Fix PBS certificate validation: pass PBS_FINGERPRINT, optional fingerprint for trusted CA

- Pass stored pbs_fingerprint as PBS_FINGERPRINT in login, snapshot list, and restore
- Allow empty fingerprint so trusted-CA PBS works without entering one
- Make fingerprint field optional in PBSCredentialsModal with updated helper text

Fixes #438

.env.example

@@ -18,7 +18,12 @@ ALLOWED_SCRIPT_PATHS="scripts/"
 WEBSOCKET_PORT="3001"
 
 # User settings
+# Optional tokens for private repos: GITHUB_TOKEN (GitHub), GITLAB_TOKEN (GitLab),
+# BITBUCKET_APP_PASSWORD or BITBUCKET_TOKEN (Bitbucket). REPO_URL and added repos
+# can be GitHub, GitLab, Bitbucket, or custom Git servers.
 GITHUB_TOKEN=
+GITLAB_TOKEN=
+BITBUCKET_APP_PASSWORD=
 SAVE_FILTER=false
 FILTERS=
 AUTH_USERNAME=

src/app/_components/ConfigurationModal.tsx

@@ -109,6 +109,7 @@ export function ConfigurationModal({
         var_mknod: 0,
         var_mount_fs: '',
         var_protection: 'no',
+        var_tun: 'no',
 
         // System
         var_timezone: '',
@@ -198,6 +199,17 @@ export function ConfigurationModal({
     return !isNaN(num) && num > 0;
   };
 
+  const validateHostname = (hostname: string): boolean => {
+    if (!hostname || hostname.length > 253) return false;
+    const label = /^[a-zA-Z0-9]([a-zA-Z0-9-]*[a-zA-Z0-9])?$/;
+    const labels = hostname.split('.');
+    return labels.length >= 1 && labels.every(l => l.length >= 1 && l.length <= 63 && label.test(l));
+  };
+
+  const validateAptCacherAddress = (value: string): boolean => {
+    return validateIPv4(value) || validateHostname(value);
+  };
+
   const validateForm = (): boolean => {
     const newErrors: Record<string, string> = {};
 
@@ -215,8 +227,8 @@ export function ConfigurationModal({
       if (advancedVars.var_ns && !validateIPv4(advancedVars.var_ns as string)) {
         newErrors.var_ns = 'Invalid IPv4 address';
       }
-      if (advancedVars.var_apt_cacher_ip && !validateIPv4(advancedVars.var_apt_cacher_ip as string)) {
-        newErrors.var_apt_cacher_ip = 'Invalid IPv4 address';
+      if (advancedVars.var_apt_cacher_ip && !validateAptCacherAddress(advancedVars.var_apt_cacher_ip as string)) {
+        newErrors.var_apt_cacher_ip = 'Invalid IPv4 address or hostname';
       }
       // Validate IPv4 CIDR if network mode is static
       const netValue = advancedVars.var_net;
@@ -806,6 +818,20 @@ export function ConfigurationModal({
                       <option value={1}>Enabled</option>
                     </select>
                   </div>
+                  <div>
+                    <label className="block text-sm font-medium text-foreground mb-2">
+                      TUN/TAP (VPN)
+                    </label>
+                    <select
+                      value={typeof advancedVars.var_tun === 'boolean' ? (advancedVars.var_tun ? 'yes' : 'no') : String(advancedVars.var_tun ?? 'no')}
+                      onChange={(e) => updateAdvancedVar('var_tun', e.target.value)}
+                      className="w-full rounded-md border border-input bg-background px-3 py-2 text-sm text-foreground focus:ring-2 focus:ring-ring focus:outline-none"
+                    >
+                      <option value="no">No</option>
+                      <option value="yes">Yes</option>
+                    </select>
+                    <p className="text-xs text-muted-foreground mt-1">For Tailscale, WireGuard, OpenVPN</p>
+                  </div>
                   <div>
                     <label className="block text-sm font-medium text-foreground mb-2">
                       Mknod
@@ -889,13 +915,13 @@ export function ConfigurationModal({
                   </div>
                   <div>
                     <label className="block text-sm font-medium text-foreground mb-2">
-                      APT Cacher IP
+                      APT Cacher host or IP
                     </label>
                     <Input
                       type="text"
                       value={typeof advancedVars.var_apt_cacher_ip === 'boolean' ? '' : String(advancedVars.var_apt_cacher_ip ?? '')}
                       onChange={(e) => updateAdvancedVar('var_apt_cacher_ip', e.target.value)}
-                      placeholder="192.168.1.10"
+                      placeholder="192.168.1.10 or apt-cacher.internal"
                       className={errors.var_apt_cacher_ip ? 'border-destructive' : ''}
                     />
                     {errors.var_apt_cacher_ip && (

src/app/_components/DownloadedScriptsTab.tsx

@@ -8,7 +8,9 @@ import { ScriptDetailModal } from "./ScriptDetailModal";
 import { CategorySidebar } from "./CategorySidebar";
 import { FilterBar, type FilterState } from "./FilterBar";
 import { ViewToggle } from "./ViewToggle";
+import { ConfirmationModal } from "./ConfirmationModal";
 import { Button } from "./ui/button";
+import { RefreshCw } from "lucide-react";
 import type { ScriptCard as ScriptCardType } from "~/types/script";
 import type { Server } from "~/types/server";
 import { getDefaultFilters, mergeFiltersWithDefaults } from "./filterUtils";
@@ -32,8 +34,15 @@ export function DownloadedScriptsTab({
   const [filters, setFilters] = useState<FilterState>(getDefaultFilters());
   const [saveFiltersEnabled, setSaveFiltersEnabled] = useState(false);
   const [isLoadingFilters, setIsLoadingFilters] = useState(true);
+  const [updateAllConfirmOpen, setUpdateAllConfirmOpen] = useState(false);
+  const [updateResult, setUpdateResult] = useState<{
+    successCount: number;
+    failCount: number;
+    failed: { slug: string; error: string }[];
+  } | null>(null);
   const gridRef = useRef<HTMLDivElement>(null);
 
+  const utils = api.useUtils();
   const {
     data: scriptCardsData,
     isLoading: githubLoading,
@@ -50,6 +59,30 @@ export function DownloadedScriptsTab({
     { enabled: !!selectedSlug },
   );
 
+  const loadMultipleScriptsMutation = api.scripts.loadMultipleScripts.useMutation({
+    onSuccess: (data) => {
+      void utils.scripts.getAllDownloadedScripts.invalidate();
+      void utils.scripts.getScriptCardsWithCategories.invalidate();
+      setUpdateResult({
+        successCount: data.successful?.length ?? 0,
+        failCount: data.failed?.length ?? 0,
+        failed: (data.failed ?? []).map((f) => ({
+          slug: f.slug,
+          error: f.error ?? "Unknown error",
+        })),
+      });
+      setTimeout(() => setUpdateResult(null), 8000);
+    },
+    onError: (error) => {
+      setUpdateResult({
+        successCount: 0,
+        failCount: 1,
+        failed: [{ slug: "Request failed", error: error.message }],
+      });
+      setTimeout(() => setUpdateResult(null), 8000);
+    },
+  });
+
   // Load SAVE_FILTER setting, saved filters, and view mode on component mount
   useEffect(() => {
     const loadSettings = async () => {
@@ -416,6 +449,21 @@ export function DownloadedScriptsTab({
     setSelectedSlug(null);
   };
 
