chore(repo): cleanup + v6-docs + healthcheck installer + SC2034 suppress

.env.example

@@ -0,0 +1,11 @@
+# Intentionally left blank. Do NOT put secrets here.
+# Example placeholders (do not set real values):
+# PIHOLE_API_URL=
+# PIHOLE_PASSWORD=
+# Local configuration for tools (no secrets)
+# Export before running healthcheck:
+#   export PIHOLE_API_URL="http://127.0.0.1/api"
+#   read -s PIHOLE_PASSWORD
+#   export PIHOLE_PASSWORD
+PIHOLE_API_URL=
+# PIHOLE_PASSWORD is read from environment if set

.gitignore

@@ -86,3 +86,23 @@ pihole_maintenance_pro_test.sh
 vendor/bundle/
 .bundle/
 .npm-cache/
+
+# Additional ignores
+.DS_Store
+Thumbs.db
+node_modules/
+dist/
+build/
+out/
+__pycache__/
+*.pyc
+.mypy_cache/
+.pytest_cache/
+.ruff_cache/
+*.log
+*.tmp
+
+# Dotenv / local env files
+.env
+.env.*
+!.env.example

LICENSE

@@ -1,6 +1,6 @@
 MIT License
 
-Copyright (c) 2025 ==TIM.©.B  ==
+Copyright (c) 2025 Tim
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal

Makefile

@@ -1,24 +1,37 @@
+.PHONY: check fmt lint
+
 SHELL := /bin/bash
 SHFMT ?= shfmt
 SHELLCHECK ?= shellcheck
 
 SCRIPTS := pihole_maintenance_pro.sh scripts/*.sh tools/*.sh
 
-.PHONY: fmt lint check
+check:
+	@echo "bash -n"
+	bash -n $(SCRIPTS)
+	@echo "shellcheck"
+	@if command -v $(SHELLCHECK) >/dev/null 2>&1; then \
+		$(SHELLCHECK) -x $(SCRIPTS) || true; \
+	else \
+		echo "shellcheck not installed; skipping"; \
+	fi
+	@echo "shfmt -d (no changes)"
+	@if command -v $(SHFMT) >/dev/null 2>&1; then \
+		$(SHFMT) -i 2 -ci -sr -d .; \
+	else \
+		echo "shfmt not installed; skipping"; \
+	fi
 
 fmt:
 	@if command -v $(SHFMT) >/dev/null 2>&1; then \
-		$(SHFMT) -i 2 -ci -sr -w $(SCRIPTS); \
+		$(SHFMT) -i 2 -ci -sr -w .; \
 	else \
-		echo "shfmt not installed; skipping fmt"; \
+		echo "shfmt not installed; skipping"; \
 	fi
 
 lint:
 	@if command -v $(SHELLCHECK) >/dev/null 2>&1; then \
 		$(SHELLCHECK) -x $(SCRIPTS); \
 	else \
-		echo "shellcheck not installed; skipping lint"; \
+		echo "shellcheck not installed; skipping"; \
 	fi
-
-check: fmt lint
-

README.de.md

@@ -1,6 +1,7 @@
 <div align="center">
 
 # 🛰️ Pi-hole Maintenance PRO MAX
+
 **Automatisiertes Pi-hole v6 Wartungsskript**
 
 [![Build](https://img.shields.io/github/actions/workflow/status/TimInTech/pihole-maintenance-pro/ci-sanity.yml?branch=main)](https://github.com/TimInTech/pihole-maintenance-pro/actions)
@@ -16,20 +17,24 @@
 ---
 
 ## Was & Warum
+
 Pi-hole v6 Wartung für Raspberry Pi OS (Bookworm/Trixie) mit Logging und Healthchecks.
 
 ## Features
-- APT update/upgrade/autoremove/autoclean  
-- Pi-hole Update (`-up`), Gravity (`-g`), `reloaddns`  
-- Healthchecks: Port 53, `dig`, GitHub-Erreichbarkeit  
-- Optional: Tailscale-Info, FTL-Toplisten via `sqlite3`  
-- Performance-Dashboard & intelligente Zusammenfassung  
-- Lokales Backup vor Pi-hole-Änderungen  
-- Installer setzt automatisch einen wöchentlichen Cron (`0 4 * * 0`)  
+
+- APT update/upgrade/autoremove/autoclean
+- Pi-hole Update (`-up`), Gravity (`-g`), optionaler FTL-Restart (`--restart-ftl`)
+- Healthchecks: Port 53, `dig`, GitHub-Erreichbarkeit
+- Optional: Tailscale-Info, FTL-Toplisten via `sqlite3`
+- Performance-Dashboard & intelligente Zusammenfassung
+- Lokales Backup vor Pi-hole-Änderungen
+- Installer setzt automatisch einen wöchentlichen Cron (`0 4 * * 0`) (idempotent)
 - Logs: `/var/log/pihole_maintenance_pro_<timestamp>.log`
 
