Update CHANGELOG.md

Co-authored-by: github-actions[bot] <github-actions[bot]@users.noreply.github.com>

CHANGELOG.md

@@ -12,6 +12,22 @@ Exercise vigilance regarding copycat or coat-tailing sites that seek to exploit
 
 ## 2025-11-10
 
+### 🚀 Updated Scripts
+
+  - #### 🐞 Bug Fixes
+
+    - Plex: extend checking for deb822 source [@Matt17000](https://github.com/Matt17000) ([#9036](https://github.com/community-scripts/ProxmoxVE/pull/9036))
+
+  - #### ✨ New Features
+
+    - tools.func: add helper functions for MariaDB and PostgreSQL setup [@MickLesk](https://github.com/MickLesk) ([#9026](https://github.com/community-scripts/ProxmoxVE/pull/9026))
+    - core: update message for no available updates scenario (if pinned) [@MickLesk](https://github.com/MickLesk) ([#9021](https://github.com/community-scripts/ProxmoxVE/pull/9021))
+    - Migrate Open WebUI to uv-based installation [@MickLesk](https://github.com/MickLesk) ([#9019](https://github.com/community-scripts/ProxmoxVE/pull/9019))
+
+  - #### 🔧 Refactor
+
+    - Refactor: phpIPAM [@MickLesk](https://github.com/MickLesk) ([#9027](https://github.com/community-scripts/ProxmoxVE/pull/9027))
+
 ## 2025-11-09
 
 ### 🚀 Updated Scripts

ct/openwebui.sh

@@ -23,6 +23,62 @@ function update_script() {
   header_info
   check_container_storage
   check_container_resources
+
+  if [[ -d /opt/open-webui ]]; then
+    msg_warn "Legacy installation detected — migrating to uv based install..."
+    msg_info "Stopping Service"
+    systemctl stop open-webui
+    msg_ok "Stopped Service"
+
+    msg_info "Creating Backup"
+    mkdir -p /opt/open-webui-backup
+    cp -a /opt/open-webui/backend/data /opt/open-webui-backup/data || true
+    msg_ok "Created Backup"
+
+    msg_info "Removing legacy installation"
+    rm -rf /opt/open-webui
+    rm -rf /root/.open-webui || true
+    msg_ok "Removed legacy installation"
+
+    msg_info "Installing uv-based Open-WebUI"
+    PYTHON_VERSION="3.12" setup_uv
+    $STD uv tool install --python $PYTHON_VERSION open-webui[all]
+    msg_ok "Installed uv-based Open-WebUI"
+
+    msg_info "Restoring data"
+    mkdir -p /root/.open-webui
+    cp -a /opt/open-webui-backup/data/* /root/.open-webui/ || true
+    rm -rf /opt/open-webui-backup || true
+    msg_ok "Restored data"
+
+    msg_info "Recreating Service"
+    cat <<EOF >/etc/systemd/system/open-webui.service
+[Unit]
+Description=Open WebUI Service
+After=network.target
+
+[Service]
+Type=simple
+Environment=DATA_DIR=/root/.open-webui
+EnvironmentFile=-/root/.env
+ExecStart=/root/.local/bin/open-webui serve
+WorkingDirectory=/root
+Restart=on-failure
+RestartSec=5
+User=root
+
+[Install]
+WantedBy=multi-user.target
+EOF
+
+    $STD systemctl daemon-reload
+    systemctl enable -q --now open-webui
+    msg_ok "Recreated Service"
+
+    msg_ok "Migration completed"
+    exit 0
+  fi
+
   if [[ ! -d /root/.open-webui ]]; then
     msg_error "No ${APP} Installation Found!"
     exit
@@ -50,8 +106,11 @@ function update_script() {
     fi
   fi
 