+  const handleUpdateAllClick = () => {
+    setUpdateResult(null);
+    setUpdateAllConfirmOpen(true);
+  };
+
+  const handleUpdateAllConfirm = () => {
+    setUpdateAllConfirmOpen(false);
+    const slugs = downloadedScripts
+      .map((s) => s.slug)
+      .filter((slug): slug is string => Boolean(slug));
+    if (slugs.length > 0) {
+      loadMultipleScriptsMutation.mutate({ slugs });
+    }
+  };
+
   if (githubLoading || localLoading) {
     return (
       <div className="flex items-center justify-center py-12">
@@ -508,6 +556,43 @@ export function DownloadedScriptsTab({
 
         {/* Main Content */}
         <div className="order-1 min-w-0 flex-1 lg:order-2" ref={gridRef}>
+          {/* Update all downloaded scripts */}
+          <div className="mb-4 flex flex-wrap items-center gap-3">
+            <Button
+              onClick={handleUpdateAllClick}
+              disabled={loadMultipleScriptsMutation.isPending}
+              variant="secondary"
+              size="default"
+              className="flex items-center gap-2"
+            >
+              {loadMultipleScriptsMutation.isPending ? (
+                <>
+                  <RefreshCw className="h-4 w-4 animate-spin" />
+                  <span>Updating...</span>
+                </>
+              ) : (
+                <>
+                  <RefreshCw className="h-4 w-4" />
+                  <span>Update all downloaded scripts</span>
+                </>
+              )}
+            </Button>
+            {updateResult && (
+              <span className="text-muted-foreground text-sm">
+                Updated {updateResult.successCount} successfully
+                {updateResult.failCount > 0
+                  ? `, ${updateResult.failCount} failed`
+                  : ""}
+                .
+                {updateResult.failCount > 0 && updateResult.failed.length > 0 && (
+                  <span className="ml-1" title={updateResult.failed.map((f) => `${f.slug}: ${f.error}`).join("\n")}>
+                    (hover for details)
+                  </span>
+                )}
+              </span>
+            )}
+          </div>
+
           {/* Enhanced Filter Bar */}
           <FilterBar
             filters={filters}
@@ -621,6 +706,17 @@ export function DownloadedScriptsTab({
             onClose={handleCloseModal}
             onInstallScript={onInstallScript}
           />
+
+          <ConfirmationModal
+            isOpen={updateAllConfirmOpen}
+            onClose={() => setUpdateAllConfirmOpen(false)}
+            onConfirm={handleUpdateAllConfirm}
+            title="Update all downloaded scripts"
+            message={`Update all ${downloadedScripts.length} downloaded scripts? This may take several minutes.`}
+            variant="simple"
+            confirmButtonText="Update all"
+            cancelButtonText="Cancel"
+          />
         </div>
       </div>
     </div>

src/app/_components/GeneralSettingsModal.tsx

@@ -1617,7 +1617,7 @@ export function GeneralSettingsModal({
                       <Input
                         id="new-repo-url"
                         type="url"
-                        placeholder="https://github.com/owner/repo"
+                        placeholder="https://github.com/owner/repo or https://git.example.com/owner/repo"
                         value={newRepoUrl}
                         onChange={(e: React.ChangeEvent<HTMLInputElement>) =>
                           setNewRepoUrl(e.target.value)
@@ -1626,8 +1626,9 @@ export function GeneralSettingsModal({
                         className="w-full"
                       />
                       <p className="text-muted-foreground mt-1 text-xs">
-                        Enter a GitHub repository URL (e.g.,
-                        https://github.com/owner/repo)
+                        Supported: GitHub, GitLab, Bitbucket, or custom Git
+                        servers (e.g. https://github.com/owner/repo,
+                        https://gitlab.com/owner/repo)
                       </p>
                     </div>
                     <div className="border-border flex items-center justify-between gap-3 rounded-lg border p-3">

src/app/_components/PBSCredentialsModal.tsx

@@ -270,22 +270,21 @@ export function PBSCredentialsModal({
                 htmlFor="pbs-fingerprint"
                 className="text-foreground mb-1 block text-sm font-medium"
               >
-                Fingerprint <span className="text-error">*</span>
+                Fingerprint
               </label>
               <input
                 type="text"
                 id="pbs-fingerprint"
                 value={pbsFingerprint}
                 onChange={(e) => setPbsFingerprint(e.target.value)}
-                required
                 disabled={isLoading}
                 className="bg-card text-foreground placeholder-muted-foreground focus:ring-ring focus:border-ring border-border w-full rounded-md border px-3 py-2 shadow-sm focus:ring-2 focus:outline-none"
                 placeholder="e.g., 7b:e5:87:38:5e:16:05:d1:12:22:7f:73:d2:e2:d0:cf:8c:cb:28:e2:74:0c:78:91:1a:71:74:2e:79:20:5a:02"
               />
               <p className="text-muted-foreground mt-1 text-xs">
-                Server fingerprint for auto-acceptance. You can find this on
-                your PBS dashboard by clicking the &quot;Show Fingerprint&quot;
-                button.
+                Leave empty if PBS uses a trusted CA (e.g. Let&apos;s Encrypt).
+                For self-signed certificates, enter the server fingerprint from
+                the PBS dashboard (&quot;Show Fingerprint&quot;).
               </p>
             </div>
 

src/env.js

@@ -23,8 +23,11 @@ export const env = createEnv({
     ALLOWED_SCRIPT_PATHS: z.string().default("scripts/"),
     // WebSocket Configuration
     WEBSOCKET_PORT: z.string().default("3001"),
-    // GitHub Configuration
+    // Git provider tokens (optional, for private repos)
     GITHUB_TOKEN: z.string().optional(),
+    GITLAB_TOKEN: z.string().optional(),
+    BITBUCKET_APP_PASSWORD: z.string().optional(),
+    BITBUCKET_TOKEN: z.string().optional(),
     // Authentication Configuration
     AUTH_USERNAME: z.string().optional(),
     AUTH_PASSWORD_HASH: z.string().optional(),
@@ -62,8 +65,10 @@ export const env = createEnv({
     ALLOWED_SCRIPT_PATHS: process.env.ALLOWED_SCRIPT_PATHS,
     // WebSocket Configuration
     WEBSOCKET_PORT: process.env.WEBSOCKET_PORT,
-    // GitHub Configuration
     GITHUB_TOKEN: process.env.GITHUB_TOKEN,
+    GITLAB_TOKEN: process.env.GITLAB_TOKEN,
+    BITBUCKET_APP_PASSWORD: process.env.BITBUCKET_APP_PASSWORD,
+    BITBUCKET_TOKEN: process.env.BITBUCKET_TOKEN,
     // Authentication Configuration
     AUTH_USERNAME: process.env.AUTH_USERNAME,
     AUTH_PASSWORD_HASH: process.env.AUTH_PASSWORD_HASH,

src/server/api/routers/installedScripts.ts

@@ -2068,32 +2068,72 @@ export const installedScriptsRouter = createTRPCRouter({
           };
         }
 
