Pi-hole core 6.1.4 (#6347 )

Fix pihole api command by not setting the some variabes as readonly (#6346 )
Fix issue where web interface cannot run gravity (#6345 )
2025-07-31 01:24:17 +02:00 · 2025-07-14 22:15:50 +01:00 · 2025-07-14 22:09:27 +01:00 · 2025-07-14 22:05:18 +01:00 · 2025-07-14 22:02:02 +01:00 · 2025-07-14 21:38:59 +01:00
45 changed files with 655 additions and 765 deletions
--- a/.github/CODEOWNERS
+++ b/.github/CODEOWNERS
@ -0,0 +1,5 @@
 # see https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/about-code-owners#codeowners-syntax
 # These owners will be the default owners for everything in
 # the repo. Unless a later match takes precedence,
 *       @pi-hole/core-maintainers
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@ -8,8 +8,10 @@ updates:
    time: "10:00"
  open-pull-requests-limit: 10
  target-branch: development
-  reviewers:
+  groups:
-    - "pi-hole/core-maintainers"
+    github-actions-dependencies:
      patterns:
        - "*"
 - package-ecosystem: pip
  directory: "/test"
  schedule:
@ -18,5 +20,7 @@ updates:
    time: "10:00"
  open-pull-requests-limit: 10
  target-branch: development
-  reviewers:
+  groups:
-    - "pi-hole/core-maintainers"
+    python-dependencies:
      patterns:
        - "*"
--- a/.github/release.yml
+++ b/.github/release.yml
@ -2,6 +2,7 @@ changelog:
  exclude:
    labels:
      - internal
      - dependencies
    authors:
      - dependabot
      - github-actions
--- a/.github/workflows/stale.yml
+++ b/.github/workflows/stale.yml
@ -24,7 +24,7 @@ jobs:
          days-before-close: 5
          stale-issue-message: 'This issue is stale because it has been open 30 days with no activity. Please comment or update this issue or it will be closed in 5 days.'
          stale-issue-label: '${{ env.stale_label }}'
-          exempt-issue-labels: 'Internal, Fixed in next release, Bug: Confirmed, Documentation Needed'
+          exempt-issue-labels: 'Internal, Fixed in next release, Bug: Confirmed, Documentation Needed, never-stale'
          exempt-all-issue-assignees: true
          operations-per-run: 300
          close-issue-reason: 'not_planned'
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@ -19,6 +19,8 @@ jobs:
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4.2.2
        with:
          fetch-depth: 0 # Differential ShellCheck requires full git history
      - name: Check scripts in repository are executable
        run: |
@ -28,12 +30,12 @@ jobs:
          # If FAIL is 1 then we fail.
          [[ $FAIL == 1 ]] && exit 1 || echo "Scripts are executable!"
-      - name: Run shellcheck
+      - name: Differential ShellCheck
-        uses: ludeeus/action-shellcheck@master
+        uses: redhat-plumbers-in-action/differential-shellcheck@v5
        with:
-          check_together: 'yes'
+          severity: warning
-          format: tty
+          display-engine: sarif-fmt
-          severity: error
+
      - name: Spell-Checking
        uses: codespell-project/actions-codespell@master
@ -67,8 +69,10 @@ jobs:
            ubuntu_22,
            ubuntu_24,
            centos_9,
            centos_10,
            fedora_40,
            fedora_41,
            fedora_42,
          ]
    env:
      DISTRO: ${{matrix.distro}}
@ -76,10 +80,10 @@ jobs:
      - name: Checkout repository
        uses: actions/checkout@v4.2.2
-      - name: Set up Python 3.10
+      - name: Set up Python
-        uses: actions/setup-python@v5.4.0
+        uses: actions/setup-python@v5.6.0
        with:
-          python-version: "3.10"
+          python-version: "3.13"
      - name: Install wheel
        run:  pip install wheel
--- a/.gitignore
+++ b/.gitignore
@ -10,3 +10,6 @@ __pycache__
 .idea/
 *.iml
 .vscode/
 .venv/
 .fleet/
 .cache/
--- a/.shellcheckrc
+++ b/.shellcheckrc
@ -0,0 +1,2 @@
 external-sources=true # allow shellcheck to read external sources
 disable=SC3043 #disable SC3043: In POSIX sh, local is undefined.
--- a/README.md
+++ b/README.md
@ -3,13 +3,9 @@
 #
 <p align="center">
-  <picture>
+  <img src="https://raw.githubusercontent.com/pi-hole/graphics/refs/heads/master/Vortex/vortex_with_text.svg" alt="Pi-hole website" width="168" height="270">
-    <source media="(prefers-color-scheme: dark)" srcset="https://pi-hole.github.io/graphics/Vortex/Vortex_Vertical_wordmark_darkmode.png">
+  <br>
-    <source media="(prefers-color-scheme: light)" srcset="https://pi-hole.github.io/graphics/Vortex/Vortex_Vertical_wordmark_lightmode.png">
+  <strong>Network-wide ad blocking via your own Linux hardware</strong>
    <img src="https://pi-hole.github.io/graphics/Vortex/Vortex_Vertical_wordmark_lightmode.png" width="168" height="270" alt="Pi-hole website">
  </picture>
    <br>
    <strong>Network-wide ad blocking via your own Linux hardware</strong>
 </p>
 <!-- markdownlint-enable MD033 -->
@ -132,7 +128,10 @@ Some of the statistics you can integrate include:
 - Queries cached
 - Unique clients
-Access the API via [`telnet`](https://github.com/pi-hole/FTL), the Web (`admin/api.php`) and Command Line (`pihole -c -j`). You can find out [more details over here](https://discourse.pi-hole.net/t/pi-hole-api/1863).
+Access the API using:
 - your browser: http://pi.hole/api/docs
 - `curl`: `curl --connect-timeout 2 -ks "https://pi.hole/api/stats/summary" -H "Accept: application/json"`;
 - the command line - examples: `pihole api config/webserver/port` or `pihole api stats/summary`.
 ### The Command-Line Interface
--- a/advanced/Scripts/COL_TABLE
+++ b/advanced/Scripts/COL_TABLE
@ -1,10 +1,12 @@
 #!/usr/bin/env sh
 # shellcheck disable=SC2034  # Disable warning about unused variables
 # Determine if terminal is capable of showing colors
-if ([ -t 1 ] && [ $(tput colors) -ge 8 ]) || [ "${WEBCALL}" ]; then
+# When COL_TABLE is sourced via gravity invoked by FTL, FORCE_COLOR is set to true
 if { [ -t 1 ] && [ "$(tput colors)" -ge 8 ]; } || [ "${FORCE_COLOR}" ]; then
  # Bold and underline may not show up on all clients
  # If something MUST be emphasized, use both
  COL_BOLD='[1m'
  COL_ULINE='[4m'
  COL_NC='[0m'
  COL_GRAY='[90m'
  COL_RED='[91m'
@ -16,8 +18,6 @@ if ([ -t 1 ] && [ $(tput colors) -ge 8 ]) || [ "${WEBCALL}" ]; then
 else
  # Provide empty variables for `set -u`
  COL_BOLD=""
  COL_ULINE=""
  COL_NC=""
  COL_GRAY=""
  COL_RED=""
@ -28,22 +28,8 @@ else
  COL_CYAN=""
 fi
 # Deprecated variables
 COL_WHITE="${COL_BOLD}"
 COL_BLACK="${COL_NC}"
 COL_LIGHT_BLUE="${COL_BLUE}"
 COL_LIGHT_GREEN="${COL_GREEN}"
 COL_LIGHT_CYAN="${COL_CYAN}"
 COL_LIGHT_RED="${COL_RED}"
 COL_URG_RED="${COL_RED}${COL_BOLD}${COL_ULINE}"
 COL_LIGHT_PURPLE="${COL_PURPLE}"
 COL_BROWN="${COL_YELLOW}"
 COL_LIGHT_GRAY="${COL_GRAY}"
 COL_DARK_GRAY="${COL_GRAY}"
 TICK="[${COL_GREEN}✓${COL_NC}]"
 CROSS="[${COL_RED}✗${COL_NC}]"
 INFO="[i]"
 QST="[?]"
 DONE="${COL_GREEN} done!${COL_NC}"
 OVER="\\r[K"
--- a/advanced/Scripts/api.sh
+++ b/advanced/Scripts/api.sh
@ -1,5 +1,4 @@
 #!/usr/bin/env sh
 # shellcheck disable=SC3043 #https://github.com/koalaman/shellcheck/wiki/SC3043#exceptions
 # Pi-hole: A black hole for Internet advertisements
 # (c) 2017 Pi-hole, LLC (https://pi-hole.net)
@ -20,13 +19,20 @@
 TestAPIAvailability() {
    local chaos_api_list authResponse authStatus authData apiAvailable DNSport
    # as we are running locally, we can get the port value from FTL directly
-    local chaos_api_list availabilityResponse
+    PI_HOLE_SCRIPT_DIR="/opt/pihole"
    utilsfile="${PI_HOLE_SCRIPT_DIR}/utils.sh"
    # shellcheck source=./advanced/Scripts/utils.sh
    . "${utilsfile}"
    DNSport=$(getFTLConfigValue dns.port)
    # Query the API URLs from FTL using CHAOS TXT local.api.ftl
    # The result is a space-separated enumeration of full URLs
    # e.g., "http://localhost:80/api/" "https://localhost:443/api/"
-    chaos_api_list="$(dig +short chaos txt local.api.ftl @127.0.0.1)"
+    chaos_api_list="$(dig +short -p "${DNSport}" chaos txt local.api.ftl @127.0.0.1)"
    # If the query was not successful, the variable is empty
    if [ -z "${chaos_api_list}" ]; then
@ -48,39 +54,50 @@ TestAPIAvailability() {
        API_URL="${API_URL%\"}"
        API_URL="${API_URL#\"}"
-        # Test if the API is available at this URL
+        # Test if the API is available at this URL, include delimiter for ease in splitting payload
-        availabilityResponse=$(curl -skS -o /dev/null -w "%{http_code}" "${API_URL}auth")
+        authResponse=$(curl --connect-timeout 2 -skS -w ">>%{http_code}" "${API_URL}auth")
        # authStatus is the response http_code, eg. 200, 401.
        # Shell parameter expansion, remove everything up to and including the >> delim
        authStatus=${authResponse#*>>}
        # data is everything from response
        # Shell parameter expansion, remove the >> delim and everything after
        authData=${authResponse%>>*}
        # Test if http status code was 200 (OK) or 401 (authentication required)
-        if [ ! "${availabilityResponse}" = 200 ] && [ ! "${availabilityResponse}" = 401 ]; then
+        if [ "${authStatus}" = 200 ]; then
-            # API is not available at this port/protocol combination
+            # API is available without authentication
-            API_PORT=""
+            apiAvailable=true
-        else
+            needAuth=false
            # API is available at this URL combination
            if [ "${availabilityResponse}" = 200 ]; then
                # API is available without authentication
                needAuth=false
            fi
            break
        fi
-        # Remove the first URL from the list
+        elif [ "${authStatus}" = 401 ]; then
-        local last_api_list
+            # API is available with authentication
-        last_api_list="${chaos_api_list}"
+            apiAvailable=true
-        chaos_api_list="${chaos_api_list#* }"
+            needAuth=true
            # Check if 2FA is required
            needTOTP=$(echo "${authData}"| jq --raw-output .session.totp 2>/dev/null)
            break
-        # If the list did not change, we are at the last element
+        else
-        if [ "${last_api_list}" = "${chaos_api_list}" ]; then
+            # API is not available at this port/protocol combination
-            # Remove the last element
+            apiAvailable=false
-            chaos_api_list=""
+            # Remove the first URL from the list
            local last_api_list
            last_api_list="${chaos_api_list}"
            chaos_api_list="${chaos_api_list#* }"
            # If the list did not change, we are at the last element
            if [ "${last_api_list}" = "${chaos_api_list}" ]; then
                # Remove the last element
                chaos_api_list=""
            fi
        fi
    done
-    # if API_PORT is empty, no working API port was found
+    # if apiAvailable is false, no working API was found
-    if [ -n "${API_PORT}" ]; then
+    if [ "${apiAvailable}" = false ]; then
-        echo "API not available at: ${API_URL}"
+        echo "API not available. Please check FTL.log"
        echo "Exiting."
        exit 1
    fi
@ -108,22 +125,51 @@ LoginAPI() {
            echo "API Authentication: Trying to use CLI password"
        fi
-        # Try to authenticate using the CLI password
+        # If we can read the CLI password, we can skip 2FA even when it's required otherwise
-        Authentication "${1}"
+        needTOTP=false
    elif [ "${1}" = "verbose" ]; then
        echo "API Authentication: CLI password not available"
    fi
    if [ -z "${password}" ]; then
        # no password read from CLI file
        echo "Please enter your password:"
        # secretly read the password
        secretRead; printf '\n'
    fi
    if [ "${needTOTP}" = true ]; then
        # 2FA required
        echo "Please enter the correct second factor."
        echo "(Can be any number if you used the app password)"
        read -r totp
    fi
-    # If this did not work, ask the user for the password
+    # Try to authenticate using the supplied password (CLI file or user input) and TOTP
-    while [ "${validSession}" = false ] || [ -z "${validSession}" ] ; do
+    Authentication "${1}"
    # Try to login again until the session is valid
    while [ ! "${validSession}" = true ]  ; do
        echo "Authentication failed. Please enter your Pi-hole password"
        # Print the error message if there is one
        if  [ ! "${sessionError}" = "null"  ] && [ "${1}" = "verbose" ]; then
            echo "Error: ${sessionError}"
        fi
        # Print the session message if there is one
        if  [ ! "${sessionMessage}" = "null" ] && [ "${1}" = "verbose" ]; then
            echo "Error: ${sessionMessage}"
        fi
        # secretly read the password
        secretRead; printf '\n'
        if [ "${needTOTP}" = true ]; then
            echo "Please enter the correct second factor:"
            echo "(Can be any number if you used the app password)"
            read -r totp
        fi
        # Try to authenticate again
        Authentication "${1}"
    done
@ -131,23 +177,27 @@ LoginAPI() {
 }
 Authentication() {
-  sessionResponse="$(curl -skS -X POST "${API_URL}auth" --user-agent "Pi-hole cli " --data "{\"password\":\"${password}\"}" )"
+    sessionResponse="$(curl --connect-timeout 2 -skS -X POST "${API_URL}auth" --user-agent "Pi-hole cli" --data "{\"password\":\"${password}\", \"totp\":${totp:-null}}" )"
-  if [ -z "${sessionResponse}" ]; then
+    if [ -z "${sessionResponse}" ]; then
-    echo "No response from FTL server. Please check connectivity"
+        echo "No response from FTL server. Please check connectivity"
-    exit 1
+        exit 1
-  fi
+    fi
-  # obtain validity and session ID from session response
+    # obtain validity, session ID and sessionMessage from session response
-  validSession=$(echo "${sessionResponse}"| jq .session.valid 2>/dev/null)
+    validSession=$(echo "${sessionResponse}"| jq .session.valid 2>/dev/null)
-  SID=$(echo "${sessionResponse}"| jq --raw-output .session.sid 2>/dev/null)
+    SID=$(echo "${sessionResponse}"| jq --raw-output .session.sid 2>/dev/null)
-
+    sessionMessage=$(echo "${sessionResponse}"| jq --raw-output .session.message 2>/dev/null)
-  if [ "${1}" = "verbose" ]; then
+
-    if [ "${validSession}" = true ]; then
+    # obtain the error message from the session response
-      echo "API Authentication: ${COL_GREEN}Success${COL_NC}"
+    sessionError=$(echo "${sessionResponse}"| jq --raw-output .error.message 2>/dev/null)
-    else
+
-      echo "API Authentication: ${COL_RED}Failed${COL_NC}"
+    if [ "${1}" = "verbose" ]; then
        if [ "${validSession}" = true ]; then
            echo "API Authentication: ${COL_GREEN}Success${COL_NC}"
        else
            echo "API Authentication: ${COL_RED}Failed${COL_NC}"
        fi
    fi
  fi
 }
 LogoutAPI() {
@ -185,7 +235,7 @@ GetFTLData() {
    # return only the data
    if [ "${status}" = 200 ]; then
        # response OK
-        echo "${data}"
+        printf %s "${data}"
    else
        # connection lost
        echo "${status}"
@ -259,14 +309,23 @@ secretRead() {
 }
 apiFunc() {
-  local data response status status_col
+  local data response status status_col verbosity
  # Define if the output will be silent (default) or verbose
  verbosity="silent"
  if [ "$1" = "verbose" ]; then
    verbosity="verbose"
    shift
  fi
  # Authenticate with the API
-  LoginAPI verbose
+  LoginAPI "${verbosity}"
  echo ""
-  echo "Requesting: ${COL_PURPLE}GET ${COL_CYAN}${API_URL}${COL_YELLOW}$1${COL_NC}"
+  if [ "${verbosity}" = "verbose" ]; then
-  echo ""
+    echo ""
    echo "Requesting: ${COL_PURPLE}GET ${COL_CYAN}${API_URL}${COL_YELLOW}$1${COL_NC}"
    echo ""
  fi
  # Get the data from the API
  response=$(GetFTLData "$1" raw)
@ -283,11 +342,18 @@ apiFunc() {
  else
    status_col="${COL_RED}"
  fi
-  echo "Status: ${status_col}${status}${COL_NC}"
+
  # Only print the status in verbose mode or if the status is not 200
  if [ "${verbosity}" = "verbose" ] || [ "${status}" != 200 ]; then
    echo "Status: ${status_col}${status}${COL_NC}"
  fi
  # Output the data. Format it with jq if available and data is actually JSON.
  # Otherwise just print it
-  echo "Data:"
+  if [ "${verbosity}" = "verbose" ]; then
    echo "Data:"
  fi
  if command -v jq >/dev/null && echo "${data}" | jq . >/dev/null 2>&1; then
    echo "${data}" | jq .
