
+++ b/scripts/install/debian-install.sh
@@ -0,0 +1,18 @@
+#!/usr/bin/env bash
+
+# Copyright (c) 2021-2026 tteck
+# Author: tteck (tteckster)
+# License: MIT | https://github.com/community-scripts/ProxmoxVE/raw/main/LICENSE
+# Source: https://www.debian.org/
+
+source /dev/stdin <<<"$FUNCTIONS_FILE_PATH"
+color
+verb_ip6
+catch_errors
+setting_up_container
+network_check
+update_os
+
+motd_ssh
+customize
+cleanup_lxc
--- a/server.js
+++ b/server.js
@@ -82,6 +82,7 @@ const handle = app.getRequestHandler();
 * @property {number} [cloneCount]
 * @property {string[]} [hostnames]
 * @property {'lxc'|'vm'} [containerType]
+ * @property {Record<string, string|number|boolean>} [envVars]
 */

 class ScriptExecutionHandler {
@@ -299,7 +300,7 @@ class ScriptExecutionHandler {
   * @param {WebSocketMessage} message
   */
  async handleMessage(ws, message) {
-    const { action, scriptPath, executionId, input, mode, server, isUpdate, isShell, isBackup, isClone, containerId, storage, backupStorage, cloneCount, hostnames, containerType } = message;
+    const { action, scriptPath, executionId, input, mode, server, isUpdate, isShell, isBackup, isClone, containerId, storage, backupStorage, cloneCount, hostnames, containerType, envVars } = message;

    switch (action) {
      case 'start':
@@ -313,7 +314,7 @@ class ScriptExecutionHandler {
          } else if (isShell && containerId) {
            await this.startShellExecution(ws, containerId, executionId, mode, server);
          } else {
-            await this.startScriptExecution(ws, scriptPath, executionId, mode, server);
+            await this.startScriptExecution(ws, scriptPath, executionId, mode, server, envVars);
          }
        } else {
          this.sendMessage(ws, {
@@ -351,8 +352,9 @@ class ScriptExecutionHandler {
   * @param {string} executionId
   * @param {string} mode
   * @param {ServerInfo|null} server
+   * @param {Object} [envVars] - Optional environment variables to pass to the script
   */
-  async startScriptExecution(ws, scriptPath, executionId, mode = 'local', server = null) {
+  async startScriptExecution(ws, scriptPath, executionId, mode = 'local', server = null, envVars = {}) {
    /** @type {number|null} */
    let installationId = null;
    
@@ -381,7 +383,7 @@ class ScriptExecutionHandler {

      // Handle SSH execution
      if (mode === 'ssh' && server) {
-        await this.startSSHScriptExecution(ws, scriptPath, executionId, server, installationId);
+        await this.startSSHScriptExecution(ws, scriptPath, executionId, server, installationId, envVars);
        return;
      }
      
@@ -407,19 +409,32 @@ class ScriptExecutionHandler {
        return;
      }

+      // Format environment variables for local execution
+      // Convert envVars object to environment variables
+      const envWithVars = {
+        ...process.env,
+        TERM: 'xterm-256color', // Enable proper terminal support
+        FORCE_ANSI: 'true', // Allow ANSI codes for proper display
+        COLUMNS: '80', // Set terminal width
+        LINES: '24' // Set terminal height
+      };
+
+      // Add envVars to environment
+      if (envVars && typeof envVars === 'object') {
+        for (const [key, value] of Object.entries(envVars)) {
+          /** @type {Record<string, string>} */
+          const envRecord = envWithVars;
+          envRecord[key] = String(value);
+        }
+      }
+
      // Start script execution with pty for proper TTY support
      const childProcess = ptySpawn('bash', [resolvedPath], {
        cwd: scriptsDir,
        name: 'xterm-256color',
        cols: 80,
        rows: 24,
-        env: {
-          ...process.env,
-          TERM: 'xterm-256color', // Enable proper terminal support
-          FORCE_ANSI: 'true', // Allow ANSI codes for proper display
-          COLUMNS: '80', // Set terminal width
-          LINES: '24' // Set terminal height
-        }
+        env: envWithVars
      });

      // pty handles encoding automatically
@@ -522,8 +537,9 @@ class ScriptExecutionHandler {
   * @param {string} executionId
   * @param {ServerInfo} server
   * @param {number|null} installationId
+   * @param {Object} [envVars] - Optional environment variables to pass to the script
   */
-  async startSSHScriptExecution(ws, scriptPath, executionId, server, installationId = null) {
+  async startSSHScriptExecution(ws, scriptPath, executionId, server, installationId = null, envVars = {}) {
    const sshService = getSSHExecutionService();

    // Send start message
@@ -612,7 +628,8 @@ class ScriptExecutionHandler {
          
          // Clean up
          this.activeExecutions.delete(executionId);
-        }
+        },
+        envVars
      ));

      // Store the execution with installation ID
@@ -1593,6 +1610,7 @@ class ScriptExecutionHandler {
 // TerminalHandler removed - not used by current application