-  msg_info "Restarting Open WebUI to initiate update"
+  msg_info "Updating Open WebUI via uv"
+  PYTHON_VERSION="3.12" setup_uv
+  $STD uv tool install --python 3.12 open-webui[all]
   systemctl restart open-webui
+  msg_ok "Updated Open WebUI"
   msg_ok "Updated successfully!"
   exit
 }

ct/paperless-ngx.sh

@@ -54,8 +54,11 @@ function update_script() {
 
       msg_info "Updating Paperless-ngx"
       cp -r /opt/paperless_backup/* /opt/paperless/
-      CONSUME_DIR="$(sed -n '/^PAPERLESS_CONSUMPTION/s/[^=]=*//p' /opt/paperless/paperless.conf)"
-      mkdir -p "${CONSUME_DIR:-/opt/paperless/consume}"
+      CONSUME_DIR="$(sed -n 's/^PAPERLESS_CONSUMPTION_DIR=//p' /opt/paperless/paperless.conf)"
+      if [[ -z "$CONSUME_DIR" ]]; then
+        CONSUME_DIR="/opt/paperless/consume"
+      fi
+      mkdir -p "$CONSUME_DIR"
       cd /opt/paperless
       $STD uv sync --all-extras
       cd /opt/paperless/src

ct/phpipam.sh

@@ -33,17 +33,22 @@ function update_script() {
     systemctl stop apache2
     msg_ok "Stopped Service"
 
+    PHP_VERSION="8.4" PHP_APACHE="YES" PHP_FPM="YES" PHP_MODULE="mysql,gmp,snmp,ldap,apcu" setup_php
+
+    msg_info "Installing PHP-PEAR"
+    $STD apt install -y \
+      php-pear \
+      php-dev
+    msg_ok "Installed PHP-PEAR"
+
     mv /opt/phpipam/ /opt/phpipam-backup
-    fetch_and_deploy_gh_release "phpipam" "phpipam/phpipam" "prebuild" "latest" "/opt/phpipam" "phpipam-v*.zip"
+    CLEAN_INSTALL=1 fetch_and_deploy_gh_release "phpipam" "phpipam/phpipam" "prebuild" "latest" "/opt/phpipam" "phpipam-v*.zip"
     cp /opt/phpipam-backup/config.php /opt/phpipam
+    rm -r /opt/phpipam-backup
 
     msg_info "Starting Service"
     systemctl start apache2
     msg_ok "Started Service"
-
-    msg_info "Cleaning up"
-    rm -r /opt/phpipam-backup
-    msg_ok "Cleaned"
     msg_ok "Updated successfully!"
   fi
   exit

ct/plex.sh

@@ -23,7 +23,7 @@ function update_script() {
   header_info
   check_container_storage
   check_container_resources
-  if [[ ! -f /etc/apt/sources.list.d/plexmediaserver.list ]]; then
+  if [ ! -f /etc/apt/sources.list.d/plexmediaserver.list ]] && [[ ! -f /etc/apt/sources.list.d/plexmediaserver.sources ]]; then
     msg_error "No ${APP} Installation Found!"
     exit
   fi

frontend/public/json/cockpit.json

@@ -33,8 +33,12 @@
   },
   "notes": [
     {
-      "text": "Set a root password if using autologin. This will be the Cockpit password.`sudo passwd root`",
+      "text": "Set a root password if using autologin. This will be the Cockpit password. To set root password run `sudo passwd root`",
       "type": "info"
+    },
+    {
+      "text": "If you plan on using 45Drives extension with NFS, you must setup LXC as privileged. Some features of 45Drives don't work on Debian 13, so Debian 12 must be used.",
+      "type": "warning"
     }
   ]
 }