-        // Get the script's interface_port from metadata (prioritize metadata over existing database values)
-        let detectedPort = 80; // Default fallback
-        
+        // Resolve app slug from /usr/bin/update (community-scripts) when available; else from hostname/suffix.
+        let slugFromUpdate: string | null = null;
+        try {
+          const updateCommand = `pct exec ${scriptData.container_id} -- cat /usr/bin/update 2>/dev/null`;
+          let updateOutput = '';
+          await new Promise<void>((resolve) => {
+            void sshExecutionService.executeCommand(
+              server as Server,
+              updateCommand,
+              (data: string) => { updateOutput += data; },
+              () => {},
+              () => resolve()
+            );
+          });
+          const ctSlugMatch = /ct\/([a-zA-Z0-9_.-]+)\.sh/.exec(updateOutput);
+          if (ctSlugMatch?.[1]) {
+            slugFromUpdate = ctSlugMatch[1].trim().toLowerCase();
+            console.log('🔍 Slug from /usr/bin/update:', slugFromUpdate);
+          }
+        } catch {
+          // Container may not be from community-scripts; use hostname fallback
+        }
+
+        // Get the script's interface_port from metadata. Primary: slug from /usr/bin/update; fallback: hostname/suffix.
+        let detectedPort = 80; // Default fallback
+
         try {
-          // Import localScriptsService to get script metadata
           const { localScriptsService } = await import('~/server/services/localScripts');
-          
-          // Get all scripts and find the one matching our script name
           const allScripts = await localScriptsService.getAllScripts();
-          
-          // Extract script slug from script_name (remove .sh extension)
-          const scriptSlug = scriptData.script_name.replace(/\.sh$/, '');
-          console.log('🔍 Looking for script with slug:', scriptSlug);
-          
-          const scriptMetadata = allScripts.find(script => script.slug === scriptSlug);
-          
+
+          const nameFromHostname = scriptData.script_name.replace(/\.sh$/, '').toLowerCase();
+
+          // Primary: slug from /usr/bin/update (community-scripts)
+          let scriptMetadata =
+            slugFromUpdate != null
+              ? allScripts.find((s) => s.slug === slugFromUpdate)
+              : undefined;
+          if (scriptMetadata) {
+            console.log('🔍 Using slug from /usr/bin/update for metadata:', scriptMetadata.slug);
+          }
+
+          // Fallback: exact hostname then hostname ends with slug (longest wins)
+          if (!scriptMetadata) {
+            scriptMetadata = allScripts.find((script) => script.slug === nameFromHostname);
+            if (!scriptMetadata) {
+              const suffixMatches = allScripts.filter((script) => nameFromHostname.endsWith(script.slug));
+              scriptMetadata =
+                suffixMatches.length > 0
+                  ? suffixMatches.reduce((a, b) => (a.slug.length >= b.slug.length ? a : b))
+                  : undefined;
+              if (scriptMetadata) {
+                console.log('🔍 Matched metadata by slug suffix in hostname:', scriptMetadata.slug);
+              }
+            }
+          }
+
           if (scriptMetadata?.interface_port) {
             detectedPort = scriptMetadata.interface_port;
             console.log('📋 Found interface_port in metadata:', detectedPort);
           } else {
             console.log('📋 No interface_port found in metadata, using default port 80');
-            detectedPort = 80; // Default to port 80 if no metadata port found
+            detectedPort = 80;
           }
         } catch (error) {
           console.log('⚠️ Error getting script metadata, using default port 80:', error);
-          detectedPort = 80; // Default to port 80 if metadata lookup fails
+          detectedPort = 80;
         }
         
         console.log('🎯 Final detected port:', detectedPort);

src/server/lib/gitProvider/bitbucket.ts

@@ -0,0 +1,55 @@
+import type { DirEntry, GitProvider } from './types';
+import { parseRepoUrl } from '../repositoryUrlValidation';
+
+export class BitbucketProvider implements GitProvider {
+  async listDirectory(repoUrl: string, path: string, branch: string): Promise<DirEntry[]> {
+    const { owner, repo } = parseRepoUrl(repoUrl);
+    const listUrl = `https://api.bitbucket.org/2.0/repositories/${owner}/${repo}/src/${encodeURIComponent(branch)}/${path}`;
+    const headers: Record<string, string> = {
+      'User-Agent': 'PVEScripts-Local/1.0',
+    };
+    const token = process.env.BITBUCKET_APP_PASSWORD ?? process.env.BITBUCKET_TOKEN;
+    if (token) {
+      const auth = Buffer.from(`:${token}`).toString('base64');
+      headers.Authorization = `Basic ${auth}`;
+    }
+
+    const response = await fetch(listUrl, { headers });
+    if (!response.ok) {
+      throw new Error(`Bitbucket API error: ${response.status} ${response.statusText}`);
+    }
+
+    const body = (await response.json()) as { values?: { path: string; type: string }[] };
+    const data = body.values ?? (Array.isArray(body) ? body : []);
+    if (!Array.isArray(data)) {
+      throw new Error('Bitbucket API returned unexpected response');
+    }
+    return data.map((item: { path: string; type: string }) => {
+      const name = item.path.split('/').pop() ?? item.path;
+      return {
+        name,
+        path: item.path,
+        type: item.type === 'commit_directory' ? ('dir' as const) : ('file' as const),
+      };
+    });
+  }
+
+  async downloadRawFile(repoUrl: string, filePath: string, branch: string): Promise<string> {
+    const { owner, repo } = parseRepoUrl(repoUrl);
+    const rawUrl = `https://api.bitbucket.org/2.0/repositories/${owner}/${repo}/src/${encodeURIComponent(branch)}/${filePath}`;
+    const headers: Record<string, string> = {
+      'User-Agent': 'PVEScripts-Local/1.0',
+    };
+    const token = process.env.BITBUCKET_APP_PASSWORD ?? process.env.BITBUCKET_TOKEN;
+    if (token) {
+      const auth = Buffer.from(`:${token}`).toString('base64');
+      headers.Authorization = `Basic ${auth}`;
+    }
+
+    const response = await fetch(rawUrl, { headers });
+    if (!response.ok) {
+      throw new Error(`Failed to download ${filePath}: ${response.status} ${response.statusText}`);
+    }
+    return response.text();
+  }
+}