  else
@ -295,5 +361,5 @@ apiFunc() {
  fi
  # Delete the session
-  LogoutAPI verbose
+  LogoutAPI "${verbosity}"
 }
--- a/advanced/Scripts/database_migration/gravity-db.sh
+++ b/advanced/Scripts/database_migration/gravity-db.sh
@ -1,5 +1,5 @@
 #!/usr/bin/env bash
-# shellcheck disable=SC1090
+
 # Pi-hole: A black hole for Internet advertisements
 # (c) 2019 Pi-hole, LLC (https://pi-hole.net)
@ -13,9 +13,8 @@
 readonly scriptPath="/etc/.pihole/advanced/Scripts/database_migration/gravity"
 upgrade_gravityDB(){
-    local database piholeDir version
+    local database version
    database="${1}"
    piholeDir="${2}"
    # Exit early if the database does not exist (e.g. in CI tests)
    if [[ ! -f "${database}" ]]; then
--- a/advanced/Scripts/list.sh
+++ b/advanced/Scripts/list.sh
@ -1,5 +1,4 @@
 #!/usr/bin/env bash
 # shellcheck disable=SC1090
 # Pi-hole: A black hole for Internet advertisements
 # (c) 2017 Pi-hole, LLC (https://pi-hole.net)
@ -12,9 +11,11 @@
 readonly PI_HOLE_SCRIPT_DIR="/opt/pihole"
 readonly utilsfile="${PI_HOLE_SCRIPT_DIR}/utils.sh"
 # shellcheck source="./advanced/Scripts/utils.sh"
 source "${utilsfile}"
 readonly apifile="${PI_HOLE_SCRIPT_DIR}/api.sh"
 # shellcheck source="./advanced/Scripts/api.sh"
 source "${apifile}"
 # Determine database location
@ -39,6 +40,7 @@ typeId=""
 comment=""
 colfile="/opt/pihole/COL_TABLE"
 # shellcheck source="./advanced/Scripts/COL_TABLE"
 source ${colfile}
 helpFunc() {
--- a/advanced/Scripts/piholeARPTable.sh
+++ b/advanced/Scripts/piholeARPTable.sh
@ -1,5 +1,4 @@
 #!/usr/bin/env bash
 # shellcheck disable=SC1090
 # Pi-hole: A black hole for Internet advertisements
 # (c) 2019 Pi-hole, LLC (https://pi-hole.net)
@ -12,11 +11,13 @@
 coltable="/opt/pihole/COL_TABLE"
 if [[ -f ${coltable} ]]; then
 # shellcheck source="./advanced/Scripts/COL_TABLE"
    source ${coltable}
 fi
 readonly PI_HOLE_SCRIPT_DIR="/opt/pihole"
 utilsfile="${PI_HOLE_SCRIPT_DIR}/utils.sh"
 # shellcheck source=./advanced/Scripts/utils.sh
 source "${utilsfile}"
 # Determine database location
--- a/advanced/Scripts/piholeCheckout.sh
+++ b/advanced/Scripts/piholeCheckout.sh
@ -10,6 +10,7 @@
 readonly PI_HOLE_FILES_DIR="/etc/.pihole"
 SKIP_INSTALL="true"
 # shellcheck source="./automated install/basic-install.sh"
 source "${PI_HOLE_FILES_DIR}/automated install/basic-install.sh"
 # webInterfaceGitUrl set in basic-install.sh
@ -25,7 +26,7 @@ source "${PI_HOLE_FILES_DIR}/automated install/basic-install.sh"
 warning1() {
    echo "  Please note that changing branches severely alters your Pi-hole subsystems"
    echo "  Features that work on the master branch, may not on a development branch"
-    echo -e "  ${COL_LIGHT_RED}This feature is NOT supported unless a Pi-hole developer explicitly asks!${COL_NC}"
+    echo -e "  ${COL_RED}This feature is NOT supported unless a Pi-hole developer explicitly asks!${COL_NC}"
    read -r -p "  Have you read and understood this? [y/N] " response
    case "${response}" in
        [yY][eE][sS]|[yY])
@ -54,19 +55,19 @@ checkout() {
    # This is unlikely
    if ! is_repo "${PI_HOLE_FILES_DIR}" ; then
-        echo -e "  ${COL_LIGHT_RED}Error: Core Pi-hole repo is missing from system!"
+        echo -e "  ${COL_RED}Error: Core Pi-hole repo is missing from system!"
        echo -e "  Please re-run install script from https://github.com/pi-hole/pi-hole${COL_NC}"
        exit 1;
    fi
    if ! is_repo "${webInterfaceDir}" ; then
-        echo -e "  ${COL_LIGHT_RED}Error: Web Admin repo is missing from system!"
+        echo -e "  ${COL_RED}Error: Web Admin repo is missing from system!"
        echo -e "  Please re-run install script from https://github.com/pi-hole/pi-hole${COL_NC}"
        exit 1;
    fi
    if [[ -z "${1}" ]]; then
-        echo -e "  ${COL_LIGHT_RED}Invalid option${COL_NC}"
+        echo -e "  ${COL_RED}Invalid option${COL_NC}"
        echo -e "  Try 'pihole checkout --help' for more information."
        exit 1
    fi
@ -109,7 +110,7 @@ checkout() {
            echo -e "${OVER}  ${CROSS} $str"
            exit 1
        fi
-        corebranches=($(get_available_branches "${PI_HOLE_FILES_DIR}"))
+        mapfile -t corebranches < <(get_available_branches "${PI_HOLE_FILES_DIR}")
        if [[ "${corebranches[*]}" == *"master"* ]]; then
            echo -e "${OVER}  ${TICK} $str"
@ -136,7 +137,7 @@ checkout() {
            echo -e "${OVER}  ${CROSS} $str"
            exit 1
        fi
-        webbranches=($(get_available_branches "${webInterfaceDir}"))
+        mapfile -t webbranches < <(get_available_branches "${webInterfaceDir}")
        if [[ "${webbranches[*]}" == *"master"* ]]; then
            echo -e "${OVER}  ${TICK} $str"
@ -167,7 +168,7 @@ checkout() {
        # Check if requested branch is available
        echo -e "  ${INFO} Checking for availability of branch ${COL_CYAN}${2}${COL_NC} on GitHub"
-        ftlbranches=( $(git ls-remote https://github.com/pi-hole/ftl | grep "refs/heads" | cut -d'/' -f3- -) )
+        mapfile -t ftlbranches < <(git ls-remote https://github.com/pi-hole/ftl | grep "refs/heads" | cut -d'/' -f3- -)
        # If returned array is empty -> connectivity issue
        if [[ ${#ftlbranches[@]} -eq 0 ]]; then
            echo -e "  ${CROSS} Unable to fetch branches from GitHub. Please check your Internet connection and try again later."
@ -209,13 +210,15 @@ checkout() {
            # Update local and remote versions via updatechecker
            /opt/pihole/updatecheck.sh
        else
-            if [ $? -eq 1 ]; then
+            local status
            status=$?
            if [ $status -eq 1 ]; then
                # Binary for requested branch is not available, may still be
                # int he process of being built or CI build job failed
-                printf "  %b Binary for requested branch is not available, please try again later.\\n" ${CROSS}
+                printf "  %b Binary for requested branch is not available, please try again later.\\n" "${CROSS}"
                printf "      If the issue persists, please contact Pi-hole Support and ask them to re-generate the binary.\\n"
                exit 1
-            elif [ $? -eq 2 ]; then
+            elif [ $status -eq 2 ]; then
                printf "  %b Unable to download from ftl.pi-hole.net. Please check your Internet connection and try again later.\\n" "${CROSS}"
                exit 1
            else
@ -235,7 +238,7 @@ checkout() {
        if "${PI_HOLE_FILES_DIR}/automated install/basic-install.sh" --unattended; then
            exit 0
        else
-            echo -e "  ${COL_LIGHT_RED} Error: Unable to complete update, please contact support${COL_NC}"
+            echo -e "  ${COL_RED} Error: Unable to complete update, please contact support${COL_NC}"
            exit 1
        fi
    fi
--- a/advanced/Scripts/piholeDebug.sh
+++ b/advanced/Scripts/piholeDebug.sh
@ -8,7 +8,6 @@
 # This file is copyright under the latest version of the EUPL.
 # Please see LICENSE file for your rights under this license.
 # shellcheck source=/dev/null
 # -e option instructs bash to immediately exit if any command [1] has a non-zero exit status
 # -u a reference to any variable you haven't previously defined
@ -27,6 +26,7 @@ PIHOLE_COLTABLE_FILE="${PIHOLE_SCRIPTS_DIRECTORY}/COL_TABLE"
 # These provide the colors we need for making the log more readable
 if [[ -f ${PIHOLE_COLTABLE_FILE} ]]; then
 # shellcheck source=./advanced/Scripts/COL_TABLE
    source ${PIHOLE_COLTABLE_FILE}
 else
    COL_NC='\e[0m' # No Color
@ -41,7 +41,7 @@ else
    #OVER="\r\033[K"
 fi
-# shellcheck disable=SC1091
+# shellcheck source=/dev/null
 . /etc/pihole/versions
 # Read the value of an FTL config key. The value is printed to stdout.
@ -213,7 +213,7 @@ compare_local_version_to_git_version() {
            local local_status
            local_status=$(git status -s)
            # echo this information out to the user in a nice format
-            if [ ${local_version} ]; then
+            if [ "${local_version}" ]; then
              log_write "${TICK} Version: ${local_version}"
            elif [ -n "${DOCKER_VERSION}" ]; then
              log_write "${TICK} Version: Pi-hole Docker Container ${COL_BOLD}${DOCKER_VERSION}${COL_NC}"
@ -296,91 +296,12 @@ check_component_versions() {
    check_ftl_version
 }
 os_check() {
    # This function gets a list of supported OS versions from a TXT record at versions.pi-hole.net
    # and determines whether or not the script is running on one of those systems
    local remote_os_domain valid_os valid_version detected_os detected_version cmdResult digReturnCode response
    remote_os_domain=${OS_CHECK_DOMAIN_NAME:-"versions.pi-hole.net"}
    detected_os=$(grep "\bID\b" /etc/os-release | cut -d '=' -f2 | tr -d '"')
    detected_version=$(grep VERSION_ID /etc/os-release | cut -d '=' -f2 | tr -d '"')
    cmdResult="$(dig -4 +short -t txt "${remote_os_domain}" @ns1.pi-hole.net 2>&1; echo $?)"
    #Get the return code of the previous command (last line)
    digReturnCode="${cmdResult##*$'\n'}"
    # Extract dig response
    response="${cmdResult%%$'\n'*}"
    if [ "${digReturnCode}" -ne 0 ]; then
        log_write "${INFO} Distro: ${detected_os^}"
        log_write "${INFO} Version: ${detected_version}"
        log_write "${CROSS} dig IPv4 return code: ${COL_RED}${digReturnCode}${COL_NC}"
        log_write "${CROSS} dig response: ${response}"
        log_write "${INFO} Retrying via IPv6"
        cmdResult="$(dig -6 +short -t txt "${remote_os_domain}" @ns1.pi-hole.net 2>&1; echo $?)"
        #Get the return code of the previous command (last line)
        digReturnCode="${cmdResult##*$'\n'}"
        # Extract dig response
        response="${cmdResult%%$'\n'*}"
    fi
    # If also no success via IPv6
    if [ "${digReturnCode}" -ne 0 ]; then
        log_write "${CROSS} dig IPv6 return code: ${COL_RED}${digReturnCode}${COL_NC}"
        log_write "${CROSS} dig response: ${response}"
        log_write "${CROSS} Error: ${COL_RED}dig command failed - Unable to check OS${COL_NC}"
    else
        IFS=" " read -r -a supportedOS < <(echo "${response}" | tr -d '"')
        for distro_and_versions in "${supportedOS[@]}"
        do
            distro_part="${distro_and_versions%%=*}"
            versions_part="${distro_and_versions##*=}"
            if [[ "${detected_os^^}" =~ ${distro_part^^} ]]; then
                valid_os=true
                IFS="," read -r -a supportedVer <<<"${versions_part}"
                for version in "${supportedVer[@]}"
                do
                    if [[ "${detected_version}" =~ $version ]]; then
                        valid_version=true
                        break
                    fi
                done
                break
            fi
        done
        # If it is a docker container, we can assume the OS is supported
        [ -n "${DOCKER_VERSION}" ] && valid_os=true && valid_version=true
        local finalmsg
        if [ "$valid_os" = true ]; then
            log_write "${TICK} Distro:  ${COL_GREEN}${detected_os^}${COL_NC}"
            if [ "$valid_version" = true ]; then
                log_write "${TICK} Version: ${COL_GREEN}${detected_version}${COL_NC}"
                finalmsg="${TICK} ${COL_GREEN}Distro and version supported${COL_NC}"
            else
                log_write "${CROSS} Version: ${COL_RED}${detected_version}${COL_NC}"
                finalmsg="${CROSS} Error: ${COL_RED}${detected_os^} is supported but version ${detected_version} is currently unsupported ${COL_NC}(${FAQ_HARDWARE_REQUIREMENTS})${COL_NC}"
            fi
        else
            log_write "${CROSS} Distro:  ${COL_RED}${detected_os^}${COL_NC}"
            finalmsg="${CROSS} Error: ${COL_RED}${detected_os^} is not a supported distro ${COL_NC}(${FAQ_HARDWARE_REQUIREMENTS})${COL_NC}"
        fi
        # Print dig response and the final check result
        log_write "${TICK} dig return code: ${COL_GREEN}${digReturnCode}${COL_NC}"
        log_write "${INFO} dig response: ${response}"
        log_write "${finalmsg}"
    fi
 }
 diagnose_operating_system() {
    # error message in a variable so we can easily modify it later (or reuse it)
    local error_msg="Distribution unknown -- most likely you are on an unsupported platform and may run into issues."
    local detected_os
    local detected_version
    # Display the current test that is running
    echo_current_diagnostic "Operating system"
@ -389,8 +310,13 @@ diagnose_operating_system() {
    # If there is a /etc/*release file, it's probably a supported operating system, so we can
    if ls /etc/*release 1> /dev/null 2>&1; then
-        # display the attributes to the user from the function made earlier
+        # display the attributes to the user
-        os_check
+
        detected_os=$(grep "\bID\b" /etc/os-release | cut -d '=' -f2 | tr -d '"')
        detected_version=$(grep VERSION_ID /etc/os-release | cut -d '=' -f2 | tr -d '"')
        log_write "${INFO} Distro: ${detected_os^}"
        log_write "${INFO} Version: ${detected_version}"
    else
        # If it doesn't exist, it's not a system we currently support and link to FAQ
        log_write "${CROSS} ${COL_RED}${error_msg}${COL_NC} (${FAQ_HARDWARE_REQUIREMENTS})"
@ -441,7 +367,7 @@ check_firewalld() {
            # test common required service ports
            local firewalld_enabled_services
            firewalld_enabled_services=$(firewall-cmd --list-services)
-            local firewalld_expected_services=("http" "dns" "dhcp" "dhcpv6")
+            local firewalld_expected_services=("http" "https" "dns" "dhcp" "dhcpv6" "ntp")
            for i in "${firewalld_expected_services[@]}"; do
                if [[ "${firewalld_enabled_services}" =~ ${i} ]]; then
                    log_write "${TICK} ${COL_GREEN}  Allow Service: ${i}${COL_NC}";
@ -462,14 +388,6 @@ check_firewalld() {
                else
                    log_write "${CROSS} ${COL_RED}  Local Interface Not Detected${COL_NC} (${FAQ_HARDWARE_REQUIREMENTS_FIREWALLD})"
                fi
                # check FTL custom zone port: 4711
                local firewalld_ftl_zone_ports
                firewalld_ftl_zone_ports=$(firewall-cmd --zone=ftl --list-ports)
                if [[ "${firewalld_ftl_zone_ports}" =~ "4711/tcp" ]]; then
                    log_write "${TICK} ${COL_GREEN}  FTL Port 4711/tcp Detected${COL_NC}";
                else
                    log_write "${CROSS} ${COL_RED}  FTL Port 4711/tcp Not Detected${COL_NC} (${FAQ_HARDWARE_REQUIREMENTS_FIREWALLD})"
                fi
            else
                log_write "${CROSS} ${COL_RED}FTL Custom Zone Not Detected${COL_NC} (${FAQ_HARDWARE_REQUIREMENTS_FIREWALLD})"
            fi
@ -488,7 +406,9 @@ run_and_print_command() {
    local output
    output=$(${cmd} 2>&1)
    # If the command was successful,
-    if [[ $? -eq 0 ]]; then
+    local return_code
    return_code=$?