 app.prepare().then(() => {
+  console.log('> Next.js app prepared successfully');
  const httpServer = createServer(async (req, res) => {
    try {
      // Be sure to pass `true` as the second argument to `url.parse`.
@@ -1698,4 +1716,9 @@ app.prepare().then(() => {
        autoSyncModule.setupGracefulShutdown();
      }
    });
+}).catch((err) => {
+  console.error('> Failed to start server:', err.message);
+  console.error('> If you see "Could not find a production build", run: npm run build');
+  console.error('> Full error:', err);
+  process.exit(1);
 });
--- a/src/app/_components/ConfigurationModal.tsx
+++ b/src/app/_components/ConfigurationModal.tsx
@@ -0,0 +1,990 @@
+'use client';
+
+import { useState, useEffect } from 'react';
+import { api } from '~/trpc/react';
+import type { Script } from '~/types/script';
+import type { Server } from '~/types/server';
+import { Button } from './ui/button';
+import { Input } from './ui/input';
+import { useRegisterModal } from './modal/ModalStackProvider';
+
+export type EnvVars = Record<string, string | number | boolean>;
+
+interface ConfigurationModalProps {
+  isOpen: boolean;
+  onClose: () => void;
+  onConfirm: (envVars: EnvVars) => void;
+  script: Script | null;
+  server: Server | null;
+  mode: 'default' | 'advanced';
+}
+
+export function ConfigurationModal({
+  isOpen,
+  onClose,
+  onConfirm,
+  script,
+  server,
+  mode,
+}: ConfigurationModalProps) {
+  useRegisterModal(isOpen, { id: 'configuration-modal', allowEscape: true, onClose });
+
+  // Fetch script data if we only have slug
+  const { data: scriptData } = api.scripts.getScriptBySlug.useQuery(
+    { slug: script?.slug ?? '' },
+    { enabled: !!script?.slug && isOpen }
+  );
+
+  const actualScript = script ?? (scriptData?.script ?? null);
+
+  // Fetch storages
+  const { data: rootfsStoragesData } = api.scripts.getRootfsStorages.useQuery(
+    { serverId: server?.id ?? 0, forceRefresh: false },
+    { enabled: !!server?.id && isOpen }
+  );
+
+  const { data: templateStoragesData } = api.scripts.getTemplateStorages.useQuery(
+    { serverId: server?.id ?? 0, forceRefresh: false },
+    { enabled: !!server?.id && isOpen && mode === 'advanced' }
+  );
+
+  // Get resources from JSON
+  const resources = actualScript?.install_methods?.[0]?.resources;
+  const slug = actualScript?.slug ?? '';
+
+  // Default mode state
+  const [containerStorage, setContainerStorage] = useState<string>('');
+
+  // Advanced mode state
+  const [advancedVars, setAdvancedVars] = useState<EnvVars>({});
+
+  // Discovered SSH keys on the Proxmox host (advanced mode only)
+  const [discoveredSshKeys, setDiscoveredSshKeys] = useState<string[]>([]);
+  const [discoveredSshKeysLoading, setDiscoveredSshKeysLoading] = useState(false);
+  const [discoveredSshKeysError, setDiscoveredSshKeysError] = useState<string | null>(null);
+
+  // Validation errors
+  const [errors, setErrors] = useState<Record<string, string>>({});
+
+  // Initialize defaults when script/server data is available
+  useEffect(() => {
+    if (!actualScript || !server) return;
+
+    if (mode === 'default') {
+      // Default mode: minimal vars
+      setContainerStorage('');
+    } else {
+      // Advanced mode: all vars with defaults
+      const defaults: EnvVars = {
+        // Resources from JSON
+        var_cpu: resources?.cpu ?? 1,
+        var_ram: resources?.ram ?? 1024,
+        var_disk: resources?.hdd ?? 4,
+        var_unprivileged: script?.privileged === false ? 1 : (script?.privileged === true ? 0 : 1),
+
+        // Network defaults
+        var_net: 'dhcp',
+        var_brg: 'vmbr0',
+        var_gateway: '',
+        var_ipv6_method: 'none',
+        var_ipv6_static: '',
+        var_vlan: '',
+        var_mtu: 1500,
+        var_mac: '',
+        var_ns: '',
+
+        // Identity
+        var_hostname: slug,
+        var_pw: '',
+        var_tags: 'community-script',
+
+        // SSH
+        var_ssh: 'no',
+        var_ssh_authorized_key: '',
+
+        // Features
+        var_nesting: 1,
+        var_fuse: 0,
+        var_keyctl: 0,
+        var_mknod: 0,
+        var_mount_fs: '',
+        var_protection: 'no',
+        var_tun: 'no',
+
+        // System
+        var_timezone: '',
+        var_verbose: 'no',
+        var_apt_cacher: 'no',
+        var_apt_cacher_ip: '',
+
+        // Storage
+        var_container_storage: '',
+        var_template_storage: '',
+      };
+      setAdvancedVars(defaults);
+    }
+  }, [actualScript, server, mode, resources, slug]);
+
+  // Discover SSH keys on the Proxmox host when advanced mode is open
+  useEffect(() => {
+    if (!server?.id || !isOpen || mode !== 'advanced') {
+      setDiscoveredSshKeys([]);
+      setDiscoveredSshKeysError(null);
+      return;
+    }
+    let cancelled = false;
+    setDiscoveredSshKeysLoading(true);
+    setDiscoveredSshKeysError(null);
+    fetch(`/api/servers/${server.id}/discover-ssh-keys`)
+      .then((res) => {
+        if (!res.ok) throw new Error(res.status === 404 ? 'Server not found' : res.statusText);
+        return res.json();
+      })
+      .then((data: { keys?: string[] }) => {
+        if (!cancelled && Array.isArray(data.keys)) setDiscoveredSshKeys(data.keys);
+      })
+      .catch((err) => {
+        if (!cancelled) {
+          setDiscoveredSshKeys([]);
+          setDiscoveredSshKeysError(err instanceof Error ? err.message : 'Could not detect keys');
+        }
+      })
+      .finally(() => {
+        if (!cancelled) setDiscoveredSshKeysLoading(false);
+      });
+    return () => {
+      cancelled = true;
+    };
+  }, [server?.id, isOpen, mode]);
+
+  // Validation functions
+  const validateIPv4 = (ip: string): boolean => {
+    if (!ip) return true; // Empty is allowed (auto)
+    const pattern = /^(\d{1,3}\.){3}\d{1,3}$/;
+    if (!pattern.test(ip)) return false;
+    const parts = ip.split('.').map(Number);
+    return parts.every(p => p >= 0 && p <= 255);
+  };
+
+  const validateCIDR = (cidr: string): boolean => {
+    if (!cidr) return true; // Empty is allowed
+    const pattern = /^([0-9]{1,3}\.){3}[0-9]{1,3}\/([0-9]|[1-2][0-9]|3[0-2])$/;
+    if (!pattern.test(cidr)) return false;
+    const parts = cidr.split('/');
+    if (parts.length !== 2) return false;
+    const [ip, prefix] = parts;
+    if (!ip || !prefix) return false;
+    const ipParts = ip.split('.').map(Number);
+    if (!ipParts.every(p => p >= 0 && p <= 255)) return false;
+    const prefixNum = parseInt(prefix, 10);
+    return prefixNum >= 0 && prefixNum <= 32;
+  };
+
+  const validateIPv6 = (ipv6: string): boolean => {
+    if (!ipv6) return true; // Empty is allowed
+    // Basic IPv6 validation (simplified - allows compressed format)
+    const pattern = /^([0-9a-fA-F]{0,4}:){2,7}[0-9a-fA-F]{0,4}(\/\d{1,3})?$/;
+    return pattern.test(ipv6);
+  };
+
+  const validateMAC = (mac: string): boolean => {
+    if (!mac) return true; // Empty is allowed (auto)
+    const pattern = /^([0-9A-Fa-f]{2}:){5}([0-9A-Fa-f]{2})$/;
+    return pattern.test(mac);
+  };
+
+  const validatePositiveInt = (value: string | number | undefined): boolean => {
+    if (value === '' || value === undefined) return true;
+    const num = typeof value === 'string' ? parseInt(value, 10) : value;
+    return !isNaN(num) && num > 0;
+  };
+
+  const validateForm = (): boolean => {
+    const newErrors: Record<string, string> = {};
+
+    if (mode === 'default') {
+      // Default mode: only storage is optional
+      // No validation needed
+    } else {
+      // Advanced mode: validate all fields
+      if (advancedVars.var_gateway && !validateIPv4(advancedVars.var_gateway as string)) {
+        newErrors.var_gateway = 'Invalid IPv4 address';
+      }
+      if (advancedVars.var_mac && !validateMAC(advancedVars.var_mac as string)) {
+        newErrors.var_mac = 'Invalid MAC address format (XX:XX:XX:XX:XX:XX)';
+      }
+      if (advancedVars.var_ns && !validateIPv4(advancedVars.var_ns as string)) {
+        newErrors.var_ns = 'Invalid IPv4 address';
+      }
+      if (advancedVars.var_apt_cacher_ip && !validateIPv4(advancedVars.var_apt_cacher_ip as string)) {
+        newErrors.var_apt_cacher_ip = 'Invalid IPv4 address';
+      }
+      // Validate IPv4 CIDR if network mode is static
+      const netValue = advancedVars.var_net;
+      const isStaticMode = netValue === 'static' || (typeof netValue === 'string' && netValue.includes('/'));
+      if (isStaticMode) {
+        const cidrValue = (typeof netValue === 'string' && netValue.includes('/')) ? netValue : (advancedVars.var_ip as string ?? '');
+        if (cidrValue && !validateCIDR(cidrValue)) {
+          newErrors.var_ip = 'Invalid CIDR format (e.g., 10.10.10.1/24)';
+        }
+      }
+      // Validate IPv6 static if IPv6 method is static
+      if (advancedVars.var_ipv6_method === 'static' && advancedVars.var_ipv6_static) {
+        if (!validateIPv6(advancedVars.var_ipv6_static as string)) {
+          newErrors.var_ipv6_static = 'Invalid IPv6 address';
+        }
+      }
+      if (!validatePositiveInt(advancedVars.var_cpu as string | number | undefined)) {
+        newErrors.var_cpu = 'Must be a positive integer';
+      }
+      if (!validatePositiveInt(advancedVars.var_ram as string | number | undefined)) {
+        newErrors.var_ram = 'Must be a positive integer';
+      }
+      if (!validatePositiveInt(advancedVars.var_disk as string | number | undefined)) {
+        newErrors.var_disk = 'Must be a positive integer';
+      }
+      if (advancedVars.var_mtu && !validatePositiveInt(advancedVars.var_mtu as string | number | undefined)) {
+        newErrors.var_mtu = 'Must be a positive integer';
+      }
+      if (advancedVars.var_vlan && !validatePositiveInt(advancedVars.var_vlan as string | number | undefined)) {
+        newErrors.var_vlan = 'Must be a positive integer';
+      }
+    }
+
+    setErrors(newErrors);
+    return Object.keys(newErrors).length === 0;
+  };
+
+  const handleConfirm = () => {
+    if (!validateForm()) {
+      return;
+    }
+
+    let envVars: EnvVars = {};
+
+    if (mode === 'default') {
+      // Default mode: minimal vars
+      envVars = {
+        var_hostname: slug,
+        var_brg: 'vmbr0',
+        var_net: 'dhcp',
+        var_ipv6_method: 'auto',
+        var_ssh: 'no',
+        var_nesting: 1,
+        var_verbose: 'no',
+        var_cpu: resources?.cpu ?? 1,
+        var_ram: resources?.ram ?? 1024,
+        var_disk: resources?.hdd ?? 4,
+        var_unprivileged: script?.privileged === false ? 1 : (script?.privileged === true ? 0 : 1),
+      };
+
+      if (containerStorage) {
+        envVars.var_container_storage = containerStorage;
+      }
+    } else {
+      // Advanced mode: all vars
+      envVars = { ...advancedVars };
+      
+      // If network mode is static and var_ip is set, replace var_net with the CIDR
+      if (envVars.var_net === 'static' && envVars.var_ip) {
+        envVars.var_net = envVars.var_ip as string;
+        delete envVars.var_ip; // Remove the temporary var_ip
+      }
+
+      // Format password correctly: if var_pw is set, format it as "-password <password>"
+      // build.func expects PW to be in "-password <password>" format when added to PCT_OPTIONS
+      const rawPassword = envVars.var_pw;
+      const hasPassword = rawPassword && typeof rawPassword === 'string' && rawPassword.trim() !== '';
+      const hasSSHKey = envVars.var_ssh_authorized_key && typeof envVars.var_ssh_authorized_key === 'string' && envVars.var_ssh_authorized_key.trim() !== '';
+      
+      if (hasPassword) {
+        // Remove any existing "-password" prefix to avoid double-formatting
+        const cleanPassword = rawPassword.startsWith('-password ') 
+          ? rawPassword.substring(11) 
+          : rawPassword;
+        // Format as "-password <password>" for build.func
+        envVars.var_pw = `-password ${cleanPassword}`;
+      } else {
+        // Empty password means auto-login, clear var_pw
+        envVars.var_pw = '';
+      }
+      
+
+      if ((hasPassword || hasSSHKey) && envVars.var_ssh !== 'no') {
+        envVars.var_ssh = 'yes';
+      }
+
+      // Normalize var_tags: accept both comma and semicolon, output comma-separated
+      const rawTags = envVars.var_tags;
+      if (typeof rawTags === 'string' && rawTags.trim() !== '') {
+        envVars.var_tags = rawTags
+          .split(/[,;]/)
+          .map((s) => s.trim())
+          .filter(Boolean)
+          .join(',');
+      }
+    }
+
+    // Remove empty string values (but keep 0, false, etc.)
+    const cleaned: EnvVars = {};
+    for (const [key, value] of Object.entries(envVars)) {
+      if (value !== '' && value !== undefined) {
+        cleaned[key] = value;
+      }
+    }
+
+    // Always set mode to "default" (build.func line 1783 expects this)
+    cleaned.mode = 'default';
+
+    onConfirm(cleaned);
+  };
+
+  const updateAdvancedVar = (key: string, value: string | number | boolean) => {
+    setAdvancedVars(prev => ({ ...prev, [key]: value }));
+    // Clear error for this field
+    if (errors[key]) {
+      setErrors(prev => {
+        const newErrors = { ...prev };
+        delete newErrors[key];
+        return newErrors;
+      });
+    }
+  };
+
+  if (!isOpen) return null;
+
+  const rootfsStorages = rootfsStoragesData?.storages ?? [];
+  const templateStorages = templateStoragesData?.storages ?? [];
+
+  return (
+    <div className="fixed inset-0 backdrop-blur-sm bg-black/50 flex items-center justify-center z-50 p-4">
+      <div className="bg-card rounded-lg shadow-xl max-w-4xl w-full border border-border max-h-[90vh] overflow-y-auto">
+        {/* Header */}
+        <div className="flex items-center justify-between p-6 border-b border-border">
+          <h2 className="text-xl font-bold text-foreground">
+            {mode === 'default' ? 'Default Configuration' : 'Advanced Configuration'}
+          </h2>
+          <Button
+            onClick={onClose}
+            variant="ghost"
+            size="icon"
+            className="text-muted-foreground hover:text-foreground"
+          >
+            <svg className="w-6 h-6" fill="none" stroke="currentColor" viewBox="0 0 24 24">
+              <path strokeLinecap="round" strokeLinejoin="round" strokeWidth={2} d="M6 18L18 6M6 6l12 12" />
+            </svg>
+          </Button>
+        </div>
+
+        {/* Content */}
+        <div className="p-6">
+          {mode === 'default' ? (
+            /* Default Mode */
+            <div className="space-y-6">
+              <div>
+                <label className="block text-sm font-medium text-foreground mb-2">
+                  Container Storage
+                </label>
+                <select
+                  value={containerStorage}
+                  onChange={(e) => setContainerStorage(e.target.value)}
+                  className="w-full rounded-md border border-input bg-background px-3 py-2 text-sm text-foreground focus:ring-2 focus:ring-ring focus:outline-none"
+                >
+                  <option value="">Auto (let script choose)</option>
+                  {rootfsStorages.map((storage) => (
+                    <option key={storage.name} value={storage.name}>
+                      {storage.name} ({storage.type})
+                    </option>
+                  ))}
+                </select>
+                {rootfsStorages.length === 0 && (
+                  <p className="mt-1 text-xs text-muted-foreground">
+                    Could not fetch storages. Script will use default selection.
+                  </p>
+                )}
+              </div>
+
+              <div className="bg-muted/50 rounded-lg p-4 border border-border">
+                <h3 className="text-sm font-medium text-foreground mb-2">Default Values</h3>
+                <div className="text-xs text-muted-foreground space-y-1">
+                  <p>Hostname: {slug}</p>
+                  <p>Bridge: vmbr0</p>
+                  <p>Network: DHCP</p>
+                  <p>IPv6: Auto</p>
+                  <p>SSH: Disabled</p>
+                  <p>Nesting: Enabled</p>
+                  <p>CPU: {resources?.cpu ?? 1}</p>
+                  <p>RAM: {resources?.ram ?? 1024} MB</p>
+                  <p>Disk: {resources?.hdd ?? 4} GB</p>
+                </div>
+              </div>
+            </div>
+          ) : (
+            /* Advanced Mode */
+            <div className="space-y-6">
+              {/* Resources */}
+              <div>
+                <h3 className="text-lg font-medium text-foreground mb-4">Resources</h3>
+                <div className="grid grid-cols-2 gap-4">
+                  <div>
+                    <label className="block text-sm font-medium text-foreground mb-2">
+                      CPU Cores *
+                    </label>
+                    <Input
+                      type="number"
+                      min="1"
+                      value={typeof advancedVars.var_cpu === 'boolean' ? '' : (advancedVars.var_cpu ?? '')}
+                      onChange={(e) => updateAdvancedVar('var_cpu', parseInt(e.target.value) || 1)}
+                      className={errors.var_cpu ? 'border-destructive' : ''}
+                    />
+                    {errors.var_cpu && (
+                      <p className="mt-1 text-xs text-destructive">{errors.var_cpu}</p>
+                    )}
+                  </div>
+                  <div>
+                    <label className="block text-sm font-medium text-foreground mb-2">
+                      RAM (MB) *
+                    </label>
+                    <Input
+                      type="number"
+                      min="1"
+                      value={typeof advancedVars.var_ram === 'boolean' ? '' : (advancedVars.var_ram ?? '')}
+                      onChange={(e) => updateAdvancedVar('var_ram', parseInt(e.target.value) || 1024)}
+                      className={errors.var_ram ? 'border-destructive' : ''}
+                    />
+                    {errors.var_ram && (
+                      <p className="mt-1 text-xs text-destructive">{errors.var_ram}</p>
+                    )}
+                  </div>
+                  <div>
+                    <label className="block text-sm font-medium text-foreground mb-2">
+                      Disk Size (GB) *
+                    </label>
+                    <Input
+                      type="number"
+                      min="1"
+                      value={typeof advancedVars.var_disk === 'boolean' ? '' : (advancedVars.var_disk ?? '')}
+                      onChange={(e) => updateAdvancedVar('var_disk', parseInt(e.target.value) || 4)}
+                      className={errors.var_disk ? 'border-destructive' : ''}
+                    />
+                    {errors.var_disk && (
+                      <p className="mt-1 text-xs text-destructive">{errors.var_disk}</p>
+                    )}
+                  </div>
+                  <div>
+                    <label className="block text-sm font-medium text-foreground mb-2">
+                      Unprivileged
+                    </label>
+                    <select
+                      value={typeof advancedVars.var_unprivileged === 'boolean' ? (advancedVars.var_unprivileged ? 0 : 1) : (advancedVars.var_unprivileged ?? 1)}
+                      onChange={(e) => updateAdvancedVar('var_unprivileged', parseInt(e.target.value))}
+                      className="w-full rounded-md border border-input bg-background px-3 py-2 text-sm text-foreground focus:ring-2 focus:ring-ring focus:outline-none"
+                    >
+                      <option value={1}>Yes (Unprivileged)</option>
+                      <option value={0}>No (Privileged)</option>
+                    </select>
+                  </div>
+                </div>
+              </div>
+
+              {/* Network */}
+              <div>
+                <h3 className="text-lg font-medium text-foreground mb-4">Network</h3>
+                <div className="grid grid-cols-2 gap-4">
+                  <div>
+                    <label className="block text-sm font-medium text-foreground mb-2">
+                      Network Mode
+                    </label>
+                    <select
+                      value={(typeof advancedVars.var_net === 'string' && advancedVars.var_net.includes('/')) ? 'static' : (typeof advancedVars.var_net === 'boolean' ? 'dhcp' : (advancedVars.var_net ?? 'dhcp'))}
+                      onChange={(e) => {
+                        if (e.target.value === 'static') {
+                          updateAdvancedVar('var_net', 'static');
+                        } else {
+                          updateAdvancedVar('var_net', e.target.value);
+                          // Clear IPv4 IP when switching away from static
+                          if (advancedVars.var_ip) {
+                            updateAdvancedVar('var_ip', '');
+                          }
+                        }
+                      }}
+                      className="w-full rounded-md border border-input bg-background px-3 py-2 text-sm text-foreground focus:ring-2 focus:ring-ring focus:outline-none"
+                    >
+                      <option value="dhcp">DHCP</option>
+                      <option value="static">Static</option>
+                    </select>
+                  </div>
+                  {(advancedVars.var_net === 'static' || (typeof advancedVars.var_net === 'string' && advancedVars.var_net.includes('/'))) && (
+                    <div>
+                      <label className="block text-sm font-medium text-foreground mb-2">
+                        IPv4 Address (CIDR) *
+                      </label>
+                      <Input
+                        type="text"
+                        value={(typeof advancedVars.var_net === 'string' && advancedVars.var_net.includes('/')) ? advancedVars.var_net : (advancedVars.var_ip as string | undefined ?? '')}
+                        onChange={(e) => {
+                          // Store in var_ip temporarily, will be moved to var_net on confirm
+                          updateAdvancedVar('var_ip', e.target.value);
+                        }}
+                        placeholder="10.10.10.1/24"
+                        className={errors.var_ip ? 'border-destructive' : ''}
+                      />
+                      {errors.var_ip && (
+                        <p className="mt-1 text-xs text-destructive">{errors.var_ip}</p>
+                      )}
+                    </div>
+                  )}
+                  <div>
+                    <label className="block text-sm font-medium text-foreground mb-2">
+                      Bridge
+                    </label>
+                    <Input
+                      type="text"
+                      value={typeof advancedVars.var_brg === 'boolean' ? '' : String(advancedVars.var_brg ?? '')}
+                      onChange={(e) => updateAdvancedVar('var_brg', e.target.value)}
+                      placeholder="vmbr0"
+                    />
+                  </div>
+                  <div>
+                    <label className="block text-sm font-medium text-foreground mb-2">
+                      Gateway (IP)
+                    </label>
+                    <Input
+                      type="text"
+                      value={typeof advancedVars.var_gateway === 'boolean' ? '' : String(advancedVars.var_gateway ?? '')}
+                      onChange={(e) => updateAdvancedVar('var_gateway', e.target.value)}
+                      placeholder="Auto"
+                      className={errors.var_gateway ? 'border-destructive' : ''}
+                    />
+                    {errors.var_gateway && (
+                      <p className="mt-1 text-xs text-destructive">{errors.var_gateway}</p>
+                    )}
+                  </div>
+                  <div>
+                    <label className="block text-sm font-medium text-foreground mb-2">
+                      IPv6 Method
+                    </label>
+                    <select
+                      value={typeof advancedVars.var_ipv6_method === 'boolean' ? 'none' : String(advancedVars.var_ipv6_method ?? 'none')}
+                      onChange={(e) => {
+                        updateAdvancedVar('var_ipv6_method', e.target.value);
+                        // Clear IPv6 static when switching away from static
+                        if (e.target.value !== 'static' && advancedVars.var_ipv6_static) {
+                          updateAdvancedVar('var_ipv6_static', '');
+                        }
+                      }}
+                      className="w-full rounded-md border border-input bg-background px-3 py-2 text-sm text-foreground focus:ring-2 focus:ring-ring focus:outline-none"
+                    >
+                      <option value="none">None</option>
+                      <option value="auto">Auto</option>
+                      <option value="dhcp">DHCP</option>
+                      <option value="static">Static</option>
+                      <option value="disable">Disable</option>
+                    </select>
+                  </div>
+                  {advancedVars.var_ipv6_method === 'static' && (
+                    <div>
+                      <label className="block text-sm font-medium text-foreground mb-2">
+                        IPv6 Static Address *
+                      </label>
+                      <Input
+                        type="text"
+                        value={typeof advancedVars.var_ipv6_static === 'boolean' ? '' : String(advancedVars.var_ipv6_static ?? '')}
+                        onChange={(e) => updateAdvancedVar('var_ipv6_static', e.target.value)}
+                        placeholder="2001:db8::1/64"
+                        className={errors.var_ipv6_static ? 'border-destructive' : ''}
+                      />
+                      {errors.var_ipv6_static && (
+                        <p className="mt-1 text-xs text-destructive">{errors.var_ipv6_static}</p>
+                      )}
+                    </div>
+                  )}
+                  <div>
+                    <label className="block text-sm font-medium text-foreground mb-2">
+                      VLAN Tag
+                    </label>
+                    <Input
+                      type="number"
+                      min="1"
+                      value={typeof advancedVars.var_vlan === 'boolean' ? '' : String(advancedVars.var_vlan ?? '')}
+                      onChange={(e) => updateAdvancedVar('var_vlan', e.target.value ? parseInt(e.target.value) : '')}
+                      placeholder="None"
+                      className={errors.var_vlan ? 'border-destructive' : ''}
+                    />
+                    {errors.var_vlan && (
+                      <p className="mt-1 text-xs text-destructive">{errors.var_vlan}</p>
+                    )}
+                  </div>
+                  <div>
+                    <label className="block text-sm font-medium text-foreground mb-2">
+                      MTU
+                    </label>
+                    <Input
+                      type="number"
+                      min="1"
+                      value={typeof advancedVars.var_mtu === 'boolean' ? '' : String(advancedVars.var_mtu ?? '')}
+                      onChange={(e) => updateAdvancedVar('var_mtu', e.target.value ? parseInt(e.target.value) : 1500)}
+                      placeholder="1500"
+                      className={errors.var_mtu ? 'border-destructive' : ''}
+                    />
+                    {errors.var_mtu && (
+                      <p className="mt-1 text-xs text-destructive">{errors.var_mtu}</p>
+                    )}
+                  </div>
+                  <div>
+                    <label className="block text-sm font-medium text-foreground mb-2">
+                      MAC Address
+                    </label>
+                    <Input
+                      type="text"
+                      value={typeof advancedVars.var_mac === 'boolean' ? '' : String(advancedVars.var_mac ?? '')}
+                      onChange={(e) => updateAdvancedVar('var_mac', e.target.value)}
+                      placeholder="Auto"
+                      className={errors.var_mac ? 'border-destructive' : ''}
+                    />
+                    {errors.var_mac && (
+                      <p className="mt-1 text-xs text-destructive">{errors.var_mac}</p>
+                    )}
+                  </div>
+                  <div>
+                    <label className="block text-sm font-medium text-foreground mb-2">
+                      DNS Nameserver (IP)
+                    </label>
+                    <Input
+                      type="text"
+                      value={typeof advancedVars.var_ns === 'boolean' ? '' : String(advancedVars.var_ns ?? '')}
+                      onChange={(e) => updateAdvancedVar('var_ns', e.target.value)}
+                      placeholder="Auto"
+                      className={errors.var_ns ? 'border-destructive' : ''}
+                    />
+                    {errors.var_ns && (
+                      <p className="mt-1 text-xs text-destructive">{errors.var_ns}</p>
+                    )}
+                  </div>
+                </div>
+              </div>
+
+              {/* Identity & Metadata */}
+              <div>
+                <h3 className="text-lg font-medium text-foreground mb-4">Identity & Metadata</h3>
+                <div className="grid grid-cols-2 gap-4">
+                  <div>
+                    <label className="block text-sm font-medium text-foreground mb-2">
+                      Hostname *
+                    </label>
+                    <Input
+                      type="text"
+                      value={typeof advancedVars.var_hostname === 'boolean' ? '' : String(advancedVars.var_hostname ?? '')}
+                      onChange={(e) => updateAdvancedVar('var_hostname', e.target.value)}
+                      placeholder={slug}
+                    />
+                  </div>
+                  <div>
+                    <label className="block text-sm font-medium text-foreground mb-2">
+                      Root Password
+                    </label>
+                    <Input
+                      type="password"
+                      value={typeof advancedVars.var_pw === 'boolean' ? '' : String(advancedVars.var_pw ?? '')}
+                      onChange={(e) => updateAdvancedVar('var_pw', e.target.value)}
+                      placeholder="Random (empty = auto-login)"
+                    />
+                  </div>
+                  <div className="col-span-2">
+                    <label className="block text-sm font-medium text-foreground mb-2">
+                      Tags (comma or semicolon separated)
+                    </label>
+                    <Input
+                      type="text"
+                      value={typeof advancedVars.var_tags === 'boolean' ? '' : String(advancedVars.var_tags ?? '')}
+                      onChange={(e) => updateAdvancedVar('var_tags', e.target.value)}
+                      placeholder="e.g. tag1; tag2"
+                    />
+                  </div>
+                </div>
+              </div>
+
+              {/* SSH Access */}
+              <div>
+                <h3 className="text-lg font-medium text-foreground mb-4">SSH Access</h3>
+                <div className="grid grid-cols-2 gap-4">
+                  <div>
+                    <label className="block text-sm font-medium text-foreground mb-2">
+                      Enable SSH
+                    </label>
+                    <select
+                      value={typeof advancedVars.var_ssh === 'boolean' ? (advancedVars.var_ssh ? 'yes' : 'no') : String(advancedVars.var_ssh ?? 'no')}
+                      onChange={(e) => updateAdvancedVar('var_ssh', e.target.value)}
+                      className="w-full rounded-md border border-input bg-background px-3 py-2 text-sm text-foreground focus:ring-2 focus:ring-ring focus:outline-none"
+                    >
+                      <option value="no">No</option>
+                      <option value="yes">Yes</option>
+                    </select>
+                  </div>
+                  <div>
+                    <label className="block text-sm font-medium text-foreground mb-2">
+                      SSH Authorized Key
+                    </label>
+                    {discoveredSshKeysLoading && (
+                      <p className="text-sm text-muted-foreground mb-2">Detecting SSH keys...</p>
+                    )}
+                    {discoveredSshKeysError && !discoveredSshKeysLoading && (
+                      <p className="text-sm text-muted-foreground mb-2">Could not detect keys on host</p>
+                    )}
+                    {discoveredSshKeys.length > 0 && !discoveredSshKeysLoading && (
+                      <div className="mb-2">
+                        <label htmlFor="discover-ssh-key" className="sr-only">Use detected key</label>
+                        <select
+                          id="discover-ssh-key"
+                          className="w-full rounded-md border border-input bg-background px-3 py-2 text-sm text-foreground focus:ring-2 focus:ring-ring focus:outline-none mb-2"
+                          value=""
+                          onChange={(e) => {
+                            const idx = e.target.value;
+                            if (idx === '') return;
+                            const key = discoveredSshKeys[Number(idx)];
+                            if (key) updateAdvancedVar('var_ssh_authorized_key', key);
+                          }}
+                        >
+                          <option value="">— Select or paste below —</option>
+                          {discoveredSshKeys.map((key, i) => (
+                            <option key={i} value={i}>
+                              {key.length > 44 ? `${key.slice(0, 44)}...` : key}
+                            </option>
+                          ))}
+                        </select>
+                      </div>
+                    )}
+                    <Input
+                      type="text"
+                      value={typeof advancedVars.var_ssh_authorized_key === 'boolean' ? '' : String(advancedVars.var_ssh_authorized_key ?? '')}
+                      onChange={(e) => updateAdvancedVar('var_ssh_authorized_key', e.target.value)}
+                      placeholder="Or paste a public key: ssh-rsa AAAA..."
+                    />
+                  </div>
+                </div>
+              </div>
+
+              {/* Container Features */}
+              <div>
+                <h3 className="text-lg font-medium text-foreground mb-4">Container Features</h3>
+                <div className="grid grid-cols-2 gap-4">
+                  <div>
+                    <label className="block text-sm font-medium text-foreground mb-2">
+                      Nesting (Docker)
+                    </label>
+                    <select
+                      value={typeof advancedVars.var_nesting === 'boolean' ? 1 : (advancedVars.var_nesting ?? 1)}
+                      onChange={(e) => updateAdvancedVar('var_nesting', parseInt(e.target.value))}
+                      className="w-full rounded-md border border-input bg-background px-3 py-2 text-sm text-foreground focus:ring-2 focus:ring-ring focus:outline-none"
+                    >
+                      <option value={1}>Enabled</option>
+                      <option value={0}>Disabled</option>
+                    </select>
+                  </div>
+                  <div>
+                    <label className="block text-sm font-medium text-foreground mb-2">
+                      FUSE
+                    </label>
+                    <select
+                      value={typeof advancedVars.var_fuse === 'boolean' ? 0 : (advancedVars.var_fuse ?? 0)}
+                      onChange={(e) => updateAdvancedVar('var_fuse', parseInt(e.target.value))}
+                      className="w-full rounded-md border border-input bg-background px-3 py-2 text-sm text-foreground focus:ring-2 focus:ring-ring focus:outline-none"
+                    >
+                      <option value={0}>Disabled</option>
+                      <option value={1}>Enabled</option>
+                    </select>
+                  </div>
+                  <div>
+                    <label className="block text-sm font-medium text-foreground mb-2">
+                      Keyctl
+                    </label>
+                    <select
+                      value={typeof advancedVars.var_keyctl === 'boolean' ? 0 : (advancedVars.var_keyctl ?? 0)}
+                      onChange={(e) => updateAdvancedVar('var_keyctl', parseInt(e.target.value))}
+                      className="w-full rounded-md border border-input bg-background px-3 py-2 text-sm text-foreground focus:ring-2 focus:ring-ring focus:outline-none"
+                    >
+                      <option value={0}>Disabled</option>
+                      <option value={1}>Enabled</option>
+                    </select>
+                  </div>
+                  <div>
+                    <label className="block text-sm font-medium text-foreground mb-2">
+                      TUN/TAP (VPN)
+                    </label>
+                    <select
+                      value={typeof advancedVars.var_tun === 'boolean' ? (advancedVars.var_tun ? 'yes' : 'no') : String(advancedVars.var_tun ?? 'no')}
+                      onChange={(e) => updateAdvancedVar('var_tun', e.target.value)}
+                      className="w-full rounded-md border border-input bg-background px-3 py-2 text-sm text-foreground focus:ring-2 focus:ring-ring focus:outline-none"
+                    >
+                      <option value="no">No</option>
+                      <option value="yes">Yes</option>
+                    </select>
+                    <p className="text-xs text-muted-foreground mt-1">For Tailscale, WireGuard, OpenVPN</p>
+                  </div>
+                  <div>
+                    <label className="block text-sm font-medium text-foreground mb-2">
+                      Mknod
+                    </label>
+                    <select
+                      value={typeof advancedVars.var_mknod === 'boolean' ? 0 : (advancedVars.var_mknod ?? 0)}
+                      onChange={(e) => updateAdvancedVar('var_mknod', parseInt(e.target.value))}
+                      className="w-full rounded-md border border-input bg-background px-3 py-2 text-sm text-foreground focus:ring-2 focus:ring-ring focus:outline-none"
+                    >
+                      <option value={0}>Disabled</option>
+                      <option value={1}>Enabled</option>
+                    </select>
+                  </div>
+                  <div>
+                    <label className="block text-sm font-medium text-foreground mb-2">
+                      Mount Filesystems
+                    </label>
+                    <Input
+                      type="text"
+                      value={typeof advancedVars.var_mount_fs === 'boolean' ? '' : String(advancedVars.var_mount_fs ?? '')}
+                      onChange={(e) => updateAdvancedVar('var_mount_fs', e.target.value)}
+                      placeholder="nfs,cifs"
+                    />
+                  </div>
+                  <div>
+                    <label className="block text-sm font-medium text-foreground mb-2">
+                      Protection
+                    </label>
+                    <select
+                      value={typeof advancedVars.var_protection === 'boolean' ? (advancedVars.var_protection ? 'yes' : 'no') : String(advancedVars.var_protection ?? 'no')}
+                      onChange={(e) => updateAdvancedVar('var_protection', e.target.value)}
+                      className="w-full rounded-md border border-input bg-background px-3 py-2 text-sm text-foreground focus:ring-2 focus:ring-ring focus:outline-none"
+                    >
+                      <option value="no">No</option>
+                      <option value="yes">Yes</option>
+                    </select>
+                  </div>
+                </div>
+              </div>
+
+              {/* System Configuration */}
+              <div>
+                <h3 className="text-lg font-medium text-foreground mb-4">System Configuration</h3>
+                <div className="grid grid-cols-2 gap-4">
+                  <div>
+                    <label className="block text-sm font-medium text-foreground mb-2">
+                      Timezone
+                    </label>
+                    <Input
+                      type="text"
+                      value={typeof advancedVars.var_timezone === 'boolean' ? '' : String(advancedVars.var_timezone ?? '')}
+                      onChange={(e) => updateAdvancedVar('var_timezone', e.target.value)}
+                      placeholder="System"
+                    />
+                  </div>
+                  <div>
+                    <label className="block text-sm font-medium text-foreground mb-2">
+                      Verbose
+                    </label>
+                    <select
+                      value={typeof advancedVars.var_verbose === 'boolean' ? (advancedVars.var_verbose ? 'yes' : 'no') : String(advancedVars.var_verbose ?? 'no')}
+                      onChange={(e) => updateAdvancedVar('var_verbose', e.target.value)}
+                      className="w-full rounded-md border border-input bg-background px-3 py-2 text-sm text-foreground focus:ring-2 focus:ring-ring focus:outline-none"
+                    >
+                      <option value="no">No</option>
+                      <option value="yes">Yes</option>
+                    </select>
+                  </div>
+                  <div>
+                    <label className="block text-sm font-medium text-foreground mb-2">
+                      APT Cacher
+                    </label>
+                    <select
+                      value={typeof advancedVars.var_apt_cacher === 'boolean' ? (advancedVars.var_apt_cacher ? 'yes' : 'no') : String(advancedVars.var_apt_cacher ?? 'no')}
+                      onChange={(e) => updateAdvancedVar('var_apt_cacher', e.target.value)}
+                      className="w-full rounded-md border border-input bg-background px-3 py-2 text-sm text-foreground focus:ring-2 focus:ring-ring focus:outline-none"
+                    >
+                      <option value="no">No</option>
+                      <option value="yes">Yes</option>
+                    </select>
+                  </div>
+                  <div>
+                    <label className="block text-sm font-medium text-foreground mb-2">
+                      APT Cacher IP
+                    </label>
+                    <Input
+                      type="text"
+                      value={typeof advancedVars.var_apt_cacher_ip === 'boolean' ? '' : String(advancedVars.var_apt_cacher_ip ?? '')}
+                      onChange={(e) => updateAdvancedVar('var_apt_cacher_ip', e.target.value)}
+                      placeholder="192.168.1.10"
+                      className={errors.var_apt_cacher_ip ? 'border-destructive' : ''}
+                    />
+                    {errors.var_apt_cacher_ip && (
+                      <p className="mt-1 text-xs text-destructive">{errors.var_apt_cacher_ip}</p>
+                    )}
+                  </div>
+                </div>
+              </div>
+
+              {/* Storage Selection */}
+              <div>
+                <h3 className="text-lg font-medium text-foreground mb-4">Storage Selection</h3>
+                <div className="grid grid-cols-2 gap-4">
+                  <div>
+                    <label className="block text-sm font-medium text-foreground mb-2">
+                      Container Storage
+                    </label>
+                    <select
+                      value={typeof advancedVars.var_container_storage === 'boolean' ? '' : String(advancedVars.var_container_storage ?? '')}
+                      onChange={(e) => updateAdvancedVar('var_container_storage', e.target.value)}
+                      className="w-full rounded-md border border-input bg-background px-3 py-2 text-sm text-foreground focus:ring-2 focus:ring-ring focus:outline-none"
+                    >
+                      <option value="">Auto</option>
+                      {rootfsStorages.map((storage) => (
+                        <option key={storage.name} value={storage.name}>
+                          {storage.name} ({storage.type})
+                        </option>
+                      ))}
+                    </select>
+                    {rootfsStorages.length === 0 && (
+                      <p className="mt-1 text-xs text-muted-foreground">
+                        Could not fetch storages. Leave empty for auto selection.
+                      </p>
+                    )}
+                  </div>
+                  <div>
+                    <label className="block text-sm font-medium text-foreground mb-2">
+                      Template Storage
+                    </label>
+                    <select
+                      value={typeof advancedVars.var_template_storage === 'boolean' ? '' : String(advancedVars.var_template_storage ?? '')}
+                      onChange={(e) => updateAdvancedVar('var_template_storage', e.target.value)}
+                      className="w-full rounded-md border border-input bg-background px-3 py-2 text-sm text-foreground focus:ring-2 focus:ring-ring focus:outline-none"
+                    >
+                      <option value="">Auto</option>
+                      {templateStorages.map((storage) => (
+                        <option key={storage.name} value={storage.name}>
+                          {storage.name} ({storage.type})
+                        </option>
+                      ))}
+                    </select>
+                    {templateStorages.length === 0 && (
+                      <p className="mt-1 text-xs text-muted-foreground">
+                        Could not fetch storages. Leave empty for auto selection.
+                      </p>
+                    )}
+                  </div>
+                </div>
+              </div>
+            </div>
+          )}
+
+          {/* Action Buttons */}
+          <div className="flex justify-end space-x-3 mt-6 pt-6 border-t border-border">
+            <Button onClick={onClose} variant="outline" size="default">
+              Cancel
+            </Button>
+            <Button onClick={handleConfirm} variant="default" size="default">
+              Confirm
+            </Button>
+          </div>
+        </div>
+      </div>
+    </div>
+  );
+}
+
--- a/src/app/_components/DownloadedScriptsTab.tsx
+++ b/src/app/_components/DownloadedScriptsTab.tsx
@@ -8,7 +8,9 @@ import { ScriptDetailModal } from "./ScriptDetailModal";
 import { CategorySidebar } from "./CategorySidebar";
 import { FilterBar, type FilterState } from "./FilterBar";
 import { ViewToggle } from "./ViewToggle";
+import { ConfirmationModal } from "./ConfirmationModal";
 import { Button } from "./ui/button";
+import { RefreshCw } from "lucide-react";
 import type { ScriptCard as ScriptCardType } from "~/types/script";
 import type { Server } from "~/types/server";
 import { getDefaultFilters, mergeFiltersWithDefaults } from "./filterUtils";
@@ -32,8 +34,15 @@ export function DownloadedScriptsTab({
  const [filters, setFilters] = useState<FilterState>(getDefaultFilters());
  const [saveFiltersEnabled, setSaveFiltersEnabled] = useState(false);
  const [isLoadingFilters, setIsLoadingFilters] = useState(true);
+  const [updateAllConfirmOpen, setUpdateAllConfirmOpen] = useState(false);
+  const [updateResult, setUpdateResult] = useState<{
+    successCount: number;
+    failCount: number;
+    failed: { slug: string; error: string }[];
+  } | null>(null);
  const gridRef = useRef<HTMLDivElement>(null);

