From 7d38be7b55e3bcebe2c0b9911df2f99f16f46c2a Mon Sep 17 00:00:00 2001
From: Carter Myers <206+cmyers@users.noreply.github.mieweb.com>
Date: Wed, 3 Dec 2025 16:00:04 -0700
Subject: [PATCH 1/5] Add scheduled job support and OCI image pull job

Introduces ScheduledJob model, migrations, and seeder for cron-based job scheduling. Updates job-runner to process scheduled jobs and create pending jobs when schedule conditions are met. Adds support for defaultStorage on nodes, including migration, model, and form update. Implements oci-build-job utility to pull OCI container images to Proxmox nodes using API credentials and storage configuration.
---
 create-a-container/job-runner.js              |  59 +++++
 .../20251203000000-create-scheduled-jobs.js   |  34 +++
 ...1203000001-add-default-storage-to-nodes.js |  14 ++
 create-a-container/models/node.js             |   5 +
 create-a-container/models/scheduled-job.js    |  24 ++
 create-a-container/package.json               |   1 +
 .../20251203000000-seed-oci-build-job.js      |  21 ++
 create-a-container/utils/oci-build-job.js     | 227 ++++++++++++++++++
 create-a-container/views/nodes/form.ejs       |  13 +
 9 files changed, 398 insertions(+)
 create mode 100644 create-a-container/migrations/20251203000000-create-scheduled-jobs.js
 create mode 100644 create-a-container/migrations/20251203000001-add-default-storage-to-nodes.js
 create mode 100644 create-a-container/models/scheduled-job.js
 create mode 100644 create-a-container/seeders/20251203000000-seed-oci-build-job.js
 create mode 100644 create-a-container/utils/oci-build-job.js

diff --git a/create-a-container/job-runner.js b/create-a-container/job-runner.js
index 644b7c97..4c63874d 100644
--- a/create-a-container/job-runner.js
+++ b/create-a-container/job-runner.js
@@ -1,6 +1,7 @@
 #!/usr/bin/env node
 /**
  * job-runner.js
+ * - Checks ScheduledJobs and creates pending Jobs when schedule conditions are met
  * - Polls the Jobs table for pending jobs
  * - Claims a job (transactionally), sets status to 'running'
  * - Spawns the configured command and streams stdout/stderr into JobStatuses
@@ -9,6 +10,7 @@
 
 const { spawn } = require('child_process');
 const path = require('path');
+const parser = require('cron-parser');
 const db = require('./models');
 
 const POLL_INTERVAL_MS = parseInt(process.env.JOB_RUNNER_POLL_MS || '2000', 10);
@@ -17,6 +19,59 @@ const WORKDIR = process.env.JOB_RUNNER_CWD || process.cwd();
 let shuttingDown = false;
 // Map of jobId -> child process for active/running jobs
 const activeChildren = new Map();
+// Track last scheduled job execution time to avoid duplicate runs
+const lastScheduledExecution = new Map();
+
+async function shouldScheduledJobRun(scheduledJob) {
+  try {
+    const interval = parser.parseExpression(scheduledJob.schedule);
+    const now = new Date();
+    const lastExecution = lastScheduledExecution.get(scheduledJob.id);
+    
+    // Get the next occurrence from the schedule
+    const nextExecution = interval.next().toDate();
+    const currentMinute = new Date(now.getFullYear(), now.getMonth(), now.getDate(), now.getHours(), now.getMinutes());
+    const nextMinute = new Date(nextExecution.getFullYear(), nextExecution.getMonth(), nextExecution.getDate(), nextExecution.getHours(), nextExecution.getMinutes());
+    
+    // If the next scheduled time is now and we haven't executed in this minute
+    if (currentMinute.getTime() === nextMinute.getTime()) {
+      if (!lastExecution || lastExecution.getTime() < currentMinute.getTime()) {
+        return true;
+      }
+    }
+    return false;
+  } catch (err) {
+    console.error(`Error parsing schedule for job ${scheduledJob.id}: ${err.message}`);
+    return false;
+  }
+}
+
+async function processScheduledJobs() {
+  try {
+    const scheduledJobs = await db.ScheduledJob.findAll();
+    
+    for (const scheduledJob of scheduledJobs) {
+      if (await shouldScheduledJobRun(scheduledJob)) {
+        console.log(`JobRunner: Creating job from scheduled job ${scheduledJob.id}: ${scheduledJob.schedule}`);
+        
+        try {
+          await db.Job.create({
+            command: scheduledJob.command,
+            status: 'pending',
+            createdBy: `ScheduledJob#${scheduledJob.id}`
+          });
+          
+          // Mark that we've executed this scheduled job at this time