    if [[ "${return_code}" -eq 0 ]]; then
        # show the output
        log_write "${output}"
    else
@ -569,16 +489,25 @@ ping_gateway() {
    ping_ipv4_or_ipv6 "${protocol}"
    # Check if we are using IPv4 or IPv6
    # Find the default gateways using IPv4 or IPv6
-    local gateway gateway_addr gateway_iface
+    local gateway gateway_addr gateway_iface default_route
    log_write "${INFO} Default IPv${protocol} gateway(s):"
-    while IFS= read -r gateway; do
+    while IFS= read -r default_route; do
-        log_write "     $(cut -d ' ' -f 3 <<< "${gateway}")%$(cut -d ' ' -f 5 <<< "${gateway}")"
+        gateway_addr=$(jq -r '.gateway' <<< "${default_route}")
-    done < <(ip -"${protocol}" route | grep default)
+        gateway_iface=$(jq -r '.dev' <<< "${default_route}")
        log_write "     ${gateway_addr}%${gateway_iface}"
    done < <(ip -j -"${protocol}" route | jq -c '.[] | select(.dst == "default")')
    # Find the first default route
    default_route=$(ip -j -"${protocol}" route show default)
    if echo "$default_route" | grep 'gateway' | grep -q 'dev'; then
        gateway_addr=$(echo "$default_route" | jq -r -c '.[0].gateway')
        gateway_iface=$(echo "$default_route" | jq -r -c '.[0].dev')
    else
        log_write "     Unable to determine gateway address for IPv${protocol}"
    fi
    gateway_addr=$(ip -"${protocol}" route | grep default | cut -d ' ' -f 3 | head -n 1)
    gateway_iface=$(ip -"${protocol}" route | grep default | cut -d ' ' -f 5 | head -n 1)
    # If there was at least one gateway
    if [ -n "${gateway_addr}" ]; then
        # Append the interface to the gateway address if it is a link-local address
@ -933,7 +862,6 @@ parse_file() {
    # Get the lines that are in the file(s) and store them in an array for parsing later
    local file_info
    if [[ -f "$filename" ]]; then
        #shellcheck disable=SC2016
        IFS=$'\r\n' command eval 'file_info=( $(cat "${filename}") )'
    else
        read -r -a file_info <<< "$filename"
--- a/advanced/Scripts/piholeLogFlush.sh
+++ b/advanced/Scripts/piholeLogFlush.sh
@ -9,10 +9,12 @@
 # Please see LICENSE file for your rights under this license.
 colfile="/opt/pihole/COL_TABLE"
 # shellcheck source="./advanced/Scripts/COL_TABLE"
 source ${colfile}
 readonly PI_HOLE_SCRIPT_DIR="/opt/pihole"
 utilsfile="${PI_HOLE_SCRIPT_DIR}/utils.sh"
 # shellcheck source="./advanced/Scripts/utils.sh"
 source "${utilsfile}"
 # In case we're running at the same time as a system logrotate, use a
@ -35,6 +37,46 @@ FTLFILE=$(getFTLConfigValue "files.log.ftl")
 if [ -z "$FTLFILE" ]; then
    FTLFILE="/var/log/pihole/FTL.log"
 fi
 WEBFILE=$(getFTLConfigValue "files.log.webserver")
 if [ -z "$WEBFILE" ]; then
    WEBFILE="/var/log/pihole/webserver.log"
 fi
 # Helper function to handle log rotation for a single file
 rotate_log() {
    # This function copies x.log over to x.log.1
    # and then empties x.log
    # Note that moving the file is not an option, as
    # dnsmasq would happily continue writing into the
    # moved file (it will have the same file handler)
    local logfile="$1"
    if [[ "$*" != *"quiet"* ]]; then
        echo -ne "  ${INFO} Rotating ${logfile} ..."
    fi
    cp -p "${logfile}" "${logfile}.1"
    echo " " > "${logfile}"
    chmod 640 "${logfile}"
    if [[ "$*" != *"quiet"* ]]; then
        echo -e "${OVER}  ${TICK} Rotated ${logfile} ..."
    fi
 }
 # Helper function to handle log flushing for a single file
 flush_log() {
    local logfile="$1"
    if [[ "$*" != *"quiet"* ]]; then
        echo -ne "  ${INFO} Flushing ${logfile} ..."
    fi
    echo " " > "${logfile}"
    chmod 640 "${logfile}"
    if [ -f "${logfile}.1" ]; then
        echo " " > "${logfile}.1"
        chmod 640 "${logfile}.1"
    fi
    if [[ "$*" != *"quiet"* ]]; then
        echo -e "${OVER}  ${TICK} Flushed ${logfile} ..."
    fi
 }
 if [[ "$*" == *"once"* ]]; then
    # Nightly logrotation
@ -46,62 +88,16 @@ if [[ "$*" == *"once"* ]]; then
        fi
        /usr/sbin/logrotate --force --state "${STATEFILE}" /etc/pihole/logrotate
    else
-        # Copy pihole.log over to pihole.log.1
+        # Handle rotation for each log file
-        # and empty out pihole.log
+        rotate_log "${LOGFILE}"
-        # Note that moving the file is not an option, as
+        rotate_log "${FTLFILE}"
-        # dnsmasq would happily continue writing into the
+        rotate_log "${WEBFILE}"
        # moved file (it will have the same file handler)
        if [[ "$*" != *"quiet"* ]]; then
            echo -ne "  ${INFO} Rotating ${LOGFILE} ..."
        fi
        cp -p "${LOGFILE}" "${LOGFILE}.1"
        echo " " > "${LOGFILE}"
        chmod 640 "${LOGFILE}"
        if [[ "$*" != *"quiet"* ]]; then
            echo -e "${OVER}  ${TICK} Rotated ${LOGFILE} ..."
        fi
        # Copy FTL.log over to FTL.log.1
        # and empty out FTL.log
        if [[ "$*" != *"quiet"* ]]; then
            echo -ne "  ${INFO} Rotating ${FTLFILE} ..."
        fi
        cp -p "${FTLFILE}" "${FTLFILE}.1"
        echo " " > "${FTLFILE}"
        chmod 640 "${FTLFILE}"
        if [[ "$*" != *"quiet"* ]]; then
            echo -e "${OVER}  ${TICK} Rotated ${FTLFILE} ..."
        fi
    fi
 else
    # Manual flushing
-
+    flush_log "${LOGFILE}"
-    # Flush both pihole.log and pihole.log.1 (if existing)
+    flush_log "${FTLFILE}"
-    if [[ "$*" != *"quiet"* ]]; then
+    flush_log "${WEBFILE}"
        echo -ne "  ${INFO} Flushing ${LOGFILE} ..."
    fi
    echo " " > "${LOGFILE}"
    chmod 640 "${LOGFILE}"
    if [ -f "${LOGFILE}.1" ]; then
        echo " " > "${LOGFILE}.1"
        chmod 640 "${LOGFILE}.1"
    fi
    if [[ "$*" != *"quiet"* ]]; then
        echo -e "${OVER}  ${TICK} Flushed ${LOGFILE} ..."
    fi
    # Flush both FTL.log and FTL.log.1 (if existing)
    if [[ "$*" != *"quiet"* ]]; then
        echo -ne "  ${INFO} Flushing ${FTLFILE} ..."
    fi
    echo " " > "${FTLFILE}"
    chmod 640 "${FTLFILE}"
    if [ -f "${FTLFILE}.1" ]; then
        echo " " > "${FTLFILE}.1"
        chmod 640 "${FTLFILE}.1"
    fi
    if [[ "$*" != *"quiet"* ]]; then
        echo -e "${OVER}  ${TICK} Flushed ${FTLFILE} ..."
    fi
    if [[ "$*" != *"quiet"* ]]; then
        echo -ne "  ${INFO} Flushing database, DNS resolution temporarily unavailable ..."
--- a/advanced/Scripts/query.sh
+++ b/advanced/Scripts/query.sh
@ -1,9 +1,4 @@
 #!/usr/bin/env sh
 # shellcheck disable=SC1090
 # Ignore warning about `local` being undefinded in POSIX
 # shellcheck disable=SC3043
 # https://github.com/koalaman/shellcheck/wiki/SC3043#exceptions
 # Pi-hole: A black hole for Internet advertisements
 # (c) 2023 Pi-hole, LLC (https://pi-hole.net)
@ -22,9 +17,11 @@ domain=""
 # Source color table
 colfile="/opt/pihole/COL_TABLE"
 # shellcheck source="./advanced/Scripts/COL_TABLE"
 . "${colfile}"
 # Source api functions
 # shellcheck source="./advanced/Scripts/api.sh"
 . "${PI_HOLE_INSTALL_DIR}/api.sh"
 Help() {
--- a/advanced/Scripts/update.sh
+++ b/advanced/Scripts/update.sh
@ -12,26 +12,31 @@
 # Variables
 readonly ADMIN_INTERFACE_GIT_URL="https://github.com/pi-hole/web.git"
 readonly ADMIN_INTERFACE_DIR="/var/www/html/admin"
 readonly PI_HOLE_GIT_URL="https://github.com/pi-hole/pi-hole.git"
 readonly PI_HOLE_FILES_DIR="/etc/.pihole"
 # shellcheck disable=SC2034
 SKIP_INSTALL=true
 # when --check-only is passed to this script, it will not perform the actual update
 CHECK_ONLY=false
-# shellcheck disable=SC1090
+# shellcheck source="./automated install/basic-install.sh"
 source "${PI_HOLE_FILES_DIR}/automated install/basic-install.sh"
-# shellcheck disable=SC1091
+# shellcheck source=./advanced/Scripts/COL_TABLE
 source "/opt/pihole/COL_TABLE"
 # shellcheck source="./advanced/Scripts/utils.sh"
 source "${PI_HOLE_INSTALL_DIR}/utils.sh"
 # is_repo() sourced from basic-install.sh
 # make_repo() sourced from basic-install.sh
 # update_repo() source from basic-install.sh
 # getGitFiles() sourced from basic-install.sh
 # FTLcheckUpdate() sourced from basic-install.sh
 # getFTLConfigValue() sourced from utils.sh
 # Honour configured paths for the web application.
 ADMIN_INTERFACE_DIR=$(getFTLConfigValue "webserver.paths.webroot")$(getFTLConfigValue "webserver.paths.webhome")
 readonly ADMIN_INTERFACE_DIR
 GitCheckUpdateAvail() {
    local directory
@ -42,7 +47,7 @@ GitCheckUpdateAvail() {
    # Fetch latest changes in this repo
    if ! git fetch --quiet origin ; then
-        echo -e "\\n  ${COL_LIGHT_RED}Error: Unable to update local repository. Contact Pi-hole Support.${COL_NC}"
+        echo -e "\\n  ${COL_RED}Error: Unable to update local repository. Contact Pi-hole Support.${COL_NC}"
        exit 1
    fi
@ -71,13 +76,13 @@ GitCheckUpdateAvail() {
    if [[ "${#LOCAL}" == 0 ]]; then
-        echo -e "\\n  ${COL_LIGHT_RED}Error: Local revision could not be obtained, please contact Pi-hole Support"
+        echo -e "\\n  ${COL_RED}Error: Local revision could not be obtained, please contact Pi-hole Support"
        echo -e "  Additional debugging output:${COL_NC}"
        git status
        exit 1
    fi
    if [[ "${#REMOTE}" == 0 ]]; then
-        echo -e "\\n  ${COL_LIGHT_RED}Error: Remote revision could not be obtained, please contact Pi-hole Support"
+        echo -e "\\n  ${COL_RED}Error: Remote revision could not be obtained, please contact Pi-hole Support"
        echo -e "  Additional debugging output:${COL_NC}"
        git status
        exit 1
@ -98,7 +103,7 @@ GitCheckUpdateAvail() {
 }
 main() {
-    local basicError="\\n  ${COL_LIGHT_RED}Unable to complete update, please contact Pi-hole Support${COL_NC}"
+    local basicError="\\n  ${COL_RED}Unable to complete update, please contact Pi-hole Support${COL_NC}"
    local core_update
    local web_update
    local FTL_update
@ -107,8 +112,6 @@ main() {
    web_update=false
    FTL_update=false
    # Perform an OS check to ensure we're on an appropriate operating system
    os_check
    # Install packages used by this installation script (necessary if users have removed e.g. git from their systems)
    package_manager_detect
@ -117,7 +120,7 @@ main() {
    # This is unlikely
    if ! is_repo "${PI_HOLE_FILES_DIR}" ; then
-        echo -e "\\n  ${COL_LIGHT_RED}Error: Core Pi-hole repo is missing from system!"
+        echo -e "\\n  ${COL_RED}Error: Core Pi-hole repo is missing from system!"
        echo -e "  Please re-run install script from https://pi-hole.net${COL_NC}"
        exit 1;
    fi
@ -129,11 +132,11 @@ main() {
        echo -e "  ${INFO} Pi-hole Core:\\t${COL_YELLOW}update available${COL_NC}"
    else
        core_update=false
-        echo -e "  ${INFO} Pi-hole Core:\\t${COL_LIGHT_GREEN}up to date${COL_NC}"
+        echo -e "  ${INFO} Pi-hole Core:\\t${COL_GREEN}up to date${COL_NC}"
    fi
    if ! is_repo "${ADMIN_INTERFACE_DIR}" ; then
-        echo -e "\\n  ${COL_LIGHT_RED}Error: Web Admin repo is missing from system!"
+        echo -e "\\n  ${COL_RED}Error: Web Admin repo is missing from system!"
        echo -e "  Please re-run install script from https://pi-hole.net${COL_NC}"
        exit 1;
    fi
@ -143,7 +146,7 @@ main() {
        echo -e "  ${INFO} Web Interface:\\t${COL_YELLOW}update available${COL_NC}"
    else
        web_update=false
-        echo -e "  ${INFO} Web Interface:\\t${COL_LIGHT_GREEN}up to date${COL_NC}"
+        echo -e "  ${INFO} Web Interface:\\t${COL_GREEN}up to date${COL_NC}"
    fi
    local funcOutput
@ -157,17 +160,18 @@ main() {
    else
        case $? in
            1)
-                echo -e "  ${INFO} FTL:\\t\\t${COL_LIGHT_GREEN}up to date${COL_NC}"
+                echo -e "  ${INFO} FTL:\\t\\t${COL_GREEN}up to date${COL_NC}"
                ;;
            2)
-                echo -e "  ${INFO} FTL:\\t\\t${COL_LIGHT_RED}Branch is not available.${COL_NC}\\n\\t\\t\\tUse ${COL_LIGHT_GREEN}pihole checkout ftl [branchname]${COL_NC} to switch to a valid branch."
+                echo -e "  ${INFO} FTL:\\t\\t${COL_RED}Branch is not available.${COL_NC}\\n\\t\\t\\tUse ${COL_GREEN}pihole checkout ftl [branchname]${COL_NC} to switch to a valid branch."
                exit 1
                ;;
            3)
-                echo -e "  ${INFO} FTL:\\t\\t${COL_LIGHT_RED}Something has gone wrong, cannot reach download server${COL_NC}"
+                echo -e "  ${INFO} FTL:\\t\\t${COL_RED}Something has gone wrong, cannot reach download server${COL_NC}"
                exit 1
                ;;
            *)
-                echo -e "  ${INFO} FTL:\\t\\t${COL_LIGHT_RED}Something has gone wrong, contact support${COL_NC}"
+                echo -e "  ${INFO} FTL:\\t\\t${COL_RED}Something has gone wrong, contact support${COL_NC}"
                exit 1
        esac
        FTL_update=false
@ -184,7 +188,7 @@ main() {
    if [[ ! "${ftlBranch}" == "master" && ! "${ftlBranch}" == "development" ]]; then
        # Notify user that they are on a custom branch which might mean they they are lost
        # behind if a branch was merged to development and got abandoned
-        printf "  %b %bWarning:%b You are using FTL from a custom branch (%s) and might be missing future releases.\\n" "${INFO}" "${COL_LIGHT_RED}" "${COL_NC}" "${ftlBranch}"
+        printf "  %b %bWarning:%b You are using FTL from a custom branch (%s) and might be missing future releases.\\n" "${INFO}" "${COL_RED}" "${COL_NC}" "${ftlBranch}"
    fi
    if [[ "${core_update}" == false && "${web_update}" == false && "${FTL_update}" == false ]]; then
@ -209,7 +213,7 @@ main() {
        echo ""
        echo -e "  ${INFO} Pi-hole Web Admin files out of date, updating local repo."
        getGitFiles "${ADMIN_INTERFACE_DIR}" "${ADMIN_INTERFACE_GIT_URL}"
-        echo -e "  ${INFO} If you had made any changes in '/var/www/html/admin/', they have been stashed using 'git stash'"
+        echo -e "  ${INFO} If you had made any changes in '${ADMIN_INTERFACE_DIR}', they have been stashed using 'git stash'"
    fi
    if [[ "${FTL_update}" == true ]]; then
--- a/advanced/Scripts/updatecheck.sh
+++ b/advanced/Scripts/updatecheck.sh
@ -39,9 +39,12 @@ function get_remote_hash() {
 }
 # Source the utils file for addOrEditKeyValPair()
-# shellcheck disable=SC1091
+# shellcheck source="./advanced/Scripts/utils.sh"
 . /opt/pihole/utils.sh
 ADMIN_INTERFACE_DIR=$(getFTLConfigValue "webserver.paths.webroot")$(getFTLConfigValue "webserver.paths.webhome")
 readonly ADMIN_INTERFACE_DIR
 # Remove the below three legacy files if they exist
 rm -f "/etc/pihole/GitHubVersions"
 rm -f "/etc/pihole/localbranches"
@ -85,13 +88,13 @@ addOrEditKeyValPair "${VERSION_FILE}" "GITHUB_CORE_HASH" "${GITHUB_CORE_HASH}"
 # get Web versions
-WEB_VERSION="$(get_local_version /var/www/html/admin)"
+WEB_VERSION="$(get_local_version "${ADMIN_INTERFACE_DIR}")"
 addOrEditKeyValPair "${VERSION_FILE}" "WEB_VERSION" "${WEB_VERSION}"
-WEB_BRANCH="$(get_local_branch /var/www/html/admin)"
+WEB_BRANCH="$(get_local_branch "${ADMIN_INTERFACE_DIR}")"
 addOrEditKeyValPair "${VERSION_FILE}" "WEB_BRANCH" "${WEB_BRANCH}"
-WEB_HASH="$(get_local_hash /var/www/html/admin)"
+WEB_HASH="$(get_local_hash "${ADMIN_INTERFACE_DIR}")"
 addOrEditKeyValPair "${VERSION_FILE}" "WEB_HASH" "${WEB_HASH}"
 GITHUB_WEB_VERSION="$(get_remote_version web "${WEB_BRANCH}")"
--- a/advanced/Scripts/utils.sh
+++ b/advanced/Scripts/utils.sh
@ -1,5 +1,4 @@
 #!/usr/bin/env sh
 # shellcheck disable=SC3043 #https://github.com/koalaman/shellcheck/wiki/SC3043#exceptions
 # Pi-hole: A black hole for Internet advertisements
 # (c) 2017 Pi-hole, LLC (https://pi-hole.net)
@ -88,8 +87,8 @@ getFTLConfigValue(){
 #######################
 setFTLConfigValue(){
  pihole-FTL --config "${1}" "${2}" >/dev/null
-  if [[ $? -eq 5 ]]; then
+  if [ $? -eq 5 ]; then
-    echo -e "  ${CROSS} ${1} set by environment variable. Please unset it to use this function"
+    printf "  %s %s set by environment variable. Please unset it to use this function\n" "${CROSS}" "${1}"
    exit 5
  fi
 }
--- a/advanced/Scripts/version.sh
+++ b/advanced/Scripts/version.sh
@ -8,20 +8,16 @@
 # This file is copyright under the latest version of the EUPL.
 # Please see LICENSE file for your rights under this license.
-# Ignore warning about `local` being undefinded in POSIX
+# Source the versions file populated by updatechecker.sh
 # shellcheck disable=SC3043
 # https://github.com/koalaman/shellcheck/wiki/SC3043#exceptions
 # Source the versions file poupulated by updatechecker.sh
 cachedVersions="/etc/pihole/versions"
 if [ -f ${cachedVersions} ]; then
-    # shellcheck disable=SC1090
+    # shellcheck source=/dev/null
    . "$cachedVersions"
 else
    echo "Could not find /etc/pihole/versions. Running update now."