+  const utils = api.useUtils();
  const {
    data: scriptCardsData,
    isLoading: githubLoading,
@@ -50,6 +59,30 @@ export function DownloadedScriptsTab({
    { enabled: !!selectedSlug },
  );

+  const loadMultipleScriptsMutation = api.scripts.loadMultipleScripts.useMutation({
+    onSuccess: (data) => {
+      void utils.scripts.getAllDownloadedScripts.invalidate();
+      void utils.scripts.getScriptCardsWithCategories.invalidate();
+      setUpdateResult({
+        successCount: data.successful?.length ?? 0,
+        failCount: data.failed?.length ?? 0,
+        failed: (data.failed ?? []).map((f) => ({
+          slug: f.slug,
+          error: f.error ?? "Unknown error",
+        })),
+      });
+      setTimeout(() => setUpdateResult(null), 8000);
+    },
+    onError: (error) => {
+      setUpdateResult({
+        successCount: 0,
+        failCount: 1,
+        failed: [{ slug: "Request failed", error: error.message }],
+      });
+      setTimeout(() => setUpdateResult(null), 8000);
+    },
+  });
+
  // Load SAVE_FILTER setting, saved filters, and view mode on component mount
  useEffect(() => {
    const loadSettings = async () => {
@@ -416,6 +449,21 @@ export function DownloadedScriptsTab({
    setSelectedSlug(null);
  };

+  const handleUpdateAllClick = () => {
+    setUpdateResult(null);
+    setUpdateAllConfirmOpen(true);
+  };
+
+  const handleUpdateAllConfirm = () => {
+    setUpdateAllConfirmOpen(false);
+    const slugs = downloadedScripts
+      .map((s) => s.slug)
+      .filter((slug): slug is string => Boolean(slug));
+    if (slugs.length > 0) {
+      loadMultipleScriptsMutation.mutate({ slugs });
+    }
+  };
+
  if (githubLoading || localLoading) {
    return (
      <div className="flex items-center justify-center py-12">
@@ -508,6 +556,43 @@ export function DownloadedScriptsTab({

        {/* Main Content */}
        <div className="order-1 min-w-0 flex-1 lg:order-2" ref={gridRef}>
+          {/* Update all downloaded scripts */}
+          <div className="mb-4 flex flex-wrap items-center gap-3">
+            <Button
+              onClick={handleUpdateAllClick}
+              disabled={loadMultipleScriptsMutation.isPending}
+              variant="secondary"
+              size="default"
+              className="flex items-center gap-2"
+            >
+              {loadMultipleScriptsMutation.isPending ? (
+                <>
+                  <RefreshCw className="h-4 w-4 animate-spin" />
+                  <span>Updating...</span>
+                </>
+              ) : (
+                <>
+                  <RefreshCw className="h-4 w-4" />
+                  <span>Update all downloaded scripts</span>
+                </>
+              )}
+            </Button>
+            {updateResult && (
+              <span className="text-muted-foreground text-sm">
+                Updated {updateResult.successCount} successfully
+                {updateResult.failCount > 0
+                  ? `, ${updateResult.failCount} failed`
+                  : ""}
+                .
+                {updateResult.failCount > 0 && updateResult.failed.length > 0 && (
+                  <span className="ml-1" title={updateResult.failed.map((f) => `${f.slug}: ${f.error}`).join("\n")}>
+                    (hover for details)
+                  </span>
+                )}
+              </span>
+            )}
+          </div>
+
          {/* Enhanced Filter Bar */}
          <FilterBar
            filters={filters}
@@ -621,6 +706,17 @@ export function DownloadedScriptsTab({
            onClose={handleCloseModal}
            onInstallScript={onInstallScript}
          />
+
+          <ConfirmationModal
+            isOpen={updateAllConfirmOpen}
+            onClose={() => setUpdateAllConfirmOpen(false)}
+            onConfirm={handleUpdateAllConfirm}
+            title="Update all downloaded scripts"
+            message={`Update all ${downloadedScripts.length} downloaded scripts? This may take several minutes.`}
+            variant="simple"
+            confirmButtonText="Update all"
+            cancelButtonText="Cancel"
+          />
        </div>
      </div>
    </div>
--- a/src/app/_components/ExecutionModeModal.tsx
+++ b/src/app/_components/ExecutionModeModal.tsx
@@ -2,26 +2,31 @@

 import { useState, useEffect } from 'react';
 import type { Server } from '../../types/server';
+import type { Script } from '../../types/script';
 import { Button } from './ui/button';
 import { ColorCodedDropdown } from './ColorCodedDropdown';
 import { SettingsModal } from './SettingsModal';
+import { ConfigurationModal, type EnvVars } from './ConfigurationModal';
 import { useRegisterModal } from './modal/ModalStackProvider';


 interface ExecutionModeModalProps {
  isOpen: boolean;
  onClose: () => void;
-  onExecute: (mode: 'local' | 'ssh', server?: Server) => void;
+  onExecute: (mode: 'local' | 'ssh', server?: Server, envVars?: EnvVars) => void;
  scriptName: string;
+  script?: Script | null;
 }

-export function ExecutionModeModal({ isOpen, onClose, onExecute, scriptName }: ExecutionModeModalProps) {
+export function ExecutionModeModal({ isOpen, onClose, onExecute, scriptName, script }: ExecutionModeModalProps) {
  useRegisterModal(isOpen, { id: 'execution-mode-modal', allowEscape: true, onClose });
  const [servers, setServers] = useState<Server[]>([]);
  const [loading, setLoading] = useState(false);
  const [error, setError] = useState<string | null>(null);
  const [selectedServer, setSelectedServer] = useState<Server | null>(null);
  const [settingsModalOpen, setSettingsModalOpen] = useState(false);
+  const [configModalOpen, setConfigModalOpen] = useState(false);
+  const [configMode, setConfigMode] = useState<'default' | 'advanced'>('default');

  useEffect(() => {
    if (isOpen) {
@@ -64,19 +69,25 @@ export function ExecutionModeModal({ isOpen, onClose, onExecute, scriptName }: E
    }
  };

-  const handleExecute = () => {
+  const handleConfigModeSelect = (mode: 'default' | 'advanced') => {
    if (!selectedServer) {
-      setError('Please select a server for SSH execution');
+      setError('Please select a server first');
      return;
    }
-    
-    onExecute('ssh', selectedServer);
+    setConfigMode(mode);
+    setConfigModalOpen(true);
+  };
+
+  const handleConfigConfirm = (envVars: EnvVars) => {
+    if (!selectedServer) return;
+    setConfigModalOpen(false);
+    onExecute('ssh', selectedServer, envVars);
    onClose();
  };

-
  const handleServerSelect = (server: Server | null) => {
    setSelectedServer(server);
+    setError(null); // Clear error when server is selected
  };