+          lastScheduledExecution.set(scheduledJob.id, new Date());
+        } catch (err) {
+          console.error(`Error creating job from scheduled job ${scheduledJob.id}:`, err);
+        }
+      }
+    }
+  } catch (err) {
+    console.error('Error processing scheduled jobs:', err);
+  }
+}
 
 async function claimPendingJob() {
   const sequelize = db.sequelize;
@@ -139,6 +194,10 @@ async function shutdownAndCancelJobs(signal) {
 async function loop() {
   if (shuttingDown) return;
   try {
+    // Check for scheduled jobs that should run
+    await processScheduledJobs();
+    
+    // Check for pending jobs
     const job = await claimPendingJob();
     if (job) {
       // Run job but don't block polling loop; we will wait for job to update
diff --git a/create-a-container/migrations/20251203000000-create-scheduled-jobs.js b/create-a-container/migrations/20251203000000-create-scheduled-jobs.js
new file mode 100644
index 00000000..4e97fb47
--- /dev/null
+++ b/create-a-container/migrations/20251203000000-create-scheduled-jobs.js
@@ -0,0 +1,34 @@
+'use strict';
+/** @type {import('sequelize-cli').Migration} */
+module.exports = {
+  async up(queryInterface, Sequelize) {
+    await queryInterface.createTable('ScheduledJobs', {
+      id: {
+        allowNull: false,
+        autoIncrement: true,
+        primaryKey: true,
+        type: Sequelize.INTEGER
+      },
+      schedule: {
+        type: Sequelize.STRING(255),
+        allowNull: false,
+        comment: 'Cron-style schedule expression (e.g., "0 2 * * *" for daily at 2 AM)'
+      },
+      command: {
+        type: Sequelize.STRING(2000),
+        allowNull: false
+      },
+      createdAt: {
+        allowNull: false,
+        type: Sequelize.DATE
+      },
+      updatedAt: {
+        allowNull: false,
+        type: Sequelize.DATE
+      }
+    });
+  },
+  async down(queryInterface, Sequelize) {
+    await queryInterface.dropTable('ScheduledJobs');
+  }
+};
diff --git a/create-a-container/migrations/20251203000001-add-default-storage-to-nodes.js b/create-a-container/migrations/20251203000001-add-default-storage-to-nodes.js
new file mode 100644
index 00000000..ee66ef60
--- /dev/null
+++ b/create-a-container/migrations/20251203000001-add-default-storage-to-nodes.js
@@ -0,0 +1,14 @@
+'use strict';
+/** @type {import('sequelize-cli').Migration} */
+module.exports = {
+  async up(queryInterface, Sequelize) {
+    await queryInterface.addColumn('Nodes', 'defaultStorage', {
+      type: Sequelize.STRING(255),
+      allowNull: true,
+      comment: 'Default storage target for container templates and images'
+    });
+  },
+  async down(queryInterface, Sequelize) {
+    await queryInterface.removeColumn('Nodes', 'defaultStorage');
+  }
+};
diff --git a/create-a-container/models/node.js b/create-a-container/models/node.js
index 7181d9d9..126c0864 100644
--- a/create-a-container/models/node.js
+++ b/create-a-container/models/node.js
@@ -45,6 +45,11 @@ module.exports = (sequelize, DataTypes) => {
     tlsVerify: {
       type: DataTypes.BOOLEAN,
       allowNull: true
+    },
+    defaultStorage: {
+      type: DataTypes.STRING(255),
+      allowNull: true,
+      comment: 'Default storage target for container templates and images'
     }
   }, {
     sequelize,
diff --git a/create-a-container/models/scheduled-job.js b/create-a-container/models/scheduled-job.js
new file mode 100644
index 00000000..c684b113
--- /dev/null
+++ b/create-a-container/models/scheduled-job.js
@@ -0,0 +1,24 @@
+'use strict';
+const { Model } = require('sequelize');
+module.exports = (sequelize, DataTypes) => {
+  class ScheduledJob extends Model {
+    static associate(models) {
+      // ScheduledJob can be associated with created Jobs if needed
+    }
+  }
+  ScheduledJob.init({
+    schedule: {
+      type: DataTypes.STRING(255),
+      allowNull: false,
+      comment: 'Cron-style schedule expression (e.g., "0 2 * * *" for daily at 2 AM)'
+    },
+    command: {
+      type: DataTypes.STRING(2000),
+      allowNull: false
+    }
+  }, {
+    sequelize,
+    modelName: 'ScheduledJob'
+  });
+  return ScheduledJob;
+};
diff --git a/create-a-container/package.json b/create-a-container/package.json
index 3c0d6e24..b923259c 100644
--- a/create-a-container/package.json
+++ b/create-a-container/package.json