    pihole updatechecker
-    # shellcheck disable=SC1090
+     # shellcheck source=/dev/null
    . "$cachedVersions"
 fi
--- a/advanced/Templates/gravity.db.sql
+++ b/advanced/Templates/gravity.db.sql
@ -43,8 +43,8 @@ CREATE TABLE adlist
 CREATE TABLE adlist_by_group
 (
-    adlist_id INTEGER NOT NULL REFERENCES adlist (id),
+    adlist_id INTEGER NOT NULL REFERENCES adlist (id) ON DELETE CASCADE,
-    group_id INTEGER NOT NULL REFERENCES "group" (id),
+    group_id INTEGER NOT NULL REFERENCES "group" (id) ON DELETE CASCADE,
    PRIMARY KEY (adlist_id, group_id)
 );
@ -75,8 +75,8 @@ INSERT INTO "info" VALUES('gravity_restored','false');
 CREATE TABLE domainlist_by_group
 (
-    domainlist_id INTEGER NOT NULL REFERENCES domainlist (id),
+    domainlist_id INTEGER NOT NULL REFERENCES domainlist (id) ON DELETE CASCADE,
-    group_id INTEGER NOT NULL REFERENCES "group" (id),
+    group_id INTEGER NOT NULL REFERENCES "group" (id) ON DELETE CASCADE,
    PRIMARY KEY (domainlist_id, group_id)
 );
@ -91,8 +91,8 @@ CREATE TABLE client
 CREATE TABLE client_by_group
 (
-    client_id INTEGER NOT NULL REFERENCES client (id),
+    client_id INTEGER NOT NULL REFERENCES client (id) ON DELETE CASCADE,
-    group_id INTEGER NOT NULL REFERENCES "group" (id),
+    group_id INTEGER NOT NULL REFERENCES "group" (id) ON DELETE CASCADE,
    PRIMARY KEY (client_id, group_id)
 );
--- a/advanced/Templates/pihole-FTL-poststop.sh
+++ b/advanced/Templates/pihole-FTL-poststop.sh
@ -3,7 +3,7 @@
 # Source utils.sh for getFTLConfigValue()
 PI_HOLE_SCRIPT_DIR='/opt/pihole'
 utilsfile="${PI_HOLE_SCRIPT_DIR}/utils.sh"
-# shellcheck disable=SC1090
+# shellcheck source="./advanced/Scripts/utils.sh"
 . "${utilsfile}"
 # Get file paths
--- a/advanced/Templates/pihole-FTL-prestart.sh
+++ b/advanced/Templates/pihole-FTL-prestart.sh
@ -3,7 +3,7 @@
 # Source utils.sh for getFTLConfigValue()
 PI_HOLE_SCRIPT_DIR='/opt/pihole'
 utilsfile="${PI_HOLE_SCRIPT_DIR}/utils.sh"
-# shellcheck disable=SC1090
+# shellcheck source="./advanced/Scripts/utils.sh"
 . "${utilsfile}"
 # Get file paths
@ -11,7 +11,11 @@ FTL_PID_FILE="$(getFTLConfigValue files.pid)"
 # Ensure that permissions are set so that pihole-FTL can edit all necessary files
 mkdir -p /var/log/pihole
-chown -R pihole:pihole /etc/pihole /var/log/pihole
+chown -R pihole:pihole /etc/pihole/ /var/log/pihole/
 # allow all users read version file (and use pihole -v)
 chmod 0644 /etc/pihole/versions
 # allow pihole to access subdirs in /etc/pihole (sets execution bit on dirs)
 find /etc/pihole/ /var/log/pihole/ -type d -exec chmod 0755 {} +
 # Set all files (except TLS-related ones) to u+rw g+r
@ -26,4 +30,5 @@ chown root:root /etc/pihole/logrotate
 [ -f "${FTL_PID_FILE}" ] || install -D -m 644 -o pihole -g pihole /dev/null "${FTL_PID_FILE}"
 [ -f /var/log/pihole/FTL.log ] || install -m 640 -o pihole -g pihole /dev/null /var/log/pihole/FTL.log
 [ -f /var/log/pihole/pihole.log ] || install -m 640 -o pihole -g pihole /dev/null /var/log/pihole/pihole.log
 [ -f /var/log/pihole/webserver.log ] || install -m 640 -o pihole -g pihole /dev/null /var/log/pihole/webserver.log
 [ -f /etc/pihole/dhcp.leases ] || install -m 644 -o pihole -g pihole /dev/null /etc/pihole/dhcp.leases
--- a/advanced/Templates/pihole-FTL.service
+++ b/advanced/Templates/pihole-FTL.service
@ -12,7 +12,7 @@
 # Source utils.sh for getFTLConfigValue(), getFTLPID()
 PI_HOLE_SCRIPT_DIR="/opt/pihole"
 utilsfile="${PI_HOLE_SCRIPT_DIR}/utils.sh"
-# shellcheck disable=SC1090
+# shellcheck source="./advanced/Scripts/utils.sh"
 . "${utilsfile}"
@ -57,13 +57,16 @@ start() {
 stop() {
  if is_running; then
    kill "${FTL_PID}"
-    for i in 1 2 3 4 5; do
+    # Give FTL 60 seconds to gracefully stop
    i=1
    while [ "${i}" -le 60 ]; do
      if ! is_running; then
        break
      fi
      printf "."
      sleep 1
      i=$((i + 1))
    done
    echo
--- a/advanced/Templates/pihole-FTL.systemd
+++ b/advanced/Templates/pihole-FTL.systemd
@ -28,7 +28,7 @@ ExecReload=/bin/kill -HUP $MAINPID
 ExecStopPost=/opt/pihole/pihole-FTL-poststop.sh
 # Use graceful shutdown with a reasonable timeout
-TimeoutStopSec=10s
+TimeoutStopSec=60s
 # Make /usr, /boot, /etc and possibly some more folders read-only...
 ProtectSystem=full
--- a/install/basic-install.sh
+++ b/install/basic-install.sh
@ -1,5 +1,4 @@
 #!/usr/bin/env bash
 # shellcheck disable=SC1090
 # Pi-hole: A black hole for Internet advertisements
 # (c) Pi-hole (https://pi-hole.net)
@ -49,7 +48,6 @@ Google (ECS, DNSSEC);8.8.8.8;8.8.4.4;2001:4860:4860:0:0:0:0:8888;2001:4860:4860:
 OpenDNS (ECS, DNSSEC);208.67.222.222;208.67.220.220;2620:119:35::35;2620:119:53::53
 Level3;4.2.2.1;4.2.2.2;;
 Comodo;8.26.56.26;8.20.247.20;;
 DNS.WATCH (DNSSEC);84.200.69.80;84.200.70.40;2001:1608:10:25:0:0:1c04:b12f;2001:1608:10:25:0:0:9249:d69b
 Quad9 (filtered, DNSSEC);9.9.9.9;149.112.112.112;2620:fe::fe;2620:fe::9
 Quad9 (unfiltered, no DNSSEC);9.9.9.10;149.112.112.10;2620:fe::10;2620:fe::fe:10
 Quad9 (filtered, ECS, DNSSEC);9.9.9.11;149.112.112.11;2620:fe::11;2620:fe::fe:11
@ -57,6 +55,17 @@ Cloudflare (DNSSEC);1.1.1.1;1.0.0.1;2606:4700:4700::1111;2606:4700:4700::1001
 EOM
 )
 DNS_SERVERS_IPV6_ONLY=$(
    cat <<EOM
 Google (ECS, DNSSEC);2001:4860:4860:0:0:0:0:8888;2001:4860:4860:0:0:0:0:8844
 OpenDNS (ECS, DNSSEC);2620:119:35::35;2620:119:53::53
 Quad9 (filtered, DNSSEC);2620:fe::fe;2620:fe::9
 Quad9 (unfiltered, no DNSSEC);2620:fe::10;2620:fe::fe:10
 Quad9 (filtered, ECS, DNSSEC);2620:fe::11;2620:fe::fe:11
 Cloudflare (DNSSEC);2606:4700:4700::1111;2606:4700:4700::1001
 EOM
 )
 # Location for final installation log storage
 installLogLoc="/etc/pihole/install.log"
 # This is a file used for the colorized output
@ -90,6 +99,7 @@ IPV6_ADDRESS=${IPV6_ADDRESS}
 # Give settings their default values. These may be changed by prompts later in the script.
 QUERY_LOGGING=
 PRIVACY_LEVEL=
 PIHOLE_INTERFACE=
 # Where old configs go to if a v6 migration is performed
 V6_CONF_MIGRATION_DIR="/etc/pihole/migration_backup_v6"
@ -106,11 +116,13 @@ c=70
 PIHOLE_META_PACKAGE_CONTROL_APT=$(
    cat <<EOM
 Package: pihole-meta
-Version: 0.1
+Version: 0.4
 Maintainer: Pi-hole team <adblock@pi-hole.net>
 Architecture: all
 Description: Pi-hole dependency meta package
-Depends: grep,dnsutils,binutils,git,iproute2,dialog,ca-certificates,cron,curl,iputils-ping,psmisc,sudo,unzip,libcap2-bin,dns-root-data,libcap2,netcat-openbsd,procps,jq,lshw,bash-completion
+Depends: awk,bash-completion,binutils,ca-certificates,cron|cron-daemon,curl,dialog,dnsutils,dns-root-data,git,grep,iproute2,iputils-ping,jq,libcap2,libcap2-bin,lshw,netcat-openbsd,procps,psmisc,sudo,unzip
 Section: contrib/metapackages
 Priority: optional
 EOM
 )
@ -118,12 +130,12 @@ EOM
 PIHOLE_META_PACKAGE_CONTROL_RPM=$(
    cat <<EOM
 Name: pihole-meta
-Version: 0.1
+Version: 0.2
 Release: 1
 License: EUPL
 BuildArch: noarch
 Summary: Pi-hole dependency meta package
-Requires: grep,curl,psmisc,sudo, unzip,jq,git,dialog,ca-certificates, bind-utils, iproute, procps-ng, chkconfig, binutils, cronie, findutils, libcap, nmap-ncat, lshw, bash-completion
+Requires: bash-completion,bind-utils,binutils,ca-certificates,chkconfig,cronie,curl,dialog,findutils,gawk,git,grep,iproute,jq,libcap,lshw,nmap-ncat,procps-ng,psmisc,sudo,unzip
 %description
 Pi-hole dependency meta package
 %prep
@ -131,6 +143,9 @@ Pi-hole dependency meta package
 %files
 %install
 %changelog
 * Wed May 28 2025 Pi-hole Team - 0.2
 - Add gawk to the list of dependencies
 * Sun Sep 29 2024 Pi-hole Team - 0.1
 - First version being packaged
 EOM
@ -152,18 +167,17 @@ done
 # If the color table file exists,
 if [[ -f "${coltable}" ]]; then
    # source it
    # shellcheck source="./advanced/Scripts/COL_TABLE"
    source "${coltable}"
 # Otherwise,
 else
    # Set these values so the installer can still run in color
    COL_NC='\e[0m' # No Color
-    COL_LIGHT_GREEN='\e[1;32m'
+    COL_GREEN='\e[1;32m'
-    COL_LIGHT_RED='\e[1;31m'
+    COL_RED='\e[1;31m'
-    TICK="[${COL_LIGHT_GREEN}✓${COL_NC}]"
+    TICK="[${COL_GREEN}✓${COL_NC}]"
-    CROSS="[${COL_LIGHT_RED}✗${COL_NC}]"
+    CROSS="[${COL_RED}✗${COL_NC}]"
    INFO="[i]"
    # shellcheck disable=SC2034
    DONE="${COL_LIGHT_GREEN} done!${COL_NC}"
    OVER="\\r\\033[K"
 fi
@ -171,13 +185,13 @@ fi
 # This lets users know that it is a Pi-hole, LLC product
 show_ascii_berry() {
    echo -e "
-        ${COL_LIGHT_GREEN}.;;,.
+        ${COL_GREEN}.;;,.
        .ccccc:,.
         :cccclll:.      ..,,
          :ccccclll.   ;ooodc
           'ccll:;ll .oooodc
             .;cll.;;looo:.
-                 ${COL_LIGHT_RED}.. ','.
+                 ${COL_RED}.. ','.
                .',,,,,,'.
              .',,,,,,,,,,.
            .',,,,,,,,,,,,....
@ -199,7 +213,7 @@ abort() {
    # remove any leftover build directory that may exist
    rm -rf /tmp/pihole-meta_*
-    echo -e "\\n\\n  ${COL_LIGHT_RED}Installation was interrupted${COL_NC}\\n"
+    echo -e "\\n\\n  ${COL_RED}Installation was interrupted${COL_NC}\\n"
    echo -e "Pi-hole's dependencies might be already installed. If you want to remove them you can try to\\n"
    echo -e "a) run 'pihole uninstall' \\n"
    echo -e "b) Remove the meta-package 'pihole-meta' manually \\n"
@ -215,173 +229,10 @@ is_command() {
    command -v "${check_command}" >/dev/null 2>&1
 }
-os_check_dig(){
+check_fresh_install() {
-    local protocol="$1"
+    # in case of an update (can be a v5 -> v6 or v6 -> v6 update) or repair
-    local domain="$2"
+    if [[ -f "${PI_HOLE_V6_CONFIG}" ]] || [[ -f "/etc/pihole/setupVars.conf" ]]; then
-    local nameserver="$3"
+        fresh_install=false
    local response
    response="$(dig -"${protocol}" +short -t txt "${domain}" "${nameserver}" 2>&1
    echo $?
    )"
    echo "${response}"
 }
 os_check_dig_response(){
    # Checks the reply from the dig command to determine if it's a valid response
    local digReply="$1"
    local response
    # Dig returned 0 (success), so get the actual response, and loop through it to determine if the detected variables above are valid
    response="${digReply%%$'\n'*}"
    # If the value of ${response} is a single 0, then this is the return code, not an actual response.
    if [ "${response}" == 0 ]; then
        echo false
    else
        echo true
    fi
 }
 os_check() {
    if [ "$PIHOLE_SKIP_OS_CHECK" != true ]; then
        # This function gets a list of supported OS versions from a TXT record at versions.pi-hole.net
        # and determines whether or not the script is running on one of those systems
        local remote_os_domain valid_os valid_version valid_response detected_os detected_version display_warning cmdResult digReturnCode response
        local piholeNameserver="@ns1.pi-hole.net"
        remote_os_domain=${OS_CHECK_DOMAIN_NAME:-"versions.pi-hole.net"}
        detected_os=$(grep '^ID=' /etc/os-release | cut -d '=' -f2 | tr -d '"')
        detected_version=$(grep VERSION_ID /etc/os-release | cut -d '=' -f2 | tr -d '"')
        # Test via IPv4 and hardcoded nameserver ns1.pi-hole.net
        cmdResult=$(os_check_dig 4 "${remote_os_domain}" "${piholeNameserver}")
        # Gets the return code of the previous command (last line)
        digReturnCode="${cmdResult##*$'\n'}"
        if [ ! "${digReturnCode}" == "0" ]; then
            valid_response=false
        else
            valid_response=$(os_check_dig_response cmdResult)
        fi
        # Try again via IPv6 and hardcoded nameserver ns1.pi-hole.net
        if [ "$valid_response" = false ]; then
            unset valid_response
            unset cmdResult
            unset digReturnCode
            cmdResult=$(os_check_dig 6 "${remote_os_domain}" "${piholeNameserver}")
            # Gets the return code of the previous command (last line)
            digReturnCode="${cmdResult##*$'\n'}"
            if [ ! "${digReturnCode}" == "0" ]; then
                valid_response=false
            else
                valid_response=$(os_check_dig_response cmdResult)
            fi
        fi
        # Try again without hardcoded nameserver
        if [ "$valid_response" = false ]; then
            unset valid_response
            unset cmdResult
            unset digReturnCode
            cmdResult=$(os_check_dig 4 "${remote_os_domain}")
            # Gets the return code of the previous command (last line)
            digReturnCode="${cmdResult##*$'\n'}"
            if [ ! "${digReturnCode}" == "0" ]; then
                valid_response=false
            else
                valid_response=$(os_check_dig_response cmdResult)
            fi
        fi
        if [ "$valid_response" = false ]; then
            unset valid_response
            unset cmdResult
            unset digReturnCode
            cmdResult=$(os_check_dig 6 "${remote_os_domain}")
            # Gets the return code of the previous command (last line)
            digReturnCode="${cmdResult##*$'\n'}"
            if [ ! "${digReturnCode}" == "0" ]; then
                valid_response=false
            else
                valid_response=$(os_check_dig_response cmdResult)
            fi
        fi
        if [ "$valid_response" = true ]; then
            response="${cmdResult%%$'\n'*}"
            IFS=" " read -r -a supportedOS < <(echo "${response}" | tr -d '"')
            for distro_and_versions in "${supportedOS[@]}"; do
                distro_part="${distro_and_versions%%=*}"
                versions_part="${distro_and_versions##*=}"
                # If the distro part is a (case-insensitive) substring of the computer OS
                if [[ "${detected_os^^}" =~ ${distro_part^^} ]]; then
                    valid_os=true
                    IFS="," read -r -a supportedVer <<<"${versions_part}"
                    for version in "${supportedVer[@]}"; do
                        if [[ "${detected_version}" =~ $version ]]; then
                            valid_version=true
                            break
                        fi
                    done
                    break
                fi
            done
        fi
        if [ "$valid_os" = true ] && [ "$valid_version" = true ] && [ "$valid_response" = true ]; then
            display_warning=false
        fi
        if [ "$display_warning" != false ]; then
            if [ "$valid_response" = false ]; then
                if [ "${digReturnCode}" -eq 0 ]; then
                    errStr="dig succeeded, but response was blank. Please contact support"
                else
                    errStr="dig failed with return code ${digReturnCode}"
                fi
                printf "  %b %bRetrieval of supported OS list failed. %s. %b\\n" "${CROSS}" "${COL_LIGHT_RED}" "${errStr}" "${COL_NC}"
                printf "      %bUnable to determine if the detected OS (%s %s) is supported%b\\n" "${COL_LIGHT_RED}" "${detected_os^}" "${detected_version}" "${COL_NC}"
                printf "      Possible causes for this include:\\n"
                printf "        - Firewall blocking DNS lookups from Pi-hole device to ns1.pi-hole.net\\n"
                printf "        - DNS resolution issues of the host system\\n"
                printf "        - Other internet connectivity issues\\n"
            else
                printf "  %b %bUnsupported OS detected: %s %s%b\\n" "${CROSS}" "${COL_LIGHT_RED}" "${detected_os^}" "${detected_version}" "${COL_NC}"
                printf "      If you are seeing this message and you do have a supported OS, please contact support.\\n"
            fi
            printf "\\n"
            printf "      %bhttps://docs.pi-hole.net/main/prerequisites/#supported-operating-systems%b\\n" "${COL_LIGHT_GREEN}" "${COL_NC}"
            printf "\\n"
            printf "      If you wish to attempt to continue anyway, you can try one of the following commands to skip this check:\\n"
            printf "\\n"
            printf "      e.g: If you are seeing this message on a fresh install, you can run:\\n"
            printf "             %bcurl -sSL https://install.pi-hole.net | sudo PIHOLE_SKIP_OS_CHECK=true bash%b\\n" "${COL_LIGHT_GREEN}" "${COL_NC}"
            printf "\\n"
            printf "           If you are seeing this message after having run pihole -up:\\n"
            printf "             %bsudo PIHOLE_SKIP_OS_CHECK=true pihole -r%b\\n" "${COL_LIGHT_GREEN}" "${COL_NC}"
            printf "           (In this case, your previous run of pihole -up will have already updated the local repository)\\n"
            printf "\\n"
            printf "      It is possible that the installation will still fail at this stage due to an unsupported configuration.\\n"
            printf "      If that is the case, you can feel free to ask the community on Discourse with the %bCommunity Help%b category:\\n" "${COL_LIGHT_RED}" "${COL_NC}"
            printf "      %bhttps://discourse.pi-hole.net/c/bugs-problems-issues/community-help/%b\\n" "${COL_LIGHT_GREEN}" "${COL_NC}"
            printf "\\n"
            exit 1
        else
            printf "  %b %bSupported OS detected%b\\n" "${TICK}" "${COL_LIGHT_GREEN}" "${COL_NC}"
        fi
    else
        printf "  %b %bPIHOLE_SKIP_OS_CHECK env variable set to true - installer will continue%b\\n" "${INFO}" "${COL_LIGHT_GREEN}" "${COL_NC}"
    fi
 }
@ -401,8 +252,6 @@ package_manager_detect() {
        PKG_COUNT="${PKG_MANAGER} -s -o Debug::NoLocking=true upgrade | grep -c ^Inst || true"
        # The command we will use to remove packages (used in the uninstaller)
        PKG_REMOVE="${PKG_MANAGER} -y remove --purge"