@@ -164,6 +175,31 @@ export function ExecutionModeModal({ isOpen, onClose, onExecute, scriptName }: E
                  </div>
                </div>

+                {/* Configuration Mode Selection */}
+                <div className="space-y-3">
+                  <p className="text-sm text-muted-foreground text-center">
+                    Choose configuration mode:
+                  </p>
+                  <div className="flex gap-3">
+                    <Button
+                      onClick={() => handleConfigModeSelect('default')}
+                      variant="default"
+                      size="default"
+                      className="flex-1"
+                    >
+                      Default
+                    </Button>
+                    <Button
+                      onClick={() => handleConfigModeSelect('advanced')}
+                      variant="outline"
+                      size="default"
+                      className="flex-1"
+                    >
+                      Advanced (Beta)
+                    </Button>
+                  </div>
+                </div>
+
                {/* Action Buttons */}
                <div className="flex justify-end space-x-3">
                  <Button
@@ -173,13 +209,6 @@ export function ExecutionModeModal({ isOpen, onClose, onExecute, scriptName }: E
                  >
                    Cancel
                  </Button>
-                  <Button
-                    onClick={handleExecute}
-                    variant="default"
-                    size="default"
-                  >
-                    Install
-                  </Button>
                </div>
              </div>
            ) : (
@@ -204,6 +233,33 @@ export function ExecutionModeModal({ isOpen, onClose, onExecute, scriptName }: E
                  />
                </div>

+                {/* Configuration Mode Selection - only show when server is selected */}
+                {selectedServer && (
+                  <div className="space-y-3 pt-4 border-t border-border">
+                    <p className="text-sm text-muted-foreground text-center">
+                      Choose configuration mode:
+                    </p>
+                    <div className="flex gap-3">
+                      <Button
+                        onClick={() => handleConfigModeSelect('default')}
+                        variant="default"
+                        size="default"
+                        className="flex-1"
+                      >
+                        Default
+                      </Button>
+                      <Button
+                        onClick={() => handleConfigModeSelect('advanced')}
+                        variant="outline"
+                        size="default"
+                        className="flex-1"
+                      >
+                        Advanced
+                      </Button>
+                    </div>
+                  </div>
+                )}
+
                {/* Action Buttons */}
                <div className="flex justify-end space-x-3">
                  <Button
@@ -213,15 +269,6 @@ export function ExecutionModeModal({ isOpen, onClose, onExecute, scriptName }: E
                  >
                    Cancel
                  </Button>
-                  <Button
-                    onClick={handleExecute}
-                    disabled={!selectedServer}
-                    variant="default"
-                    size="default"
-                    className={!selectedServer ? 'bg-muted-foreground cursor-not-allowed' : ''}
-                  >
-                    Run on Server
-                  </Button>
                </div>
              </div>
            )}
@@ -234,6 +281,16 @@ export function ExecutionModeModal({ isOpen, onClose, onExecute, scriptName }: E
        isOpen={settingsModalOpen} 
        onClose={handleSettingsModalClose} 
      />
+
+      {/* Configuration Modal */}
+      <ConfigurationModal
+        isOpen={configModalOpen}
+        onClose={() => setConfigModalOpen(false)}
+        onConfirm={handleConfigConfirm}
+        script={script ?? null}
+        server={selectedServer}
+        mode={configMode}
+      />
    </>
  );
 }
--- a/src/app/_components/Footer.tsx
+++ b/src/app/_components/Footer.tsx
@@ -16,7 +16,7 @@ export function Footer({ onOpenReleaseNotes }: FooterProps) {
      <div className="container mx-auto px-4">
        <div className="flex flex-col sm:flex-row items-center justify-between gap-2 text-sm text-muted-foreground">
          <div className="flex items-center gap-2">
-            <span>© 2024 PVE Scripts Local</span>
+            <span>© 2026 PVE Scripts Local</span>
            {versionData?.success && versionData.version && (
              <Button
                variant="ghost"
--- a/src/app/_components/GeneralSettingsModal.tsx
+++ b/src/app/_components/GeneralSettingsModal.tsx
@@ -1617,7 +1617,7 @@ export function GeneralSettingsModal({
                      <Input
                        id="new-repo-url"
                        type="url"
-                        placeholder="https://github.com/owner/repo"
+                        placeholder="https://github.com/owner/repo or https://git.example.com/owner/repo"
                        value={newRepoUrl}
                        onChange={(e: React.ChangeEvent<HTMLInputElement>) =>
                          setNewRepoUrl(e.target.value)
@@ -1626,8 +1626,9 @@ export function GeneralSettingsModal({
                        className="w-full"
                      />
                      <p className="text-muted-foreground mt-1 text-xs">
-                        Enter a GitHub repository URL (e.g.,
-                        https://github.com/owner/repo)
+                        Supported: GitHub, GitLab, Bitbucket, or custom Git
+                        servers (e.g. https://github.com/owner/repo,
+                        https://gitlab.com/owner/repo)
                      </p>
                    </div>
                    <div className="border-border flex items-center justify-between gap-3 rounded-lg border p-3">
--- a/src/app/_components/ScriptDetailModal.tsx
+++ b/src/app/_components/ScriptDetailModal.tsx
@@ -28,6 +28,7 @@ interface ScriptDetailModalProps {
    scriptName: string,
    mode?: "local" | "ssh",
    server?: Server,
+    envVars?: Record<string, string | number | boolean>,
  ) => void;
 }

@@ -183,7 +184,7 @@ export function ScriptDetailModal({
    setExecutionModeOpen(true);
  };

-  const handleExecuteScript = (mode: "local" | "ssh", server?: Server) => {
+  const handleExecuteScript = (mode: "local" | "ssh", server?: Server, envVars?: Record<string, string | number | boolean>) => {
    if (!script || !onInstallScript) return;

    // Find the script path based on selected version type
@@ -197,8 +198,8 @@ export function ScriptDetailModal({
      const scriptPath = `scripts/${scriptMethod.script}`;
      const scriptName = script.name;

-      // Pass execution mode and server info to the parent
-      onInstallScript(scriptPath, scriptName, mode, server);
+      // Pass execution mode, server info, and envVars to the parent
+      onInstallScript(scriptPath, scriptName, mode, server, envVars);

      onClose(); // Close the modal when starting installation
    }
@@ -935,6 +936,7 @@ export function ScriptDetailModal({
      {script && (
        <ExecutionModeModal
          scriptName={script.name}
+          script={script}
          isOpen={executionModeOpen}
          onClose={() => setExecutionModeOpen(false)}
          onExecute={handleExecuteScript}
--- a/src/app/_components/Terminal.tsx
+++ b/src/app/_components/Terminal.tsx
@@ -21,6 +21,7 @@ interface TerminalProps {
  cloneCount?: number;
  hostnames?: string[];
  containerType?: 'lxc' | 'vm';
+  envVars?: Record<string, string | number | boolean>;
 }

 interface TerminalMessage {
@@ -29,7 +30,7 @@ interface TerminalMessage {
  timestamp: number;
 }

-export function Terminal({ scriptPath, onClose, mode = 'local', server, isUpdate = false, isShell = false, isBackup = false, isClone = false, containerId, storage, backupStorage, executionId: propExecutionId, cloneCount, hostnames, containerType }: TerminalProps) {
+export function Terminal({ scriptPath, onClose, mode = 'local', server, isUpdate = false, isShell = false, isBackup = false, isClone = false, containerId, storage, backupStorage, executionId: propExecutionId, cloneCount, hostnames, containerType, envVars }: TerminalProps) {
  const [isConnected, setIsConnected] = useState(false);
  const [isRunning, setIsRunning] = useState(false);
  const [isClient, setIsClient] = useState(false);
@@ -360,7 +361,8 @@ export function Terminal({ scriptPath, onClose, mode = 'local', server, isUpdate
            backupStorage,
            cloneCount,
            hostnames,
-            containerType
+            containerType,
+            envVars
          };
          ws.send(JSON.stringify(message));
        }
@@ -400,7 +402,7 @@ export function Terminal({ scriptPath, onClose, mode = 'local', server, isUpdate
        wsRef.current.close();
      }
    };
-  }, [scriptPath, mode, server, isUpdate, isShell, containerId, isMobile]);  
+  }, [scriptPath, mode, server, isUpdate, isShell, containerId, isMobile, envVars]);  

  const startScript = () => {
    if (wsRef.current && wsRef.current.readyState === WebSocket.OPEN && !isRunning) {
@@ -417,6 +419,7 @@ export function Terminal({ scriptPath, onClose, mode = 'local', server, isUpdate
        executionId: newExecutionId,
        mode,
        server,
+        envVars,
        isUpdate,
        isShell,
        isBackup,
--- a/src/app/_components/VersionDisplay.tsx
+++ b/src/app/_components/VersionDisplay.tsx
@@ -416,11 +416,20 @@ export function VersionDisplay({ onOpenReleaseNotes }: VersionDisplayProps = {})
    setShowUpdateConfirmation(true);
  };

+  // Helper to generate secure random string
+  function getSecureRandomString(length: number): string {
+    const array = new Uint8Array(length);
+    window.crypto.getRandomValues(array);
+    // Convert to base36 string (alphanumeric)
+    return Array.from(array, b => b.toString(36)).join('').substr(0, length);
+  }
+
  const handleConfirmUpdate = () => {
    // Close the confirmation modal
    setShowUpdateConfirmation(false);
    // Start the actual update process
-    const sessionId = `update_${Date.now()}_${Math.random().toString(36).substr(2, 9)}`;
+    const randomSuffix = getSecureRandomString(9);
+    const sessionId = `update_${Date.now()}_${randomSuffix}`;
    const startTime = Date.now();
    
    setIsUpdating(true);
--- a/src/app/api/servers/[id]/discover-ssh-keys/route.ts
+++ b/src/app/api/servers/[id]/discover-ssh-keys/route.ts
@@ -0,0 +1,96 @@
+import type { NextRequest } from 'next/server';
+import { NextResponse } from 'next/server';
+import { getDatabase } from '../../../../../server/database-prisma';
+import { getSSHExecutionService } from '../../../../../server/ssh-execution-service';
+import type { Server } from '~/types/server';
+
+const DISCOVER_TIMEOUT_MS = 10_000;
+
+/** Match lines that look like SSH public keys (same as build.func) */
+const SSH_PUBKEY_RE = /^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp256|sk-(ssh-ed25519|ecdsa-sha2-nistp256))\s+/;
+
+/**
+ * Run a command on the Proxmox host and return buffered stdout.
+ * Resolves when the process exits or rejects on timeout/spawn error.
+ */
+function runRemoteCommand(
+  server: Server,
+  command: string,
+  timeoutMs: number
+): Promise<{ stdout: string; exitCode: number }> {
+  const ssh = getSSHExecutionService();
+  return new Promise((resolve, reject) => {
+    const chunks: string[] = [];
+    let settled = false;
+
+    const finish = (stdout: string, exitCode: number) => {
+      if (settled) return;
+      settled = true;
+      clearTimeout(timer);
+      resolve({ stdout, exitCode });
+    };
+
+    const timer = setTimeout(() => {
+      if (settled) return;
+      settled = true;
+      reject(new Error('SSH discover keys timeout'));
+    }, timeoutMs);
+
+    ssh
+      .executeCommand(
+        server,
+        command,
+        (data: string) => chunks.push(data),
+        () => {},
+        (code: number) => finish(chunks.join(''), code)
+      )
+      .catch((err) => {
+        if (!settled) {
+          settled = true;
+          clearTimeout(timer);
+          reject(err);
+        }
+      });
+  });
+}
+
+export async function GET(
+  _request: NextRequest,
+  { params }: { params: Promise<{ id: string }> }
+) {
+  try {
+    const { id: idParam } = await params;
+    const id = parseInt(idParam);
+    if (isNaN(id)) {
+      return NextResponse.json({ error: 'Invalid server ID' }, { status: 400 });
+    }
+
+    const db = getDatabase();
+    const server = await db.getServerById(id) as Server | null;
+
+    if (!server) {
+      return NextResponse.json({ error: 'Server not found' }, { status: 404 });
+    }
+
+    // Same paths as native build.func ssh_discover_default_files()
+    const remoteScript = `bash -c 'for f in /root/.ssh/authorized_keys /root/.ssh/authorized_keys2 /root/.ssh/*.pub /etc/ssh/authorized_keys /etc/ssh/authorized_keys.d/* 2>/dev/null; do [ -f "$f" ] && [ -r "$f" ] && grep -E "^(ssh-(rsa|ed25519)|ecdsa-sha2-nistp256|sk-)" "$f" 2>/dev/null; done | sort -u'`;
+
+    const { stdout } = await runRemoteCommand(server, remoteScript, DISCOVER_TIMEOUT_MS);
+
+    const keys = stdout
+      .split(/\r?\n/)
+      .map((line) => line.trim())
+      .filter((line) => line.length > 0 && SSH_PUBKEY_RE.test(line));
+
+    return NextResponse.json({ keys });
+  } catch (error) {
+    console.error('Error discovering SSH keys:', error);
+    return NextResponse.json(
+      {
+        success: false,
+        error: error instanceof Error ? error.message : String(error),
+      },
+      { status: 500 }
+    );
+  }
+}
--- a/src/app/page.tsx
+++ b/src/app/page.tsx
@@ -32,6 +32,7 @@ export default function Home() {
    name: string;
    mode?: "local" | "ssh";
    server?: Server;
+    envVars?: Record<string, string | number | boolean>;
  } | null>(null);
  const [activeTab, setActiveTab] = useState<
    "scripts" | "downloaded" | "installed" | "backups"
@@ -209,8 +210,9 @@ export default function Home() {
    scriptName: string,
    mode?: "local" | "ssh",
    server?: Server,
+    envVars?: Record<string, string | number | boolean>,
  ) => {
-    setRunningScript({ path: scriptPath, name: scriptName, mode, server });
+    setRunningScript({ path: scriptPath, name: scriptName, mode, server, envVars });
    // Scroll to terminal after a short delay to ensure it's rendered
    setTimeout(scrollToTerminal, 100);
  };
@@ -360,6 +362,7 @@ export default function Home() {
              onClose={handleCloseTerminal}
              mode={runningScript.mode}
              server={runningScript.server}
+              envVars={runningScript.envVars}
            />
          </div>
        )}
--- a/src/env.js
+++ b/src/env.js
@@ -23,8 +23,11 @@ export const env = createEnv({
    ALLOWED_SCRIPT_PATHS: z.string().default("scripts/"),
    // WebSocket Configuration
    WEBSOCKET_PORT: z.string().default("3001"),
-    // GitHub Configuration
+    // Git provider tokens (optional, for private repos)
    GITHUB_TOKEN: z.string().optional(),
+    GITLAB_TOKEN: z.string().optional(),
+    BITBUCKET_APP_PASSWORD: z.string().optional(),
+    BITBUCKET_TOKEN: z.string().optional(),
    // Authentication Configuration
    AUTH_USERNAME: z.string().optional(),
    AUTH_PASSWORD_HASH: z.string().optional(),
@@ -62,8 +65,10 @@ export const env = createEnv({
    ALLOWED_SCRIPT_PATHS: process.env.ALLOWED_SCRIPT_PATHS,
    // WebSocket Configuration
    WEBSOCKET_PORT: process.env.WEBSOCKET_PORT,
-    // GitHub Configuration
    GITHUB_TOKEN: process.env.GITHUB_TOKEN,
+    GITLAB_TOKEN: process.env.GITLAB_TOKEN,
+    BITBUCKET_APP_PASSWORD: process.env.BITBUCKET_APP_PASSWORD,
+    BITBUCKET_TOKEN: process.env.BITBUCKET_TOKEN,
    // Authentication Configuration
    AUTH_USERNAME: process.env.AUTH_USERNAME,
    AUTH_PASSWORD_HASH: process.env.AUTH_PASSWORD_HASH,
--- a/src/server/api/routers/scripts.ts
+++ b/src/server/api/routers/scripts.ts
@@ -7,7 +7,10 @@ import { localScriptsService } from "~/server/services/localScripts";
 import { scriptDownloaderService } from "~/server/services/scriptDownloader.js";
 import { AutoSyncService } from "~/server/services/autoSyncService";
 import { repositoryService } from "~/server/services/repositoryService";
+import { getStorageService } from "~/server/services/storageService";
+import { getDatabase } from "~/server/database-prisma";
 import type { ScriptCard } from "~/types/script";
+import type { Server } from "~/types/server";