src/server/lib/gitProvider/custom.ts

@@ -0,0 +1,44 @@
+import type { DirEntry, GitProvider } from "./types";
+import { parseRepoUrl } from "../repositoryUrlValidation";
+
+export class CustomProvider implements GitProvider {
+  async listDirectory(repoUrl: string, path: string, branch: string): Promise<DirEntry[]> {
+    const { origin, owner, repo } = parseRepoUrl(repoUrl);
+    const apiUrl = `${origin}/api/v1/repos/${owner}/${repo}/contents/${path}?ref=${encodeURIComponent(branch)}`;
+    const headers: Record<string, string> = { "User-Agent": "PVEScripts-Local/1.0" };
+    const token = process.env.GITEA_TOKEN ?? process.env.GIT_TOKEN;
+    if (token) headers.Authorization = `token ${token}`;
+
+    const response = await fetch(apiUrl, { headers });
+    if (!response.ok) {
+      throw new Error(`Custom Git server: list directory failed (${response.status}).`);
+    }
+    const data = (await response.json()) as { type: string; name: string; path: string }[];
+    if (!Array.isArray(data)) {
+      const single = data as unknown as { type?: string; name?: string; path?: string };
+      if (single?.name) {
+        return [{ name: single.name, path: single.path ?? path, type: single.type === "dir" ? "dir" : "file" }];
+      }
+      throw new Error("Custom Git server returned unexpected response");
+    }
+    return data.map((item) => ({
+      name: item.name,
+      path: item.path,
+      type: item.type === "dir" ? ("dir" as const) : ("file" as const),
+    }));
+  }
+
+  async downloadRawFile(repoUrl: string, filePath: string, branch: string): Promise<string> {
+    const { origin, owner, repo } = parseRepoUrl(repoUrl);
+    const rawUrl = `${origin}/${owner}/${repo}/raw/${encodeURIComponent(branch)}/${filePath}`;
+    const headers: Record<string, string> = { "User-Agent": "PVEScripts-Local/1.0" };
+    const token = process.env.GITEA_TOKEN ?? process.env.GIT_TOKEN;
+    if (token) headers.Authorization = `token ${token}`;
+
+    const response = await fetch(rawUrl, { headers });
+    if (!response.ok) {
+      throw new Error(`Failed to download ${filePath} from custom Git server (${response.status}).`);
+    }
+    return response.text();
+  }
+}

src/server/lib/gitProvider/github.ts

@@ -0,0 +1,60 @@
+import type { DirEntry, GitProvider } from './types';
+import { parseRepoUrl } from '../repositoryUrlValidation';
+
+export class GitHubProvider implements GitProvider {
+  async listDirectory(repoUrl: string, path: string, branch: string): Promise<DirEntry[]> {
+    const { owner, repo } = parseRepoUrl(repoUrl);
+    const apiUrl = `https://api.github.com/repos/${owner}/${repo}/contents/${path}?ref=${encodeURIComponent(branch)}`;
+    const headers: Record<string, string> = {
+      Accept: 'application/vnd.github.v3+json',
+      'User-Agent': 'PVEScripts-Local/1.0',
+    };
+    const token = process.env.GITHUB_TOKEN;
+    if (token) headers.Authorization = `token ${token}`;
+
+    const response = await fetch(apiUrl, { headers });
+    if (!response.ok) {
+      if (response.status === 403) {
+        const err = new Error(
+          `GitHub API rate limit exceeded. Consider setting GITHUB_TOKEN. Status: ${response.status} ${response.statusText}`
+        );
+        (err as Error & { name: string }).name = 'RateLimitError';
+        throw err;
+      }
+      throw new Error(`GitHub API error: ${response.status} ${response.statusText}`);
+    }
+
+    const data = (await response.json()) as { type: string; name: string; path: string }[];
+    if (!Array.isArray(data)) {
+      throw new Error('GitHub API returned unexpected response');
+    }
+    return data.map((item) => ({
+      name: item.name,
+      path: item.path,
+      type: item.type === 'dir' ? ('dir' as const) : ('file' as const),
+    }));
+  }
+
+  async downloadRawFile(repoUrl: string, filePath: string, branch: string): Promise<string> {
+    const { owner, repo } = parseRepoUrl(repoUrl);
+    const rawUrl = `https://raw.githubusercontent.com/${owner}/${repo}/${encodeURIComponent(branch)}/${filePath}`;
+    const headers: Record<string, string> = {
+      'User-Agent': 'PVEScripts-Local/1.0',
+    };
+    const token = process.env.GITHUB_TOKEN;
+    if (token) headers.Authorization = `token ${token}`;
+
+    const response = await fetch(rawUrl, { headers });
+    if (!response.ok) {
+      if (response.status === 403) {
+        const err = new Error(
+          `GitHub rate limit exceeded while downloading ${filePath}. Consider setting GITHUB_TOKEN.`
+        );
+        (err as Error & { name: string }).name = 'RateLimitError';
+        throw err;
+      }
+      throw new Error(`Failed to download ${filePath}: ${response.status} ${response.statusText}`);
+    }
+    return response.text();
+  }
+}

src/server/lib/gitProvider/gitlab.ts

@@ -0,0 +1,58 @@
+import type { DirEntry, GitProvider } from './types';
+import { parseRepoUrl } from '../repositoryUrlValidation';
+
+export class GitLabProvider implements GitProvider {
+  private getBaseUrl(repoUrl: string): string {
+    const { origin } = parseRepoUrl(repoUrl);
+    return origin;
+  }
+
+  private getProjectId(repoUrl: string): string {
+    const { owner, repo } = parseRepoUrl(repoUrl);
+    return encodeURIComponent(`${owner}/${repo}`);
+  }
+
+  async listDirectory(repoUrl: string, path: string, branch: string): Promise<DirEntry[]> {
+    const baseUrl = this.getBaseUrl(repoUrl);
+    const projectId = this.getProjectId(repoUrl);
+    const apiUrl = `${baseUrl}/api/v4/projects/${projectId}/repository/tree?path=${encodeURIComponent(path)}&ref=${encodeURIComponent(branch)}&per_page=100`;
+    const headers: Record<string, string> = {
+      'User-Agent': 'PVEScripts-Local/1.0',
+    };
+    const token = process.env.GITLAB_TOKEN;
+    if (token) headers['PRIVATE-TOKEN'] = token;
+
+    const response = await fetch(apiUrl, { headers });
+    if (!response.ok) {
+      throw new Error(`GitLab API error: ${response.status} ${response.statusText}`);
+    }
+
+    const data = (await response.json()) as { type: string; name: string; path: string }[];
+    if (!Array.isArray(data)) {
+      throw new Error('GitLab API returned unexpected response');
+    }
+    return data.map((item) => ({
+      name: item.name,
+      path: item.path,
+      type: item.type === 'tree' ? ('dir' as const) : ('file' as const),
+    }));
+  }
+
+  async downloadRawFile(repoUrl: string, filePath: string, branch: string): Promise<string> {
+    const baseUrl = this.getBaseUrl(repoUrl);
+    const projectId = this.getProjectId(repoUrl);
+    const encodedPath = encodeURIComponent(filePath);
+    const rawUrl = `${baseUrl}/api/v4/projects/${projectId}/repository/files/${encodedPath}/raw?ref=${encodeURIComponent(branch)}`;
+    const headers: Record<string, string> = {
+      'User-Agent': 'PVEScripts-Local/1.0',
+    };
+    const token = process.env.GITLAB_TOKEN;
+    if (token) headers['PRIVATE-TOKEN'] = token;
+
+    const response = await fetch(rawUrl, { headers });
+    if (!response.ok) {
+      throw new Error(`Failed to download ${filePath}: ${response.status} ${response.statusText}`);
+    }
+    return response.text();
+  }
+}