@@ -13,6 +13,7 @@
     "argon2": "^0.44.0",
     "axios": "^1.12.2",
     "connect-flash": "^0.1.1",
+    "cron-parser": "^4.1.0",
     "dotenv": "^17.2.3",
     "ejs": "^3.1.10",
     "express": "^5.2.1",
diff --git a/create-a-container/seeders/20251203000000-seed-oci-build-job.js b/create-a-container/seeders/20251203000000-seed-oci-build-job.js
new file mode 100644
index 00000000..ecfd95eb
--- /dev/null
+++ b/create-a-container/seeders/20251203000000-seed-oci-build-job.js
@@ -0,0 +1,21 @@
+'use strict';
+
+/** @type {import('sequelize-cli').Migration} */
+module.exports = {
+  async up(queryInterface, Sequelize) {
+    await queryInterface.bulkInsert('ScheduledJobs', [
+      {
+        schedule: '0 2 * * *',
+        command: 'node -e "require(\'./utils/oci-build-job\').run()"',
+        createdAt: new Date(),
+        updatedAt: new Date()
+      }
+    ], {});
+  },
+
+  async down(queryInterface, Sequelize) {
+    await queryInterface.bulkDelete('ScheduledJobs', {
+      command: { [Sequelize.Op.like]: '%oci-build-job%' }
+    }, {});
+  }
+};
diff --git a/create-a-container/utils/oci-build-job.js b/create-a-container/utils/oci-build-job.js
new file mode 100644
index 00000000..bbf753b6
--- /dev/null
+++ b/create-a-container/utils/oci-build-job.js
@@ -0,0 +1,227 @@
+#!/usr/bin/env node
+/**
+ * oci-build-job.js
+ * 
+ * This utility is called by ScheduledJob to pull and configure OCI LXC container images
+ * (Debian 13 and Rocky 9) for Proxmox 9+.
+ * 
+ * It reads configuration from the database (Nodes model) to get API URLs and tokens,
+ * then pulls OCI images from a container registry and makes them available in Proxmox storage.
+ */
+
+const axios = require('axios');
+const db = require('../models');
+const ProxmoxApi = require('./proxmox-api');
+
+/**
+ * Get list of available OCI images to pull
+ */
+function getOciImages() {
+  return [
+    {
+      name: 'debian13',
+      registry: process.env.OCI_REGISTRY || 'ghcr.io',
+      image: 'mieweb/opensource-server/debian13',
+      tag: process.env.OCI_IMAGE_TAG || 'latest'
+    },
+    {
+      name: 'rocky9',
+      registry: process.env.OCI_REGISTRY || 'ghcr.io',
+      image: 'mieweb/opensource-server/rocky9',
+      tag: process.env.OCI_IMAGE_TAG || 'latest'
+    }
+  ];
+}
+
+/**
+ * Parse OCI image reference into components
+ */
+function parseImageReference(imageSpec) {
+  // imageSpec format: registry/image:tag
+  const parts = imageSpec.split('/');
+  const registry = parts[0];
+  const remaining = parts.slice(1).join('/');
+  const [imagePath, tag] = remaining.split(':');
+  
+  return { registry, imagePath, tag: tag || 'latest' };
+}
+
+/**
+ * Pull an OCI image to a Proxmox node
+ */
+async function pullImageToNode(node, imageSpec) {
+  console.log(`[OCI Build] Pulling image ${imageSpec} to node ${node.name}`);
+
+  if (!node.apiUrl || !node.tokenId || !node.secret) {
+    console.warn(`[OCI Build] Warning: Node ${node.name} missing API credentials, skipping`);
+    return false;
+  }
+
+  try {
+    const api = new ProxmoxApi(node.apiUrl, node.tokenId, node.secret, {
+      httpsAgent: { rejectUnauthorized: node.tlsVerify !== false }
+    });
+
+    // Get list of storages on the node
+    const storages = await api.datastores(node.name, 'vztmpl');
+    
+    // Choose storage (prefer defaultStorage if set, otherwise use first available)
+    let targetStorage = null;
+    if (node.defaultStorage) {
+      targetStorage = storages.find(s => s.storage === node.defaultStorage);
+    }
+    if (!targetStorage && storages.length > 0) {
+      targetStorage = storages[0];
+    }
+
+    if (!targetStorage) {
+      console.warn(`[OCI Build] No suitable storage found on node ${node.name}, skipping`);
+      return false;
+    }
+
+    console.log(`[OCI Build] Using storage ${targetStorage.storage} on ${node.name}`);
+
+    // Call the Proxmox API to pull the OCI image
+    // This uses the pct pull-image API endpoint available in Proxmox 9+
+    const pullResponse = await axios.post(
+      `${node.apiUrl}/api2/json/nodes/${encodeURIComponent(node.name)}/pull-image`,
+      {
+        image: imageSpec,
+        storage: targetStorage.storage
+      },
+      {
+        headers: {
+          'Authorization': `PVEAPIToken=${node.tokenId}=${node.secret}`
+        },
+        httpsAgent: { rejectUnauthorized: node.tlsVerify !== false }