 ## Schnellstart
+
 **Installer:**
+
 ```bash
 bash -c "$(curl -fsSL https://raw.githubusercontent.com/TimInTech/pihole-maintenance-pro/main/scripts/install.sh)"
 ```
@@ -38,11 +43,13 @@ bash -c "$(curl -fsSL https://raw.githubusercontent.com/TimInTech/pihole-mainten
 ## Update / Überschreiben (sichere Re-Installation)
 
 Zieht die aktuelle Version und überschreibt die vorhandene:
+
 ```bash
 /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/TimInTech/pihole-maintenance-pro/main/scripts/install.sh)"
 ```
 
 ## Uninstall (saubere Entfernung)
+
 ```bash
 /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/TimInTech/pihole-maintenance-pro/main/scripts/uninstall.sh)"
 ```
@@ -55,7 +62,8 @@ Zieht die aktuelle Version und überschreibt die vorhandene:
 - `--no-apt` – APT-Schritte (update/upgrade/autoremove/autoclean) überspringen.
 - `--no-upgrade` – **kein** `pihole -up`.
 - `--no-gravity` – `pihole -g` (Blocklisten/Gravity) überspringen.
-- `--no-dnsreload` – `pihole reloaddns` überspringen.
+- `--no-dnsreload` – veraltet unter v6 (No-Op).
+- `--restart-ftl` – pihole-FTL am Ende neustarten (nur bei Bedarf).
 - `--backup` – Backup vor Pi-hole-Operationen unter `/var/backups/pihole/`.
 - `--json` – JSON-Ausgabe statt farbiger Zusammenfassung.
 
@@ -81,6 +89,7 @@ sudo /usr/local/bin/pihole_maintenance_pro.sh --no-apt --no-upgrade --no-gravity
 ```
 
 ## Beispielausgabe (echtes Pi-hole v6)
+
 Aufgenommen auf einem Raspberry Pi mit Pi-hole Core 6.1.4, Web 6.2.1, FTL 6.2.3 – so sieht das aktuelle Dashboard + die Zusammenfassung live aus:
 
 ```bash
@@ -99,6 +108,7 @@ Aufgenommen auf einem Raspberry Pi mit Pi-hole Core 6.1.4, Web 6.2.1, FTL 6.2.3
 ```
 
 Der reale Lauf bestätigt außerdem:
+
 - Backups werden vor Pi-hole-Wartung erstellt (z. B. `/etc/pihole/backup_20251025_100315`, `/etc/pihole/backup_20251025_100337`)
 - Der Installer setzt automatisch den empfohlenen Cron: `0 4 * * 0 /usr/local/bin/pihole_maintenance_pro.sh >>/var/log/pihole_maint_cron.log 2>&1`
 - Security-Block (Steps 20–26) und Healthchecks (Steps 07–10) laufen ohne Warnungen durch
@@ -111,30 +121,32 @@ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 30 3 * * * /usr/local/bin/pihole_maintenance_pro.sh >> /var/log/pihole_maintenance_pro.log 2>&1
 ```
 
-> Trixie/Cron nutzt einen reduzierten PATH. Mit vollem PATH laufen beide Skripte zuverlässig.
+> Trixie/Cron nutzt einen reduzierten PATH. Mit vollem PATH laufen beide Skripte zuverlässig. Der Installer setzt den wöchentlichen Cron jetzt idempotent.
 
