fix(comfyui): update docker image to cuda 12.8

document valkey/redis naming, VERSION file, GIT_MODE, caddy addons,
external compose files pattern, GOST_NO_PROXY requirement, and
n8n-template profile pattern

.env.example

@@ -430,11 +430,13 @@ GOST_PROXY_URL=
 
 # External upstream proxy (REQUIRED - asked during wizard if gost is selected)
 # Examples: socks5://user:pass@proxy.com:1080, http://user:pass@proxy.com:8080
+# IMPORTANT: For HTTP proxies use http://, NOT https://
+# The protocol refers to proxy type, not connection security.
 GOST_UPSTREAM_PROXY=
 
 # Internal services bypass list (prevents internal Docker traffic from going through proxy)
 # Includes: Docker internal networks (172.16-31.*, 10.*), Docker DNS (127.0.0.11), and all service hostnames
-GOST_NO_PROXY=localhost,127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.local,postgres,postgres:5432,redis,redis:6379,caddy,ollama,neo4j,qdrant,weaviate,clickhouse,minio,searxng,crawl4ai,gotenberg,langfuse-web,langfuse-worker,flowise,n8n,n8n-import,n8n-worker-1,n8n-worker-2,n8n-worker-3,n8n-worker-4,n8n-worker-5,n8n-worker-6,n8n-worker-7,n8n-worker-8,n8n-worker-9,n8n-worker-10,n8n-runner-1,n8n-runner-2,n8n-runner-3,n8n-runner-4,n8n-runner-5,n8n-runner-6,n8n-runner-7,n8n-runner-8,n8n-runner-9,n8n-runner-10,letta,lightrag,docling,postiz,temporal,temporal-ui,ragflow,ragflow-mysql,ragflow-minio,ragflow-redis,ragflow-elasticsearch,ragapp,open-webui,comfyui,waha,libretranslate,paddleocr,nocodb,db,studio,kong,auth,rest,realtime,storage,imgproxy,meta,functions,analytics,vector,supavisor,gost
+GOST_NO_PROXY=localhost,127.0.0.0/8,10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,.local,postgres,postgres:5432,redis,redis:6379,caddy,ollama,neo4j,qdrant,weaviate,clickhouse,minio,searxng,crawl4ai,gotenberg,langfuse-web,langfuse-worker,flowise,n8n,n8n-import,n8n-worker-1,n8n-worker-2,n8n-worker-3,n8n-worker-4,n8n-worker-5,n8n-worker-6,n8n-worker-7,n8n-worker-8,n8n-worker-9,n8n-worker-10,n8n-runner-1,n8n-runner-2,n8n-runner-3,n8n-runner-4,n8n-runner-5,n8n-runner-6,n8n-runner-7,n8n-runner-8,n8n-runner-9,n8n-runner-10,letta,lightrag,docling,postiz,temporal,temporal-ui,ragflow,ragflow-mysql,ragflow-minio,ragflow-redis,ragflow-elasticsearch,ragapp,open-webui,comfyui,waha,libretranslate,paddleocr,nocodb,db,studio,kong,auth,rest,realtime,storage,imgproxy,meta,functions,analytics,vector,supavisor,gost,api.telegram.org,telegram.org,t.me,core.telegram.org
 
 ############
 # Functions - Configuration for Functions

AGENTS.md

@@ -0,0 +1,31 @@
+# Repository Guidelines
+
+## Project Structure & Module Organization
+- Core runtime config lives at the repo root: `docker-compose.yml`, `docker-compose.n8n-workers.yml`, and `Caddyfile`.
+- Installer and maintenance logic is in `scripts/` (install, update, doctor, cleanup, and helpers).
+- Service-specific assets are grouped by folder (examples: `n8n/`, `grafana/`, `prometheus/`, `searxng/`, `ragflow/`, `python-runner/`, `welcome/`).
+- Shared files for workflows are stored in `shared/` and mounted inside containers as `/data/shared`.
+
+## Build, Test, and Development Commands
+- `make install`: run the full installation wizard.
+- `make update` or `make git-pull`: refresh images and configuration (fork-friendly via `make git-pull`).
+- `make logs s=<service>`: tail a specific service’s logs (example: `make logs s=n8n`).
+- `make doctor`: run system checks for DNS/SSL/containers.
+- `make restart`, `make stop`, `make start`, `make status`: manage the compose stack.
+- `make clean` or `make clean-all`: remove unused Docker resources (`clean-all` is destructive).
+
+## Coding Style & Naming Conventions
+- Bash scripts in `scripts/` use `#!/bin/bash`, 4-space indentation, and uppercase constants. Match existing formatting.
+- Environment variable patterns are consistent: hostnames use `_HOSTNAME`, secrets use `_PASSWORD` or `_KEY`, and bcrypt hashes use `_PASSWORD_HASH`.
+- Services should not publish ports directly; external access goes through Caddy.
+
+## Testing Guidelines
+- There is no unit-test suite. Use syntax checks instead:
+- `docker compose -p localai config --quiet`
+- `bash -n scripts/install.sh` (and other edited scripts)
+- For installer changes, validate on a clean Ubuntu 24.04 LTS host and confirm profile selections start correctly.
+
+## Commit & Pull Request Guidelines
+- Commit messages follow Conventional Commits: `type(scope): summary` (examples in history include `fix(caddy): ...`, `docs(readme): ...`, `feat(postiz): ...`).
+- PRs should include a short summary, affected services/profiles, and test commands run.
+- Update `README.md` and `CHANGELOG.md` for user-facing changes or new services.