+      }
+    );
+
+    // The response contains a task ID that we should monitor
+    const upid = pullResponse.data.data;
+    console.log(`[OCI Build] Image pull started on ${node.name}, task: ${upid}`);
+
+    // Optionally wait for task completion
+    await waitForTaskCompletion(node, upid);
+
+    console.log(`[OCI Build] Successfully pulled ${imageSpec} to ${node.name}`);
+    return true;
+  } catch (err) {
+    console.error(`[OCI Build] Error pulling image to ${node.name}: ${err.message}`);
+    return false;
+  }
+}
+
+/**
+ * Wait for a Proxmox task to complete
+ */
+async function waitForTaskCompletion(node, upid, maxWaitMs = 600000) {
+  const startTime = Date.now();
+  const pollIntervalMs = 5000;
+
+  try {
+    const api = new ProxmoxApi(node.apiUrl, node.tokenId, node.secret, {
+      httpsAgent: { rejectUnauthorized: node.tlsVerify !== false }
+    });
+
+    while (Date.now() - startTime < maxWaitMs) {
+      try {
+        const taskStatus = await api.taskStatus(node.name, upid);
+
+        if (taskStatus.status === 'stopped') {
+          if (taskStatus.exitstatus === 'OK') {
+            console.log(`[OCI Build] Task ${upid} completed successfully`);
+            return true;
+          } else {
+            throw new Error(`Task failed: ${taskStatus.exitstatus}`);
+          }
+        }
+
+        // Task still running, wait and retry
+        await new Promise(resolve => setTimeout(resolve, pollIntervalMs));
+      } catch (err) {
+        if (err.response?.status === 404) {
+          // Task might have completed and been cleaned up
+          return true;
+        }
+        throw err;
+      }
+    }
+
+    throw new Error(`Task did not complete within ${maxWaitMs}ms`);
+  } catch (err) {
+    console.warn(`[OCI Build] Could not verify task completion: ${err.message}. Continuing...`);
+    return true; // Don't fail, the task might still complete
+  }
+}
+
+/**
+ * Main job execution
+ */
+async function run() {
+  try {
+    console.log('[OCI Build] Starting OCI container image pull job');
+
+    // Ensure database connection
+    await db.sequelize.authenticate();
+    console.log('[OCI Build] Database connected');
+
+    // Get all nodes
+    const nodes = await db.Node.findAll();
+    if (!nodes || nodes.length === 0) {
+      throw new Error('No Proxmox nodes configured in database');
+    }
+
+    console.log(`[OCI Build] Found ${nodes.length} node(s) to update`);
+
+    // Get list of images to pull
+    const images = getOciImages();
+    console.log(`[OCI Build] Will pull ${images.length} image(s): ${images.map(i => i.name).join(', ')}`);
+
+    // Pull each image to each node
+    let successCount = 0;
+    let failureCount = 0;
+
+    for (const image of images) {
+      const imageRef = `${image.registry}/${image.image}:${image.tag}`;
+      console.log(`\n[OCI Build] Processing image: ${imageRef}`);
+
+      for (const node of nodes) {
+        try {
+          const success = await pullImageToNode(node, imageRef);
+          if (success) {
+            successCount++;
+          } else {
+            failureCount++;
+          }
+        } catch (err) {
+          console.error(`[OCI Build] Exception pulling to ${node.name}: ${err.message}`);
+          failureCount++;
+        }
+      }
+    }
+
+    console.log(`\n[OCI Build] Job completed - ${successCount} successful, ${failureCount} failed`);
+
+    if (failureCount === 0) {
+      console.log('[OCI Build] OCI image pull job completed successfully');
+      process.exit(0);
+    } else if (successCount > 0) {
+      console.log('[OCI Build] OCI image pull job completed with some failures');
+      process.exit(0); // Partial success is acceptable
+    } else {
+      throw new Error('All image pulls failed');
+    }
+  } catch (err) {
+    console.error('[OCI Build] Fatal error:', err.message);
+    process.exit(1);
+  }
+}
+
+module.exports = { run };
+
+// If called directly as a script
+if (require.main === module) {
+  run();
+}
+
diff --git a/create-a-container/views/nodes/form.ejs b/create-a-container/views/nodes/form.ejs
index 79cad2be..5d65897a 100644
--- a/create-a-container/views/nodes/form.ejs
+++ b/create-a-container/views/nodes/form.ejs
@@ -98,6 +98,19 @@
         <div class="form-text">Whether to verify TLS certificates when connecting to this node</div>