 ## Hinweis zu Pi-hole v6 API
 
-- Keine setupVars.conf mehr
-- Konfiguration jetzt in /etc/pihole/pihole.toml
-- API unter /api, nicht /api.php
-- Authentifizierung via Basic Auth mit User cli und Passwort aus /etc/pihole/cli_pw
-- Das Healthcheck-Skript pihole_api_healthcheck.sh kann lokal Basic-Auth gegen die API fahren, wenn PIHOLE_API_URL gesetzt ist
-- Unbound ist nicht erforderlich
+- `setupVars.conf` entfällt
+- Konfiguration in `/etc/pihole/pihole.toml`
+- API unter `/api` (nicht `/api.php`)
+- Authentifizierung mittels Session: `POST /api/auth` → `sid`, danach Header `X-FTL-SID`
+- Healthcheck (`tools/pihole_api_healthcheck.sh`) nutzt `PIHOLE_API_URL` und optional `PIHOLE_PASSWORD` zum Login
+- Unbound ist optional
 
 ## Troubleshooting
 
-* `sqlite3` für Top-Listen:
+- `sqlite3` für Top-Listen:
 
   ```bash
   sudo apt update && sudo apt install -y sqlite3
   ```
+
 * Locale-Warnungen:
 
   ```bash
   echo -e "en_GB.UTF-8 UTF-8\nde_DE.UTF-8 UTF-8" | sudo tee /etc/locale.gen >/dev/null
   sudo locale-gen && sudo update-locale LANG=de_DE.UTF-8 LC_ALL=de_DE.UTF-8
   ```
+
 * Hinweis `linux-image-rpi-v8` auf Pi 3B: ignorierbar.
 
 ## Lizenz
@@ -144,5 +156,6 @@ MIT. Siehe [LICENSE](LICENSE).
 *Zuletzt aktualisiert: 2025-10-10 • Version: 5.3.2*
 
 ## Support
+
 Wenn dir dieses Projekt hilft, kannst du es hier unterstützen:
 [buymeacoffee.com/timintech](https://buymeacoffee.com/timintech)

README.md

@@ -1,4 +1,5 @@
 # 🛰️ Pi-hole Maintenance PRO MAX
+
 **Automated Pi-hole v6 Maintenance Script**
 
 [![Build](https://img.shields.io/github/actions/workflow/status/TimInTech/pihole-maintenance-pro/ci-sanity.yml?branch=main)](https://github.com/TimInTech/pihole-maintenance-pro/actions)
@@ -9,25 +10,27 @@
 
 **Languages:** 🇬🇧 English (this file) • [🇩🇪 Deutsch](README.de.md)
 
-
-
 ---
 
 ## What & Why
+
 Automated Pi-hole v6 maintenance script for Raspberry Pi OS (Bookworm/Trixie) with logging and health checks.
 
 ## Features
-- APT update/upgrade/autoremove/autoclean  
-- Pi-hole update (`-up`), gravity (`-g`), `reloaddns`  
-- Health checks: port 53, `dig`, GitHub reachability  
-- Optional Tailscale info, FTL toplists via `sqlite3`  
-- Performance dashboard & intelligent end-of-run summary  
-- Automatic local backup prior to Pi-hole changes  
-- Installer drops a weekly cron (`0 4 * * 0`) out of the box  
+
+- APT update/upgrade/autoremove/autoclean
+- Pi-hole update (`-up`), gravity (`-g`), optional FTL restart (`--restart-ftl`)
+- Health checks: port 53, `dig`, GitHub reachability
+- Optional Tailscale info, FTL toplists via `sqlite3`
+- Performance dashboard & intelligent end-of-run summary
+- Automatic local backup prior to Pi-hole changes
+- Installer drops a weekly cron (`0 4 * * 0`) out of the box (idempotent)
 - Logs in `/var/log/pihole_maintenance_pro_<timestamp>.log`
 
 ## Quickstart
+
 **Installer:**
+
 ```bash
 bash -c "$(curl -fsSL https://raw.githubusercontent.com/TimInTech/pihole-maintenance-pro/main/scripts/install.sh)"
 ```
@@ -36,11 +39,13 @@ bash -c "$(curl -fsSL https://raw.githubusercontent.com/TimInTech/pihole-mainten
 ## Update / Overwrite (safe re-install)
 
 Use this to pull and overwrite with the latest release:
+
 ```bash
 /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/TimInTech/pihole-maintenance-pro/main/scripts/install.sh)"
 ```
 
 ## Uninstall (clean removal)
+
 ```bash
 /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/TimInTech/pihole-maintenance-pro/main/scripts/uninstall.sh)"
 ```
@@ -50,11 +55,12 @@ Use this to pull and overwrite with the latest release:
 