 export const scriptsRouter = createTRPCRouter({
  // Get all available scripts
@@ -637,5 +640,194 @@ export const scriptsRouter = createTRPCRouter({
          status: null
        };
      }
+    }),
+
+  // Get rootfs storages for a server (for container creation)
+  getRootfsStorages: publicProcedure
+    .input(z.object({ 
+      serverId: z.number(),
+      forceRefresh: z.boolean().optional().default(false)
+    }))
+    .query(async ({ input }) => {
+      try {
+        const db = getDatabase();
+        const server = await db.getServerById(input.serverId);
+        
+        if (!server) {
+          return {
+            success: false,
+            error: 'Server not found',
+            storages: []
+          };
+        }
+
+        // Get server hostname to filter storages by node assignment
+        const { getSSHExecutionService } = await import('~/server/ssh-execution-service');
+        const sshExecutionService = getSSHExecutionService();
+        let serverHostname = '';
+        try {
+          await new Promise<void>((resolve, reject) => {
+            void sshExecutionService.executeCommand(
+              server as Server,
+              'hostname',
+              (data: string) => {
+                serverHostname += data;
+              },
+              (error: string) => {
+                reject(new Error(`Failed to get hostname: ${error}`));
+              },
+              (exitCode: number) => {
+                if (exitCode === 0) {
+                  resolve();
+                } else {
+                  reject(new Error(`hostname command failed with exit code ${exitCode}`));
+                }
+              }
+            );
+          });
+        } catch (error) {
+          console.error('Error getting server hostname:', error);
+          // Continue without filtering if hostname can't be retrieved
+        }
+        
+        const normalizedHostname = serverHostname.trim().toLowerCase();
+
+        const storageService = getStorageService();
+        const allStorages = await storageService.getStorages(server as Server, input.forceRefresh);
+        
+        // Filter storages by node hostname matching and content type (rootdir for containers)
+        const rootfsStorages = allStorages.filter(storage => {
+          // Check content type - must have rootdir for containers
+          const hasRootdir = storage.content.includes('rootdir');
+          if (!hasRootdir) {
+            return false;
+          }
+          
+          // If storage has no nodes specified, it's available on all nodes
+          if (!storage.nodes || storage.nodes.length === 0) {
+            return true;
+          }
+          
+          // If we couldn't get hostname, include all storages (fallback)
+          if (!normalizedHostname) {
+            return true;
+          }
+          
+          // Check if server hostname is in the nodes array (case-insensitive, trimmed)
+          const normalizedNodes = storage.nodes.map(node => node.trim().toLowerCase());
+          return normalizedNodes.includes(normalizedHostname);
+        });
+
+        return {
+          success: true,
+          storages: rootfsStorages.map(s => ({
+            name: s.name,
+            type: s.type,
+            content: s.content
+          }))
+        };
+      } catch (error) {
+        console.error('Error fetching rootfs storages:', error);
+        // Return empty array on error (as per plan requirement)
+        return {
+          success: false,
+          error: error instanceof Error ? error.message : 'Failed to fetch storages',
+          storages: []
+        };
+      }
+    }),
+
+  // Get template storages for a server (for template storage selection)
+  getTemplateStorages: publicProcedure
+    .input(z.object({ 
+      serverId: z.number(),
+      forceRefresh: z.boolean().optional().default(false)
+    }))
+    .query(async ({ input }) => {
+      try {
+        const db = getDatabase();
+        const server = await db.getServerById(input.serverId);
+        
+        if (!server) {
+          return {
+            success: false,
+            error: 'Server not found',
+            storages: []
+          };
+        }
+
+        // Get server hostname to filter storages by node assignment
+        const { getSSHExecutionService } = await import('~/server/ssh-execution-service');
+        const sshExecutionService = getSSHExecutionService();
+        let serverHostname = '';
+        try {
+          await new Promise<void>((resolve, reject) => {
+            void sshExecutionService.executeCommand(
+              server as Server,
+              'hostname',
+              (data: string) => {
+                serverHostname += data;
+              },
+              (error: string) => {
+                reject(new Error(`Failed to get hostname: ${error}`));
+              },
+              (exitCode: number) => {
+                if (exitCode === 0) {
+                  resolve();
+                } else {
+                  reject(new Error(`hostname command failed with exit code ${exitCode}`));
+                }
+              }
+            );
+          });
+        } catch (error) {
+          console.error('Error getting server hostname:', error);
+          // Continue without filtering if hostname can't be retrieved
+        }
+        
+        const normalizedHostname = serverHostname.trim().toLowerCase();
+
+        const storageService = getStorageService();
+        const allStorages = await storageService.getStorages(server as Server, input.forceRefresh);
+        
+        // Filter storages by node hostname matching and content type (vztmpl for templates)
+        const templateStorages = allStorages.filter(storage => {
+          // Check content type - must have vztmpl for templates
+          const hasVztmpl = storage.content.includes('vztmpl');
+          if (!hasVztmpl) {
+            return false;
+          }
+          
+          // If storage has no nodes specified, it's available on all nodes
+          if (!storage.nodes || storage.nodes.length === 0) {
+            return true;
+          }
+          
+          // If we couldn't get hostname, include all storages (fallback)
+          if (!normalizedHostname) {
+            return true;
+          }
+          
+          // Check if server hostname is in the nodes array (case-insensitive, trimmed)
+          const normalizedNodes = storage.nodes.map(node => node.trim().toLowerCase());
+          return normalizedNodes.includes(normalizedHostname);
+        });
+
+        return {
+          success: true,
+          storages: templateStorages.map(s => ({
+            name: s.name,
+            type: s.type,
+            content: s.content
+          }))
+        };
+      } catch (error) {
+        console.error('Error fetching template storages:', error);
+        return {
+          success: false,
+          error: error instanceof Error ? error.message : 'Failed to fetch storages',
+          storages: []
+        };
+      }
    })
 });
--- a/src/server/api/routers/version.ts
+++ b/src/server/api/routers/version.ts
@@ -238,6 +238,27 @@ export const versionRouter = createTRPCRouter({
        // Clear/create the log file
        await writeFile(logPath, '', 'utf-8');
        
+        // Always fetch the latest update.sh from GitHub before running
+        // This ensures we always use the newest update script, avoiding
+        // the "chicken-and-egg" problem where old scripts can't update properly
+        const updateScriptUrl = 'https://raw.githubusercontent.com/community-scripts/ProxmoxVE-Local/main/update.sh';
+        try {
+          const response = await fetch(updateScriptUrl);
+          if (response.ok) {
+            const latestScript = await response.text();
+            await writeFile(updateScriptPath, latestScript, { mode: 0o755 });
+            // Log that we fetched the latest script
+            await writeFile(logPath, '[INFO] Fetched latest update.sh from GitHub\n', { flag: 'a' });
+          } else {
+            // If fetch fails, log warning but continue with local script
+            await writeFile(logPath, `[WARNING] Could not fetch latest update.sh (HTTP ${response.status}), using local version\n`, { flag: 'a' });
+          }
+        } catch (fetchError) {
+          // If fetch fails, log warning but continue with local script
+          const errorMsg = fetchError instanceof Error ? fetchError.message : 'Unknown error';
+          await writeFile(logPath, `[WARNING] Could not fetch latest update.sh: ${errorMsg}, using local version\n`, { flag: 'a' });
+        }
+        
        // Spawn the update script as a detached process using nohup
        // This allows it to run independently and kill the parent Node.js process
        // Redirect output to log file
--- a/src/server/db.js
+++ b/src/server/db.js
@@ -1,9 +1,22 @@
 import 'dotenv/config'
 import { PrismaClient } from '../../prisma/generated/prisma/client.ts'
 import { PrismaBetterSqlite3 } from '@prisma/adapter-better-sqlite3'
+import { existsSync, mkdirSync } from 'fs'
+import { dirname } from 'path'

 const globalForPrisma = globalThis;

+// Ensure database directory exists before initializing Prisma
+// DATABASE_URL format: file:/path/to/database.db
+const dbUrl = process.env.DATABASE_URL || 'file:./data/settings.db';
+const dbPath = dbUrl.replace(/^file:/, '');
+const dbDir = dirname(dbPath);
+
+if (!existsSync(dbDir)) {
+  console.log(`Creating database directory: ${dbDir}`);
+  mkdirSync(dbDir, { recursive: true });
+}
+
 const adapter = new PrismaBetterSqlite3({ url: process.env.DATABASE_URL });

 export const prisma = globalForPrisma.prisma ?? new PrismaClient({ adapter });
--- a/src/server/db.ts
+++ b/src/server/db.ts
@@ -1,9 +1,22 @@
 import 'dotenv/config'
 import { PrismaClient } from '../../prisma/generated/prisma/client'
 import { PrismaBetterSqlite3 } from '@prisma/adapter-better-sqlite3'
+import { existsSync, mkdirSync } from 'fs'
+import { dirname } from 'path'

 const globalForPrisma = globalThis as { prisma?: PrismaClient };

+// Ensure database directory exists before initializing Prisma
+// DATABASE_URL format: file:/path/to/database.db
+const dbUrl = process.env.DATABASE_URL || 'file:./data/settings.db';
+const dbPath = dbUrl.replace(/^file:/, '');
+const dbDir = dirname(dbPath);
+
+if (!existsSync(dbDir)) {
+  console.log(`Creating database directory: ${dbDir}`);
+  mkdirSync(dbDir, { recursive: true });
+}
+
 const adapter = new PrismaBetterSqlite3({ url: process.env.DATABASE_URL! });

 export const prisma: PrismaClient = globalForPrisma.prisma ?? new PrismaClient({
--- a/src/server/lib/gitProvider/bitbucket.ts
+++ b/src/server/lib/gitProvider/bitbucket.ts
@@ -0,0 +1,55 @@
+import type { DirEntry, GitProvider } from './types';
+import { parseRepoUrl } from '../repositoryUrlValidation';
+
+export class BitbucketProvider implements GitProvider {
+  async listDirectory(repoUrl: string, path: string, branch: string): Promise<DirEntry[]> {
+    const { owner, repo } = parseRepoUrl(repoUrl);
+    const listUrl = `https://api.bitbucket.org/2.0/repositories/${owner}/${repo}/src/${encodeURIComponent(branch)}/${path}`;
+    const headers: Record<string, string> = {
+      'User-Agent': 'PVEScripts-Local/1.0',
+    };
+    const token = process.env.BITBUCKET_APP_PASSWORD ?? process.env.BITBUCKET_TOKEN;
+    if (token) {
+      const auth = Buffer.from(`:${token}`).toString('base64');
+      headers.Authorization = `Basic ${auth}`;
+    }
+
+    const response = await fetch(listUrl, { headers });
+    if (!response.ok) {
+      throw new Error(`Bitbucket API error: ${response.status} ${response.statusText}`);
+    }
+
+    const body = (await response.json()) as { values?: { path: string; type: string }[] };
+    const data = body.values ?? (Array.isArray(body) ? body : []);
+    if (!Array.isArray(data)) {
+      throw new Error('Bitbucket API returned unexpected response');
+    }
+    return data.map((item: { path: string; type: string }) => {
+      const name = item.path.split('/').pop() ?? item.path;
+      return {
+        name,
+        path: item.path,
+        type: item.type === 'commit_directory' ? ('dir' as const) : ('file' as const),
+      };
+    });
+  }
+
+  async downloadRawFile(repoUrl: string, filePath: string, branch: string): Promise<string> {
+    const { owner, repo } = parseRepoUrl(repoUrl);
+    const rawUrl = `https://api.bitbucket.org/2.0/repositories/${owner}/${repo}/src/${encodeURIComponent(branch)}/${filePath}`;
+    const headers: Record<string, string> = {
+      'User-Agent': 'PVEScripts-Local/1.0',
+    };
+    const token = process.env.BITBUCKET_APP_PASSWORD ?? process.env.BITBUCKET_TOKEN;
+    if (token) {
+      const auth = Buffer.from(`:${token}`).toString('base64');
+      headers.Authorization = `Basic ${auth}`;
+    }
+
+    const response = await fetch(rawUrl, { headers });
+    if (!response.ok) {
+      throw new Error(`Failed to download ${filePath}: ${response.status} ${response.statusText}`);
+    }
+    return response.text();
+  }
+}
--- a/src/server/lib/gitProvider/custom.ts
+++ b/src/server/lib/gitProvider/custom.ts
@@ -0,0 +1,44 @@
+import type { DirEntry, GitProvider } from "./types";
+import { parseRepoUrl } from "../repositoryUrlValidation";
+
+export class CustomProvider implements GitProvider {
+  async listDirectory(repoUrl: string, path: string, branch: string): Promise<DirEntry[]> {
+    const { origin, owner, repo } = parseRepoUrl(repoUrl);
+    const apiUrl = `${origin}/api/v1/repos/${owner}/${repo}/contents/${path}?ref=${encodeURIComponent(branch)}`;
+    const headers: Record<string, string> = { "User-Agent": "PVEScripts-Local/1.0" };
+    const token = process.env.GITEA_TOKEN ?? process.env.GIT_TOKEN;
+    if (token) headers.Authorization = `token ${token}`;
+
+    const response = await fetch(apiUrl, { headers });
+    if (!response.ok) {
+      throw new Error(`Custom Git server: list directory failed (${response.status}).`);
+    }
+    const data = (await response.json()) as { type: string; name: string; path: string }[];
+    if (!Array.isArray(data)) {
+      const single = data as unknown as { type?: string; name?: string; path?: string };
+      if (single?.name) {
+        return [{ name: single.name, path: single.path ?? path, type: single.type === "dir" ? "dir" : "file" }];
+      }
+      throw new Error("Custom Git server returned unexpected response");
+    }
+    return data.map((item) => ({
+      name: item.name,
+      path: item.path,
+      type: item.type === "dir" ? ("dir" as const) : ("file" as const),
+    }));
+  }
+
+  async downloadRawFile(repoUrl: string, filePath: string, branch: string): Promise<string> {
+    const { origin, owner, repo } = parseRepoUrl(repoUrl);
+    const rawUrl = `${origin}/${owner}/${repo}/raw/${encodeURIComponent(branch)}/${filePath}`;
+    const headers: Record<string, string> = { "User-Agent": "PVEScripts-Local/1.0" };
+    const token = process.env.GITEA_TOKEN ?? process.env.GIT_TOKEN;
+    if (token) headers.Authorization = `token ${token}`;
+
+    const response = await fetch(rawUrl, { headers });
+    if (!response.ok) {
+      throw new Error(`Failed to download ${filePath} from custom Git server (${response.status}).`);
+    }
+    return response.text();
+  }
+}
--- a/src/server/lib/gitProvider/github.ts
+++ b/src/server/lib/gitProvider/github.ts
@@ -0,0 +1,60 @@
+import type { DirEntry, GitProvider } from './types';
+import { parseRepoUrl } from '../repositoryUrlValidation';
+
+export class GitHubProvider implements GitProvider {
+  async listDirectory(repoUrl: string, path: string, branch: string): Promise<DirEntry[]> {
+    const { owner, repo } = parseRepoUrl(repoUrl);
+    const apiUrl = `https://api.github.com/repos/${owner}/${repo}/contents/${path}?ref=${encodeURIComponent(branch)}`;
+    const headers: Record<string, string> = {
+      Accept: 'application/vnd.github.v3+json',
+      'User-Agent': 'PVEScripts-Local/1.0',
+    };
+    const token = process.env.GITHUB_TOKEN;
+    if (token) headers.Authorization = `token ${token}`;
+
+    const response = await fetch(apiUrl, { headers });
+    if (!response.ok) {
+      if (response.status === 403) {
+        const err = new Error(
+          `GitHub API rate limit exceeded. Consider setting GITHUB_TOKEN. Status: ${response.status} ${response.statusText}`
+        );
+        (err as Error & { name: string }).name = 'RateLimitError';
+        throw err;
+      }
+      throw new Error(`GitHub API error: ${response.status} ${response.statusText}`);
+    }
+
+    const data = (await response.json()) as { type: string; name: string; path: string }[];
+    if (!Array.isArray(data)) {
+      throw new Error('GitHub API returned unexpected response');
+    }
+    return data.map((item) => ({
+      name: item.name,
+      path: item.path,
+      type: item.type === 'dir' ? ('dir' as const) : ('file' as const),
+    }));
+  }
+
+  async downloadRawFile(repoUrl: string, filePath: string, branch: string): Promise<string> {
+    const { owner, repo } = parseRepoUrl(repoUrl);
+    const rawUrl = `https://raw.githubusercontent.com/${owner}/${repo}/${encodeURIComponent(branch)}/${filePath}`;
+    const headers: Record<string, string> = {
+      'User-Agent': 'PVEScripts-Local/1.0',
+    };
+    const token = process.env.GITHUB_TOKEN;
+    if (token) headers.Authorization = `token ${token}`;
+
+    const response = await fetch(rawUrl, { headers });
+    if (!response.ok) {
+      if (response.status === 403) {
+        const err = new Error(
+          `GitHub rate limit exceeded while downloading ${filePath}. Consider setting GITHUB_TOKEN.`
+        );
+        (err as Error & { name: string }).name = 'RateLimitError';
+        throw err;
+      }
+      throw new Error(`Failed to download ${filePath}: ${response.status} ${response.statusText}`);
+    }
+    return response.text();
+  }
+}
--- a/src/server/lib/gitProvider/gitlab.ts
+++ b/src/server/lib/gitProvider/gitlab.ts
@@ -0,0 +1,58 @@
+import type { DirEntry, GitProvider } from './types';
+import { parseRepoUrl } from '../repositoryUrlValidation';
+
+export class GitLabProvider implements GitProvider {
+  private getBaseUrl(repoUrl: string): string {
+    const { origin } = parseRepoUrl(repoUrl);
+    return origin;
+  }
+
+  private getProjectId(repoUrl: string): string {
+    const { owner, repo } = parseRepoUrl(repoUrl);
+    return encodeURIComponent(`${owner}/${repo}`);
+  }
+
+  async listDirectory(repoUrl: string, path: string, branch: string): Promise<DirEntry[]> {
+    const baseUrl = this.getBaseUrl(repoUrl);
+    const projectId = this.getProjectId(repoUrl);
+    const apiUrl = `${baseUrl}/api/v4/projects/${projectId}/repository/tree?path=${encodeURIComponent(path)}&ref=${encodeURIComponent(branch)}&per_page=100`;
+    const headers: Record<string, string> = {
+      'User-Agent': 'PVEScripts-Local/1.0',
+    };
+    const token = process.env.GITLAB_TOKEN;
+    if (token) headers['PRIVATE-TOKEN'] = token;
+
+    const response = await fetch(apiUrl, { headers });
+    if (!response.ok) {
+      throw new Error(`GitLab API error: ${response.status} ${response.statusText}`);
+    }
+
+    const data = (await response.json()) as { type: string; name: string; path: string }[];
+    if (!Array.isArray(data)) {
+      throw new Error('GitLab API returned unexpected response');
+    }
+    return data.map((item) => ({
+      name: item.name,
+      path: item.path,
+      type: item.type === 'tree' ? ('dir' as const) : ('file' as const),
+    }));
+  }
+
+  async downloadRawFile(repoUrl: string, filePath: string, branch: string): Promise<string> {
+    const baseUrl = this.getBaseUrl(repoUrl);
+    const projectId = this.getProjectId(repoUrl);
+    const encodedPath = encodeURIComponent(filePath);
+    const rawUrl = `${baseUrl}/api/v4/projects/${projectId}/repository/files/${encodedPath}/raw?ref=${encodeURIComponent(branch)}`;
+    const headers: Record<string, string> = {
+      'User-Agent': 'PVEScripts-Local/1.0',
+    };
+    const token = process.env.GITLAB_TOKEN;
+    if (token) headers['PRIVATE-TOKEN'] = token;
+
+    const response = await fetch(rawUrl, { headers });
+    if (!response.ok) {
+      throw new Error(`Failed to download ${filePath}: ${response.status} ${response.statusText}`);
+    }
+    return response.text();
+  }
+}
--- a/src/server/lib/gitProvider/index.js
+++ b/src/server/lib/gitProvider/index.js
@@ -0,0 +1 @@
+export { listDirectory, downloadRawFile, getRepoProvider } from "./index.ts";
--- a/src/server/lib/gitProvider/index.ts
+++ b/src/server/lib/gitProvider/index.ts
@@ -0,0 +1,28 @@
+import type { DirEntry, GitProvider } from "./types";
+import { getRepoProvider } from "../repositoryUrlValidation";
+import { GitHubProvider } from "./github";
+import { GitLabProvider } from "./gitlab";
+import { BitbucketProvider } from "./bitbucket";
+import { CustomProvider } from "./custom";
+
+const providers: Record<string, GitProvider> = {
+  github: new GitHubProvider(),
+  gitlab: new GitLabProvider(),
+  bitbucket: new BitbucketProvider(),
+  custom: new CustomProvider(),
+};
+
+export type { DirEntry, GitProvider };
+export { getRepoProvider };
+
+export function getGitProvider(repoUrl: string): GitProvider {
+  return providers[getRepoProvider(repoUrl)]!;
+}
+
+export async function listDirectory(repoUrl: string, path: string, branch: string): Promise<DirEntry[]> {
+  return getGitProvider(repoUrl).listDirectory(repoUrl, path, branch);
+}
+
+export async function downloadRawFile(repoUrl: string, filePath: string, branch: string): Promise<string> {
+  return getGitProvider(repoUrl).downloadRawFile(repoUrl, filePath, branch);
+}
--- a/src/server/lib/gitProvider/types.ts
+++ b/src/server/lib/gitProvider/types.ts
@@ -0,0 +1,14 @@
+/**
+ * Git provider interface for listing and downloading repository files.
+ */
+
+export type DirEntry = {
+  name: string;
+  path: string;
+  type: 'file' | 'dir';
+};
+
+export interface GitProvider {
+  listDirectory(repoUrl: string, path: string, branch: string): Promise<DirEntry[]>;
+  downloadRawFile(repoUrl: string, filePath: string, branch: string): Promise<string>;
+}
--- a/src/server/lib/repositoryUrlValidation.js
+++ b/src/server/lib/repositoryUrlValidation.js
@@ -0,0 +1,37 @@
+/**
+ * Repository URL validation (JS mirror for server.js).
+ */
+const VALID_REPO_URL =
+  /^(https?:\/\/)(github\.com|gitlab\.com|bitbucket\.org|[^/]+)\/[^/]+\/[^/]+$/;
+
+export const REPO_URL_ERROR_MESSAGE =
+  'Invalid repository URL. Supported: GitHub, GitLab, Bitbucket, and custom Git servers (e.g. https://host/owner/repo).';
+
+export function isValidRepositoryUrl(url) {
+  if (typeof url !== 'string' || !url.trim()) return false;
+  return VALID_REPO_URL.test(url.trim());
+}
+
+export function getRepoProvider(url) {
+  if (!isValidRepositoryUrl(url)) throw new Error(REPO_URL_ERROR_MESSAGE);
+  const normalized = url.trim().toLowerCase();
+  if (normalized.includes('github.com')) return 'github';
+  if (normalized.includes('gitlab.com')) return 'gitlab';
+  if (normalized.includes('bitbucket.org')) return 'bitbucket';
+  return 'custom';
+}
+
+export function parseRepoUrl(url) {
+  if (!isValidRepositoryUrl(url)) throw new Error(REPO_URL_ERROR_MESSAGE);
+  try {
+    const u = new URL(url.trim());
+    const pathParts = u.pathname.replace(/^\/+/, '').replace(/\.git\/?$/, '').split('/');
+    return {
+      origin: u.origin,
+      owner: pathParts[0] ?? '',
+      repo: pathParts[1] ?? '',
+    };
+  } catch {
+    throw new Error(REPO_URL_ERROR_MESSAGE);
+  }
+}
--- a/src/server/lib/repositoryUrlValidation.ts
+++ b/src/server/lib/repositoryUrlValidation.ts
@@ -0,0 +1,57 @@
+/**
+ * Repository URL validation and provider detection.
+ * Supports GitHub, GitLab, Bitbucket, and custom Git servers.
+ */
+
+const VALID_REPO_URL =
+  /^(https?:\/\/)(github\.com|gitlab\.com|bitbucket\.org|[^/]+)\/[^/]+\/[^/]+$/;
+
+export const REPO_URL_ERROR_MESSAGE =
+  'Invalid repository URL. Supported: GitHub, GitLab, Bitbucket, and custom Git servers (e.g. https://host/owner/repo).';
+
+export type RepoProvider = 'github' | 'gitlab' | 'bitbucket' | 'custom';
+
+/**
+ * Check if a string is a valid repository URL (format only).
+ */
+export function isValidRepositoryUrl(url: string): boolean {
+  if (typeof url !== 'string' || !url.trim()) return false;
+  return VALID_REPO_URL.test(url.trim());
+}
+
+/**
+ * Detect the Git provider from a repository URL.
+ */
+export function getRepoProvider(url: string): RepoProvider {
+  if (!isValidRepositoryUrl(url)) {
+    throw new Error(REPO_URL_ERROR_MESSAGE);
+  }
+  const normalized = url.trim().toLowerCase();
+  if (normalized.includes('github.com')) return 'github';
+  if (normalized.includes('gitlab.com')) return 'gitlab';
+  if (normalized.includes('bitbucket.org')) return 'bitbucket';
+  return 'custom';
+}
+
+/**
+ * Parse owner and repo from a repository URL (path segments).
+ * Works for GitHub, GitLab, Bitbucket, and custom (host/owner/repo).
+ */
+export function parseRepoUrl(url: string): { origin: string; owner: string; repo: string } {
+  if (!isValidRepositoryUrl(url)) {
+    throw new Error(REPO_URL_ERROR_MESSAGE);
+  }
+  try {
+    const u = new URL(url.trim());
+    const pathParts = u.pathname.replace(/^\/+/, '').replace(/\.git\/?$/, '').split('/');
+    const owner = pathParts[0] ?? '';
+    const repo = pathParts[1] ?? '';
+    return {
+      origin: u.origin,
+      owner,
+      repo,
+    };
+  } catch {
+    throw new Error(REPO_URL_ERROR_MESSAGE);
+  }
+}
--- a/src/server/services/githubJsonService.js
+++ b/src/server/services/githubJsonService.js
@@ -2,6 +2,7 @@
 import { writeFile, mkdir, readdir, readFile } from 'fs/promises';
 import { join } from 'path';
 import { repositoryService } from './repositoryService.js';
+import { listDirectory, downloadRawFile } from '../lib/gitProvider/index.js';