frontend/public/json/versions.json

@@ -1,4 +1,49 @@
 [
+  {
+    "name": "dgtlmoon/changedetection.io",
+    "version": "0.50.41",
+    "date": "2025-11-10T11:00:46Z"
+  },
+  {
+    "name": "emqx/emqx",
+    "version": "e5.10.2",
+    "date": "2025-11-10T10:58:21Z"
+  },
+  {
+    "name": "autobrr/autobrr",
+    "version": "v1.69.0",
+    "date": "2025-11-10T10:57:40Z"
+  },
+  {
+    "name": "documenso/documenso",
+    "version": "v2.0.6",
+    "date": "2025-11-10T08:08:43Z"
+  },
+  {
+    "name": "mattermost/mattermost",
+    "version": "v10.11.6",
+    "date": "2025-11-04T09:43:16Z"
+  },
+  {
+    "name": "Jackett/Jackett",
+    "version": "v0.24.270",
+    "date": "2025-11-10T05:57:22Z"
+  },
+  {
+    "name": "firefly-iii/firefly-iii",
+    "version": "v6.4.6",
+    "date": "2025-11-08T22:45:35Z"
+  },
+  {
+    "name": "jeedom/core",
+    "version": "4.4.20",
+    "date": "2025-11-10T00:27:05Z"
+  },
+  {
+    "name": "steveiliop56/tinyauth",
+    "version": "v4.0.1",
+    "date": "2025-10-15T16:53:55Z"
+  },
   {
     "name": "navidrome/navidrome",
     "version": "v0.58.5",
@@ -55,20 +100,15 @@
     "date": "2025-11-09T11:56:25Z"
   },
   {
-    "name": "firefly-iii/firefly-iii",
-    "version": "v6.4.6",
-    "date": "2025-11-08T22:45:35Z"
+    "name": "keycloak/keycloak",
+    "version": "26.4.4",
+    "date": "2025-11-07T08:55:27Z"
   },
   {
     "name": "authelia/authelia",
     "version": "v4.39.14",
     "date": "2025-11-09T07:18:40Z"
   },
-  {
-    "name": "Jackett/Jackett",
-    "version": "v0.24.268",
-    "date": "2025-11-09T05:56:26Z"
-  },
   {
     "name": "apache/couchdb",
     "version": "3.5.1",
@@ -84,16 +124,6 @@
     "version": "1.1.3",
     "date": "2025-11-09T00:28:21Z"
   },
-  {
-    "name": "jeedom/core",
-    "version": "4.4.20",
-    "date": "2025-11-09T00:27:05Z"
-  },
-  {
-    "name": "steveiliop56/tinyauth",
-    "version": "v4.0.1",
-    "date": "2025-10-15T16:53:55Z"
-  },
   {
     "name": "raydak-labs/configarr",
     "version": "v1.17.2",
@@ -149,16 +179,6 @@
     "version": "v0.85.1",
     "date": "2025-10-31T10:45:26Z"
   },
-  {
-    "name": "documenso/documenso",
-    "version": "v2.0.5",
-    "date": "2025-11-08T05:03:59Z"
-  },
-  {
-    "name": "keycloak/keycloak",
-    "version": "26.4.4",
-    "date": "2025-11-07T08:55:27Z"
-  },
   {
     "name": "home-assistant/core",
     "version": "2025.11.1",
@@ -204,11 +224,6 @@
     "version": "v1.0.0",
     "date": "2025-11-07T12:52:42Z"
   },
-  {
-    "name": "dgtlmoon/changedetection.io",
-    "version": "0.50.40",
-    "date": "2025-11-07T12:22:58Z"
-  },
   {
     "name": "element-hq/synapse",
     "version": "v1.142.0rc2",
@@ -224,11 +239,6 @@
     "version": "coverity-w45-4.14.1",
     "date": "2025-11-05T16:56:57Z"
   },
-  {
-    "name": "mattermost/mattermost",
-    "version": "v10.11.6",
-    "date": "2025-11-04T09:43:16Z"
-  },
   {
     "name": "umami-software/umami",
     "version": "v3.0.0",
@@ -337,7 +347,7 @@
   {
     "name": "javedh-dev/tracktor",
     "version": "0.5.1",
-    "date": "2025-11-05T16:14:37Z"
+    "date": "2025-11-05T15:51:02Z"
   },
   {
     "name": "zitadel/zitadel",
@@ -364,11 +374,6 @@
     "version": "1.5.0",
     "date": "2025-11-05T11:10:20Z"
   },
-  {
-    "name": "emqx/emqx",
-    "version": "e5.10.2-alpha.1",
-    "date": "2025-11-05T09:55:26Z"
-  },
   {
     "name": "glpi-project/glpi",
     "version": "11.0.2",
@@ -934,11 +939,6 @@
     "version": "r1945",
     "date": "2025-10-10T02:30:05Z"
   },
-  {
-    "name": "autobrr/autobrr",
-    "version": "v1.68.0",
-    "date": "2025-10-08T18:33:12Z"
-  },
   {
     "name": "advplyr/audiobookshelf",
     "version": "v2.30.0",

install/openwebui-install.sh

@@ -17,7 +17,11 @@ msg_info "Installing Dependencies"
 $STD apt install -y ffmpeg
 msg_ok "Installed Dependencies"
 