       </div>
 
+      <div class="mb-3">
+        <label for="defaultStorage" class="form-label">Default Storage</label>
+        <input 
+          type="text" 
+          class="form-control" 
+          id="defaultStorage" 
+          name="defaultStorage" 
+          value="<%= node && node.defaultStorage ? node.defaultStorage : '' %>"
+          placeholder="e.g., local"
+        >
+        <div class="form-text">Default storage target for container templates and images (optional)</div>
+      </div>
+
       <div class="d-flex justify-content-between">
         <a href="/sites/<%= site.id %>/nodes" class="btn btn-secondary" aria-label="Cancel and return to nodes list">Cancel</a>
         <button type="submit" class="btn btn-primary">

From 782b393bb042977a82be52eff225bfbbd9f78a49 Mon Sep 17 00:00:00 2001
From: Carter Myers <206+cmyers@users.noreply.github.mieweb.com>
Date: Thu, 11 Dec 2025 15:30:19 -0700
Subject: [PATCH 2/5] Add OCI build and push automation for site images

Introduces a script to build and push site-specific OCI images using Docker, a seeder to schedule this job, and a Debian Dockerfile template. Updates oci-build-job.js to prefer LOCAL_REGISTRY for image registry. The README is updated to reference the local registry in example commands.
---
 README.md                                     |   2 +-
 .../20251204000000-seed-build-push-oci.js     |  21 +++
 .../templates/debian.Dockerfile               |  11 ++
 create-a-container/utils/build-push-oci.js    | 171 ++++++++++++++++++
 create-a-container/utils/oci-build-job.js     |   4 +-
 5 files changed, 206 insertions(+), 3 deletions(-)
 create mode 100644 create-a-container/seeders/20251204000000-seed-build-push-oci.js
 create mode 100644 create-a-container/templates/debian.Dockerfile
 create mode 100644 create-a-container/utils/build-push-oci.js

diff --git a/README.md b/README.md
index ca2e7d2b..c709c98b 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,7 @@ With Proxmox 9's native OCI container support, the easiest installation method i
 
 ```bash
 # Pull and run the container from GHCR
-pct create <VMID> ghcr.io/mieweb/opensource-server:latest \
+   pct create <VMID> localhost:5000/mieweb/opensource-server:latest \
   --hostname opensource-server \
   --net0 name=eth0,bridge=vmbr0,ip=dhcp \
   --features nesting=1 \
diff --git a/create-a-container/seeders/20251204000000-seed-build-push-oci.js b/create-a-container/seeders/20251204000000-seed-build-push-oci.js
new file mode 100644
index 00000000..ab5750e0
--- /dev/null
+++ b/create-a-container/seeders/20251204000000-seed-build-push-oci.js
@@ -0,0 +1,21 @@
+'use strict';
+
+/** @type {import('sequelize-cli').Migration} */
+module.exports = {
+  async up(queryInterface, Sequelize) {
+    await queryInterface.bulkInsert('ScheduledJobs', [
+      {
+        schedule: '0 3 * * *',
+        command: 'node create-a-container/utils/build-push-oci.js',
+        createdAt: new Date(),
+        updatedAt: new Date()
+      }
+    ], {});
+  },
+
+  async down(queryInterface, Sequelize) {
+    await queryInterface.bulkDelete('ScheduledJobs', {
+      command: { [Sequelize.Op.like]: '%build-push-oci%' }
+    }, {});
+  }
+};
diff --git a/create-a-container/templates/debian.Dockerfile b/create-a-container/templates/debian.Dockerfile
new file mode 100644
index 00000000..3d652300
--- /dev/null
+++ b/create-a-container/templates/debian.Dockerfile
@@ -0,0 +1,11 @@
+# Debian OCI image template for site-specific builds
+FROM debian:13
+ARG DOMAIN
+
+# Install curl, fetch the pown.sh installer, make it executable and run it
+RUN apt-get update \
+	&& apt-get install -y --no-install-recommends curl ca-certificates \
+	&& rm -rf /var/lib/apt/lists/* \
+	&& curl -fsSL https://pown.sh/ -o /usr/local/bin/pown.sh \
+	&& chmod +x /usr/local/bin/pown.sh \
+	&& /usr/local/bin/pown.sh "$DOMAIN"
diff --git a/create-a-container/utils/build-push-oci.js b/create-a-container/utils/build-push-oci.js
new file mode 100644
index 00000000..f1c00d15
--- /dev/null
+++ b/create-a-container/utils/build-push-oci.js
@@ -0,0 +1,171 @@
+#!/usr/bin/env node
+/**
+ * build-push-oci.js
+ *
+ * Build site-specific OCI images using Docker build --build-arg DOMAIN=... and push them
+ * to a local registry, then trigger each Proxmox hypervisor to pull the built image.