        # Update package cache
        update_package_cache || exit 1
    # If apt-get is not found, check for rpm.
    elif is_command rpm; then
@ -462,7 +311,7 @@ build_dependency_package(){
            printf "%b  %b %s\\n" "${OVER}" "${TICK}" "${str}"
        else
            printf "%b  %b %s\\n" "${OVER}" "${CROSS}" "${str}"
-            printf "%b Error: Building pihole-meta.deb failed. %b\\n" "${COL_LIGHT_RED}" "${COL_NC}"
+            printf "%b Error: Building pihole-meta.deb failed. %b\\n" "${COL_RED}" "${COL_NC}"
            return 1
        fi
@ -495,7 +344,7 @@ build_dependency_package(){
            printf "%b  %b %s\\n" "${OVER}" "${TICK}" "${str}"
        else
            printf "%b  %b %s\\n" "${OVER}" "${CROSS}" "${str}"
-            printf "%b Error: Building pihole-meta.rpm failed. %b\\n" "${COL_LIGHT_RED}" "${COL_NC}"
+            printf "%b Error: Building pihole-meta.rpm failed. %b\\n" "${COL_RED}" "${COL_NC}"
            return 1
        fi
@ -637,7 +486,7 @@ getGitFiles() {
        printf "%b  %b %s\\n" "${OVER}" "${TICK}" "${str}"
        # Update the repo, returning an error message on failure
        update_repo "${directory}" || {
-            printf "\\n  %b: Could not update local repository. Contact support.%b\\n" "${COL_LIGHT_RED}" "${COL_NC}"
+            printf "\\n  %b: Could not update local repository. Contact support.%b\\n" "${COL_RED}" "${COL_NC}"
            exit 1
        }
    # If it's not a .git repo,
@ -646,7 +495,7 @@ getGitFiles() {
        printf "%b  %b %s\\n" "${OVER}" "${CROSS}" "${str}"
        # Attempt to make the repository, showing an error on failure
        make_repo "${directory}" "${remoteRepo}" || {
-            printf "\\n  %bError: Could not update local repository. Contact support.%b\\n" "${COL_LIGHT_RED}" "${COL_NC}"
+            printf "\\n  %bError: Could not update local repository. Contact support.%b\\n" "${COL_RED}" "${COL_NC}"
            exit 1
        }
    fi
@ -686,7 +535,11 @@ find_IPv4_information() {
    local IPv4bare
    # Find IP used to route to outside world by checking the route to Google's public DNS server
-    route=$(ip route get 8.8.8.8)
+    if ! route="$(ip route get 8.8.8.8 2> /dev/null)"; then
        printf "  %b No IPv4 route was detected.\n" "${INFO}"
        IPV4_ADDRESS=""
        return
    fi
    # Get just the interface IPv4 address
    # shellcheck disable=SC2059,SC2086
@ -702,10 +555,35 @@ find_IPv4_information() {
    IPV4_ADDRESS=$(ip -oneline -family inet address show | grep "${IPv4bare}/" | awk '{print $4}' | awk 'END {print}')
 }
 confirm_ipv6_only() {
    # Confirm from user before IPv6 only install
    dialog --no-shadow --output-fd 1 \
 --no-button "Exit" --yes-button "Install IPv6 ONLY" \
 --yesno "\\n\\nWARNING - no valid IPv4 route detected.\\n\\n\
 This may be due to a temporary connectivity issue,\\n\
 or you may be installing on an IPv6 only system.\\n\\n\
 Do you wish to continue with an IPv6-only installation?\\n\\n" \
        "${r}" "${c}" && result=0 || result="$?"
    case "${result}" in
    "${DIALOG_CANCEL}" | "${DIALOG_ESC}")
        printf "  %b Installer exited at IPv6 only message.\\n" "${INFO}"
        exit 1
    ;;
    esac
    DNS_SERVERS="$DNS_SERVERS_IPV6_ONLY"
    printf "  %b Proceeding with IPv6 only installation.\\n" "${INFO}"
 }
 # Get available interfaces that are UP
 get_available_interfaces() {
    # There may be more than one so it's all stored in a variable
-    availableInterfaces=$(ip --oneline link show up | grep -v "lo" | awk '{print $2}' | cut -d':' -f1 | cut -d'@' -f1)
+    # The ip command list all interfaces that are in the up state
    # The awk command filters out any interfaces that have the LOOPBACK flag set
    # while using the characters ": " or "@" as a field separator for awk
    availableInterfaces=$(ip --oneline link show up | awk -F ': |@' '!/<.*LOOPBACK.*>/ {print $2}')
 }
 # A function for displaying the dialogs the user sees when first running the installer
@ -767,7 +645,6 @@ chooseInterface() {
            # All further interfaces are deselected
            status="OFF"
        done
        # shellcheck disable=SC2086
        # Disable check for double quote here as we are passing a string with spaces
        PIHOLE_INTERFACE=$(dialog --no-shadow --keep-tite --output-fd 1 \
            --cancel-label "Exit" --ok-label "Select" \
@ -856,6 +733,9 @@ collect_v4andv6_information() {
    printf "  %b IPv4 address: %s\\n" "${INFO}" "${IPV4_ADDRESS}"
    find_IPv6_information
    printf "  %b IPv6 address: %s\\n" "${INFO}" "${IPV6_ADDRESS}"
    if [ "$IPV4_ADDRESS" == "" ] && [ "$IPV6_ADDRESS" != "" ]; then
        confirm_ipv6_only
    fi
 }
 # Check an IP address to see if it is a valid one
@ -933,7 +813,7 @@ setDNS() {
    result=$?
    case ${result} in
    "${DIALOG_CANCEL}" | "${DIALOG_ESC}")
-        printf "  %b Cancel was selected, exiting installer%b\\n" "${COL_LIGHT_RED}" "${COL_NC}"
+        printf "  %b Cancel was selected, exiting installer%b\\n" "${COL_RED}" "${COL_NC}"
        exit 1
        ;;
    esac
@ -970,7 +850,7 @@ If you want to specify a port other than 53, separate it with a hash.\
            result=$?
            case ${result} in
            "${DIALOG_CANCEL}" | "${DIALOG_ESC}")
-                printf "  %b Cancel was selected, exiting installer%b\\n" "${COL_LIGHT_RED}" "${COL_NC}"
+                printf "  %b Cancel was selected, exiting installer%b\\n" "${COL_RED}" "${COL_NC}"
                exit 1
                ;;
            esac
@ -1024,7 +904,7 @@ If you want to specify a port other than 53, separate it with a hash.\
                    DNSSettingsCorrect=False
                    ;;
                "${DIALOG_ESC}")
-                    printf "  %b Escape pressed, exiting installer at DNS Settings%b\\n" "${COL_LIGHT_RED}" "${COL_NC}"
+                    printf "  %b Escape pressed, exiting installer at DNS Settings%b\\n" "${COL_RED}" "${COL_NC}"
                    exit 1
                    ;;
                esac
@ -1075,7 +955,7 @@ setLogging() {
        ;;
    "${DIALOG_ESC}")
        # User pressed <ESC>
-        printf "  %b Escape pressed, exiting installer at Query Logging choice.%b\\n" "${COL_LIGHT_RED}" "${COL_NC}"
+        printf "  %b Escape pressed, exiting installer at Query Logging choice.%b\\n" "${COL_RED}" "${COL_NC}"
        exit 1
        ;;
    esac
@ -1100,7 +980,7 @@ setPrivacyLevel() {
        printf "  %b Using privacy level: %s\\n" "${INFO}" "${PRIVACY_LEVEL}"
        ;;
    "${DIALOG_CANCEL}" | "${DIALOG_ESC}")
-        printf "  %b Cancelled privacy level selection.%b\\n" "${COL_LIGHT_RED}" "${COL_NC}"
+        printf "  %b Cancelled privacy level selection.%b\\n" "${COL_RED}" "${COL_NC}"
        exit 1
        ;;
    esac
@ -1134,7 +1014,7 @@ chooseBlocklists() {
        ;;
    "${DIALOG_ESC}")
        # User pressed <ESC>
-        printf "  %b Escape pressed, exiting installer at blocklist choice.%b\\n" "${COL_LIGHT_RED}" "${COL_NC}"
+        printf "  %b Escape pressed, exiting installer at blocklist choice.%b\\n" "${COL_RED}" "${COL_NC}"
        exit 1
        ;;
    esac
@ -1260,7 +1140,7 @@ installScripts() {
    else
        # Otherwise, show an error and exit
        printf "%b  %b %s\\n" "${OVER}" "${CROSS}" "${str}"
-        printf "\\t\\t%bError: Local repo %s not found, exiting installer%b\\n" "${COL_LIGHT_RED}" "${PI_HOLE_LOCAL_REPO}" "${COL_NC}"
+        printf "\\t\\t%bError: Local repo %s not found, exiting installer%b\\n" "${COL_RED}" "${PI_HOLE_LOCAL_REPO}" "${COL_NC}"
        return 1
    fi
 }
@ -1275,14 +1155,13 @@ installConfigs() {
    # Install empty custom.list file if it does not exist
    if [[ ! -r "${PI_HOLE_CONFIG_DIR}/hosts/custom.list" ]]; then
        if ! install -D -T -o pihole -g pihole -m 660 /dev/null "${PI_HOLE_CONFIG_DIR}/hosts/custom.list" &>/dev/null; then
-            printf "  %b Error: Unable to initialize configuration file %s/custom.list\\n" "${COL_LIGHT_RED}" "${PI_HOLE_CONFIG_DIR}/hosts"
+            printf "  %b Error: Unable to initialize configuration file %s/custom.list\\n" "${COL_RED}" "${PI_HOLE_CONFIG_DIR}/hosts"
            return 1
        fi
    fi
    # Install pihole-FTL systemd or init.d service, based on whether systemd is the init system or not
-    # Follow debhelper logic, which checks for /run/systemd/system to derive whether systemd is the init system
+    if ps -p 1 -o comm= | grep -q systemd; then
    if [[ -d '/run/systemd/system' ]]; then
        install -T -m 0644 "${PI_HOLE_LOCAL_REPO}/advanced/Templates/pihole-FTL.systemd" '/etc/systemd/system/pihole-FTL.service'
        # Remove init.d service if present
@ -1455,7 +1334,7 @@ update_package_cache() {
            UPDATE_PKG_CACHE="apt update"
        fi
        printf "%b  %b %s\\n" "${OVER}" "${CROSS}" "${str}"
-        printf "  %b Error: Unable to update package cache. Please try \"%s\"%b\\n" "${COL_LIGHT_RED}" "sudo ${UPDATE_PKG_CACHE}" "${COL_NC}"
+        printf "  %b Error: Unable to update package cache. Please try \"%s\"%b\\n" "${COL_RED}" "sudo ${UPDATE_PKG_CACHE}" "${COL_NC}"
        return 1
    fi
 }
@ -1473,7 +1352,7 @@ notify_package_updates_available() {
        printf "%b  %b %s... up to date!\\n\\n" "${OVER}" "${TICK}" "${str}"
    else
        printf "%b  %b %s... %s updates available\\n" "${OVER}" "${TICK}" "${str}" "${updatesToInstall}"
-        printf "  %b %bIt is recommended to update your OS after installing the Pi-hole!%b\\n\\n" "${INFO}" "${COL_LIGHT_GREEN}" "${COL_NC}"
+        printf "  %b %bIt is recommended to update your OS after installing the Pi-hole!%b\\n\\n" "${INFO}" "${COL_GREEN}" "${COL_NC}"
    fi
 }
@ -1490,11 +1369,11 @@ install_dependent_packages() {
                rm /tmp/pihole-meta.deb
            else
                printf "%b  %b %s\\n" "${OVER}" "${CROSS}" "${str}"
-                printf "  %b Error: Unable to install Pi-hole dependency package.\\n" "${COL_LIGHT_RED}"
+                printf "  %b Error: Unable to install Pi-hole dependency package.\\n" "${COL_RED}"
                return 1
            fi
        else
-            printf "  %b Error: Unable to find Pi-hole dependency package.\\n" "${COL_LIGHT_RED}"
+            printf "  %b Error: Unable to find Pi-hole dependency package.\\n" "${COL_RED}"
            return 1
        fi
    # Install Fedora/CentOS packages
@ -1505,11 +1384,11 @@ install_dependent_packages() {
                rm /tmp/pihole-meta.rpm
            else
                printf "%b  %b %s\\n" "${OVER}" "${CROSS}" "${str}"
-                printf "  %b Error: Unable to install Pi-hole dependency package.\\n" "${COL_LIGHT_RED}"
+                printf "  %b Error: Unable to install Pi-hole dependency package.\\n" "${COL_RED}"
                return 1
            fi
        else
-            printf "  %b Error: Unable to find Pi-hole dependency package.\\n" "${COL_LIGHT_RED}"
+            printf "  %b Error: Unable to find Pi-hole dependency package.\\n" "${COL_RED}"
            return 1
        fi
@ -1738,19 +1617,20 @@ checkSelinux() {
    if [[ "${SELINUX_ENFORCING}" -eq 1 ]] && [[ -z "${PIHOLE_SELINUX}" ]]; then
        printf "  Pi-hole does not provide an SELinux policy as the required changes modify the security of your system.\\n"
        printf "  Please refer to https://wiki.centos.org/HowTos/SELinux if SELinux is required for your deployment.\\n"
-        printf "      This check can be skipped by setting the environment variable %bPIHOLE_SELINUX%b to %btrue%b\\n" "${COL_LIGHT_RED}" "${COL_NC}" "${COL_LIGHT_RED}" "${COL_NC}"
+        printf "      This check can be skipped by setting the environment variable %bPIHOLE_SELINUX%b to %btrue%b\\n" "${COL_RED}" "${COL_NC}" "${COL_RED}" "${COL_NC}"
        printf "      e.g: export PIHOLE_SELINUX=true\\n"
        printf "      By setting this variable to true you acknowledge there may be issues with Pi-hole during or after the install\\n"
-        printf "\\n  %bSELinux Enforcing detected, exiting installer%b\\n" "${COL_LIGHT_RED}" "${COL_NC}"
+        printf "\\n  %bSELinux Enforcing detected, exiting installer%b\\n" "${COL_RED}" "${COL_NC}"
        exit 1
    elif [[ "${SELINUX_ENFORCING}" -eq 1 ]] && [[ -n "${PIHOLE_SELINUX}" ]]; then
-        printf "  %b %bSELinux Enforcing detected%b. PIHOLE_SELINUX env variable set - installer will continue\\n" "${INFO}" "${COL_LIGHT_RED}" "${COL_NC}"
+        printf "  %b %bSELinux Enforcing detected%b. PIHOLE_SELINUX env variable set - installer will continue\\n" "${INFO}" "${COL_RED}" "${COL_NC}"
    fi
 }
 check_download_exists() {
    # Check if the download exists and we can reach the server
-    local status=$(curl --head --silent "https://ftl.pi-hole.net/${1}" | head -n 1)
+    local status
    status=$(curl --head --silent "https://ftl.pi-hole.net/${1}" | head -n 1)
    # Check the status code
    if grep -q "200" <<<"$status"; then
@ -1841,13 +1721,13 @@ clone_or_reset_repos() {
        # Reset the Core repo
        resetRepo ${PI_HOLE_LOCAL_REPO} ||
            {
-                printf "  %b Unable to reset %s, exiting installer%b\\n" "${COL_LIGHT_RED}" "${PI_HOLE_LOCAL_REPO}" "${COL_NC}"
+                printf "  %b Unable to reset %s, exiting installer%b\\n" "${COL_RED}" "${PI_HOLE_LOCAL_REPO}" "${COL_NC}"
                exit 1
            }
        # Reset the Web repo
        resetRepo ${webInterfaceDir} ||
            {
-                printf "  %b Unable to reset %s, exiting installer%b\\n" "${COL_LIGHT_RED}" "${webInterfaceDir}" "${COL_NC}"
+                printf "  %b Unable to reset %s, exiting installer%b\\n" "${COL_RED}" "${webInterfaceDir}" "${COL_NC}"
                exit 1
            }
    # Otherwise, a fresh installation is happening
@ -1855,13 +1735,13 @@ clone_or_reset_repos() {
        # so get git files for Core
        getGitFiles ${PI_HOLE_LOCAL_REPO} ${piholeGitUrl} ||
            {
-                printf "  %b Unable to clone %s into %s, unable to continue%b\\n" "${COL_LIGHT_RED}" "${piholeGitUrl}" "${PI_HOLE_LOCAL_REPO}" "${COL_NC}"
+                printf "  %b Unable to clone %s into %s, unable to continue%b\\n" "${COL_RED}" "${piholeGitUrl}" "${PI_HOLE_LOCAL_REPO}" "${COL_NC}"
                exit 1
            }
        # get the Web git files
        getGitFiles ${webInterfaceDir} ${webInterfaceGitUrl} ||
            {
-                printf "  %b Unable to clone %s into ${webInterfaceDir}, exiting installer%b\\n" "${COL_LIGHT_RED}" "${webInterfaceGitUrl}" "${COL_NC}"
+                printf "  %b Unable to clone %s into ${webInterfaceDir}, exiting installer%b\\n" "${COL_RED}" "${webInterfaceGitUrl}" "${COL_NC}"
                exit 1
            }
    fi
@ -1869,7 +1749,6 @@ clone_or_reset_repos() {
 # Download FTL binary to random temp directory and install FTL binary
 # Disable directive for SC2120 a value _can_ be passed to this function, but it is passed from an external script that sources this one
 # shellcheck disable=SC2120
 FTLinstall() {
    # Local, named variables
    local str="Downloading and Installing FTL"
@ -1938,7 +1817,7 @@ FTLinstall() {
                return 1
            }
            printf "%b  %b %s\\n" "${OVER}" "${CROSS}" "${str}"
-            printf "  %b Error: Download of %s/%s failed (checksum error)%b\\n" "${COL_LIGHT_RED}" "${url}" "${binary}" "${COL_NC}"
+            printf "  %b Error: Download of %s/%s failed (checksum error)%b\\n" "${COL_RED}" "${url}" "${binary}" "${COL_NC}"
            # Remove temp dir
            remove_dir "${tempdir}"
@ -1952,7 +1831,7 @@ FTLinstall() {
        }
        printf "%b  %b %s\\n" "${OVER}" "${CROSS}" "${str}"
        # The URL could not be found
-        printf "  %b Error: URL %s/%s not found%b\\n" "${COL_LIGHT_RED}" "${url}" "${binary}" "${COL_NC}"
+        printf "  %b Error: URL %s/%s not found%b\\n" "${COL_RED}" "${url}" "${binary}" "${COL_NC}"
        # Remove temp dir
        remove_dir "${tempdir}"
@ -2029,7 +1908,7 @@ get_binary_name() {
        # Something else - we try to use 32bit executable and warn the user
        if [[ ! "${machine}" == "i686" ]]; then
            printf "%b  %b %s...\\n" "${OVER}" "${CROSS}" "${str}"
-            printf "  %b %bNot able to detect architecture (unknown: %s), trying x86 (32bit) executable%b\\n" "${INFO}" "${COL_LIGHT_RED}" "${machine}" "${COL_NC}"
+            printf "  %b %bNot able to detect architecture (unknown: %s), trying x86 (32bit) executable%b\\n" "${INFO}" "${COL_RED}" "${machine}" "${COL_NC}"
            printf "  %b Contact Pi-hole Support if you experience issues (e.g: FTL not running)\\n" "${INFO}"
        else
            printf "%b  %b Detected 32bit (i686) architecture\\n" "${OVER}" "${TICK}"
@ -2067,13 +1946,13 @@ FTLcheckUpdate() {
        path="${ftlBranch}/${binary}"