-USE_UVX="YES" PYTHON_VERSION="3.12" setup_uv
+PYTHON_VERSION="3.12" setup_uv
+
+msg_info "Installing Open WebUI"
+$STD uv tool install --python 3.12 open-webui[all]
+msg_ok "Installed Open WebUI"
 
 read -r -p "${TAB3}Would you like to add Ollama? <y/N> " prompt
 if [[ ${prompt,,} =~ ^(y|yes)$ ]]; then
@@ -56,7 +60,7 @@ After=network.target
 Type=simple
 EnvironmentFile=-/root/.env
 Environment=DATA_DIR=/root/.open-webui
-ExecStart=/usr/local/bin/uvx --python 3.12 open-webui@latest serve
+ExecStart=/root/.local/bin/open-webui serve
 WorkingDirectory=/root
 Restart=on-failure
 RestartSec=5
@@ -70,9 +74,4 @@ msg_ok "Created Service"
 
 motd_ssh
 customize
-
-msg_info "Cleaning up"
-$STD apt -y autoremove
-$STD apt -y autoclean
-$STD apt -y clean
-msg_ok "Cleaned"
+cleanup_lxc

install/phpipam-install.sh

@@ -13,39 +13,27 @@ setting_up_container
 network_check
 update_os
 
-msg_info "Installing Dependencies"
-$STD apt install -y php-pear
-msg_ok "Installed Dependencies"
+PHP_VERSION="8.4" PHP_APACHE="YES" PHP_FPM="YES" PHP_MODULE="mysql,gmp,snmp,ldap,apcu" setup_php
+
+msg_info "Installing PHP-PEAR"
+$STD apt install -y \
+  php-pear \
+  php-dev
+msg_ok "Installed PHP-PEAR"
 
-PHP_VERSION="8.2" PHP_APACHE="YES" PHP_FPM="YES" PHP_MODULE="mysql,imap,apcu,pspell,tidy,xmlrpc,gmp,ldap,common,snmp" setup_php
 setup_mariadb
-
-msg_info "Setting up MariaDB"
-DB_NAME=phpipam
-DB_USER=phpipam
-DB_PASS=$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | head -c13)
-$STD mariadb -u root -e "CREATE DATABASE $DB_NAME;"
-$STD mariadb -u root -e "CREATE USER '$DB_USER'@'localhost' IDENTIFIED BY '$DB_PASS';"
-$STD mariadb -u root -e "GRANT ALL ON $DB_NAME.* TO '$DB_USER'@'localhost'; FLUSH PRIVILEGES;"
-{
-  echo "phpIPAM-Credentials"
-  echo "phpIPAM Database User: $DB_USER"
-  echo "phpIPAM Database Password: $DB_PASS"
-  echo "phpIPAM Database Name: $DB_NAME"
-} >>~/phpipam.creds
-msg_ok "Set up MariaDB"
-
+MARIADB_DB_NAME="phpipam" MARIADB_DB_USER="phpipam" setup_mariadb_db
 fetch_and_deploy_gh_release "phpipam" "phpipam/phpipam" "prebuild" "latest" "/opt/phpipam" "phpipam-v*.zip"
 