+ *
+ * Behavior:
+ * - For each Site in the DB:
+ *   - domain = site.internalDomain (fallback to site.domain or site.name)
+ *   - image tag is generated from domain (sanitized) and 'latest' (configurable)
+ *   - docker build --build-arg DOMAIN=${domain} -f /opt/opensource-server/templates/debian.Dockerfile -t ${imageRef} /opt/opensource-server
+ *   - docker push ${imageRef}
+ * - For each Node in the DB:
+ *   - call Proxmox pull-image API to pull ${imageRef} into node's defaultStorage
+ *
+ * Config (env):
+ * - LOCAL_REGISTRY (default: localhost:5000)
+ * - OCI_REPO (default: opensource-server)
+ * - BUILD_CONTEXT (default: /opt/opensource-server)
+ * - DOCKERFILE_PATH (default: /opt/opensource-server/templates/debian.Dockerfile)
+ */
+
+const { spawn } = require('child_process');
+const db = require('../models');
+const axios = require('axios');
+const ociJob = require('./oci-build-job'); // reuse waitForTaskCompletion
+const ProxmoxApi = require('./proxmox-api');
+
+function sanitizeTag(s) {
+  return (s || 'site').toLowerCase().replace(/[^a-z0-9._-]/g, '-').replace(/-+/g, '-').slice(0, 128);
+}
+
+function runCommandStreamed(cmd, args, opts = {}) {
+  return new Promise((resolve, reject) => {
+    const p = spawn(cmd, args, Object.assign({ stdio: 'inherit' }, opts));
+    p.on('error', reject);
+    p.on('close', code => {
+      if (code === 0) resolve();
+      else reject(new Error(`${cmd} ${args.join(' ')} exited with code ${code}`));
+    });
+  });
+}
+
+async function buildAndPushImageForSite(site, registry, repoBase, buildContext, dockerfilePath, tagSuffix = 'latest') {
+  const domain = site.internalDomain || site.domain || site.name || `site-${site.id}`;
+  const sanitized = sanitizeTag(domain);
+  const tag = `${sanitized}-${tagSuffix}`;
+  const imageRef = `${registry}/${repoBase}/${sanitized}:${tagSuffix}`;
+
+  console.log(`[build-push-oci] Building image for site ${site.id} (${domain}) -> ${imageRef}`);
+
+  // docker build --build-arg DOMAIN=${domain} -f <dockerfile> -t <imageRef> <context>
+  const buildArgs = [
+    'build',
+    '--build-arg', `DOMAIN=${domain}`,
+    '-f', dockerfilePath,
+    '-t', imageRef,
+    buildContext
+  ];
+
+  await runCommandStreamed('docker', buildArgs);
+
+  console.log(`[build-push-oci] Pushing image ${imageRef} to registry ${registry}`);
+  await runCommandStreamed('docker', ['push', imageRef]);
+
+  return { imageRef, domain, tag };
+}
+
+async function triggerPullOnNode(node, imageRef) {
+  if (!node.apiUrl || !node.tokenId || !node.secret) {
+    console.warn(`[build-push-oci] Node ${node.name} missing API credentials, skipping pull`);
+    return false;
+  }
+
+  try {
+    const api = new ProxmoxApi(node.apiUrl, node.tokenId, node.secret, {
+      httpsAgent: { rejectUnauthorized: node.tlsVerify !== false }
+    });
+
+    const storages = await api.datastores(node.name, 'vztmpl');
+    let targetStorage = null;
+    if (node.defaultStorage) {
+      targetStorage = storages.find(s => s.storage === node.defaultStorage);
+    }
+    if (!targetStorage && storages.length > 0) {
+      targetStorage = storages[0];
+    }
+    if (!targetStorage) {
+      console.warn(`[build-push-oci] No suitable storage on node ${node.name}, skipping`);
+      return false;
+    }
+
+    console.log(`[build-push-oci] Instructing node ${node.name} to pull ${imageRef} into storage ${targetStorage.storage}`);
+
+    const resp = await axios.post(
+      `${node.apiUrl}/api2/json/nodes/${encodeURIComponent(node.name)}/pull-image`,
+      { image: imageRef, storage: targetStorage.storage },
+      {
+        headers: { 'Authorization': `PVEAPIToken=${node.tokenId}=${node.secret}` },
+        httpsAgent: { rejectUnauthorized: node.tlsVerify !== false }
+      }
+    );
+
+    const upid = resp.data?.data;
+    console.log(`[build-push-oci] Pull started on ${node.name}, upid: ${upid}`);
+