CHANGELOG.md

@@ -2,6 +2,26 @@
 
 ## [Unreleased]
 
+## [1.2.6] - 2026-02-10
+
+### Changed
+- **ComfyUI** - Update Docker image to CUDA 12.8 (`cu128-slim`)
+
+## [1.2.5] - 2026-02-03
+
+### Fixed
+- **n8n** - Use static ffmpeg binaries for Alpine/musl compatibility (fixes glibc errors)
+
+## [1.2.4] - 2026-01-30
+
+### Fixed
+- **Postiz** - Fix `BACKEND_INTERNAL_URL` to use `localhost` instead of Docker hostname (internal nginx requires localhost)
+
+## [1.2.3] - 2026-01-29
+
+### Fixed
+- **Gost proxy** - Add Telegram domains to `GOST_NO_PROXY` bypass list for n8n Telegram triggers
+
 ## [1.2.2] - 2026-01-26
 
 ### Fixed

CLAUDE.md

@@ -10,7 +10,7 @@ This is **n8n-install**, a Docker Compose-based installer that provides a compre
 
 - **Profile-based service management**: Services are activated via Docker Compose profiles (e.g., `n8n`, `flowise`, `monitoring`). Profiles are stored in the `.env` file's `COMPOSE_PROFILES` variable.
 - **No exposed ports**: Services do NOT publish ports directly. All external HTTPS access is routed through Caddy reverse proxy on ports 80/443.
-- **Shared secrets**: Core services (Postgres, Redis/Valkey, Caddy) are always included. Other services are optional and selected during installation.
+- **Shared secrets**: Core services (Postgres, Valkey (Redis-compatible, container named `redis` for backward compatibility), Caddy) are always included. Other services are optional and selected during installation.
 - **Queue-based n8n**: n8n runs in `queue` mode with Redis, Postgres, and dynamically scaled workers (`N8N_WORKER_COUNT`).
 
 ### Key Files
@@ -40,9 +40,13 @@ This is **n8n-install**, a Docker Compose-based installer that provides a compre
 - `scripts/docker_cleanup.sh`: Removes unused Docker resources (used by `make clean`)
 - `scripts/download_top_workflows.sh`: Downloads community n8n workflows
 - `scripts/import_workflows.sh`: Imports workflows from `n8n/backup/workflows/` into n8n (used by `make import`)
+- `scripts/restart.sh`: Restarts services with proper compose file handling (used by `make restart`)
+- `scripts/setup_custom_tls.sh`: Configures custom TLS certificates (used by `make setup-tls`)
 
 **Project Name**: All docker-compose commands use `-p localai` (defined in Makefile as `PROJECT_NAME := localai`).
 
+**Version**: Stored in `VERSION` file at repository root.
+
 ### Installation Flow
 
 `scripts/install.sh` orchestrates the installation by running numbered scripts in sequence:
@@ -58,6 +62,8 @@ This is **n8n-install**, a Docker Compose-based installer that provides a compre
 
 The update flow (`scripts/update.sh`) similarly orchestrates: git fetch + reset → service selection → `apply_update.sh` → restart.
 
+**Git update modes**: Default is `reset` (hard reset to origin). Set `GIT_MODE=merge` in `.env` for fork workflows (merges from upstream instead of hard reset). The `make git-pull` command uses merge mode.
+
 ## Common Development Commands
 