src/server/lib/gitProvider/index.js

@@ -0,0 +1 @@
+export { listDirectory, downloadRawFile, getRepoProvider } from "./index.ts";

src/server/lib/gitProvider/index.ts

@@ -0,0 +1,28 @@
+import type { DirEntry, GitProvider } from "./types";
+import { getRepoProvider } from "../repositoryUrlValidation";
+import { GitHubProvider } from "./github";
+import { GitLabProvider } from "./gitlab";
+import { BitbucketProvider } from "./bitbucket";
+import { CustomProvider } from "./custom";
+
+const providers: Record<string, GitProvider> = {
+  github: new GitHubProvider(),
+  gitlab: new GitLabProvider(),
+  bitbucket: new BitbucketProvider(),
+  custom: new CustomProvider(),
+};
+
+export type { DirEntry, GitProvider };
+export { getRepoProvider };
+
+export function getGitProvider(repoUrl: string): GitProvider {
+  return providers[getRepoProvider(repoUrl)]!;
+}
+
+export async function listDirectory(repoUrl: string, path: string, branch: string): Promise<DirEntry[]> {
+  return getGitProvider(repoUrl).listDirectory(repoUrl, path, branch);
+}
+
+export async function downloadRawFile(repoUrl: string, filePath: string, branch: string): Promise<string> {
+  return getGitProvider(repoUrl).downloadRawFile(repoUrl, filePath, branch);
+}

src/server/lib/gitProvider/types.ts

@@ -0,0 +1,14 @@
+/**
+ * Git provider interface for listing and downloading repository files.
+ */
+
+export type DirEntry = {
+  name: string;
+  path: string;
+  type: 'file' | 'dir';
+};
+
+export interface GitProvider {
+  listDirectory(repoUrl: string, path: string, branch: string): Promise<DirEntry[]>;
+  downloadRawFile(repoUrl: string, filePath: string, branch: string): Promise<string>;
+}

src/server/lib/repositoryUrlValidation.js

@@ -0,0 +1,37 @@
+/**
+ * Repository URL validation (JS mirror for server.js).
+ */
+const VALID_REPO_URL =
+  /^(https?:\/\/)(github\.com|gitlab\.com|bitbucket\.org|[^/]+)\/[^/]+\/[^/]+$/;
+
+export const REPO_URL_ERROR_MESSAGE =
+  'Invalid repository URL. Supported: GitHub, GitLab, Bitbucket, and custom Git servers (e.g. https://host/owner/repo).';
+
+export function isValidRepositoryUrl(url) {
+  if (typeof url !== 'string' || !url.trim()) return false;
+  return VALID_REPO_URL.test(url.trim());
+}
+
+export function getRepoProvider(url) {
+  if (!isValidRepositoryUrl(url)) throw new Error(REPO_URL_ERROR_MESSAGE);
+  const normalized = url.trim().toLowerCase();
+  if (normalized.includes('github.com')) return 'github';
+  if (normalized.includes('gitlab.com')) return 'gitlab';
+  if (normalized.includes('bitbucket.org')) return 'bitbucket';
+  return 'custom';
+}
+
+export function parseRepoUrl(url) {
+  if (!isValidRepositoryUrl(url)) throw new Error(REPO_URL_ERROR_MESSAGE);
+  try {
+    const u = new URL(url.trim());
+    const pathParts = u.pathname.replace(/^\/+/, '').replace(/\.git\/?$/, '').split('/');
+    return {
+      origin: u.origin,
+      owner: pathParts[0] ?? '',
+      repo: pathParts[1] ?? '',
+    };
+  } catch {
+    throw new Error(REPO_URL_ERROR_MESSAGE);
+  }
+}

src/server/lib/repositoryUrlValidation.ts

@@ -0,0 +1,57 @@
+/**
+ * Repository URL validation and provider detection.
+ * Supports GitHub, GitLab, Bitbucket, and custom Git servers.
+ */
+
+const VALID_REPO_URL =
+  /^(https?:\/\/)(github\.com|gitlab\.com|bitbucket\.org|[^/]+)\/[^/]+\/[^/]+$/;
+
+export const REPO_URL_ERROR_MESSAGE =
+  'Invalid repository URL. Supported: GitHub, GitLab, Bitbucket, and custom Git servers (e.g. https://host/owner/repo).';
+
+export type RepoProvider = 'github' | 'gitlab' | 'bitbucket' | 'custom';
+
+/**
+ * Check if a string is a valid repository URL (format only).
+ */
+export function isValidRepositoryUrl(url: string): boolean {
+  if (typeof url !== 'string' || !url.trim()) return false;
+  return VALID_REPO_URL.test(url.trim());
+}
+
+/**
+ * Detect the Git provider from a repository URL.
+ */
+export function getRepoProvider(url: string): RepoProvider {
+  if (!isValidRepositoryUrl(url)) {
+    throw new Error(REPO_URL_ERROR_MESSAGE);
+  }
+  const normalized = url.trim().toLowerCase();
+  if (normalized.includes('github.com')) return 'github';
+  if (normalized.includes('gitlab.com')) return 'gitlab';
+  if (normalized.includes('bitbucket.org')) return 'bitbucket';
+  return 'custom';
+}
+
+/**
+ * Parse owner and repo from a repository URL (path segments).
+ * Works for GitHub, GitLab, Bitbucket, and custom (host/owner/repo).
+ */
+export function parseRepoUrl(url: string): { origin: string; owner: string; repo: string } {
+  if (!isValidRepositoryUrl(url)) {
+    throw new Error(REPO_URL_ERROR_MESSAGE);
+  }
+  try {
+    const u = new URL(url.trim());
+    const pathParts = u.pathname.replace(/^\/+/, '').replace(/\.git\/?$/, '').split('/');
+    const owner = pathParts[0] ?? '';
+    const repo = pathParts[1] ?? '';
+    return {
+      origin: u.origin,
+      owner,
+      repo,
+    };
+  } catch {
+    throw new Error(REPO_URL_ERROR_MESSAGE);
+  }
+}

src/server/services/backupService.ts

@@ -327,13 +327,16 @@ class BackupService {
     // PBS supports PBS_PASSWORD and PBS_REPOSITORY environment variables for non-interactive login
     const repository = `root@pam@${pbsIp}:${pbsDatastore}`;
     
-    // Escape password for shell safety (single quotes)
+    // Escape password and fingerprint for shell safety (single quotes)
     const escapedPassword = credential.pbs_password.replace(/'/g, "'\\''");
-    
-    // Use PBS_PASSWORD environment variable for non-interactive authentication
-    // Auto-accept fingerprint by piping "y" to stdin
-    // PBS will use PBS_PASSWORD env var if available, avoiding interactive prompt
-    const fullCommand = `echo "y" | PBS_PASSWORD='${escapedPassword}' PBS_REPOSITORY='${repository}' timeout 10 proxmox-backup-client login --repository ${repository} 2>&1`;
+    const fingerprint = credential.pbs_fingerprint?.trim() ?? '';
+    const escapedFingerprint = fingerprint ? fingerprint.replace(/'/g, "'\\''") : '';
+    const envParts = [`PBS_PASSWORD='${escapedPassword}'`, `PBS_REPOSITORY='${repository}'`];
+    if (escapedFingerprint) {
+      envParts.push(`PBS_FINGERPRINT='${escapedFingerprint}'`);
+    }
+    const envStr = envParts.join(' ');
+    const fullCommand = `${envStr} timeout 10 proxmox-backup-client login --repository ${repository} 2>&1`;
     
     console.log(`[BackupService] Logging into PBS: ${repository}`);
     