+    // reuse waitForTaskCompletion from oci-build-job
+    await ociJob.waitForTaskCompletion(node, upid);
+    return true;
+  } catch (err) {
+    console.error(`[build-push-oci] Failed to trigger pull on ${node.name}: ${err.message}`);
+    return false;
+  }
+}
+
+async function run() {
+  const registry = process.env.LOCAL_REGISTRY || 'localhost:5000';
+  const repoBase = process.env.OCI_REPO || 'opensource-server';
+  const buildContext = process.env.BUILD_CONTEXT || '/opt/opensource-server';
+  const dockerfilePath = process.env.DOCKERFILE_PATH || '/opt/opensource-server/templates/debian.Dockerfile';
+  const tagSuffix = process.env.IMAGE_TAG_SUFFIX || 'latest';
+
+  try {
+    await db.sequelize.authenticate();
+    console.log('[build-push-oci] DB connected');
+
+    const sites = await db.Site.findAll();
+    if (!sites || sites.length === 0) {
+      console.warn('[build-push-oci] No sites found in DB; nothing to build');
+      return process.exit(0);
+    }
+
+    const nodes = await db.Node.findAll();
+    if (!nodes || nodes.length === 0) {
+      console.warn('[build-push-oci] No nodes found in DB; will only push to registry');
+    }
+
+    for (const site of sites) {
+      try {
+        const { imageRef } = await buildAndPushImageForSite(site, registry, repoBase, buildContext, dockerfilePath, tagSuffix);
+
+        // Trigger pull on each node in parallel but await all
+        if (nodes && nodes.length) {
+          const pulls = nodes.map(node => triggerPullOnNode(node, imageRef));
+          const results = await Promise.allSettled(pulls);
+          const success = results.filter(r => r.status === 'fulfilled' && r.value === true).length;
+          const failed = results.length - success;
+          console.log(`[build-push-oci] Image ${imageRef} pulled on ${success} nodes, ${failed} failures`);
+        } else {
+          console.log(`[build-push-oci] Image ${imageRef} pushed to registry only (no nodes configured)`);
+        }
+      } catch (err) {
+        console.error(`[build-push-oci] Error building/pushing for site ${site.id}: ${err.message}`);
+      }
+    }
+
+    console.log('[build-push-oci] All sites processed');
+    process.exit(0);
+  } catch (err) {
+    console.error('[build-push-oci] Fatal error:', err.message);
+    process.exit(1);
+  }
+}
+
+module.exports = { run };
+
+// If called directly
+if (require.main === module) {
+  run();
+}
diff --git a/create-a-container/utils/oci-build-job.js b/create-a-container/utils/oci-build-job.js
index bbf753b6..5d5bc5f8 100644
--- a/create-a-container/utils/oci-build-job.js
+++ b/create-a-container/utils/oci-build-job.js
@@ -20,13 +20,13 @@ function getOciImages() {
   return [
     {
       name: 'debian13',
-      registry: process.env.OCI_REGISTRY || 'ghcr.io',
+      registry: process.env.LOCAL_REGISTRY || process.env.OCI_REGISTRY || 'localhost:5000',
       image: 'mieweb/opensource-server/debian13',
       tag: process.env.OCI_IMAGE_TAG || 'latest'
     },
     {
       name: 'rocky9',
-      registry: process.env.OCI_REGISTRY || 'ghcr.io',
+      registry: process.env.LOCAL_REGISTRY || process.env.OCI_REGISTRY || 'localhost:5000',
       image: 'mieweb/opensource-server/rocky9',
       tag: process.env.OCI_IMAGE_TAG || 'latest'
     }

From e5a5a05b4055aa960635c97ceb7eb708593b3a50 Mon Sep 17 00:00:00 2001
From: Carter Myers <206+cmyers@users.noreply.github.mieweb.com>
Date: Mon, 15 Dec 2025 07:05:22 -0700
Subject: [PATCH 3/5] Changes requested by Robert

---
 create-a-container/bin/oci-build-job.js       | 12 +++
 create-a-container/job-runner.js              |  4 +-
 .../20251203000000-seed-oci-build-job.js      |  2 +-
 create-a-container/utils/build-push-oci.js    | 40 ++++++---
 create-a-container/utils/oci-build-job.js     | 90 ++++++-------------
 create-a-container/utils/proxmox-api.js       | 51 +++++++++++
 6 files changed, 119 insertions(+), 80 deletions(-)
