Download authentik's lib/default.yml for the specified AUTHENTIK_VERSION before running go mod/download and build (added curl to ct/authentik.sh and install/authentik-install.sh to write to /opt/authentik/authentik/lib/default.yml). Also normalize Bitfocus Companion app name to "Bitfocus-Companion" in ct/bitfocus-companion.sh.
Use literal 'Squid' in msg_* labels, add missing msg_ok and spacing in
update_script. Replace install_packages_with_retry/enable_and_start_service/
safe_service_restart helpers with plain apt and systemctl commands. Merge
auth setup and config validation into a single msg block. Drop the custom
/etc/profile.d MOTD heredoc and trailing htpasswd echo.
Append a guarded snippet to /root/.bash_profile that forces TERM=linux on physical LXC consoles (e.g. noVNC) for login shells. This prevents readline (8.2+) from querying CPR (ESC[6n) which can produce stray R;80R garbage; the change runs only for non-SSH sessions and detects /dev/console or /dev/ttyN. The block is only added if a __cs_console_term marker is not already present.
Create a systemd override for console-getty.service inside LXC containers to set Environment=TERM=linux (written to /etc/systemd/system/console-getty.service.d/pve-console-term.conf) instead of touching getty@tty1/serial-getty unit dirs. This targets the noVNC/LXC console behavior where console-getty.service, not getty@tty1, is used and prevents agetty cursor-position queries from corrupting the noVNC login prompt. Also remove the older workaround in create_lxc_container that forced 'cmode: console' in the LXC config, since the new override addresses the issue.