 // Get environment variables
 const getEnv = () => ({
@@ -28,76 +29,9 @@ class GitHubJsonService {
    }
  }

-  getBaseUrl(repoUrl) {
-    const urlMatch = /github\.com\/([^\/]+)\/([^\/]+)/.exec(repoUrl);
-    if (!urlMatch) {
-      throw new Error(`Invalid GitHub repository URL: ${repoUrl}`);
-    }
-    
-    const [, owner, repo] = urlMatch;
-    return `https://api.github.com/repos/${owner}/${repo}`;
-  }
-
-  extractRepoPath(repoUrl) {
-    const match = /github\.com\/([^\/]+)\/([^\/]+)/.exec(repoUrl);
-    if (!match) {
-      throw new Error('Invalid GitHub repository URL');
-    }
-    return `${match[1]}/${match[2]}`;
-  }
-
-  async fetchFromGitHub(repoUrl, endpoint) {
-    const baseUrl = this.getBaseUrl(repoUrl);
-    const env = getEnv();
-    
-    const headers = {
-      'Accept': 'application/vnd.github.v3+json',
-      'User-Agent': 'PVEScripts-Local/1.0',
-    };
-    
-    if (env.GITHUB_TOKEN) {
-      headers.Authorization = `token ${env.GITHUB_TOKEN}`;
-    }
-    
-    const response = await fetch(`${baseUrl}${endpoint}`, { headers });
-
-    if (!response.ok) {
-      if (response.status === 403) {
-        const error = new Error(`GitHub API rate limit exceeded. Consider setting GITHUB_TOKEN for higher limits. Status: ${response.status} ${response.statusText}`);
-        error.name = 'RateLimitError';
-        throw error;
-      }
-      throw new Error(`GitHub API error: ${response.status} ${response.statusText}`);
-    }
-
-    return response.json();
-  }
-
  async downloadJsonFile(repoUrl, filePath) {
    this.initializeConfig();
-    const repoPath = this.extractRepoPath(repoUrl);
-    const rawUrl = `https://raw.githubusercontent.com/${repoPath}/${this.branch}/${filePath}`;
-    const env = getEnv();
-    
-    const headers = {
-      'User-Agent': 'PVEScripts-Local/1.0',
-    };
-    
-    if (env.GITHUB_TOKEN) {
-      headers.Authorization = `token ${env.GITHUB_TOKEN}`;
-    }
-    
-    const response = await fetch(rawUrl, { headers });
-    if (!response.ok) {
-      if (response.status === 403) {
-        const error = new Error(`GitHub rate limit exceeded while downloading ${filePath}. Consider setting GITHUB_TOKEN for higher limits.`);
-        error.name = 'RateLimitError';
-        throw error;
-      }
-      throw new Error(`Failed to download ${filePath}: ${response.status} ${response.statusText}`);
-    }
-
-    const content = await response.text();
+    const content = await downloadRawFile(repoUrl, filePath, this.branch);
    const script = JSON.parse(content);
    script.repository_url = repoUrl;
    return script;
@@ -105,16 +39,13 @@ class GitHubJsonService {

  async getJsonFiles(repoUrl) {
    this.initializeConfig();
-    
    try {
-      const files = await this.fetchFromGitHub(
-        repoUrl,
-        `/contents/${this.jsonFolder}?ref=${this.branch}`
-      );
-      
-      return files.filter(file => file.name.endsWith('.json'));
+      const entries = await listDirectory(repoUrl, this.jsonFolder, this.branch);
+      return entries
+        .filter((e) => e.type === 'file' && e.name.endsWith('.json'))
+        .map((e) => ({ name: e.name, path: e.path }));
    } catch (error) {
-      console.error(`Error fetching JSON files from GitHub (${repoUrl}):`, error);
+      console.error(`Error fetching JSON files from repository (${repoUrl}):`, error);
      throw new Error(`Failed to fetch script files from repository: ${repoUrl}`);
    }
  }
--- a/src/server/services/githubJsonService.ts
+++ b/src/server/services/githubJsonService.ts
@@ -3,6 +3,7 @@ import { join } from 'path';
 import { env } from '../../env.js';
 import type { Script, ScriptCard, GitHubFile } from '../../types/script';
 import { repositoryService } from './repositoryService';
+import { listDirectory, downloadRawFile } from '~/server/lib/gitProvider';

 export class GitHubJsonService {
  private branch: string | null = null;
@@ -22,96 +23,24 @@ export class GitHubJsonService {
    }
  }

-  private getBaseUrl(repoUrl: string): string {
-    const urlMatch = /github\.com\/([^\/]+)\/([^\/]+)/.exec(repoUrl);
-    if (!urlMatch) {
-      throw new Error(`Invalid GitHub repository URL: ${repoUrl}`);
-    }
-    
-    const [, owner, repo] = urlMatch;
-    return `https://api.github.com/repos/${owner}/${repo}`;
-  }
-
-  private extractRepoPath(repoUrl: string): string {
-    const match = /github\.com\/([^\/]+)\/([^\/]+)/.exec(repoUrl);
-    if (!match) {
-      throw new Error('Invalid GitHub repository URL');
-    }
-    return `${match[1]}/${match[2]}`;
-  }
-
-  private async fetchFromGitHub<T>(repoUrl: string, endpoint: string): Promise<T> {
-    const baseUrl = this.getBaseUrl(repoUrl);
-    
-    const headers: HeadersInit = {
-      'Accept': 'application/vnd.github.v3+json',
-      'User-Agent': 'PVEScripts-Local/1.0',
-    };
-    
-    // Add GitHub token authentication if available
-    if (env.GITHUB_TOKEN) {
-      headers.Authorization = `token ${env.GITHUB_TOKEN}`;
-    }
-    
-    const response = await fetch(`${baseUrl}${endpoint}`, { headers });
-
-    if (!response.ok) {
-      if (response.status === 403) {
-        const error = new Error(`GitHub API rate limit exceeded. Consider setting GITHUB_TOKEN for higher limits. Status: ${response.status} ${response.statusText}`);
-        error.name = 'RateLimitError';
-        throw error;
-      }
-      throw new Error(`GitHub API error: ${response.status} ${response.statusText}`);
-    }
-
-    const data = await response.json();
-    return data as T;
-  }
-
  private async downloadJsonFile(repoUrl: string, filePath: string): Promise<Script> {
    this.initializeConfig();
-    const repoPath = this.extractRepoPath(repoUrl);
-    const rawUrl = `https://raw.githubusercontent.com/${repoPath}/${this.branch!}/${filePath}`;
-    
-    const headers: HeadersInit = {
-      'User-Agent': 'PVEScripts-Local/1.0',
-    };
-    
-    // Add GitHub token authentication if available
-    if (env.GITHUB_TOKEN) {
-      headers.Authorization = `token ${env.GITHUB_TOKEN}`;
-    }
-    
-    const response = await fetch(rawUrl, { headers });
-    if (!response.ok) {
-      if (response.status === 403) {
-        const error = new Error(`GitHub rate limit exceeded while downloading ${filePath}. Consider setting GITHUB_TOKEN for higher limits. Status: ${response.status} ${response.statusText}`);
-        error.name = 'RateLimitError';
-        throw error;
-      }
-      throw new Error(`Failed to download ${filePath}: ${response.status} ${response.statusText}`);
-    }
-
-    const content = await response.text();
+    const content = await downloadRawFile(repoUrl, filePath, this.branch!);
    const script = JSON.parse(content) as Script;
-    // Add repository_url to script
    script.repository_url = repoUrl;
    return script;
  }

  async getJsonFiles(repoUrl: string): Promise<GitHubFile[]> {
    this.initializeConfig();
-    
    try {
-      const files = await this.fetchFromGitHub<GitHubFile[]>(
-        repoUrl,
-        `/contents/${this.jsonFolder!}?ref=${this.branch!}`
-      );
-      
-      // Filter for JSON files only
-      return files.filter(file => file.name.endsWith('.json'));
+      const entries = await listDirectory(repoUrl, this.jsonFolder!, this.branch!);
+      const files: GitHubFile[] = entries
+        .filter((e) => e.type === 'file' && e.name.endsWith('.json'))
+        .map((e) => ({ name: e.name, path: e.path } as GitHubFile));
+      return files;
    } catch (error) {
-      console.error(`Error fetching JSON files from GitHub (${repoUrl}):`, error);
+      console.error(`Error fetching JSON files from repository (${repoUrl}):`, error);
      throw new Error(`Failed to fetch script files from repository: ${repoUrl}`);
    }
  }
@@ -233,8 +162,7 @@ export class GitHubJsonService {
    try {
      console.log(`Starting JSON sync from repository: ${repoUrl}`);
      
-      // Get file list from GitHub
-      console.log(`Fetching file list from GitHub (${repoUrl})...`);
+      console.log(`Fetching file list from repository (${repoUrl})...`);
      const githubFiles = await this.getJsonFiles(repoUrl);
      console.log(`Found ${githubFiles.length} JSON files in repository ${repoUrl}`);
      
--- a/src/server/services/repositoryService.js
+++ b/src/server/services/repositoryService.js
@@ -1,5 +1,6 @@
 // JavaScript wrapper for repositoryService (for use with node server.js)
 import { prisma } from '../db.js';
+import { isValidRepositoryUrl, REPO_URL_ERROR_MESSAGE } from '../lib/repositoryUrlValidation.js';

 class RepositoryService {
  /**
@@ -89,9 +90,8 @@ class RepositoryService {
   * Create a new repository
   */
  async createRepository(data) {
-    // Validate GitHub URL
-    if (!data.url.match(/^https:\/\/github\.com\/[^\/]+\/[^\/]+$/)) {
-      throw new Error('Invalid GitHub repository URL. Format: https://github.com/owner/repo');
+    if (!isValidRepositoryUrl(data.url)) {
+      throw new Error(REPO_URL_ERROR_MESSAGE);
    }

    // Check for duplicates
@@ -122,10 +122,9 @@ class RepositoryService {
   * Update repository
   */
  async updateRepository(id, data) {
-    // If updating URL, validate it
    if (data.url) {
-      if (!data.url.match(/^https:\/\/github\.com\/[^\/]+\/[^\/]+$/)) {
-        throw new Error('Invalid GitHub repository URL. Format: https://github.com/owner/repo');
+      if (!isValidRepositoryUrl(data.url)) {
+        throw new Error(REPO_URL_ERROR_MESSAGE);
      }

      // Check for duplicates (excluding current repo)
--- a/src/server/services/repositoryService.ts
+++ b/src/server/services/repositoryService.ts
@@ -1,5 +1,5 @@
-/* eslint-disable @typescript-eslint/prefer-regexp-exec */
 import { prisma } from '../db';
+import { isValidRepositoryUrl, REPO_URL_ERROR_MESSAGE } from '../lib/repositoryUrlValidation';

 export class RepositoryService {
  /**
@@ -93,9 +93,8 @@ export class RepositoryService {
    enabled?: boolean;
    priority?: number;
  }) {
-    // Validate GitHub URL
-    if (!data.url.match(/^https:\/\/github\.com\/[^\/]+\/[^\/]+$/)) {
-      throw new Error('Invalid GitHub repository URL. Format: https://github.com/owner/repo');
+    if (!isValidRepositoryUrl(data.url)) {
+      throw new Error(REPO_URL_ERROR_MESSAGE);
    }

    // Check for duplicates
@@ -130,10 +129,9 @@ export class RepositoryService {
    url?: string;
    priority?: number;
  }) {
-    // If updating URL, validate it
    if (data.url) {
-      if (!data.url.match(/^https:\/\/github\.com\/[^\/]+\/[^\/]+$/)) {
-        throw new Error('Invalid GitHub repository URL. Format: https://github.com/owner/repo');
+      if (!isValidRepositoryUrl(data.url)) {
+        throw new Error(REPO_URL_ERROR_MESSAGE);
      }

      // Check for duplicates (excluding current repo)
--- a/src/server/services/scriptDownloader.js
+++ b/src/server/services/scriptDownloader.js
@@ -1,6 +1,7 @@
 // Real JavaScript implementation for script downloading
 import { join } from 'path';
 import { writeFile, mkdir, access, readFile, unlink } from 'fs/promises';
+import { downloadRawFile } from '../lib/gitProvider/index.js';

 export class ScriptDownloaderService {
  constructor() {
@@ -82,51 +83,18 @@ export class ScriptDownloaderService {
  }