        # Check whether or not the binary for this FTL branch actually exists. If not, then there is no update!
-        # shellcheck disable=SC1090
+        local status
        if ! check_download_exists "$path"; then
-            if [ $? -eq 1 ]; then
+            status=$?
            if [ "${status}" -eq 1 ]; then
                printf "  %b Branch \"%s\" is not available.\\n" "${INFO}" "${ftlBranch}"
-                printf "  %b Use %bpihole checkout ftl [branchname]%b to switch to a valid branch.\\n" "${INFO}" "${COL_LIGHT_GREEN}" "${COL_NC}"
+                printf "  %b Use %bpihole checkout ftl [branchname]%b to switch to a valid branch.\\n" "${INFO}" "${COL_GREEN}" "${COL_NC}"
-                return 2
+            elif [ "${status}" -eq 2 ]; then
            elif [ $? -eq 2 ]; then
                printf "  %b Unable to download from ftl.pi-hole.net. Please check your Internet connection and try again later.\\n" "${CROSS}"
                return 3
            else
@ -2101,12 +1980,14 @@ FTLcheckUpdate() {
            # same as the remote one
            local FTLversion
            FTLversion=$(/usr/bin/pihole-FTL tag)
            local FTLlatesttag
            # Get the latest version from the GitHub API
-            if ! FTLlatesttag=$(curl -sI https://github.com/pi-hole/FTL/releases/latest | grep --color=never -i Location: | awk -F / '{print $NF}' | tr -d '[:cntrl:]'); then
+            local FTLlatesttag
            FTLlatesttag=$(curl -s https://api.github.com/repos/pi-hole/FTL/releases/latest | jq -sRr 'fromjson? | .tag_name | values')
            if [ -z "${FTLlatesttag}" ]; then
                # There was an issue while retrieving the latest version
-                printf "  %b Failed to retrieve latest FTL release metadata" "${CROSS}"
+                printf "  %b Failed to retrieve latest FTL release metadata\\n" "${CROSS}"
                return 3
            fi
@ -2124,6 +2005,7 @@ FTLcheckUpdate() {
                # Continue further down...
            fi
        else
            # FTL not installed, then download
            return 0
        fi
    fi
@ -2155,6 +2037,11 @@ FTLdetect() {
    if FTLcheckUpdate "${1}"; then
        FTLinstall "${1}" || return 1
    else
        case $? in
            1) :;; # FTL is up-to-date
            *) exit 1;; # 404 (2), other HTTP or curl error (3), unknown (4)
        esac
    fi
 }
@ -2282,7 +2169,7 @@ main() {
    else
        # Otherwise, they do not have enough privileges, so let the user know
        printf "  %b %s\\n" "${INFO}" "${str}"
-        printf "  %b %bScript called with non-root privileges%b\\n" "${INFO}" "${COL_LIGHT_RED}" "${COL_NC}"
+        printf "  %b %bScript called with non-root privileges%b\\n" "${INFO}" "${COL_RED}" "${COL_NC}"
        printf "      The Pi-hole requires elevated privileges to install and run\\n"
        printf "      Please check the installer for any concerns regarding this requirement\\n"
        printf "      Make sure to download this script from a trusted source\\n\\n"
@ -2306,7 +2193,7 @@ main() {
            # Otherwise, tell the user they need to run the script as root, and bail
            printf "%b  %b Sudo utility check\\n" "${OVER}" "${CROSS}"
            printf "  %b Sudo is needed for the Web Interface to run pihole commands\\n\\n" "${INFO}"
-            printf "  %b %bPlease re-run this installer as root${COL_NC}\\n" "${INFO}" "${COL_LIGHT_RED}"
+            printf "  %b %bPlease re-run this installer as root${COL_NC}\\n" "${INFO}" "${COL_RED}"
            exit 1
        fi
    fi
@ -2317,9 +2204,17 @@ main() {
    # Check for availability of either the "service" or "systemctl" commands
    check_service_command
    # Check if this is a fresh install or an update/repair
    check_fresh_install
    # Check for supported package managers so that we may install dependencies
    package_manager_detect
    # Update package cache only on apt based systems
    if is_command apt-get; then
            update_package_cache || exit 1
    fi
    # Notify user of package availability
    notify_package_updates_available
@ -2329,8 +2224,6 @@ main() {
    # Install Pi-hole dependencies
    install_dependent_packages
    # Check that the installed OS is officially supported - display warning if not
    os_check
    # Check if there is a usable FTL binary available on this architecture - do
    # this early on as FTL is a hard dependency for Pi-hole
@ -2342,10 +2235,7 @@ main() {
        exit 1
    fi
-    # in case of an update (can be a v5 -> v6 or v6 -> v6 update) or repair
+    if [[ "${fresh_install}" == false ]]; then
    if [[ -f "${PI_HOLE_V6_CONFIG}" ]] || [[ -f "/etc/pihole/setupVars.conf" ]]; then
        # retain settings
        fresh_install=false
        # if it's running unattended,
        if [[ "${runUnattended}" == true ]]; then
            printf "  %b Performing unattended setup, no dialogs will be displayed\\n" "${INFO}"
@ -2398,7 +2288,7 @@ main() {
    # /opt/pihole/utils.sh should be installed by installScripts now, so we can use it
    if [ -f "${PI_HOLE_INSTALL_DIR}/utils.sh" ]; then
-        # shellcheck disable=SC1091
+        # shellcheck source="./advanced/Scripts/utils.sh"
        source "${PI_HOLE_INSTALL_DIR}/utils.sh"
    else
        printf "  %b Failure: /opt/pihole/utils.sh does not exist .\\n" "${CROSS}"
@ -2411,16 +2301,28 @@ main() {
    # Migrate existing install to v6.0
    migrate_dnsmasq_configs
    # Cleanup old v5 sudoers file if it exists
    sudoers_file="/etc/sudoers.d/pihole"
    if [[ -f "${sudoers_file}" ]]; then
        # only remove the file if it contains the Pi-hole header
        if grep -q "Pi-hole: A black hole for Internet advertisements" "${sudoers_file}"; then
            rm -f "${sudoers_file}"
        fi
    fi
    # Check for and disable systemd-resolved-DNSStubListener before reloading resolved
    # DNSStubListener needs to remain in place for installer to download needed files,
    # so this change needs to be made after installation is complete,
    # but before starting or resttarting the ftl service
    disable_resolved_stublistener
-    # Check if gravity database needs to be upgraded. If so, do it without rebuilding
+    if [[ "${fresh_install}" == false ]]; then
-    # gravity altogether. This may be a very long running task needlessly blocking
+        # Check if gravity database needs to be upgraded. If so, do it without rebuilding
-    # the update process.
+        # gravity altogether. This may be a very long running task needlessly blocking
-    /opt/pihole/gravity.sh --upgrade
+        # the update process.
        # Only do this on updates, not on fresh installs as the database does not exit yet
        /opt/pihole/gravity.sh --upgrade
    fi
    printf "  %b Restarting services...\\n" "${INFO}"
    # Start services
@ -2452,6 +2354,10 @@ main() {
        if [ -n "${PRIVACY_LEVEL}" ]; then
            setFTLConfigValue "misc.privacylevel" "${PRIVACY_LEVEL}"
        fi
        if [ -n "${PIHOLE_INTERFACE}" ]; then
            setFTLConfigValue "dns.interface" "${PIHOLE_INTERFACE}"
        fi
    fi
    # Download and compile the aggregated block list
@ -2477,8 +2383,10 @@ main() {
        printf "  %b If you have not done so already, the above IP should be set to static.\\n" "${INFO}"
        printf "  %b View the web interface at http://pi.hole:${WEBPORT}/admin or http://%s/admin\\n\\n" "${INFO}" "${IPV4_ADDRESS%/*}:${WEBPORT}"
-        printf "  %b Web Interface password: %b%s%b\\n" "${INFO}" "${COL_LIGHT_GREEN}" "${pw}" "${COL_NC}"
+        printf "  %b Web Interface password: %b%s%b\\n" "${INFO}" "${COL_GREEN}" "${pw}" "${COL_NC}"
        printf "  %b This can be changed using 'pihole setpassword'\\n\\n" "${INFO}"
        printf "  %b To allow your user to use all CLI functions without authentication, refer to\\n" "${INFO}"
        printf "    our documentation at: https://docs.pi-hole.net/main/post-install/\\n\\n"
        # Final dialog message to the user
        dialog --no-shadow --keep-tite \
@ -2487,7 +2395,11 @@ main() {
 \\n\\nIPv4:	${IPV4_ADDRESS%/*}\
 \\nIPv6:	${IPV6_ADDRESS:-"Not Configured"}\
 \\nIf you have not done so already, the above IP should be set to static.\
-\\nView the web interface at http://pi.hole/admin:${WEBPORT} or http://${IPV4_ADDRESS%/*}:${WEBPORT}/admin\\n\\nYour Admin Webpage login password is ${pw}" "${r}" "${c}"
+\\nView the web interface at http://pi.hole/admin:${WEBPORT} or http://${IPV4_ADDRESS%/*}:${WEBPORT}/admin\\n\\nYour Admin Webpage login password is ${pw}\
 \\n
 \\n
 \\nTo allow your user to use all CLI functions without authentication,\
 \\nrefer to https://docs.pi-hole.net/main/post-install/" "${r}" "${c}"
        INSTALL_TYPE="Installation"
    else
@ -2496,7 +2408,7 @@ main() {
    # Display where the log file is
    printf "\\n  %b The install log is located at: %s\\n" "${INFO}" "${installLogLoc}"
-    printf "  %b %b%s complete! %b\\n" "${TICK}" "${COL_LIGHT_GREEN}" "${INSTALL_TYPE}" "${COL_NC}"
+    printf "  %b %b%s complete! %b\\n" "${TICK}" "${COL_GREEN}" "${INSTALL_TYPE}" "${COL_NC}"
    if [[ "${INSTALL_TYPE}" == "Update" ]]; then
        printf "\\n"
--- a/install/uninstall.sh
+++ b/install/uninstall.sh
@ -8,13 +8,19 @@
 # This file is copyright under the latest version of the EUPL.
 # Please see LICENSE file for your rights under this license.
 # shellcheck source="./advanced/Scripts/COL_TABLE"
 source "/opt/pihole/COL_TABLE"
 # shellcheck source="./advanced/Scripts/utils.sh"
 source "/opt/pihole/utils.sh"
 ADMIN_INTERFACE_DIR=$(getFTLConfigValue "webserver.paths.webroot")$(getFTLConfigValue "webserver.paths.webhome")
 readonly ADMIN_INTERFACE_DIR
 while true; do
-    read -rp "  ${QST} Are you sure you would like to remove ${COL_WHITE}Pi-hole${COL_NC}? [y/N] " answer
+    read -rp "  ${QST} Are you sure you would like to remove ${COL_BOLD}Pi-hole${COL_NC}? [y/N] " answer
    case ${answer} in
        [Yy]* ) break;;
-        * ) echo -e "${OVER}  ${COL_LIGHT_GREEN}Uninstall has been canceled${COL_NC}"; exit 0;;
+        * ) echo -e "${OVER}  ${COL_GREEN}Uninstall has been canceled${COL_NC}"; exit 0;;
    esac
 done
@ -37,6 +43,7 @@ fi
 readonly PI_HOLE_FILES_DIR="/etc/.pihole"
 SKIP_INSTALL="true"
 # shellcheck source="./automated install/basic-install.sh"
 source "${PI_HOLE_FILES_DIR}/automated install/basic-install.sh"
 # package_manager_detect() sourced from basic-install.sh
@ -53,17 +60,9 @@ removeMetaPackage() {
 }
 removePiholeFiles() {
-    # Only web directories/files that are created by Pi-hole should be removed
+    # Remove the web interface of Pi-hole
    echo -ne "  ${INFO} Removing Web Interface..."
-    ${SUDO} rm -rf /var/www/html/admin &> /dev/null
+    ${SUDO} rm -rf "${ADMIN_INTERFACE_DIR}" &> /dev/null
    # If the web directory is empty after removing these files, then the parent html directory can be removed.
    if [ -d "/var/www/html" ]; then
        if [[ ! "$(ls -A /var/www/html)" ]]; then
            ${SUDO} rm -rf /var/www/html &> /dev/null
        fi
    fi
    echo -e "${OVER}  ${TICK} Removed Web Interface"
    # Attempt to preserve backwards compatibility with older versions
@ -151,11 +150,11 @@ removePiholeFiles() {
    echo -e "\\n   We're sorry to see you go, but thanks for checking out Pi-hole!