 ### Flags
 
-- `--no-apt` – skips APT steps (update/upgrade/autoremove/autoclean)  
-- `--no-upgrade` – does **not** run `pihole -up`  
-- `--no-gravity` – skips `pihole -g` (blocklists/Gravity update)  
-- `--no-dnsreload` – skips `pihole reloaddns`  
-- `--backup` – creates a backup before Pi-hole ops under `/var/backups/pihole/`  
+- `--no-apt` – skips APT steps (update/upgrade/autoremove/autoclean)
+- `--no-upgrade` – does **not** run `pihole -up`
+- `--no-gravity` – skips `pihole -g` (blocklists/Gravity update)
+- `--no-dnsreload` – deprecated in v6 (no-op)
+- `--restart-ftl` – restart pihole-FTL at the end (v6: only if needed)
+- `--backup` – creates a backup before Pi-hole ops under `/var/backups/pihole/`
 - `--json` – outputs machine-readable JSON instead of the colored TUI
 
 **Manual installation:**
@@ -79,6 +85,7 @@ sudo /usr/local/bin/pihole_maintenance_pro.sh --no-apt --no-upgrade --no-gravity
 ```
 
 ## Real Pi-hole v6 sample run
+
 Captured on a Raspberry Pi with Pi-hole Core 6.1.4, Web 6.2.1, FTL 6.2.3 — this is the live dashboard + summary rendered by the current release:
 
 ```bash
@@ -97,6 +104,7 @@ Captured on a Raspberry Pi with Pi-hole Core 6.1.4, Web 6.2.1, FTL 6.2.3 — thi
 ```
 
 The same production run confirms:
+
 - Backups are created before Pi-hole maintenance kicks in (e.g. `/etc/pihole/backup_20251025_100315`, `/etc/pihole/backup_20251025_100337`)
 - The installer provisions the recommended cron automatically: `0 4 * * 0 /usr/local/bin/pihole_maintenance_pro.sh >>/var/log/pihole_maint_cron.log 2>&1`
 - Security (Steps 20–26) and health checks (Steps 07–10) run green end-to-end
@@ -109,30 +117,32 @@ PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
 30 3 * * * /usr/local/bin/pihole_maintenance_pro.sh >> /var/log/pihole_maintenance_pro.log 2>&1
 ```
 
-> Trixie/cron runs with a reduced PATH. Using a full PATH ensures both scripts run reliably.
+> Trixie/cron runs with a reduced PATH. Using a full PATH ensures both scripts run reliably. The installer now sets the weekly cron idempotently.
 
 ## Pi-hole v6 API notes
 
-- setupVars.conf is gone
-- Config now lives in /etc/pihole/pihole.toml
-- API is served at /api instead of /api.php
-- Authentication is HTTP Basic Auth using cli plus the password in /etc/pihole/cli_pw
-- The healthcheck script (pihole_api_healthcheck.sh) can hit those endpoints locally when PIHOLE_API_URL is set
-- Unbound is not required
+- `setupVars.conf` is gone
+- Config lives in `/etc/pihole/pihole.toml`
+- API is served at `/api` instead of `/api.php`
+- Authentication uses session tokens: `POST /api/auth` returns `sid`, pass via header `X-FTL-SID`
+- The healthcheck script (`tools/pihole_api_healthcheck.sh`) can hit endpoints when `PIHOLE_API_URL` is set; set `PIHOLE_PASSWORD` to enable session login
+- Unbound is optional
 
 ## Troubleshooting
 
-* `sqlite3` toplists:
+- `sqlite3` toplists:
 
   ```bash
   sudo apt update && sudo apt install -y sqlite3
   ```
+
 * Locale warnings:
 
   ```bash
   echo -e "en_GB.UTF-8 UTF-8\nde_DE.UTF-8 UTF-8" | sudo tee /etc/locale.gen >/dev/null
   sudo locale-gen && sudo update-locale LANG=de_DE.UTF-8 LC_ALL=de_DE.UTF-8
   ```
+
 * Pi 3B note about `linux-image-rpi-v8`: ignorable on ARMv7.
 
 ## License
@@ -142,5 +152,6 @@ MIT. See [LICENSE](LICENSE).
 *Last updated: 2025-10-25 • Version: 5.3.2*
 
 ## Support
+
 If this project helps you, you can support it here:
 [buymeacoffee.com/timintech](https://buymeacoffee.com/timintech)