  /**
-   * Extract repository path from GitHub URL
-   * @param {string} repoUrl - The GitHub repository URL
-   * @returns {string}
-   */
-  extractRepoPath(repoUrl) {
-    const match = /github\.com\/([^\/]+)\/([^\/]+)/.exec(repoUrl);
-    if (!match) {
-      throw new Error(`Invalid GitHub repository URL: ${repoUrl}`);
-    }
-    return `${match[1]}/${match[2]}`;
-  }
-
-  /**
-   * Download a file from GitHub
-   * @param {string} repoUrl - The GitHub repository URL
+   * Download a file from the repository (GitHub, GitLab, Bitbucket, or custom)
+   * @param {string} repoUrl - The repository URL
   * @param {string} filePath - The file path within the repository
   * @param {string} [branch] - The branch to download from
   * @returns {Promise<string>}
   */
-  async downloadFileFromGitHub(repoUrl, filePath, branch = 'main') {
-    this.initializeConfig();
+  async downloadFileFromRepo(repoUrl, filePath, branch = 'main') {
    if (!repoUrl) {
      throw new Error('Repository URL is not set');
    }
-
-    const repoPath = this.extractRepoPath(repoUrl);
-    const url = `https://raw.githubusercontent.com/${repoPath}/${branch}/${filePath}`;
-    
-    /** @type {Record<string, string>} */
-    const headers = {
-      'User-Agent': 'PVEScripts-Local/1.0',
-    };
-    
-    // Add GitHub token authentication if available
-    if (process.env.GITHUB_TOKEN) {
-      headers.Authorization = `token ${process.env.GITHUB_TOKEN}`;
-    }
-    
-    console.log(`Downloading from GitHub: ${url}`);
-    const response = await fetch(url, { headers });
-    if (!response.ok) {
-      throw new Error(`Failed to download ${filePath} from ${repoUrl}: ${response.status} ${response.statusText}`);
-    }
-
-    return response.text();
+    console.log(`Downloading from repository: ${repoUrl} (${filePath})`);
+    return downloadRawFile(repoUrl, filePath, branch);
  }

  /**
@@ -184,9 +152,8 @@ export class ScriptDownloaderService {
            const fileName = scriptPath.split('/').pop();
            
            if (fileName) {
-              // Download from GitHub using the script's repository URL
              console.log(`Downloading script file: ${scriptPath} from ${repoUrl}`);
-              const content = await this.downloadFileFromGitHub(repoUrl, scriptPath, branch);
+              const content = await this.downloadFileFromRepo(repoUrl, scriptPath, branch);
              
              // Determine target directory based on script path
              let targetDir;
@@ -250,7 +217,7 @@ export class ScriptDownloaderService {
        const installScriptName = `${script.slug}-install.sh`;
        try {
          console.log(`Downloading install script: install/${installScriptName} from ${repoUrl}`);
-          const installContent = await this.downloadFileFromGitHub(repoUrl, `install/${installScriptName}`, branch);
+          const installContent = await this.downloadFileFromRepo(repoUrl, `install/${installScriptName}`, branch);
          const localInstallPath = join(this.scriptsDirectory, 'install', installScriptName);
          await writeFile(localInstallPath, installContent, 'utf-8');
          files.push(`install/${installScriptName}`);
@@ -274,7 +241,7 @@ export class ScriptDownloaderService {
        const alpineInstallScriptName = `alpine-${script.slug}-install.sh`;
        try {
          console.log(`[${script.slug}] Downloading alpine install script: install/${alpineInstallScriptName} from ${repoUrl}`);
-          const alpineInstallContent = await this.downloadFileFromGitHub(repoUrl, `install/${alpineInstallScriptName}`, branch);
+          const alpineInstallContent = await this.downloadFileFromRepo(repoUrl, `install/${alpineInstallScriptName}`, branch);
          const localAlpineInstallPath = join(this.scriptsDirectory, 'install', alpineInstallScriptName);
          await writeFile(localAlpineInstallPath, alpineInstallContent, 'utf-8');
          files.push(`install/${alpineInstallScriptName}`);
@@ -681,7 +648,7 @@ export class ScriptDownloaderService {
      console.log(`[Comparison] Local file size: ${localContent.length} bytes`);
      
      // Download remote content from the script's repository
-      const remoteContent = await this.downloadFileFromGitHub(repoUrl, remotePath, branch);
+      const remoteContent = await this.downloadFileFromRepo(repoUrl, remotePath, branch);
      console.log(`[Comparison] Remote file size: ${remoteContent.length} bytes`);
      
      // Apply modification only for CT scripts, not for other script types
@@ -739,7 +706,7 @@ export class ScriptDownloaderService {
            // Find the corresponding script path in install_methods
            const method = script.install_methods?.find(m => m.script === filePath);
            if (method?.script) {
-              const downloadedContent = await this.downloadFileFromGitHub(repoUrl, method.script, branch);
+              const downloadedContent = await this.downloadFileFromRepo(repoUrl, method.script, branch);
              remoteContent = this.modifyScriptContent(downloadedContent);
            }
          } catch {
@@ -756,7 +723,7 @@ export class ScriptDownloaderService {
        }

        try {
-          remoteContent = await this.downloadFileFromGitHub(repoUrl, filePath, branch);
+          remoteContent = await this.downloadFileFromRepo(repoUrl, filePath, branch);
        } catch {
          // Error downloading remote install script
        }
--- a/src/server/ssh-execution-service.js
+++ b/src/server/ssh-execution-service.js
@@ -85,9 +85,10 @@ class SSHExecutionService {
   * @param {Function} onData - Callback for data output
   * @param {Function} onError - Callback for errors
   * @param {Function} onExit - Callback for process exit
+   * @param {Object} [envVars] - Optional environment variables to pass to the script
   * @returns {Promise<Object>} Process information
   */
-  async executeScript(server, scriptPath, onData, onError, onExit) {
+  async executeScript(server, scriptPath, onData, onError, onExit, envVars = {}) {
    try {
      await this.transferScriptsFolder(server, onData, onError);
      
@@ -98,8 +99,43 @@ class SSHExecutionService {
          // Build SSH command based on authentication type
          const { command, args } = this.buildSSHCommand(server);
          
+          // Format environment variables as var_name=value pairs
+          const envVarsString = Object.entries(envVars)
+            .map(([key, value]) => {
+              // Escape special characters in values
+              const escapedValue = String(value).replace(/'/g, "'\\''");
+              return `${key}='${escapedValue}'`;
+            })
+            .join(' ');
+          
+          // Build the command with environment variables
+          let scriptCommand = `cd /tmp/scripts && chmod +x ${relativeScriptPath} && export TERM=xterm-256color && export COLUMNS=120 && export LINES=30 && export COLORTERM=truecolor && export FORCE_COLOR=1 && export NO_COLOR=0 && export CLICOLOR=1 && export CLICOLOR_FORCE=1`;
+          
+          if (envVarsString) {
+            scriptCommand += ` && ${envVarsString} bash ${relativeScriptPath}`;
+          } else {
+            scriptCommand += ` && bash ${relativeScriptPath}`;
+          }
+          
+          // Log the full command that will be executed
+          console.log('='.repeat(80));
+          console.log(`[SSH Execution] Executing on host: ${server.ip} (${server.name || 'Unnamed'})`);
+          console.log(`[SSH Execution] Script path: ${scriptPath}`);
+          console.log(`[SSH Execution] Relative script path: ${relativeScriptPath}`);
+          if (Object.keys(envVars).length > 0) {
+            console.log(`[SSH Execution] Environment variables (${Object.keys(envVars).length} vars):`);
+            Object.entries(envVars).forEach(([key, value]) => {
+              console.log(`  ${key}=${String(value)}`);
+            });
+          } else {
+            console.log(`[SSH Execution] No environment variables provided`);
+          }
+          console.log(`[SSH Execution] Full command:`);
+          console.log(scriptCommand);
+          console.log('='.repeat(80));
+          
          // Add the script execution command to the args
-          args.push(`cd /tmp/scripts && chmod +x ${relativeScriptPath} && export TERM=xterm-256color && export COLUMNS=120 && export LINES=30 && export COLORTERM=truecolor && export FORCE_COLOR=1 && export NO_COLOR=0 && export CLICOLOR=1 && export CLICOLOR_FORCE=1 && bash ${relativeScriptPath}`);
+          args.push(scriptCommand);
          
          // Use ptySpawn for proper terminal emulation and color support
          const sshCommand = ptySpawn(command, args, {
--- a/update.sh
+++ b/update.sh
@@ -4,7 +4,7 @@
 # Enhanced update script for ProxmoxVE-Local
 # Fetches latest release from GitHub and backs up data directory

-set -euo pipefail  # Exit on error, undefined vars, pipe failures
+set -euo pipefail # Exit on error, undefined vars, pipe failures

 # Add error trap for debugging
 trap 'echo "Error occurred at line $LINENO, command: $BASH_COMMAND"' ERR
@@ -38,7 +38,7 @@ load_github_token() {
        log "Using GitHub token from environment variable"
        return 0
    fi
-    
+
    # Try .env file
    if [ -f ".env" ]; then
        local env_token
@@ -49,21 +49,21 @@ load_github_token() {
            return 0
        fi
    fi
-    
+
    # Try .github_token file
    if [ -f ".github_token" ]; then
        GITHUB_TOKEN=$(cat .github_token | tr -d '\n\r')
        log "Using GitHub token from .github_token file"
        return 0
    fi
-    
+
    # Try ~/.github_token file
    if [ -f "$HOME/.github_token" ]; then
        GITHUB_TOKEN=$(cat "$HOME/.github_token" | tr -d '\n\r')
        log "Using GitHub token from ~/.github_token file"
        return 0
    fi
-    
+
    log_warning "No GitHub token found. Using unauthenticated requests (lower rate limits)"
    log_warning "To use a token, add GITHUB_TOKEN=your_token to .env file or set GITHUB_TOKEN environment variable"
    return 1
@@ -72,7 +72,7 @@ load_github_token() {
 # Initialize log file
 init_log() {
    # Clear/create log file
-    > "$LOG_FILE"
+    >"$LOG_FILE"
    log "Starting ProxmoxVE-Local update process..."
    log "Log file: $LOG_FILE"
 }
@@ -97,40 +97,40 @@ log_warning() {
 # Check if required tools are available
 check_dependencies() {
    log "Checking dependencies..."
-    
+
    local missing_deps=()
-    
-    if ! command -v curl &> /dev/null; then
+
+    if ! command -v curl &>/dev/null; then
        missing_deps+=("curl")
    fi
-    
-    if ! command -v jq &> /dev/null; then
+
+    if ! command -v jq &>/dev/null; then
        missing_deps+=("jq")
    fi
-    
-    if ! command -v npm &> /dev/null; then
+
+    if ! command -v npm &>/dev/null; then
        missing_deps+=("npm")
    fi
-    
-    if ! command -v node &> /dev/null; then
+
+    if ! command -v node &>/dev/null; then
        missing_deps+=("node")
    fi
-    
+
    if [ ${#missing_deps[@]} -ne 0 ]; then
        log_error "Missing dependencies: ${missing_deps[*]}"
        log_error "Please install the missing dependencies and try again."
        exit 1
    fi
-    
+
    log_success "All dependencies are available"
 }

 # Get latest release info from GitHub API
 get_latest_release() {
    log "Fetching latest release information from GitHub..."
-    
+
    local curl_opts="-s --connect-timeout 15 --max-time 60 --retry 2 --retry-delay 3"
-    
+
    # Add authentication header if token is available
    if [ -n "$GITHUB_TOKEN" ]; then
        curl_opts="$curl_opts -H \"Authorization: token $GITHUB_TOKEN\""
@@ -138,35 +138,35 @@ get_latest_release() {
    else
        log "Using unauthenticated GitHub API request (lower rate limits)"
    fi
-    
+
    local release_info
    if ! release_info=$(eval "curl $curl_opts \"$GITHUB_API/releases/latest\""); then
        log_error "Failed to fetch release information from GitHub API (timeout or network error)"
        exit 1
    fi
-    
+
    # Check if response is valid JSON
    if ! echo "$release_info" | jq empty 2>/dev/null; then
        log_error "Invalid JSON response from GitHub API"
        log "Response: $release_info"
        exit 1
    fi
-    
+
    local tag_name
    local download_url
    local published_at
-    
+
    tag_name=$(echo "$release_info" | jq -r '.tag_name')
    download_url=$(echo "$release_info" | jq -r '.tarball_url')
    published_at=$(echo "$release_info" | jq -r '.published_at')
-    
+
    if [ "$tag_name" = "null" ] || [ "$download_url" = "null" ] || [ -z "$tag_name" ] || [ -z "$download_url" ]; then
        log_error "Failed to parse release information from API response"
        log "Tag name: $tag_name"
        log "Download URL: $download_url"
        exit 1
    fi
-    
+
    log_success "Latest release: $tag_name (published: $published_at)"
    echo "$tag_name|$download_url"
 }
@@ -174,16 +174,16 @@ get_latest_release() {
 # Backup data directory, .env file, and scripts directories
 backup_data() {
    log "Creating backup directory at $BACKUP_DIR..."
-    
+
    if ! mkdir -p "$BACKUP_DIR"; then
        log_error "Failed to create backup directory"
        exit 1
    fi
-    
+
    # Backup data directory
    if [ -d "$DATA_DIR" ]; then
        log "Backing up data directory..."
-        
+
        if ! cp -r "$DATA_DIR" "$BACKUP_DIR/data"; then
            log_error "Failed to backup data directory"
            exit 1
@@ -193,7 +193,7 @@ backup_data() {
    else
        log_warning "Data directory not found, skipping backup"
    fi
-    
+
    # Backup .env file
    if [ -f ".env" ]; then
        log "Backing up .env file..."
@@ -206,7 +206,7 @@ backup_data() {
    else
        log_warning ".env file not found, skipping backup"
    fi
-    
+
    # Backup scripts directories
    local scripts_dirs=("scripts/ct" "scripts/install" "scripts/tools" "scripts/vm")
    for scripts_dir in "${scripts_dirs[@]}"; do
@@ -230,60 +230,60 @@ download_release() {
    local release_info="$1"
    local tag_name="${release_info%|*}"
    local download_url="${release_info#*|}"
-    
+
    log "Downloading release $tag_name..."
-    
+
    local temp_dir="/tmp/pve-update-$$"
    local archive_file="$temp_dir/release.tar.gz"
-    
+
    # Create temporary directory
    if ! mkdir -p "$temp_dir"; then
        log_error "Failed to create temporary directory"
        exit 1
    fi
-    
+
    # Download release with timeout and progress
    if ! curl -L --connect-timeout 30 --max-time 300 --retry 3 --retry-delay 5 -o "$archive_file" "$download_url" 2>/dev/null; then
        log_error "Failed to download release from GitHub"
        rm -rf "$temp_dir"
        exit 1
    fi
-    
+
    # Verify download
    if [ ! -f "$archive_file" ] || [ ! -s "$archive_file" ]; then
        log_error "Downloaded file is empty or missing"
        rm -rf "$temp_dir"
        exit 1
    fi
-    
+
    log_success "Downloaded release"
-    
+
    # Extract release
    if ! tar -xzf "$archive_file" -C "$temp_dir" 2>/dev/null; then
        log_error "Failed to extract release"
        rm -rf "$temp_dir"
        exit 1
    fi
-    
+
    # Find the extracted directory (GitHub tarballs have a root directory)
    local extracted_dir
    extracted_dir=$(find "$temp_dir" -maxdepth 1 -type d -name "community-scripts-ProxmoxVE-Local-*" 2>/dev/null | head -1)
-    
+
    # Try alternative patterns if not found
    if [ -z "$extracted_dir" ]; then
        extracted_dir=$(find "$temp_dir" -maxdepth 1 -type d -name "${REPO_NAME}-*" 2>/dev/null | head -1)
    fi
-    
+
    if [ -z "$extracted_dir" ]; then
        extracted_dir=$(find "$temp_dir" -maxdepth 1 -type d ! -name "$temp_dir" 2>/dev/null | head -1)
    fi
-    
+
    if [ -z "$extracted_dir" ]; then
        log_error "Could not find extracted directory"
        rm -rf "$temp_dir"
        exit 1
    fi
-    
+
    log_success "Release extracted successfully"
    echo "$extracted_dir"
 }
@@ -291,11 +291,11 @@ download_release() {
 # Clear the original directory before updating
 clear_original_directory() {
    log "Clearing original directory..."
-    
+
    # Remove old lock files and node_modules before update
    rm -f package-lock.json 2>/dev/null
    rm -rf node_modules 2>/dev/null
-    
+
    # List of files/directories to preserve (already backed up)
    local preserve_patterns=(
        "data"
@@ -308,48 +308,48 @@ clear_original_directory() {
        ".git"
        "scripts"
    )
-    
+
    # Remove all files except preserved ones
    while IFS= read -r file; do
        local should_preserve=false
        local filename=$(basename "$file")
-        
+
        for pattern in "${preserve_patterns[@]}"; do
            if [[ "$filename" == $pattern ]]; then
                should_preserve=true
                break
            fi
        done
-        
+
        if [ "$should_preserve" = false ]; then
            rm -f "$file"
        fi
    done < <(find . -maxdepth 1 -type f ! -name ".*")
-    
+
    # Remove all directories except preserved ones
    while IFS= read -r dir; do
        local should_preserve=false
        local dirname=$(basename "$dir")
-        
+
        for pattern in "${preserve_patterns[@]}"; do
            if [[ "$dirname" == $pattern ]]; then
                should_preserve=true
                break
            fi
        done
-        
+
        if [ "$should_preserve" = false ]; then
            rm -rf "$dir"
        fi
    done < <(find . -maxdepth 1 -type d ! -name "." ! -name "..")
-    
+
    log_success "Original directory cleared"
 }