 msg_info "Installing phpIPAM"
-$STD mariadb -u root "${DB_NAME}" </opt/phpipam/db/SCHEMA.sql
+$STD mariadb -u root "${MARIADB_DB_NAME}" </opt/phpipam/db/SCHEMA.sql
 cp /opt/phpipam/config.dist.php /opt/phpipam/config.php
 sed -i -e "s/\(\$disable_installer = \).*/\1true;/" \
-  -e "s/\(\$db\['user'\] = \).*/\1'$DB_USER';/" \
-  -e "s/\(\$db\['pass'\] = \).*/\1'$DB_PASS';/" \
-  -e "s/\(\$db\['name'\] = \).*/\1'$DB_NAME';/" \
+  -e "s/\(\$db\['user'\] = \).*/\1'$MARIADB_DB_USER';/" \
+  -e "s/\(\$db\['pass'\] = \).*/\1'$MARIADB_DB_PASS';/" \
+  -e "s/\(\$db\['name'\] = \).*/\1'$MARIADB_DB_NAME';/" \
   /opt/phpipam/config.php
-sed -i '/max_execution_time/s/= .*/= 600/' /etc/php/8.2/apache2/php.ini
+sed -i '/max_execution_time/s/= .*/= 600/' /etc/php/8.4/apache2/php.ini
 msg_ok "Installed phpIPAM"
 
 msg_info "Creating Service"
@@ -71,9 +59,4 @@ msg_ok "Created Service"
 
 motd_ssh
 customize
-
-msg_info "Cleaning up"
-$STD apt -y autoremove
-$STD apt -y autoclean
-$STD apt -y clean
-msg_ok "Cleaned"
+cleanup_lxc

misc/core.func

@@ -386,28 +386,28 @@ cleanup_lxc() {
 
   # Truncate writable log files silently (permission errors ignored)
   if command -v truncate >/dev/null 2>&1; then
-    find /var/log -type f -writable -print0 2>/dev/null | \
+    find /var/log -type f -writable -print0 2>/dev/null |
       xargs -0 -n1 truncate -s 0 2>/dev/null || true
   fi
 
   # Python pip
-  if command -v pip &>/dev/null; then pip cache purge || true; fi
+  if command -v pip &>/dev/null; then $STD pip cache purge || true; fi
   # Python uv
-  if command -v uv &>/dev/null; then uv cache clear || true; fi
+  if command -v uv &>/dev/null; then $STD uv cache clear || true; fi
   # Node.js npm
-  if command -v npm &>/dev/null; then npm cache clean --force || true; fi
+  if command -v npm &>/dev/null; then $STD npm cache clean --force || true; fi
   # Node.js yarn
-  if command -v yarn &>/dev/null; then yarn cache clean || true; fi
+  if command -v yarn &>/dev/null; then $STD yarn cache clean || true; fi
   # Node.js pnpm
-  if command -v pnpm &>/dev/null; then pnpm store prune || true; fi
+  if command -v pnpm &>/dev/null; then $STD pnpm store prune || true; fi
   # Go
-  if command -v go &>/dev/null; then go clean -cache -modcache || true; fi
+  if command -v go &>/dev/null; then $STD go clean -cache -modcache || true; fi
   # Rust cargo
-  if command -v cargo &>/dev/null; then cargo clean || true; fi
+  if command -v cargo &>/dev/null; then $STD cargo clean || true; fi
   # Ruby gem
-  if command -v gem &>/dev/null; then gem cleanup || true; fi
+  if command -v gem &>/dev/null; then $STD gem cleanup || true; fi
   # Composer (PHP)
-  if command -v composer &>/dev/null; then composer clear-cache || true; fi
+  if command -v composer &>/dev/null; then $STD composer clear-cache || true; fi
 
   if command -v journalctl &>/dev/null; then
     $STD journalctl --rotate || true

misc/tools.func

@@ -72,15 +72,23 @@ stop_all_services() {
   local service_patterns=("$@")
 
   for pattern in "${service_patterns[@]}"; do
-    # Find all matching services
-    systemctl list-units --type=service --all 2>/dev/null |
-      grep -oE "${pattern}[^ ]*\.service" |
-      sort -u |
-      while read -r service; do
+    # Find all matching services (use || true to avoid pipeline failures)
+    local services
+    services=$(systemctl list-units --type=service --all 2>/dev/null |
+      grep -oE "${pattern}[^ ]*\.service" 2>/dev/null |
+      sort -u 2>/dev/null || true)
+
+    # Only process if we found any services
+    if [[ -n "$services" ]]; then
+      while IFS= read -r service; do
+        [[ -z "$service" ]] && continue
         $STD systemctl stop "$service" 2>/dev/null || true
         $STD systemctl disable "$service" 2>/dev/null || true
-      done
+      done <<<"$services"
+    fi
   done
+
+  return 0
 }
 