       If you need help, reach out to us on GitHub, Discourse, Reddit or Twitter
-       Reinstall at any time: ${COL_WHITE}curl -sSL https://install.pi-hole.net | bash${COL_NC}
+       Reinstall at any time: ${COL_BOLD}curl -sSL https://install.pi-hole.net | bash${COL_NC}
-      ${COL_LIGHT_RED}Please reset the DNS on your router/clients to restore internet connectivity${COL_NC}
+      ${COL_RED}Please reset the DNS on your router/clients to restore internet connectivity${COL_NC}
      ${INFO} Pi-hole's meta package has been removed, use the 'autoremove' function from your package manager to remove unused dependencies${COL_NC}
-      ${COL_LIGHT_GREEN}Uninstallation Complete! ${COL_NC}"
+      ${COL_GREEN}Uninstallation Complete! ${COL_NC}"
 }
 ######### SCRIPT ###########
--- a/gravity.sh
+++ b/gravity.sh
@ -1,5 +1,4 @@
 #!/usr/bin/env bash
 # shellcheck disable=SC1090
 # Pi-hole: A black hole for Internet advertisements
 # (c) 2017 Pi-hole, LLC (https://pi-hole.net)
@ -16,13 +15,13 @@ export LC_ALL=C
 PI_HOLE_SCRIPT_DIR="/opt/pihole"
 # Source utils.sh for GetFTLConfigValue
 utilsfile="${PI_HOLE_SCRIPT_DIR}/utils.sh"
-# shellcheck disable=SC1090
+# shellcheck source=./advanced/Scripts/utils.sh
 . "${utilsfile}"
 coltable="${PI_HOLE_SCRIPT_DIR}/COL_TABLE"
-# shellcheck disable=SC1090
+# shellcheck source=./advanced/Scripts/COL_TABLE
 . "${coltable}"
-# shellcheck disable=SC1091
+# shellcheck source=./advanced/Scripts/database_migration/gravity-db.sh
 . "/etc/.pihole/advanced/Scripts/database_migration/gravity-db.sh"
 basename="pihole"
@ -51,14 +50,14 @@ etag_support=false
 # Check gravity temp directory
 if [ ! -d "${GRAVITY_TMPDIR}" ] || [ ! -w "${GRAVITY_TMPDIR}" ]; then
-  echo -e "  ${COL_LIGHT_RED}Gravity temporary directory does not exist or is not a writeable directory, falling back to /tmp. ${COL_NC}"
+  echo -e "  ${COL_RED}Gravity temporary directory does not exist or is not a writeable directory, falling back to /tmp. ${COL_NC}"
  GRAVITY_TMPDIR="/tmp"
 fi
 # Set this only after sourcing pihole-FTL.conf as the gravity database path may
 # have changed
 gravityDBfile="${GRAVITYDB}"
-gravityDBfile_default="/etc/pihole/gravity.db"
+gravityDBfile_default="${piholeDir}/gravity.db"
 gravityTEMPfile="${GRAVITYDB}_temp"
 gravityDIR="$(dirname -- "${gravityDBfile}")"
 gravityOLDfile="${gravityDIR}/gravity_old.db"
@ -127,7 +126,7 @@ gravity_swap_databases() {
  oldAvail=false
  if [ "${availableBlocks}" -gt "$((gravityBlocks * 2))" ] && [ -f "${gravityDBfile}" ]; then
    oldAvail=true
-    cp "${gravityDBfile}" "${gravityOLDfile}"
+    cp -p "${gravityDBfile}" "${gravityOLDfile}"
  fi
  # Drop the gravity and antigravity tables + subsequent VACUUM the current
@ -140,7 +139,7 @@ gravity_swap_databases() {
  else
    # Check if the backup directory exists
    if [ ! -d "${gravityBCKdir}" ]; then
-      mkdir -p "${gravityBCKdir}"
+      mkdir -p "${gravityBCKdir}" && chown pihole:pihole "${gravityBCKdir}"
    fi
    # If multiple gravityBCKfile's are present (appended with a number), rotate them
@ -306,7 +305,7 @@ migrate_to_database() {
    fi
    # Check if gravity database needs to be updated
-    upgrade_gravityDB "${gravityDBfile}" "${piholeDir}"
+    upgrade_gravityDB "${gravityDBfile}"
    # Migrate list files to new database
    if [ -e "${adListFile}" ]; then
@ -334,7 +333,7 @@ migrate_to_database() {
  fi
  # Check if gravity database needs to be updated
-  upgrade_gravityDB "${gravityDBfile}" "${piholeDir}"
+  upgrade_gravityDB "${gravityDBfile}"
 }
 # Determine if DNS resolution is available before proceeding
@ -349,17 +348,24 @@ gravity_CheckDNSResolutionAvailable() {
    echo -e "  ${CROSS} DNS resolution is currently unavailable"
  fi
-  str="Waiting until DNS resolution is available..."
+  str="Waiting up to 120 seconds for DNS resolution..."
  echo -ne "  ${INFO} ${str}"
-  until getent hosts github.com &> /dev/null; do
+
-  # Append one dot for each second waiting
+ # Default DNS timeout is two seconds, plus 1 second for each dot > 120 seconds
-    str="${str}."
+  for ((i = 0; i < 40; i++)); do
-    echo -ne "  ${OVER}  ${INFO} ${str}"
+      if getent hosts github.com &> /dev/null; then
-    sleep 1
+        # If we reach this point, DNS resolution is available
        echo -e "${OVER}  ${TICK} DNS resolution is available"
        return 0
      fi
      # Append one dot for each second waiting
      echo -ne "."
      sleep 1
  done
-  # If we reach this point, DNS resolution is available
+  # DNS resolution is still unavailable after 120 seconds
-  echo -e "${OVER}  ${TICK} DNS resolution is available"
+  return 1
 }
 # Function: try_restore_backup
@ -418,7 +424,7 @@ gravity_DownloadBlocklists() {
    echo -e "  ${INFO} Storing gravity database in ${COL_BOLD}${gravityDBfile}${COL_NC}"
  fi
-  local url domain str target compression adlist_type directory success
+  local url domain str compression adlist_type directory success
  echo ""
  # Prepare new gravity database
@ -541,16 +547,14 @@ gravity_DownloadBlocklists() {
    # it (in case it doesn't exist)
    # First, check if the directory is writable
    directory="$(dirname -- "${saveLocation}")"
-    directory_permissions=$(stat -c %a ${directory})
+    if [ ! -w "${directory}" ]; then
    if [ $directory_permissions -lt 700 ]; then
      echo -e "  ${CROSS} Unable to write to ${directory}"
      echo "      Please run pihole -g as root"
      echo ""
      continue
    fi
    # Then, check if the file is writable (if it exists)
-    saveLocation_permissions=$(stat -c %a ${saveLocation})
+    if [ -e "${saveLocation}" ] && [ ! -w "${saveLocation}" ]; then
    if [ -e "${saveLocation}" ] && [ ${saveLocation_permissions} -lt 600 ]; then
      echo -e "  ${CROSS} Unable to write to ${saveLocation}"
      echo "      Please run pihole -g as root"
      echo ""
@ -569,12 +573,12 @@ gravity_DownloadBlocklists() {
    if [[ "${check_url}" =~ ${regex} ]]; then
      echo -e "  ${CROSS} Invalid Target"
    else
-      timeit gravity_DownloadBlocklistFromUrl "${url}" "${sourceIDs[$i]}" "${saveLocation}" "${target}" "${compression}" "${adlist_type}" "${domain}"
+      timeit gravity_DownloadBlocklistFromUrl "${url}" "${sourceIDs[$i]}" "${saveLocation}" "${compression}" "${adlist_type}" "${domain}"
    fi
    echo ""
  done
-  gravity_Blackbody=true
+  DownloadBlocklists_done=true
 }
 compareLists() {
@ -603,9 +607,11 @@ compareLists() {
 # Download specified URL and perform checks on HTTP status and file content
 gravity_DownloadBlocklistFromUrl() {
-  local url="${1}" adlistID="${2}" saveLocation="${3}" target="${4}" compression="${5}" gravity_type="${6}" domain="${7}"
+  local url="${1}" adlistID="${2}" saveLocation="${3}" compression="${4}" gravity_type="${5}" domain="${6}"
-  local modifiedOptions="" listCurlBuffer str httpCode success="" ip cmd_ext
+  local listCurlBuffer str httpCode success="" ip customUpstreamResolver=""
  local file_path permissions ip_addr port blocked=false download=true
  # modifiedOptions is an array to store all the options used to check if the adlist has been changed upstream
  local modifiedOptions=()
  # Create temp file to store content on disk instead of RAM
  # We don't use '--suffix' here because not all implementations of mktemp support it, e.g. on Alpine
@ -622,14 +628,14 @@ gravity_DownloadBlocklistFromUrl() {
      # Save HTTP ETag to the specified file. An ETag is a caching related header,
      # usually returned in a response. If no ETag is sent by the server, an empty
      # file is created and can later be used consistently.
-      modifiedOptions="--etag-save ${saveLocation}.etag"
+      modifiedOptions=("${modifiedOptions[@]}" --etag-save "${saveLocation}".etag)
      if [[ -f "${saveLocation}.etag" ]]; then
        # This option makes a conditional HTTP request for the specific ETag read
        # from the given file by sending a custom If-None-Match header using the
        # stored ETag. This way, the server will only send the file if it has
        # changed since the last request.
-        modifiedOptions="${modifiedOptions} --etag-compare ${saveLocation}.etag"
+        modifiedOptions=("${modifiedOptions[@]}" --etag-compare "${saveLocation}".etag)
      fi
    fi
@ -642,39 +648,13 @@ gravity_DownloadBlocklistFromUrl() {
      # Interstingly, this option is not supported by raw.githubusercontent.com
      # URLs, however, it is still supported by many older web servers which may
      # not support the HTTP ETag method so we keep it as a fallback.
-      modifiedOptions="${modifiedOptions} -z ${saveLocation}"
+      modifiedOptions=("${modifiedOptions[@]}" -z "${saveLocation}")
    fi
  fi
  str="Status:"
  echo -ne "  ${INFO} ${str} Pending..."
  blocked=false
  case $(getFTLConfigValue dns.blocking.mode) in
  "IP-NODATA-AAAA" | "IP")
    # Get IP address of this domain
    ip="$(dig "${domain}" +short)"
    # Check if this IP matches any IP of the system
    if [[ -n "${ip}" && $(grep -Ec "inet(|6) ${ip}" <<<"$(ip a)") -gt 0 ]]; then
      blocked=true
    fi
    ;;
  "NXDOMAIN")
    if [[ $(dig "${domain}" | grep "NXDOMAIN" -c) -ge 1 ]]; then
      blocked=true
    fi
    ;;
  "NODATA")
    if [[ $(dig "${domain}" | grep "NOERROR" -c) -ge 1 ]] && [[ -z $(dig +short "${domain}") ]]; then
      blocked=true
    fi
    ;;
  "NULL" | *)
    if [[ $(dig "${domain}" +short | grep "0.0.0.0" -c) -ge 1 ]]; then
      blocked=true
    fi
    ;;
  esac
  # Check if this domain is blocked by Pi-hole but only if the domain is not a
  # local file or empty
  if [[ $url != "file"* ]] && [[ -n "${domain}" ]]; then
@ -734,7 +714,7 @@ gravity_DownloadBlocklistFromUrl() {
      fi
      echo -e "${OVER}  ${CROSS} ${str} ${domain} is blocked by one of your lists. Using DNS server ${upstream} instead"
      echo -ne "  ${INFO} ${str} Pending..."
-      cmd_ext="--resolve $domain:$port:$ip"
+      customUpstreamResolver="--resolve $domain:$port:$ip"
    fi
  fi
@ -772,8 +752,7 @@ gravity_DownloadBlocklistFromUrl() {
  fi
  if [[ "${download}" == true ]]; then
-    # shellcheck disable=SC2086
+    httpCode=$(curl --connect-timeout ${curl_connect_timeout} -s -L ${compression:+${compression}} ${customUpstreamResolver:+${customUpstreamResolver}} "${modifiedOptions[@]}" -w "%{http_code}" "${url}" -o "${listCurlBuffer}" 2>/dev/null)
    httpCode=$(curl --connect-timeout ${curl_connect_timeout} -s -L ${compression} ${cmd_ext} ${modifiedOptions} -w "%{http_code}" "${url}" -o "${listCurlBuffer}" 2>/dev/null)
  fi
  case $url in
@ -823,11 +802,11 @@ gravity_DownloadBlocklistFromUrl() {
      done="true"
    # Check if $listCurlBuffer is a non-zero length file
    elif [[ -s "${listCurlBuffer}" ]]; then
-      # Determine if blocklist is non-standard and parse as appropriate
+      # Move the downloaded list to the final location
-      gravity_ParseFileIntoDomains "${listCurlBuffer}" "${saveLocation}"
+      mv "${listCurlBuffer}" "${saveLocation}"
-      # Remove curl buffer file after its use
+      # Ensure the file has the correct permissions
-      rm "${listCurlBuffer}"
+      fix_owner_permissions "${saveLocation}"
-      # Compare lists if are they identical
+      # Compare lists if they are identical
      compareLists "${adlistID}" "${saveLocation}"
      # Add domains to database table file
      pihole-FTL "${gravity_type}" parseList "${saveLocation}" "${gravityTEMPfile}" "${adlistID}"
@ -842,13 +821,13 @@ gravity_DownloadBlocklistFromUrl() {
  if [[ "${done}" != "true" ]]; then
    # Determine if cached list has read permission
    if [[ -r "${saveLocation}" ]]; then
-      echo -e "  ${CROSS} List download failed: ${COL_LIGHT_GREEN}using previously cached list${COL_NC}"
+      echo -e "  ${CROSS} List download failed: ${COL_GREEN}using previously cached list${COL_NC}"
      # Set list status to "download-failed/cached"
      database_adlist_status "${adlistID}" "3"
      # Add domains to database table file
      pihole-FTL "${gravity_type}" parseList "${saveLocation}" "${gravityTEMPfile}" "${adlistID}"
    else
-      echo -e "  ${CROSS} List download failed: ${COL_LIGHT_RED}no cached list available${COL_NC}"
+      echo -e "  ${CROSS} List download failed: ${COL_RED}no cached list available${COL_NC}"
      # Manually reset these two numbers because we do not call parseList here
      database_adlist_number "${adlistID}" 0 0
      database_adlist_status "${adlistID}" "4"
@ -856,37 +835,6 @@ gravity_DownloadBlocklistFromUrl() {
  fi
 }
 # Parse source files into domains format
 gravity_ParseFileIntoDomains() {
  local src="${1}" destination="${2}"
  # Remove comments and print only the domain name
  # Most of the lists downloaded are already in hosts file format but the spacing/formatting is not contiguous
  # This helps with that and makes it easier to read
  # It also helps with debugging so each stage of the script can be researched more in depth
  # 1) Convert all characters to lowercase
  tr '[:upper:]' '[:lower:]' <"${src}" >"${destination}"
  # 2) Remove carriage returns
  # 3) Remove lines starting with ! (ABP Comments)
  # 4) Remove lines starting with [ (ABP Header)
  # 5) Remove lines containing ABP extended CSS selectors ("##", "#$#", "#@#", "#?#") and Adguard JavaScript (#%#) preceded by a letter
  # 6) Remove comments (text starting with "#", include possible spaces before the hash sign)
  # 7) Remove leading tabs, spaces, etc. (Also removes leading IP addresses)
  # 8) Remove empty lines
  sed -i -r \
    -e 's/\r$//' \
    -e 's/\s*!.*//g' \
    -e 's/\s*\[.*//g' \
    -e '/[a-z]\#[$?@%]{0,3}\#/d' \
    -e 's/\s*#.*//g' \
    -e 's/^.*\s+//g' \
    -e '/^$/d' "${destination}"
  fix_owner_permissions "${destination}"
 }
 # Report number of entries in a table
 gravity_Table_Count() {
  local table="${1}"
@ -916,7 +864,7 @@ gravity_ShowCount() {
 # Trap Ctrl-C
 gravity_Trap() {
-  trap '{ echo -e "\\n\\n  ${INFO} ${COL_LIGHT_RED}User-abort detected${COL_NC}"; gravity_Cleanup "error"; }' INT
+  trap '{ echo -e "\\n\\n  ${INFO} ${COL_RED}User-abort detected${COL_NC}"; gravity_Cleanup "error"; }' INT
 }
 # Clean up after Gravity upon exit or cancellation
@ -934,13 +882,13 @@ gravity_Cleanup() {
  # invalid_domains location
  rm "${GRAVITY_TMPDIR}"/*.ph-non-domains 2>/dev/null
-  # Ensure this function only runs when gravity_SetDownloadOptions() has completed
+  # Ensure this function only runs when gravity_DownloadBlocklists() has completed
-  if [[ "${gravity_Blackbody:-}" == true ]]; then
+  if [[ "${DownloadBlocklists_done:-}" == true ]]; then
-    # Remove any unused .domains files
+    # Remove any unused .domains/.etag/.sha files
-    for file in "${piholeDir}"/*."${domainsExtension}"; do
+    for file in "${listsCacheDir}"/*."${domainsExtension}"; do
-      # If list is not in active array, then remove it
+      # If list is not in active array, then remove it and all associated files
      if [[ ! "${activeDomains[*]}" == *"${file}"* ]]; then
-        rm -f "${file}" 2>/dev/null ||
+        rm -f "${file}"* 2>/dev/null ||
          echo -e "  ${CROSS} Failed to remove ${file##*/}"
      fi
    done
@ -1074,7 +1022,7 @@ migrate_to_listsCache_dir() {
  # If not, we need to migrate the old files to the new directory
  local str="Migrating the list's cache directory to new location"
  echo -ne "  ${INFO} ${str}..."