 # Restore backup files before building
 restore_backup_files() {
    log "Restoring .env, data directory, and scripts directories from backup..."
-    
+
    if [ -d "$BACKUP_DIR" ]; then
        # Restore .env file
        if [ -f "$BACKUP_DIR/.env" ]; then
@@ -365,7 +365,7 @@ restore_backup_files() {
        else
            log_warning "No .env file backup found"
        fi
-        
+
        # Restore data directory
        if [ -d "$BACKUP_DIR/data" ]; then
            if [ -d "data" ]; then
@@ -380,24 +380,24 @@ restore_backup_files() {
        else
            log_warning "No data directory backup found"
        fi
-        
+
        # Restore scripts directories
        local scripts_dirs=("ct" "install" "tools" "vm")
        for backup_name in "${scripts_dirs[@]}"; do
            if [ -d "$BACKUP_DIR/$backup_name" ]; then
                local target_dir="scripts/$backup_name"
                log "Restoring $target_dir directory from backup..."
-                
+
                # Ensure scripts directory exists
                if [ ! -d "scripts" ]; then
                    mkdir -p "scripts"
                fi
-                
+
                # Remove existing directory if it exists
                if [ -d "$target_dir" ]; then
                    rm -rf "$target_dir"
                fi
-                
+
                if cp -r "$BACKUP_DIR/$backup_name" "$target_dir"; then
                    log_success "$target_dir directory restored from backup"
                else
@@ -417,7 +417,13 @@ restore_backup_files() {
 # Verify database was restored correctly
 verify_database_restored() {
    log "Verifying database was restored correctly..."
-    
+
+    # Ensure data directory exists (will be auto-created by app if needed)
+    if [ ! -d "data" ]; then
+        log "Creating data directory..."
+        mkdir -p data
+    fi
+
    # Check for both possible database filenames
    local db_file=""
    if [ -f "data/database.sqlite" ]; then
@@ -425,23 +431,25 @@ verify_database_restored() {
    elif [ -f "data/settings.db" ]; then
        db_file="data/settings.db"
    else
-        log_error "Database file not found after restore! (checked database.sqlite and settings.db)"
-        return 1
+        # Database doesn't exist yet - this is OK for new installations
+        # The app will create it automatically via Prisma migrations
+        log_warning "No existing database file found - will be created automatically on first start"
+        return 0
    fi
-    
+
    local db_size=$(stat -f%z "$db_file" 2>/dev/null || stat -c%s "$db_file" 2>/dev/null)
    if [ "$db_size" -eq 0 ]; then
        log_warning "Database file is empty - will be recreated by Prisma migrations"
-        return 0  # Don't fail the update, let Prisma recreate the database
+        return 0 # Don't fail the update, let Prisma recreate the database
    fi
-    
+
    log_success "Database verified (file: $db_file, size: $db_size bytes)"
 }

 # Ensure DATABASE_URL is set in .env file for Prisma
 ensure_database_url() {
    log "Ensuring DATABASE_URL is set in .env file..."
-    
+
    # Check if .env file exists
    if [ ! -f ".env" ]; then
        log_warning ".env file not found, creating from .env.example..."
@@ -452,19 +460,19 @@ ensure_database_url() {
            return 1
        fi
    fi
-    
+
    # Check if DATABASE_URL is already set
    if grep -q "^DATABASE_URL=" .env; then
        log "DATABASE_URL already exists in .env file"
        return 0
    fi
-    
+
    # Add DATABASE_URL to .env file
    log "Adding DATABASE_URL to .env file..."
-    echo "" >> .env
-    echo "# Database" >> .env
-    echo "DATABASE_URL=\"file:./data/settings.db\"" >> .env
-    
+    echo "" >>.env
+    echo "# Database" >>.env
+    echo "DATABASE_URL=\"file:./data/settings.db\"" >>.env
+
    log_success "DATABASE_URL added to .env file"
 }

@@ -481,11 +489,9 @@ check_service() {
    fi
 }

-
 # Stop the application before updating
 stop_application() {
-    
-    
+
    # Change to the application directory if we're not already there
    local app_dir
    if [ -f "package.json" ] && [ -f "server.js" ]; then
@@ -503,9 +509,9 @@ stop_application() {
            return 1
        fi
    fi
-    
+
    log "Working from application directory: $(pwd)"
-    
+
    # Check if systemd service is running and disable it temporarily
    if check_service && systemctl is-active --quiet pvescriptslocal.service; then
        log "Disabling systemd service temporarily to prevent auto-restart..."
@@ -518,7 +524,7 @@ stop_application() {
    else
        log "No running systemd service found"
    fi
-    
+
    # Kill any remaining npm/node processes
    log "Killing any remaining npm/node processes..."
    local pids
@@ -537,9 +543,9 @@ stop_application() {
 # Update application files
 update_files() {
    local source_dir="$1"
-    
+
    log "Updating application files..."
-    
+
    # List of files/directories to exclude from update
    local exclude_patterns=(
        "data"
@@ -555,48 +561,48 @@ update_files() {
        "scripts/tools"
        "scripts/vm"
    )
-    
+
    # Find the actual source directory (strip the top-level directory)
    local actual_source_dir
    actual_source_dir=$(find "$source_dir" -maxdepth 1 -type d -name "community-scripts-ProxmoxVE-Local-*" | head -1)
-    
+
    if [ -z "$actual_source_dir" ]; then
        log_error "Could not find the actual source directory in $source_dir"
        return 1
    fi
-    
+
    # Verify critical files exist in source
    if [ ! -f "$actual_source_dir/package.json" ]; then
        log_error "package.json not found in source directory!"
        return 1
    fi
-    
+
    # Use process substitution instead of pipe to avoid subshell issues
    local files_copied=0
    local files_excluded=0
-    
+
    # Create a temporary file list to avoid process substitution issues
    local file_list="/tmp/file_list_$$.txt"
-    find "$actual_source_dir" -type f > "$file_list"
-    
+    find "$actual_source_dir" -type f >"$file_list"
+
    while IFS= read -r file; do
        local rel_path="${file#$actual_source_dir/}"
        local should_exclude=false
-        
+
        for pattern in "${exclude_patterns[@]}"; do
            if [[ "$rel_path" == $pattern ]] || [[ "$rel_path" == $pattern/* ]]; then
                should_exclude=true
                break
            fi
        done
-        
+
        if [ "$should_exclude" = false ]; then
            local target_dir
            target_dir=$(dirname "$rel_path")
            if [ "$target_dir" != "." ]; then
                mkdir -p "$target_dir"
            fi
-            
+
            if ! cp "$file" "$rel_path"; then
                log_error "Failed to copy $rel_path"
                rm -f "$file_list"
@@ -606,48 +612,47 @@ update_files() {
        else
            files_excluded=$((files_excluded + 1))
        fi
-    done < "$file_list"
-    
+    done <"$file_list"
+
    # Clean up temporary file
    rm -f "$file_list"
-    
+
    # Verify critical files were copied
    if [ ! -f "package.json" ]; then
        log_error "package.json was not copied to target directory!"
        return 1
    fi
-    
+
    if [ ! -f "package-lock.json" ]; then
        log_warning "package-lock.json was not copied!"
    fi
-    
+
    log_success "Application files updated successfully ($files_copied files)"
 }

-
 # Install dependencies and build
 install_and_build() {
    log "Installing dependencies..."
-    
+
    # Verify package.json exists
    if [ ! -f "package.json" ]; then
        log_error "package.json not found! Cannot install dependencies."
        return 1
    fi
-    
+
    if [ ! -f "package-lock.json" ]; then
        log_warning "No package-lock.json found, npm will generate one"
    fi
-    
+
    # Create temporary file for npm output
    local npm_log="/tmp/npm_install_$$.log"
-    
+
    # Ensure NODE_ENV is not set to production during install (we need devDependencies for build)
    local old_node_env="${NODE_ENV:-}"
    export NODE_ENV=development
-    
+
    # Run npm install to get ALL dependencies including devDependencies
-    if ! npm install --include=dev > "$npm_log" 2>&1; then
+    if ! npm install --include=dev >"$npm_log" 2>&1; then
        log_error "Failed to install dependencies"
        log_error "npm install output (last 30 lines):"
        tail -30 "$npm_log" | while read -r line; do
@@ -656,20 +661,20 @@ install_and_build() {
        rm -f "$npm_log"
        return 1
    fi
-    
+
    # Restore NODE_ENV
    if [ -n "$old_node_env" ]; then
        export NODE_ENV="$old_node_env"
    else
        unset NODE_ENV
    fi
-    
+
    log_success "Dependencies installed successfully"
    rm -f "$npm_log"
-    
+
    # Generate Prisma client
    log "Generating Prisma client..."
-    if ! npx prisma generate > "$npm_log" 2>&1; then
+    if ! npx prisma generate >"$npm_log" 2>&1; then
        log_error "Failed to generate Prisma client"
        log_error "Prisma generate output:"
        cat "$npm_log" | while read -r line; do
@@ -679,7 +684,7 @@ install_and_build() {
        return 1
    fi
    log_success "Prisma client generated successfully"
-    
+
    # Check if Prisma migrations exist and are compatible
    if [ -d "prisma/migrations" ]; then
        log "Existing migration history detected"
@@ -688,10 +693,10 @@ install_and_build() {
    else
        log_warning "No existing migration history found - this may be a fresh install"
    fi
-    
+
    # Run Prisma migrations
    log "Running Prisma migrations..."
-    if ! npx prisma migrate deploy > "$npm_log" 2>&1; then
+    if ! npx prisma migrate deploy >"$npm_log" 2>&1; then
        log_warning "Prisma migrations failed or no migrations to run"
        log "Prisma migrate output:"
        cat "$npm_log" | while read -r line; do
@@ -701,15 +706,18 @@ install_and_build() {
        log_success "Prisma migrations completed successfully"
    fi
    rm -f "$npm_log"
-    
+
    log "Building application..."
    # Set NODE_ENV to production for build
    export NODE_ENV=production
-    
+    # Unset TURBOPACK to prevent "Multiple bundler flags" error with --webpack
+    unset TURBOPACK 2>/dev/null || true
+    export TURBOPACK=''
+
    # Create temporary file for npm build output
    local build_log="/tmp/npm_build_$$.log"
-    
-    if ! npm run build > "$build_log" 2>&1; then
+
+    if ! TURBOPACK='' npm run build >"$build_log" 2>&1; then
        log_error "Failed to build application"
        log_error "npm run build output:"
        cat "$build_log" | while read -r line; do
@@ -718,18 +726,18 @@ install_and_build() {
        rm -f "$build_log"
        return 1
    fi
-    
+
    # Log success and clean up
    log_success "Application built successfully"
    rm -f "$build_log"
-    
+
    log_success "Dependencies installed and application built successfully"
 }

 # Start the application after updating
 start_application() {
    log "Starting application..."
-    
+
    # Use the global variable to determine how to start
    if [ "$SERVICE_WAS_RUNNING" = true ] && check_service; then
        log "Service was running before update, re-enabling and starting systemd service..."
@@ -761,11 +769,11 @@ start_application() {
 # Start application with npm
 start_with_npm() {
    log "Starting application with npm start..."
-    
+
    # Start in background
-    nohup npm start > server.log 2>&1 &
+    nohup npm start >server.log 2>&1 &
    local npm_pid=$!
-    
+
    # Wait a moment and check if it started
    sleep 3
    if kill -0 $npm_pid 2>/dev/null; then
@@ -776,13 +784,30 @@ start_with_npm() {
    fi
 }

+# Re-enable the systemd service on failure to prevent users from being locked out
+re_enable_service_on_failure() {
+    if check_service; then
+        log "Re-enabling systemd service after failure..."
+        if systemctl enable pvescriptslocal.service 2>/dev/null; then
+            log_success "Service re-enabled"
+            if systemctl start pvescriptslocal.service 2>/dev/null; then
+                log_success "Service started"
+            else
+                log_warning "Failed to start service - manual intervention may be required"
+            fi
+        else
+            log_warning "Failed to re-enable service - manual intervention may be required"
+        fi
+    fi
+}
+
 # Rollback function
 rollback() {
    log_warning "Rolling back to previous version..."
-    
+
    if [ -d "$BACKUP_DIR" ]; then
        log "Restoring from backup directory: $BACKUP_DIR"
-        
+
        # Restore data directory
        if [ -d "$BACKUP_DIR/data" ]; then
            log "Restoring data directory..."
@@ -797,7 +822,7 @@ rollback() {
        else
            log_warning "No data directory backup found"
        fi
-        
+
        # Restore .env file
        if [ -f "$BACKUP_DIR/.env" ]; then
            log "Restoring .env file..."
@@ -812,24 +837,24 @@ rollback() {
        else
            log_warning "No .env file backup found"
        fi
-        
+
        # Restore scripts directories
        local scripts_dirs=("ct" "install" "tools" "vm")
        for backup_name in "${scripts_dirs[@]}"; do
            if [ -d "$BACKUP_DIR/$backup_name" ]; then
                local target_dir="scripts/$backup_name"
                log "Restoring $target_dir directory from backup..."
-                
+
                # Ensure scripts directory exists
                if [ ! -d "scripts" ]; then
                    mkdir -p "scripts"
                fi
-                
+
                # Remove existing directory if it exists
                if [ -d "$target_dir" ]; then
                    rm -rf "$target_dir"
                fi
-                
+
                if mv "$BACKUP_DIR/$backup_name" "$target_dir"; then
                    log_success "$target_dir directory restored from backup"
                else
@@ -839,14 +864,17 @@ rollback() {
                log_warning "No $backup_name directory backup found"
            fi
        done
-        
+
        # Clean up backup directory
        log "Cleaning up backup directory..."
        rm -rf "$BACKUP_DIR"
    else
        log_error "No backup directory found for rollback"
    fi
-    
+
+    # Re-enable the service so users aren't locked out
+    re_enable_service_on_failure
+
    log_error "Update failed. Please check the logs and try again."
    exit 1
 }
@@ -865,14 +893,14 @@ check_node_version() {

    log "Detected Node.js version: $current"

-    if (( major_version < 24 )); then
+    if ((major_version == 24)); then
+        log_success "Node.js 24 already installed"
+    elif ((major_version < 24)); then
        log_warning "Node.js < 24 detected → upgrading to Node.js 24 LTS..."
        upgrade_node_to_24
-    elif (( major_version > 24 )); then
+    else
        log_warning "Node.js > 24 detected → script tested only up to Node 24"
        log "Continuing anyway…"
-    else
-        log_success "Node.js 24 already installed"
    fi
 }

@@ -880,22 +908,39 @@ check_node_version() {
 upgrade_node_to_24() {
    log "Preparing Node.js 24 upgrade…"

-    # Remove old nodesource repo if it exists
+    # Remove old nodesource repo files if they exist
    if [ -f /etc/apt/sources.list.d/nodesource.list ]; then
+        log "Removing old nodesource.list file..."
        rm -f /etc/apt/sources.list.d/nodesource.list
    fi
+    if [ -f /etc/apt/sources.list.d/nodesource.sources ]; then
+        log "Removing old nodesource.sources file..."
+        rm -f /etc/apt/sources.list.d/nodesource.sources
+    fi
+
+    # Update apt cache first
+    log "Updating apt cache..."
+    apt-get update >>"$LOG_FILE" 2>&1 || true

    # Install NodeSource repo for Node.js 24
-    curl -fsSL https://deb.nodesource.com/setup_24.x -o /tmp/node24_setup.sh
-    if ! bash /tmp/node24_setup.sh > /tmp/node24_setup.log 2>&1; then
+    log "Downloading Node.js 24 setup script..."
+    if ! curl -fsSL https://deb.nodesource.com/setup_24.x -o /tmp/node24_setup.sh; then
+        log_error "Failed to download Node.js 24 setup script"
+        re_enable_service_on_failure
+        exit 1
+    fi
+
+    if ! bash /tmp/node24_setup.sh >/tmp/node24_setup.log 2>&1; then
        log_error "Failed to configure Node.js 24 repository"
        tail -20 /tmp/node24_setup.log | while read -r line; do log_error "$line"; done
+        re_enable_service_on_failure
        exit 1
    fi

    log "Installing Node.js 24…"
-    if ! apt-get install -y nodejs >> "$LOG_FILE" 2>&1; then
+    if ! apt-get install -y nodejs >>"$LOG_FILE" 2>&1; then
        log_error "Failed to install Node.js 24"
+        re_enable_service_on_failure
        exit 1
    fi

@@ -912,21 +957,21 @@ main() {
        init_log
        log "Running as detached process"
        sleep 3
-        
+
    else
        init_log
    fi
-    
+
    # Check if we're running from the application directory and not already relocated
    if [ -z "${PVE_UPDATE_RELOCATED:-}" ] && [ -f "package.json" ] && [ -f "server.js" ]; then
        log "Detected running from application directory"
        bash "$0" --relocated
        exit $?
    fi
-    
+
    # Ensure we're in the application directory
    local app_dir
-    
+
    # First check if we're already in the right directory
    if [ -f "package.json" ] && [ -f "server.js" ]; then
        app_dir="$(pwd)"
@@ -943,79 +988,76 @@ main() {
            exit 1
        fi
    fi
-    
+
    # Check dependencies
    check_dependencies
-    
+
    # Load GitHub token for higher rate limits
    load_github_token
-    
+
    # Check if service was running before update
    if check_service && systemctl is-active --quiet pvescriptslocal.service; then
        SERVICE_WAS_RUNNING=true
    else
        SERVICE_WAS_RUNNING=false
    fi
-    
+
    # Get latest release info
    local release_info
    release_info=$(get_latest_release)
-    
+
    # Backup data directory
    backup_data
-    
+
    # Stop the application before updating
    stop_application

    # Check Node.js version
    check_node_version

-    #Update Node.js to 24
-    upgrade_node_to_24
-    
    # Download and extract release
    local source_dir
    source_dir=$(download_release "$release_info")
-    
+
    # Clear the original directory before updating
    clear_original_directory
-    
+
    # Update files
    if ! update_files "$source_dir"; then
        log_error "File update failed, rolling back..."
        rollback
    fi
-    
+
    # Restore .env and data directory before building
    restore_backup_files
-    
+
    # Verify database was restored correctly
    if ! verify_database_restored; then
        log_error "Database verification failed, rolling back..."
        rollback
    fi
-    
+
    # Ensure DATABASE_URL is set for Prisma
    ensure_database_url
-    
+
    # Install dependencies and build
    if ! install_and_build; then
        log_error "Install and build failed, rolling back..."
        rollback
    fi
-    
+
    # Start the application
    if ! start_application; then
        log_error "Failed to start application after update"
        rollback
    fi
-    
+
    # Cleanup only after successful start
    rm -rf "$source_dir"
    rm -rf "/tmp/pve-update-$$"
    rm -rf "$BACKUP_DIR"
    log "Backup directory cleaned up"
-    
+
    log_success "Update completed successfully!"
 }

@@ -1023,4 +1065,4 @@ main() {
 if ! main "$@"; then
    log_error "Update script failed with exit code $?"
    exit 1
-fi
+fi
@@ -1 +1 @@
 .5.1
 .5.5
				`@@ -0,0 +1 @@`
				`export { listDirectory, downloadRawFile, getRepoProvider } from "./index.ts";`