 # ------------------------------------------------------------------------------
@@ -1207,7 +1215,7 @@ setup_deb822_repo() {
   local repo_url="$3"
   local suite="$4"
   local component="${5:-main}"
-  local architectures="${6-}"   # optional
+  local architectures="${6-}" # optional
 
   # Validate required parameters
   if [[ -z "$name" || -z "$gpg_url" || -z "$repo_url" || -z "$suite" ]]; then
@@ -1399,7 +1407,7 @@ verify_gpg_fingerprint() {
 }
 
 # ==============================================================================
-# EXISTING FUNCTIONS
+# INSTALL FUNCTIONS
 # ==============================================================================
 
 # ------------------------------------------------------------------------------
@@ -1501,7 +1509,7 @@ check_for_gh_release() {
       return 0
     fi
 
-    msg_error "No update available: ${app} is not installed!"
+    msg_ok "No update available: ${app} is already on pinned version (${current})"
     return 1
   fi
 
@@ -3044,6 +3052,85 @@ setup_mariadb() {
   msg_ok "Setup MariaDB $MARIADB_VERSION"
 }
 
+# ------------------------------------------------------------------------------
+# Creates MariaDB database with user, charset and optional extra grants/modes
+#
+# Description:
+#   - Generates password if empty
+#   - Creates database with utf8mb4_unicode_ci
+#   - Creates local user with password
+#   - Grants full access to this DB
+#   - Optional: apply extra GRANT statements (comma-separated)
+#   - Optional: apply custom GLOBAL sql_mode
+#   - Saves credentials to file
+#   - Exports variables for use in calling script
+#
+# Usage:
+#   MARIADB_DB_NAME="myapp_db" MARIADB_DB_USER="myapp_user" setup_mariadb_db
+#   MARIADB_DB_NAME="domain_monitor" MARIADB_DB_USER="domainmonitor" setup_mariadb_db
+#   MARIADB_DB_NAME="myapp" MARIADB_DB_USER="myapp" MARIADB_DB_EXTRA_GRANTS="GRANT SELECT ON \`mysql\`.\`time_zone_name\`" setup_mariadb_db
+#   MARIADB_DB_NAME="ghostfolio" MARIADB_DB_USER="ghostfolio" MARIADB_DB_SQL_MODE="" setup_mariadb_db
+#
+# Variables:
+#   MARIADB_DB_NAME         - Database name (required)
+#   MARIADB_DB_USER         - Database user (required)
+#   MARIADB_DB_PASS         - User password (optional, auto-generated if empty)
+#   MARIADB_DB_EXTRA_GRANTS - Comma-separated GRANT statements (optional)
+#                             Example: "GRANT SELECT ON \`mysql\`.\`time_zone_name\`"
+#   MARIADB_DB_SQL_MODE     - Optional global sql_mode override (e.g. "", "STRICT_TRANS_TABLES")
+#   MARIADB_DB_CREDS_FILE   - Credentials file path (optional, default: ~/${APPLICATION}.creds)
+#
+# Exports:
+#   MARIADB_DB_NAME, MARIADB_DB_USER, MARIADB_DB_PASS
+# ------------------------------------------------------------------------------
+
+function setup_mariadb_db() {
+  if [[ -z "${MARIADB_DB_NAME:-}" || -z "${MARIADB_DB_USER:-}" ]]; then
+    msg_error "MARIADB_DB_NAME and MARIADB_DB_USER must be set before calling setup_mariadb_db"
+    return 1
+  fi
+
+  if [[ -z "${MARIADB_DB_PASS:-}" ]]; then
+    MARIADB_DB_PASS=$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | head -c13)
+  fi
+
+  msg_info "Setting up MariaDB Database"
+
+  $STD mariadb -u root -e "CREATE DATABASE \`$MARIADB_DB_NAME\` CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;"
+  $STD mariadb -u root -e "CREATE USER '$MARIADB_DB_USER'@'localhost' IDENTIFIED BY '$MARIADB_DB_PASS';"
+  $STD mariadb -u root -e "GRANT ALL ON \`$MARIADB_DB_NAME\`.* TO '$MARIADB_DB_USER'@'localhost';"
+
+  # Optional extra grants
+  if [[ -n "${MARIADB_DB_EXTRA_GRANTS:-}" ]]; then
+    IFS=',' read -ra G_LIST <<<"${MARIADB_DB_EXTRA_GRANTS:-}"
+    for g in "${G_LIST[@]}"; do
+      g=$(echo "$g" | xargs)
+      $STD mariadb -u root -e "$g TO '$MARIADB_DB_USER'@'localhost';"
+    done
+  fi
+
+  # Optional sql_mode override
+  if [[ -n "${MARIADB_DB_SQL_MODE:-}" ]]; then
+    $STD mariadb -u root -e "SET GLOBAL sql_mode='${MARIADB_DB_SQL_MODE:-}';"
+  fi
+
+  $STD mariadb -u root -e "FLUSH PRIVILEGES;"
+
+  local CREDS_FILE="${MARIADB_DB_CREDS_FILE:-${HOME}/${APPLICATION}.creds}"
+  {
+    echo "MariaDB Credentials"
+    echo "Database: $MARIADB_DB_NAME"
+    echo "User: $MARIADB_DB_USER"
+    echo "Password: $MARIADB_DB_PASS"
+  } >>"$CREDS_FILE"
+
+  msg_ok "Set up MariaDB Database"
+
+  export MARIADB_DB_NAME
+  export MARIADB_DB_USER
+  export MARIADB_DB_PASS
+}
+
 # ------------------------------------------------------------------------------
 # Installs or updates MongoDB to specified major version.
 #
@@ -3803,6 +3890,103 @@ function setup_postgresql() {
   fi
 }
 