@@ -419,9 +422,12 @@ class BackupService {
     
     // Build full repository string: root@pam@<IP>:<DATASTORE>
     const repository = `root@pam@${pbsIp}:${pbsDatastore}`;
-    
+    const fingerprint = credential.pbs_fingerprint?.trim() ?? '';
+    const escapedFingerprint = fingerprint ? fingerprint.replace(/'/g, "'\\''") : '';
+    const snapshotEnvParts = escapedFingerprint ? [`PBS_FINGERPRINT='${escapedFingerprint}'`] : [];
+    const snapshotEnvStr = snapshotEnvParts.length ? snapshotEnvParts.join(' ') + ' ' : '';
     // Use correct command: snapshot list ct/<CT_ID> --repository <full_repo_string>
-    const command = `timeout 30 proxmox-backup-client snapshot list ct/${ctId} --repository ${repository} 2>&1 || echo "PBS_ERROR"`;
+    const command = `${snapshotEnvStr}timeout 30 proxmox-backup-client snapshot list ct/${ctId} --repository ${repository} 2>&1 || echo "PBS_ERROR"`;
     let output = '';
     
     console.log(`[BackupService] Discovering PBS backups for CT ${ctId} on repository ${repository}`);

src/server/services/githubJsonService.js

@@ -2,6 +2,7 @@
 import { writeFile, mkdir, readdir, readFile } from 'fs/promises';
 import { join } from 'path';
 import { repositoryService } from './repositoryService.js';
+import { listDirectory, downloadRawFile } from '../lib/gitProvider/index.js';
 
 // Get environment variables
 const getEnv = () => ({
@@ -28,76 +29,9 @@ class GitHubJsonService {
     }
   }
 
-  getBaseUrl(repoUrl) {
-    const urlMatch = /github\.com\/([^\/]+)\/([^\/]+)/.exec(repoUrl);
-    if (!urlMatch) {
-      throw new Error(`Invalid GitHub repository URL: ${repoUrl}`);
-    }
-    
-    const [, owner, repo] = urlMatch;
-    return `https://api.github.com/repos/${owner}/${repo}`;
-  }
-
-  extractRepoPath(repoUrl) {
-    const match = /github\.com\/([^\/]+)\/([^\/]+)/.exec(repoUrl);
-    if (!match) {
-      throw new Error('Invalid GitHub repository URL');
-    }
-    return `${match[1]}/${match[2]}`;
-  }
-
-  async fetchFromGitHub(repoUrl, endpoint) {
-    const baseUrl = this.getBaseUrl(repoUrl);
-    const env = getEnv();
-    
-    const headers = {
-      'Accept': 'application/vnd.github.v3+json',
-      'User-Agent': 'PVEScripts-Local/1.0',
-    };
-    
-    if (env.GITHUB_TOKEN) {
-      headers.Authorization = `token ${env.GITHUB_TOKEN}`;
-    }
-    
-    const response = await fetch(`${baseUrl}${endpoint}`, { headers });
-
-    if (!response.ok) {
-      if (response.status === 403) {
-        const error = new Error(`GitHub API rate limit exceeded. Consider setting GITHUB_TOKEN for higher limits. Status: ${response.status} ${response.statusText}`);
-        error.name = 'RateLimitError';
-        throw error;
-      }
-      throw new Error(`GitHub API error: ${response.status} ${response.statusText}`);
-    }
-
-    return response.json();
-  }
-
   async downloadJsonFile(repoUrl, filePath) {
     this.initializeConfig();
-    const repoPath = this.extractRepoPath(repoUrl);
-    const rawUrl = `https://raw.githubusercontent.com/${repoPath}/${this.branch}/${filePath}`;
-    const env = getEnv();
-    
-    const headers = {
-      'User-Agent': 'PVEScripts-Local/1.0',
-    };
-    
-    if (env.GITHUB_TOKEN) {
-      headers.Authorization = `token ${env.GITHUB_TOKEN}`;
-    }
-    
-    const response = await fetch(rawUrl, { headers });
-    if (!response.ok) {
-      if (response.status === 403) {
-        const error = new Error(`GitHub rate limit exceeded while downloading ${filePath}. Consider setting GITHUB_TOKEN for higher limits.`);
-        error.name = 'RateLimitError';
-        throw error;
-      }
-      throw new Error(`Failed to download ${filePath}: ${response.status} ${response.statusText}`);
-    }
-
-    const content = await response.text();
+    const content = await downloadRawFile(repoUrl, filePath, this.branch);
     const script = JSON.parse(content);
     script.repository_url = repoUrl;
     return script;
@@ -105,16 +39,13 @@ class GitHubJsonService {
 
   async getJsonFiles(repoUrl) {
     this.initializeConfig();
-    
     try {
-      const files = await this.fetchFromGitHub(
-        repoUrl,
-        `/contents/${this.jsonFolder}?ref=${this.branch}`
-      );
-      
-      return files.filter(file => file.name.endsWith('.json'));
+      const entries = await listDirectory(repoUrl, this.jsonFolder, this.branch);
+      return entries
+        .filter((e) => e.type === 'file' && e.name.endsWith('.json'))
+        .map((e) => ({ name: e.name, path: e.path }));
     } catch (error) {
-      console.error(`Error fetching JSON files from GitHub (${repoUrl}):`, error);
+      console.error(`Error fetching JSON files from repository (${repoUrl}):`, error);
       throw new Error(`Failed to fetch script files from repository: ${repoUrl}`);
     }
   }

src/server/services/githubJsonService.ts

@@ -3,6 +3,7 @@ import { join } from 'path';
 import { env } from '../../env.js';
 import type { Script, ScriptCard, GitHubFile } from '../../types/script';
 import { repositoryService } from './repositoryService';
+import { listDirectory, downloadRawFile } from '~/server/lib/gitProvider';
 
 export class GitHubJsonService {
   private branch: string | null = null;
@@ -22,96 +23,24 @@ export class GitHubJsonService {
     }
   }
 