-  mkdir -p "${listsCacheDir}"
+  mkdir -p "${listsCacheDir}" && chown pihole:pihole "${listsCacheDir}"
  # Move the old files to the new directory
  if mv "${piholeDir}"/list.* "${listsCacheDir}/" 2>/dev/null; then
@ -1133,13 +1081,19 @@ for var in "$@"; do
  "-t" | "--timeit") timed=true ;;
  "-r" | "--repair") repairSelector "$3" ;;
  "-u" | "--upgrade")
-    upgrade_gravityDB "${gravityDBfile}" "${piholeDir}"
+    upgrade_gravityDB "${gravityDBfile}"
    exit 0
    ;;
  "-h" | "--help") helpFunc ;;
  esac
 done
 # Check if DNS is available, no need to do any database manipulation if we're not able to download adlists
 if ! timeit gravity_CheckDNSResolutionAvailable; then
  echo -e "   ${CROSS} No DNS resolution available. Please contact support."
  exit 1
 fi
 # Remove OLD (backup) gravity file, if it exists
 if [[ -f "${gravityOLDfile}" ]]; then
  rm "${gravityOLDfile}"
@ -1180,11 +1134,6 @@ if [[ "${forceDelete:-}" == true ]]; then
 fi
 # Gravity downloads blocklists next
 if ! timeit gravity_CheckDNSResolutionAvailable; then
  echo -e "   ${CROSS} Can not complete gravity update, no DNS is available. Please contact support."
  exit 1
 fi
 if ! gravity_DownloadBlocklists; then
  echo -e "   ${CROSS} Unable to create gravity database. Please try again later. If the problem persists, please contact support."
  exit 1
--- a/manpages/pihole.8
+++ b/manpages/pihole.8
@ -23,7 +23,7 @@ pihole -r
 .br
 \fBpihole -g\fR
 .br
-\fBpihole\fR -\fBq\fR [options]
+\fBpihole\fR \fB-q\fR [options]
 .br
 \fBpihole\fR \fB-l\fR (\fBon|off|off noflush\fR)
 .br
@ -43,7 +43,7 @@ pihole -r
 .br
 \fBpihole\fR \fBcheckout\fR repo [branch]
 .br
-\fBpihole\fR \api\fR endpoint
+\fBpihole\fR \fBapi\fR [verbose] endpoint
 .br
 \fBpihole\fR \fBhelp\fR
 .br
@ -234,10 +234,14 @@ Available commands and options:
      branchname        Update subsystems to the specified branchname
 .br
-\fBapi\fR endpoint
+\fBapi\fR [verbose] endpoint
 .br
    Query the Pi-hole API at <endpoint>
 .br
      verbose           Show authentication and status messages
 .br
 .SH "EXAMPLE"
 Some usage examples
@ -323,6 +327,11 @@ Switching Pi-hole subsystem branches
    Queries FTL for the stats/summary endpoint
 .br
 \fBpihole api verbose stats/summary\fR
 .br
    Same as above, but shows authentication and status messages
 .br
 .SH "COLOPHON"
 Get sucked into the latest news and community activity by entering Pi-hole's orbit. Information about Pi-hole, and the latest version of the software can be found at https://pi-hole.net.
--- a/38
+++ b/38
@ -9,7 +9,7 @@
 # This file is copyright under the latest version of the EUPL.
 # Please see LICENSE file for your rights under this license.
-readonly PI_HOLE_SCRIPT_DIR="/opt/pihole"
+PI_HOLE_SCRIPT_DIR="/opt/pihole"
 # PI_HOLE_BIN_DIR is not readonly here because in some functions (checkout),
 # they might get set again when the installer is sourced. This causes an
@ -17,13 +17,16 @@ readonly PI_HOLE_SCRIPT_DIR="/opt/pihole"
 PI_HOLE_BIN_DIR="/usr/local/bin"
 readonly colfile="${PI_HOLE_SCRIPT_DIR}/COL_TABLE"
 # shellcheck source=./advanced/Scripts/COL_TABLE
 source "${colfile}"
-readonly utilsfile="${PI_HOLE_SCRIPT_DIR}/utils.sh"
+utilsfile="${PI_HOLE_SCRIPT_DIR}/utils.sh"
 # shellcheck source=./advanced/Scripts/utils.sh
 source "${utilsfile}"
 # Source api functions
 readonly apifile="${PI_HOLE_SCRIPT_DIR}/api.sh"
 # shellcheck source=./advanced/Scripts/api.sh
 source "${apifile}"
 versionsfile="/etc/pihole/versions"
@ -31,6 +34,7 @@ if [ -f "${versionsfile}" ]; then
    # Only source versionsfile if the file exits
    # fixes a warning during installation where versionsfile does not exist yet
    # but gravity calls `pihole -status` and thereby sourcing the file
    # shellcheck source=/dev/null
    source "${versionsfile}"
 fi
@ -234,7 +238,7 @@ Time:
    fi
    if [[ ${error} == true ]];then
-      echo -e "  ${COL_LIGHT_RED}Unknown format for blocking timer!${COL_NC}"
+      echo -e "  ${COL_RED}Unknown format for blocking timer!${COL_NC}"
      echo -e "  Try 'pihole disable --help' for more information."
      exit 1
    fi
@ -247,12 +251,14 @@ Time:
  data=$(PostFTLData "dns/blocking" "{ \"blocking\": ${1}, \"timer\": ${tt} }")
  # Check the response
-  local extra=" forever"
+  local extra timer
-  local timer="$(echo "${data}"| jq --raw-output '.timer' )"
+  extra=" forever"
  timer="$(echo "${data}"| jq --raw-output '.timer' )"
  if [[ "${timer}" != "null" ]]; then
    extra=" for ${timer}s"
  fi
-  local str="Pi-hole $(echo "${data}" | jq --raw-output '.blocking')${extra}"
+  local str
  str="Pi-hole $(echo "${data}" | jq --raw-output '.blocking')${extra}"
  # Logout from the API
  LogoutAPI
@ -287,7 +293,7 @@ Options:
    echo -e "  ${INFO} Enabling logging..."
    local str="Logging has been enabled!"
  else
-    echo -e "  ${COL_LIGHT_RED}Invalid option${COL_NC}
+    echo -e "  ${COL_RED}Invalid option${COL_NC}
  Try 'pihole logging --help' for more information."
    exit 1
  fi
@ -375,20 +381,22 @@ statusFunc() {
 tailFunc() {
  # Warn user if Pi-hole's logging is disabled
-  local logging_enabled=$(getFTLConfigValue dns.queryLogging)
+  local logging_enabled
  logging_enabled=$(getFTLConfigValue dns.queryLogging)
  if [[ "${logging_enabled}" != "true" ]]; then
    echo "  ${CROSS} Warning: Query logging is disabled"
  fi
  echo -e "  ${INFO} Press Ctrl-C to exit"
  # Get logfile path
-  readonly LOGFILE=$(getFTLConfigValue files.log.dnsmasq)
+  LOGFILE=$(getFTLConfigValue files.log.dnsmasq)
  readonly LOGFILE
  # Strip date from each line
  # Color blocklist/denylist/wildcard entries as red
  # Color A/AAAA/DHCP strings as white
  # Color everything else as gray
-  tail -f $LOGFILE | grep --line-buffered "${1}" | sed -E \
+  tail -f $LOGFILE | grep --line-buffered -- "${1}" | sed -E \
    -e "s,($(date +'%b %d ')| dnsmasq\[[0-9]*\]),,g" \
    -e "s,(.*(denied |gravity blocked ).*),${COL_RED}&${COL_NC}," \
    -e "s,.*(query\\[A|DHCP).*,${COL_NC}&${COL_NC}," \
@ -423,6 +431,7 @@ piholeCheckoutFunc() {
      exit 0
    fi
    #shellcheck source=./advanced/Scripts/piholeCheckout.sh
    source "${PI_HOLE_SCRIPT_DIR}"/piholeCheckout.sh
    shift
    checkout "$@"
@ -484,6 +493,7 @@ Debugging Options:
                      Add an optional argument to filter the log
                      (regular expressions are supported)
  api <endpoint>      Query the Pi-hole API at <endpoint>
                        Precede <endpoint> with 'verbose' option to show authentication and status messages
 Options:
@ -542,7 +552,7 @@ case "${1}" in
  "enable"                        ) need_root=0;;
  "disable"                       ) need_root=0;;
  "-d" | "debug"                  ) ;;
-  "-g" | "updateGravity"          ) ;;
+  "-g" | "updateGravity"          ) need_root=0;;
  "reloaddns"                     ) ;;
  "reloadlists"                   ) ;;
  "setpassword"                   ) ;;
@ -560,9 +570,9 @@ if [[ -z ${USER} ]]; then
  USER=$(whoami)
 fi
-# Check if the current user is neither root nor pihole and if the command
+# Check if the current user is not root and if the command
 # requires root. If so, exit with an error message.
-if [[ $EUID -ne 0 && ${USER} != "pihole" && need_root -eq 1 ]];then
+if [[ $EUID -ne 0 && need_root -eq 1 ]];then
  echo -e "  ${CROSS} The Pi-hole command requires root privileges, try:"
  echo -e "      ${COL_GREEN}sudo pihole $*${COL_NC}"
  exit 1
@ -592,6 +602,6 @@ case "${1}" in
  "updatechecker"                 ) shift; updateCheckFunc "$@";;
  "arpflush"                      ) arpFunc "$@";;
  "-t" | "tail"                   ) tailFunc "$2";;
-  "api"                           ) apiFunc "$2";;
+  "api"                           ) shift; apiFunc "$@";;
  *                               ) helpFunc;;
 esac
--- a/test/_centos_10.Dockerfile
+++ b/test/_centos_10.Dockerfile
@ -0,0 +1,19 @@
 FROM quay.io/centos/centos:stream10
 # Disable SELinux
 RUN echo "SELINUX=disabled" > /etc/selinux/config
 RUN yum install -y --allowerasing curl git initscripts
 ENV GITDIR=/etc/.pihole
 ENV SCRIPTDIR=/opt/pihole
 RUN mkdir -p $GITDIR $SCRIPTDIR /etc/pihole
 ADD . $GITDIR
 RUN cp $GITDIR/advanced/Scripts/*.sh $GITDIR/gravity.sh $GITDIR/pihole $GITDIR/automated\ install/*.sh $GITDIR/advanced/Scripts/COL_TABLE $SCRIPTDIR/
 ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$SCRIPTDIR
 RUN true && \
    chmod +x $SCRIPTDIR/*
 ENV SKIP_INSTALL=true
 #sed '/# Start the installer/Q' /opt/pihole/basic-install.sh > /opt/pihole/stub_basic-install.sh && \
--- a/test/_centos_9.Dockerfile
+++ b/test/_centos_9.Dockerfile
@ -15,6 +15,5 @@ RUN true && \
    chmod +x $SCRIPTDIR/*
 ENV SKIP_INSTALL=true
 ENV OS_CHECK_DOMAIN_NAME=dev-supportedos.pi-hole.net
 #sed '/# Start the installer/Q' /opt/pihole/basic-install.sh > /opt/pihole/stub_basic-install.sh && \
--- a/test/_debian_11.Dockerfile
+++ b/test/_debian_11.Dockerfile
@ -12,6 +12,5 @@ RUN true && \
    chmod +x $SCRIPTDIR/*
 ENV SKIP_INSTALL=true
 ENV OS_CHECK_DOMAIN_NAME=dev-supportedos.pi-hole.net
 #sed '/# Start the installer/Q' /opt/pihole/basic-install.sh > /opt/pihole/stub_basic-install.sh && \
--- a/test/_debian_12.Dockerfile
+++ b/test/_debian_12.Dockerfile
@ -12,6 +12,5 @@ RUN true && \
    chmod +x $SCRIPTDIR/*
 ENV SKIP_INSTALL=true
 ENV OS_CHECK_DOMAIN_NAME=dev-supportedos.pi-hole.net
 #sed '/# Start the installer/Q' /opt/pihole/basic-install.sh > /opt/pihole/stub_basic-install.sh && \
--- a/test/_fedora_40.Dockerfile
+++ b/test/_fedora_40.Dockerfile
@ -13,6 +13,5 @@ RUN true && \
    chmod +x $SCRIPTDIR/*
 ENV SKIP_INSTALL=true
 ENV OS_CHECK_DOMAIN_NAME=dev-supportedos.pi-hole.net
 #sed '/# Start the installer/Q' /opt/pihole/basic-install.sh > /opt/pihole/stub_basic-install.sh && \
--- a/test/_fedora_41.Dockerfile
+++ b/test/_fedora_41.Dockerfile
@ -13,6 +13,5 @@ RUN true && \
    chmod +x $SCRIPTDIR/*
 ENV SKIP_INSTALL=true
 ENV OS_CHECK_DOMAIN_NAME=dev-supportedos.pi-hole.net
 #sed '/# Start the installer/Q' /opt/pihole/basic-install.sh > /opt/pihole/stub_basic-install.sh && \
--- a/test/_fedora_42.Dockerfile
+++ b/test/_fedora_42.Dockerfile
@ -0,0 +1,17 @@
 FROM fedora:42
 RUN dnf install -y git initscripts
 ENV GITDIR=/etc/.pihole
 ENV SCRIPTDIR=/opt/pihole
 RUN mkdir -p $GITDIR $SCRIPTDIR /etc/pihole
 ADD . $GITDIR
 RUN cp $GITDIR/advanced/Scripts/*.sh $GITDIR/gravity.sh $GITDIR/pihole $GITDIR/automated\ install/*.sh $GITDIR/advanced/Scripts/COL_TABLE $SCRIPTDIR/
 ENV PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:$SCRIPTDIR
 RUN true && \
    chmod +x $SCRIPTDIR/*
 ENV SKIP_INSTALL=true
 #sed '/# Start the installer/Q' /opt/pihole/basic-install.sh > /opt/pihole/stub_basic-install.sh && \
--- a/test/_ubuntu_20.Dockerfile
+++ b/test/_ubuntu_20.Dockerfile
@ -12,6 +12,5 @@ RUN true && \
    chmod +x $SCRIPTDIR/*
 ENV SKIP_INSTALL=true
 ENV OS_CHECK_DOMAIN_NAME=dev-supportedos.pi-hole.net
 #sed '/# Start the installer/Q' /opt/pihole/basic-install.sh > /opt/pihole/stub_basic-install.sh && \
--- a/test/_ubuntu_22.Dockerfile
+++ b/test/_ubuntu_22.Dockerfile
@ -13,6 +13,5 @@ RUN true && \
    chmod +x $SCRIPTDIR/*
 ENV SKIP_INSTALL=true
 ENV OS_CHECK_DOMAIN_NAME=dev-supportedos.pi-hole.net
 #sed '/# Start the installer/Q' /opt/pihole/basic-install.sh > /opt/pihole/stub_basic-install.sh && \
--- a/test/_ubuntu_24.Dockerfile
+++ b/test/_ubuntu_24.Dockerfile
@ -13,6 +13,5 @@ RUN true && \
    chmod +x $SCRIPTDIR/*
 ENV SKIP_INSTALL=true
 ENV OS_CHECK_DOMAIN_NAME=dev-supportedos.pi-hole.net
 #sed '/# Start the installer/Q' /opt/pihole/basic-install.sh > /opt/pihole/stub_basic-install.sh && \
--- a/test/requirements.txt
+++ b/test/requirements.txt
@ -1,6 +1,6 @@
 pyyaml == 6.0.2
-pytest == 8.3.4
+pytest == 8.4.1
-pytest-xdist == 3.6.1
+pytest-xdist == 3.8.0
-pytest-testinfra == 10.1.1
+pytest-testinfra == 10.2.2
-tox == 4.24.1
+tox == 4.27.0
 pytest-clarity == 1.0.1
--- a/test/test_any_automated_install.py
+++ b/test/test_any_automated_install.py
@ -89,10 +89,8 @@ def test_installPihole_fresh_install_readableFiles(host):
    export DEBIAN_FRONTEND=noninteractive
    umask 0027
    runUnattended=true
    fresh_install=false
    source /opt/pihole/basic-install.sh > /dev/null
    runUnattended=true
    fresh_install=false
    main
    /opt/pihole/pihole-FTL-prestart.sh
    """
@ -245,6 +243,7 @@ def test_FTL_detect_no_errors(host, arch, detected_string, supported):
        {
            "-A /bin/sh": ("Tag_CPU_arch: " + arch, "0"),
            "-A /usr/bin/sh": ("Tag_CPU_arch: " + arch, "0"),
            "-A /usr/sbin/sh": ("Tag_CPU_arch: " + arch, "0"),
        },
        host,
    )
@ -465,50 +464,6 @@ def test_validate_ip(host):
    test_address("0.0.0.0#00001", False)
 def test_os_check_fails(host):
    """Confirms install fails on unsupported OS"""
    host.run(
        """
    source /opt/pihole/basic-install.sh
    package_manager_detect
    build_dependency_package
    install_dependent_packages
    cat <<EOT > /etc/os-release
 ID=UnsupportedOS
 VERSION_ID="2"
 EOT
    """
    )
    detectOS = host.run(
        """t
    source /opt/pihole/basic-install.sh
    os_check
    """
    )
    expected_stdout = "Unsupported OS detected: UnsupportedOS"
    assert expected_stdout in detectOS.stdout
 def test_os_check_passes(host):
    """Confirms OS meets the requirements"""
    host.run(
        """
    source /opt/pihole/basic-install.sh
    package_manager_detect
    build_dependency_package
    install_dependent_packages
    """
    )
    detectOS = host.run(
        """
    source /opt/pihole/basic-install.sh
    os_check
    """
    )
    expected_stdout = "Supported OS detected"
    assert expected_stdout in detectOS.stdout
 def test_package_manager_has_pihole_deps(host):
    """Confirms OS is able to install the required packages for Pi-hole"""
    mock_command("dialog", {"*": ("", "0")}, host)
@ -516,6 +471,7 @@ def test_package_manager_has_pihole_deps(host):
        """
    source /opt/pihole/basic-install.sh
    package_manager_detect
    update_package_cache
    build_dependency_package
    install_dependent_packages
    """
@ -532,6 +488,7 @@ def test_meta_package_uninstall(host):
        """
    source /opt/pihole/basic-install.sh
    package_manager_detect
    update_package_cache
    build_dependency_package
    install_dependent_packages
    """
--- a/test/tox.centos_10.ini
+++ b/test/tox.centos_10.ini
@ -0,0 +1,10 @@
 [tox]
 envlist = py3
 [testenv:py3]
 allowlist_externals = docker
 deps = -rrequirements.txt
 setenv =
    COLUMNS=120
 commands = docker buildx build --load --progress plain -f _centos_10.Dockerfile -t pytest_pihole:test_container ../
           pytest {posargs:-vv -n auto} ./test_any_automated_install.py ./test_any_utils.py ./test_centos_fedora_common_support.py
--- a/test/tox.fedora_42.ini
+++ b/test/tox.fedora_42.ini
@ -0,0 +1,10 @@
 [tox]
 envlist = py3
 [testenv]
 allowlist_externals = docker
 deps = -rrequirements.txt
 setenv =
    COLUMNS=120
 commands = docker buildx build --load --progress plain -f _fedora_42.Dockerfile -t pytest_pihole:test_container ../
           pytest {posargs:-vv -n auto} ./test_any_automated_install.py ./test_any_utils.py ./test_centos_fedora_common_support.py
		`@ -0,0 +1,2 @@`
							`external-sources=true # allow shellcheck to read external sources`
							`disable=SC3043 #disable SC3043: In POSIX sh, local is undefined.`