+# ------------------------------------------------------------------------------
+# Creates PostgreSQL database with user and optional extensions
+#
+# Description:
+#   - Creates PostgreSQL role with login and password
+#   - Creates database with UTF8 encoding and template0
+#   - Installs optional extensions (postgis, pgvector, etc.)
+#   - Configures ALTER ROLE settings for Django/Rails compatibility
+#   - Saves credentials to file
+#   - Exports variables for use in calling script
+#
+# Usage:
+#   PG_DB_NAME="myapp_db" PG_DB_USER="myapp_user" setup_postgresql_db
+#   PG_DB_NAME="immich" PG_DB_USER="immich" PG_DB_EXTENSIONS="pgvector" setup_postgresql_db
+#   PG_DB_NAME="ghostfolio" PG_DB_USER="ghostfolio" PG_DB_GRANT_SUPERUSER="true" setup_postgresql_db
+#   PG_DB_NAME="adventurelog" PG_DB_USER="adventurelog" PG_DB_EXTENSIONS="postgis" setup_postgresql_db
+#
+# Variables:
+#   PG_DB_NAME             - Database name (required)
+#   PG_DB_USER             - Database user (required)
+#   PG_DB_PASS             - Database password (optional, auto-generated if empty)
+#   PG_DB_EXTENSIONS       - Comma-separated list of extensions (optional, e.g. "postgis,pgvector")
+#   PG_DB_GRANT_SUPERUSER  - Grant SUPERUSER privilege (optional, "true" to enable, security risk!)
+#   PG_DB_SCHEMA_PERMS     - Grant schema-level permissions (optional, "true" to enable)
+#   PG_DB_SKIP_ALTER_ROLE  - Skip ALTER ROLE settings (optional, "true" to skip)
+#   PG_DB_CREDS_FILE       - Credentials file path (optional, default: ~/${APPLICATION}.creds)
+#
+# Exports:
+#   PG_DB_NAME, PG_DB_USER, PG_DB_PASS - For use in calling script
+# ------------------------------------------------------------------------------
+
+function setup_postgresql_db() {
+  # Validation
+  if [[ -z "${PG_DB_NAME:-}" || -z "${PG_DB_USER:-}" ]]; then
+    msg_error "PG_DB_NAME and PG_DB_USER must be set before calling setup_postgresql_db"
+    return 1
+  fi
+
+  # Generate password if not provided
+  if [[ -z "${PG_DB_PASS:-}" ]]; then
+    PG_DB_PASS=$(openssl rand -base64 18 | tr -dc 'a-zA-Z0-9' | head -c13)
+  fi
+
+  msg_info "Setting up PostgreSQL Database"
+  $STD sudo -u postgres psql -c "CREATE ROLE $PG_DB_USER WITH LOGIN PASSWORD '$PG_DB_PASS';"
+  $STD sudo -u postgres psql -c "CREATE DATABASE $PG_DB_NAME WITH OWNER $PG_DB_USER ENCODING 'UTF8' TEMPLATE template0;"
+
