Use literal 'Squid' in msg_* labels, add missing msg_ok and spacing in
update_script. Replace install_packages_with_retry/enable_and_start_service/
safe_service_restart helpers with plain apt and systemctl commands. Merge
auth setup and config validation into a single msg block. Drop the custom
/etc/profile.d MOTD heredoc and trailing htpasswd echo.
Append a guarded snippet to /root/.bash_profile that forces TERM=linux on physical LXC consoles (e.g. noVNC) for login shells. This prevents readline (8.2+) from querying CPR (ESC[6n) which can produce stray R;80R garbage; the change runs only for non-SSH sessions and detects /dev/console or /dev/ttyN. The block is only added if a __cs_console_term marker is not already present.
Create a systemd override for console-getty.service inside LXC containers to set Environment=TERM=linux (written to /etc/systemd/system/console-getty.service.d/pve-console-term.conf) instead of touching getty@tty1/serial-getty unit dirs. This targets the noVNC/LXC console behavior where console-getty.service, not getty@tty1, is used and prevents agetty cursor-position queries from corrupting the noVNC login prompt. Also remove the older workaround in create_lxc_container that forced 'cmode: console' in the LXC config, since the new override addresses the issue.
Reset shell command hash in spinner and make sleep resilient to shells without redirected sleep, preventing stale PATH lookups and failures in background subshells. Improve Gentoo bootstrap by syncing portage (emerge-webrsync or emerge --sync), preferring binary packages (--getbinpkg --usepkg) before falling back to source emerge, and add a fallback fetcher: prefer curl but use wget if curl is unavailable; fail with a clear error if neither is present. Replace direct curl sourcing with a configurable _fetch command to support the wget fallback.