 ### Makefile Commands
@@ -156,6 +162,7 @@ This project uses [Semantic Versioning](https://semver.org/). When updating `CHA
   - Configuration stored in `docker-compose.n8n-workers.yml` (auto-generated, gitignored)
   - Runner connects to its worker via `network_mode: "service:n8n-worker-N"` (localhost:5679)
   - Runner image `n8nio/runners` must match n8n version
+- **Template profile pattern**: `docker-compose.yml` defines `n8n-worker-template` and `n8n-runner-template` with `profiles: ["n8n-template"]` (never activated directly). `generate_n8n_workers.sh` uses these as templates to generate `docker-compose.n8n-workers.yml` with the actual worker/runner services.
 - **Scaling**: Change `N8N_WORKER_COUNT` in `.env` and run `bash scripts/generate_n8n_workers.sh`
 - **Code node libraries**: Configured via `n8n/n8n-task-runners.json` and `n8n/Dockerfile.runner`:
   - JS packages installed via `pnpm add` in Dockerfile.runner
@@ -170,6 +177,16 @@ This project uses [Semantic Versioning](https://semver.org/). When updating `CHA
 - Hostnames are passed via environment variables (e.g., `N8N_HOSTNAME`, `FLOWISE_HOSTNAME`)
 - Basic auth uses bcrypt hashes generated by `scripts/03_generate_secrets.sh` via Caddy's hash command
 - Never add `ports:` to services in docker-compose.yml; let Caddy handle all external access
+- **Caddy Addons** (`caddy-addon/`): Extend Caddy config without modifying the main Caddyfile. Files matching `site-*.conf` are auto-imported. TLS is controlled via `tls-snippet.conf` (all service blocks use `import service_tls`). See `caddy-addon/README.md` for details.
+
+### External Compose Files (Supabase/Dify)
+
+Complex services like Supabase and Dify maintain their own upstream docker-compose files:
+- `start_services.py` handles cloning repos, preparing `.env` files, and starting services
+- Each external service needs: `is_*_enabled()`, `clone_*_repo()`, `prepare_*_env()`, `start_*()` functions in `start_services.py`
+- `scripts/utils.sh` provides `get_*_compose()` getter functions and `build_compose_files_array()` includes them
+- `stop_all_services()` in `start_services.py` checks compose file existence (not profile) to ensure cleanup when a profile is removed
+- All external compose files use the same project name (`-p localai`) so containers appear together
 
 ### Secret Generation
 
@@ -276,6 +293,8 @@ healthcheck:
   test: ["CMD-SHELL", "http_proxy= https_proxy= HTTP_PROXY= HTTPS_PROXY= wget -qO- http://localhost:8080/health || exit 1"]
 ```
 
+**GOST_NO_PROXY**: ALL service container names must be listed in `GOST_NO_PROXY` in `.env.example`. This prevents internal Docker network traffic from routing through the proxy. This applies to every service, not just those using `<<: *proxy-env`.
+
 ### Welcome Page Dashboard
 
 The welcome page (`welcome/`) provides a post-install dashboard showing all active services:

docker-compose.yml

@@ -836,7 +836,7 @@ services:
     restart: always
     environment:
       <<: *proxy-env
-      BACKEND_INTERNAL_URL: http://postiz:3000
+      BACKEND_INTERNAL_URL: http://localhost:3000
       DATABASE_URL: "postgresql://postgres:${POSTGRES_PASSWORD}@postgres:5432/${POSTIZ_DB_NAME:-postiz}?schema=postiz"
       DISABLE_REGISTRATION: ${POSTIZ_DISABLE_REGISTRATION}
       FRONTEND_URL: ${POSTIZ_HOSTNAME:+https://}${POSTIZ_HOSTNAME}
@@ -908,7 +908,7 @@ services:
       start_period: 60s
 
   comfyui:
-    image: yanwk/comfyui-boot:cu124-slim
+    image: yanwk/comfyui-boot:cu128-slim
     container_name: comfyui
     profiles: ["comfyui"]
     restart: unless-stopped

n8n/Dockerfile.n8n

@@ -1,9 +1,11 @@
+# Stage 1: Get static ffmpeg binaries (statically linked, works on Alpine/musl)
+FROM mwader/static-ffmpeg:latest AS ffmpeg
+
+# Stage 2: Build final n8n image with ffmpeg
 FROM n8nio/n8n:stable
 
 USER root
-# Install static ffmpeg binary from BtbN GitHub releases
-RUN wget -qO- --tries=3 --timeout=60 https://github.com/BtbN/FFmpeg-Builds/releases/download/latest/ffmpeg-master-latest-linux64-gpl.tar.xz | \
-    tar -xJC /tmp && \
-    mv /tmp/ffmpeg-master-latest-linux64-gpl/bin/ffmpeg /tmp/ffmpeg-master-latest-linux64-gpl/bin/ffprobe /usr/local/bin/ && \
-    rm -rf /tmp/ffmpeg-*
+# Copy static ffmpeg binaries from the ffmpeg stage
+COPY --from=ffmpeg /ffmpeg /usr/local/bin/ffmpeg
+COPY --from=ffmpeg /ffprobe /usr/local/bin/ffprobe
 USER node

scripts/04_wizard.sh

@@ -215,7 +215,7 @@ if [ $gost_selected -eq 1 ]; then
     EXISTING_UPSTREAM=$(read_env_var "GOST_UPSTREAM_PROXY")
 
     GOST_UPSTREAM_INPUT=$(wt_input "Gost Upstream Proxy" \
-        "Enter your external proxy URL for geo-bypass.\n\nExamples:\n  socks5://user:pass@proxy.com:1080\n  http://user:pass@proxy.com:8080\n\nThis proxy should be located outside restricted regions." \
+        "Enter your external proxy URL for geo-bypass.\n\nExamples:\n  socks5://user:pass@proxy.com:1080\n  http://user:pass@proxy.com:8080\n\nIMPORTANT: For HTTP proxies use http://, NOT https://.\nThe protocol refers to proxy type, not connection security.\n\nThis proxy should be located outside restricted regions." \
         "$EXISTING_UPSTREAM") || true
 
     if [ -n "$GOST_UPSTREAM_INPUT" ]; then