+  # Install extensions (comma-separated)
+  if [[ -n "${PG_DB_EXTENSIONS:-}" ]]; then
+    IFS=',' read -ra EXT_LIST <<<"${PG_DB_EXTENSIONS:-}"
+    for ext in "${EXT_LIST[@]}"; do
+      ext=$(echo "$ext" | xargs) # Trim whitespace
+      $STD sudo -u postgres psql -d "$PG_DB_NAME" -c "CREATE EXTENSION IF NOT EXISTS $ext;"
+    done
+  fi
+
+  # ALTER ROLE settings for Django/Rails compatibility (unless skipped)
+  if [[ "${PG_DB_SKIP_ALTER_ROLE:-}" != "true" ]]; then
+    $STD sudo -u postgres psql -c "ALTER ROLE $PG_DB_USER SET client_encoding TO 'utf8';"
+    $STD sudo -u postgres psql -c "ALTER ROLE $PG_DB_USER SET default_transaction_isolation TO 'read committed';"
+    $STD sudo -u postgres psql -c "ALTER ROLE $PG_DB_USER SET timezone TO 'UTC';"
+  fi
+
+  # Schema permissions (if requested)
+  if [[ "${PG_DB_SCHEMA_PERMS:-}" == "true" ]]; then
+    $STD sudo -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE $PG_DB_NAME TO $PG_DB_USER;"
+    $STD sudo -u postgres psql -c "ALTER USER $PG_DB_USER CREATEDB;"
+    $STD sudo -u postgres psql -d "$PG_DB_NAME" -c "GRANT ALL ON SCHEMA public TO $PG_DB_USER;"
+    $STD sudo -u postgres psql -d "$PG_DB_NAME" -c "GRANT CREATE ON SCHEMA public TO $PG_DB_USER;"
+    $STD sudo -u postgres psql -d "$PG_DB_NAME" -c "ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO $PG_DB_USER;"
+    $STD sudo -u postgres psql -d "$PG_DB_NAME" -c "ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO $PG_DB_USER;"
+  fi
+
+  # Superuser grant (if requested - WARNING!)
+  if [[ "${PG_DB_GRANT_SUPERUSER:-}" == "true" ]]; then
+    msg_warn "Granting SUPERUSER privilege (security risk!)"
+    $STD sudo -u postgres psql -c "GRANT ALL PRIVILEGES ON DATABASE $PG_DB_NAME to $PG_DB_USER;"
+    $STD sudo -u postgres psql -c "ALTER USER $PG_DB_USER WITH SUPERUSER;"
+  fi
+
+  # Save credentials
+  local CREDS_FILE="${PG_DB_CREDS_FILE:-${HOME}/${APPLICATION}.creds}"
+  {
+    echo "PostgreSQL Credentials"
+    echo "Database: $PG_DB_NAME"
+    echo "User: $PG_DB_USER"
+    echo "Password: $PG_DB_PASS"
+  } >>"$CREDS_FILE"
+
+  msg_ok "Set up PostgreSQL Database"
+
+  # Export for use in calling script
+  export PG_DB_NAME
+  export PG_DB_USER
+  export PG_DB_PASS
+}
+
 # ------------------------------------------------------------------------------
 # Installs rbenv and ruby-build, installs Ruby and optionally Rails.
 #