-  private getBaseUrl(repoUrl: string): string {
-    const urlMatch = /github\.com\/([^\/]+)\/([^\/]+)/.exec(repoUrl);
-    if (!urlMatch) {
-      throw new Error(`Invalid GitHub repository URL: ${repoUrl}`);
-    }
-    
-    const [, owner, repo] = urlMatch;
-    return `https://api.github.com/repos/${owner}/${repo}`;
-  }
-
-  private extractRepoPath(repoUrl: string): string {
-    const match = /github\.com\/([^\/]+)\/([^\/]+)/.exec(repoUrl);
-    if (!match) {
-      throw new Error('Invalid GitHub repository URL');
-    }
-    return `${match[1]}/${match[2]}`;
-  }
-
-  private async fetchFromGitHub<T>(repoUrl: string, endpoint: string): Promise<T> {
-    const baseUrl = this.getBaseUrl(repoUrl);
-    
-    const headers: HeadersInit = {
-      'Accept': 'application/vnd.github.v3+json',
-      'User-Agent': 'PVEScripts-Local/1.0',
-    };
-    
-    // Add GitHub token authentication if available
-    if (env.GITHUB_TOKEN) {
-      headers.Authorization = `token ${env.GITHUB_TOKEN}`;
-    }
-    
-    const response = await fetch(`${baseUrl}${endpoint}`, { headers });
-
-    if (!response.ok) {
-      if (response.status === 403) {
-        const error = new Error(`GitHub API rate limit exceeded. Consider setting GITHUB_TOKEN for higher limits. Status: ${response.status} ${response.statusText}`);
-        error.name = 'RateLimitError';
-        throw error;
-      }
-      throw new Error(`GitHub API error: ${response.status} ${response.statusText}`);
-    }
-
-    const data = await response.json();
-    return data as T;
-  }
-
   private async downloadJsonFile(repoUrl: string, filePath: string): Promise<Script> {
     this.initializeConfig();
-    const repoPath = this.extractRepoPath(repoUrl);
-    const rawUrl = `https://raw.githubusercontent.com/${repoPath}/${this.branch!}/${filePath}`;
-    
-    const headers: HeadersInit = {
-      'User-Agent': 'PVEScripts-Local/1.0',
-    };
-    
-    // Add GitHub token authentication if available
-    if (env.GITHUB_TOKEN) {
-      headers.Authorization = `token ${env.GITHUB_TOKEN}`;
-    }
-    
-    const response = await fetch(rawUrl, { headers });
-    if (!response.ok) {
-      if (response.status === 403) {
-        const error = new Error(`GitHub rate limit exceeded while downloading ${filePath}. Consider setting GITHUB_TOKEN for higher limits. Status: ${response.status} ${response.statusText}`);
-        error.name = 'RateLimitError';
-        throw error;
-      }
-      throw new Error(`Failed to download ${filePath}: ${response.status} ${response.statusText}`);
-    }
-
-    const content = await response.text();
+    const content = await downloadRawFile(repoUrl, filePath, this.branch!);
     const script = JSON.parse(content) as Script;
-    // Add repository_url to script
     script.repository_url = repoUrl;
     return script;
   }
 
   async getJsonFiles(repoUrl: string): Promise<GitHubFile[]> {
     this.initializeConfig();
-    
     try {
-      const files = await this.fetchFromGitHub<GitHubFile[]>(
-        repoUrl,
-        `/contents/${this.jsonFolder!}?ref=${this.branch!}`
-      );
-      
-      // Filter for JSON files only
-      return files.filter(file => file.name.endsWith('.json'));
+      const entries = await listDirectory(repoUrl, this.jsonFolder!, this.branch!);
+      const files: GitHubFile[] = entries
+        .filter((e) => e.type === 'file' && e.name.endsWith('.json'))
+        .map((e) => ({ name: e.name, path: e.path } as GitHubFile));
+      return files;
     } catch (error) {
-      console.error(`Error fetching JSON files from GitHub (${repoUrl}):`, error);
+      console.error(`Error fetching JSON files from repository (${repoUrl}):`, error);
       throw new Error(`Failed to fetch script files from repository: ${repoUrl}`);
     }
   }
@@ -233,8 +162,7 @@ export class GitHubJsonService {
     try {
       console.log(`Starting JSON sync from repository: ${repoUrl}`);
       
-      // Get file list from GitHub
-      console.log(`Fetching file list from GitHub (${repoUrl})...`);
+      console.log(`Fetching file list from repository (${repoUrl})...`);
       const githubFiles = await this.getJsonFiles(repoUrl);
       console.log(`Found ${githubFiles.length} JSON files in repository ${repoUrl}`);
       

src/server/services/repositoryService.js

@@ -1,5 +1,6 @@
 // JavaScript wrapper for repositoryService (for use with node server.js)
 import { prisma } from '../db.js';
+import { isValidRepositoryUrl, REPO_URL_ERROR_MESSAGE } from '../lib/repositoryUrlValidation.js';
 
 class RepositoryService {
   /**
@@ -89,9 +90,8 @@ class RepositoryService {
    * Create a new repository
    */
   async createRepository(data) {
-    // Validate GitHub URL
-    if (!data.url.match(/^https:\/\/github\.com\/[^\/]+\/[^\/]+$/)) {
-      throw new Error('Invalid GitHub repository URL. Format: https://github.com/owner/repo');
+    if (!isValidRepositoryUrl(data.url)) {
+      throw new Error(REPO_URL_ERROR_MESSAGE);
     }
 
     // Check for duplicates
@@ -122,10 +122,9 @@ class RepositoryService {
    * Update repository
    */
   async updateRepository(id, data) {
-    // If updating URL, validate it
     if (data.url) {
-      if (!data.url.match(/^https:\/\/github\.com\/[^\/]+\/[^\/]+$/)) {
-        throw new Error('Invalid GitHub repository URL. Format: https://github.com/owner/repo');
+      if (!isValidRepositoryUrl(data.url)) {
+        throw new Error(REPO_URL_ERROR_MESSAGE);
       }
 
       // Check for duplicates (excluding current repo)

src/server/services/repositoryService.ts

@@ -1,5 +1,5 @@
-/* eslint-disable @typescript-eslint/prefer-regexp-exec */
 import { prisma } from '../db';
+import { isValidRepositoryUrl, REPO_URL_ERROR_MESSAGE } from '../lib/repositoryUrlValidation';
 
 export class RepositoryService {
   /**
@@ -93,9 +93,8 @@ export class RepositoryService {
     enabled?: boolean;
     priority?: number;
   }) {
-    // Validate GitHub URL
-    if (!data.url.match(/^https:\/\/github\.com\/[^\/]+\/[^\/]+$/)) {
-      throw new Error('Invalid GitHub repository URL. Format: https://github.com/owner/repo');
+    if (!isValidRepositoryUrl(data.url)) {
+      throw new Error(REPO_URL_ERROR_MESSAGE);
     }
 
     // Check for duplicates
@@ -130,10 +129,9 @@ export class RepositoryService {
     url?: string;
     priority?: number;
   }) {
-    // If updating URL, validate it
     if (data.url) {
-      if (!data.url.match(/^https:\/\/github\.com\/[^\/]+\/[^\/]+$/)) {
-        throw new Error('Invalid GitHub repository URL. Format: https://github.com/owner/repo');
+      if (!isValidRepositoryUrl(data.url)) {
+        throw new Error(REPO_URL_ERROR_MESSAGE);
       }
 
       // Check for duplicates (excluding current repo)

src/server/services/restoreService.ts

@@ -250,9 +250,16 @@ class RestoreService {
     const targetFolder = `/var/lib/vz/dump/vzdump-lxc-${ctId}-${snapshotNameForPath}`;
     const targetTar = `${targetFolder}.tar`;
     
-    // Use PBS_PASSWORD env var and add timeout for long downloads
+    // Use PBS_PASSWORD env var and add timeout for long downloads; PBS_FINGERPRINT when set for cert validation
     const escapedPassword = credential.pbs_password.replace(/'/g, "'\\''");
-    const restoreCommand = `PBS_PASSWORD='${escapedPassword}' PBS_REPOSITORY='${repository}' timeout 300 proxmox-backup-client restore "${snapshotPath}" root.pxar "${targetFolder}" --repository '${repository}' 2>&1`;
+    const fingerprint = credential.pbs_fingerprint?.trim() ?? '';
+    const escapedFingerprint = fingerprint ? fingerprint.replace(/'/g, "'\\''") : '';
+    const restoreEnvParts = [`PBS_PASSWORD='${escapedPassword}'`, `PBS_REPOSITORY='${repository}'`];
+    if (escapedFingerprint) {
+      restoreEnvParts.push(`PBS_FINGERPRINT='${escapedFingerprint}'`);
+    }
+    const restoreEnvStr = restoreEnvParts.join(' ');
+    const restoreCommand = `${restoreEnvStr} timeout 300 proxmox-backup-client restore "${snapshotPath}" root.pxar "${targetFolder}" --repository '${repository}' 2>&1`;
     
     let output = '';
     let exitCode = 0;

src/server/services/scriptDownloader.js

@@ -1,6 +1,7 @@
 // Real JavaScript implementation for script downloading
 import { join } from 'path';
 import { writeFile, mkdir, access, readFile, unlink } from 'fs/promises';
+import { downloadRawFile } from '../lib/gitProvider/index.js';
 
 export class ScriptDownloaderService {
   constructor() {
@@ -82,51 +83,18 @@ export class ScriptDownloaderService {
   }
 
   /**
-   * Extract repository path from GitHub URL
-   * @param {string} repoUrl - The GitHub repository URL
-   * @returns {string}
-   */
-  extractRepoPath(repoUrl) {
-    const match = /github\.com\/([^\/]+)\/([^\/]+)/.exec(repoUrl);
-    if (!match) {
-      throw new Error(`Invalid GitHub repository URL: ${repoUrl}`);
-    }
-    return `${match[1]}/${match[2]}`;
-  }
-
-  /**
-   * Download a file from GitHub
-   * @param {string} repoUrl - The GitHub repository URL
+   * Download a file from the repository (GitHub, GitLab, Bitbucket, or custom)
+   * @param {string} repoUrl - The repository URL
    * @param {string} filePath - The file path within the repository
    * @param {string} [branch] - The branch to download from
    * @returns {Promise<string>}
    */
-  async downloadFileFromGitHub(repoUrl, filePath, branch = 'main') {
-    this.initializeConfig();
+  async downloadFileFromRepo(repoUrl, filePath, branch = 'main') {
     if (!repoUrl) {
       throw new Error('Repository URL is not set');
     }
-
-    const repoPath = this.extractRepoPath(repoUrl);
-    const url = `https://raw.githubusercontent.com/${repoPath}/${branch}/${filePath}`;
-    
-    /** @type {Record<string, string>} */
-    const headers = {
-      'User-Agent': 'PVEScripts-Local/1.0',
-    };
-    
-    // Add GitHub token authentication if available
-    if (process.env.GITHUB_TOKEN) {
-      headers.Authorization = `token ${process.env.GITHUB_TOKEN}`;
-    }
-    
-    console.log(`Downloading from GitHub: ${url}`);
-    const response = await fetch(url, { headers });
-    if (!response.ok) {
-      throw new Error(`Failed to download ${filePath} from ${repoUrl}: ${response.status} ${response.statusText}`);
-    }
-
-    return response.text();
+    console.log(`Downloading from repository: ${repoUrl} (${filePath})`);
+    return downloadRawFile(repoUrl, filePath, branch);
   }
 
   /**
@@ -184,9 +152,8 @@ export class ScriptDownloaderService {
             const fileName = scriptPath.split('/').pop();
             
             if (fileName) {
-              // Download from GitHub using the script's repository URL
               console.log(`Downloading script file: ${scriptPath} from ${repoUrl}`);
-              const content = await this.downloadFileFromGitHub(repoUrl, scriptPath, branch);
+              const content = await this.downloadFileFromRepo(repoUrl, scriptPath, branch);
               
               // Determine target directory based on script path
               let targetDir;
@@ -250,7 +217,7 @@ export class ScriptDownloaderService {
         const installScriptName = `${script.slug}-install.sh`;
         try {
           console.log(`Downloading install script: install/${installScriptName} from ${repoUrl}`);
-          const installContent = await this.downloadFileFromGitHub(repoUrl, `install/${installScriptName}`, branch);
+          const installContent = await this.downloadFileFromRepo(repoUrl, `install/${installScriptName}`, branch);
           const localInstallPath = join(this.scriptsDirectory, 'install', installScriptName);
           await writeFile(localInstallPath, installContent, 'utf-8');
           files.push(`install/${installScriptName}`);
@@ -274,7 +241,7 @@ export class ScriptDownloaderService {
         const alpineInstallScriptName = `alpine-${script.slug}-install.sh`;
         try {
           console.log(`[${script.slug}] Downloading alpine install script: install/${alpineInstallScriptName} from ${repoUrl}`);
-          const alpineInstallContent = await this.downloadFileFromGitHub(repoUrl, `install/${alpineInstallScriptName}`, branch);
+          const alpineInstallContent = await this.downloadFileFromRepo(repoUrl, `install/${alpineInstallScriptName}`, branch);
           const localAlpineInstallPath = join(this.scriptsDirectory, 'install', alpineInstallScriptName);
           await writeFile(localAlpineInstallPath, alpineInstallContent, 'utf-8');
           files.push(`install/${alpineInstallScriptName}`);
@@ -681,7 +648,7 @@ export class ScriptDownloaderService {
       console.log(`[Comparison] Local file size: ${localContent.length} bytes`);
       
       // Download remote content from the script's repository
-      const remoteContent = await this.downloadFileFromGitHub(repoUrl, remotePath, branch);
+      const remoteContent = await this.downloadFileFromRepo(repoUrl, remotePath, branch);
       console.log(`[Comparison] Remote file size: ${remoteContent.length} bytes`);
       
       // Apply modification only for CT scripts, not for other script types
@@ -739,7 +706,7 @@ export class ScriptDownloaderService {
             // Find the corresponding script path in install_methods
             const method = script.install_methods?.find(m => m.script === filePath);
             if (method?.script) {
-              const downloadedContent = await this.downloadFileFromGitHub(repoUrl, method.script, branch);
+              const downloadedContent = await this.downloadFileFromRepo(repoUrl, method.script, branch);
               remoteContent = this.modifyScriptContent(downloadedContent);
             }
           } catch {
@@ -756,7 +723,7 @@ export class ScriptDownloaderService {
         }
 
         try {
-          remoteContent = await this.downloadFileFromGitHub(repoUrl, filePath, branch);
+          remoteContent = await this.downloadFileFromRepo(repoUrl, filePath, branch);
         } catch {
           // Error downloading remote install script
         }