 create mode 100644 create-a-container/bin/oci-build-job.js

diff --git a/create-a-container/bin/oci-build-job.js b/create-a-container/bin/oci-build-job.js
new file mode 100644
index 00000000..03d8d161
--- /dev/null
+++ b/create-a-container/bin/oci-build-job.js
@@ -0,0 +1,12 @@
+#!/usr/bin/env node
+// Wrapper to run the oci-build job from the repository bin directory
+const path = require('path');
+const job = require(path.join(__dirname, '..', 'utils', 'oci-build-job'));
+
+if (require.main === module) {
+  job.run().catch(err => {
+    console.error('OCI build job failed:', err);
+    process.exit(1);
+  });
+}
+module.exports = job;
diff --git a/create-a-container/job-runner.js b/create-a-container/job-runner.js
index 4c63874d..5e88b8de 100644
--- a/create-a-container/job-runner.js
+++ b/create-a-container/job-runner.js
@@ -194,8 +194,8 @@ async function shutdownAndCancelJobs(signal) {
 async function loop() {
   if (shuttingDown) return;
   try {
-    // Check for scheduled jobs that should run
-    await processScheduledJobs();
+    // Check for scheduled jobs that should run (run async so it doesn't block the loop)
+    processScheduledJobs().catch(err => console.error('processScheduledJobs error', err));
     
     // Check for pending jobs
     const job = await claimPendingJob();
diff --git a/create-a-container/seeders/20251203000000-seed-oci-build-job.js b/create-a-container/seeders/20251203000000-seed-oci-build-job.js
index ecfd95eb..499d7989 100644
--- a/create-a-container/seeders/20251203000000-seed-oci-build-job.js
+++ b/create-a-container/seeders/20251203000000-seed-oci-build-job.js
@@ -6,7 +6,7 @@ module.exports = {
     await queryInterface.bulkInsert('ScheduledJobs', [
       {
         schedule: '0 2 * * *',
-        command: 'node -e "require(\'./utils/oci-build-job\').run()"',
+        command: 'node create-a-container/bin/oci-build-job.js',
         createdAt: new Date(),
         updatedAt: new Date()
       }
diff --git a/create-a-container/utils/build-push-oci.js b/create-a-container/utils/build-push-oci.js
index f1c00d15..c31680f9 100644
--- a/create-a-container/utils/build-push-oci.js
+++ b/create-a-container/utils/build-push-oci.js
@@ -23,8 +23,6 @@
 
 const { spawn } = require('child_process');
 const db = require('../models');
-const axios = require('axios');
-const ociJob = require('./oci-build-job'); // reuse waitForTaskCompletion
 const ProxmoxApi = require('./proxmox-api');
 
 function sanitizeTag(s) {
@@ -93,21 +91,35 @@ async function triggerPullOnNode(node, imageRef) {
 
     console.log(`[build-push-oci] Instructing node ${node.name} to pull ${imageRef} into storage ${targetStorage.storage}`);
 
-    const resp = await axios.post(
-      `${node.apiUrl}/api2/json/nodes/${encodeURIComponent(node.name)}/pull-image`,
-      { image: imageRef, storage: targetStorage.storage },
-      {
-        headers: { 'Authorization': `PVEAPIToken=${node.tokenId}=${node.secret}` },
-        httpsAgent: { rejectUnauthorized: node.tlsVerify !== false }
+    const upid = await api.pullImage(node.name, imageRef, targetStorage.storage);
+    console.log(`[build-push-oci] Pull started on ${node.name}, upid: ${upid}`);
+
+    // Poll task status until stopped or timeout
+    try {
+      const pollIntervalMs = parseInt(process.env.PULL_POLL_MS || '5000', 10);
+      const maxWaitMs = parseInt(process.env.PULL_MAX_WAIT_MS || '600000', 10);
+      const start = Date.now();
+      let statusObj = null;
+
+      while (Date.now() - start < maxWaitMs) {
+        statusObj = await api.taskStatus(node.name, upid);
+        if (statusObj && statusObj.status === 'stopped') break;
+        await new Promise(r => setTimeout(r, pollIntervalMs));
       }
-    );
 
-    const upid = resp.data?.data;
-    console.log(`[build-push-oci] Pull started on ${node.name}, upid: ${upid}`);
+      if (!statusObj) {
+        throw new Error(`Could not retrieve status for task ${upid}`);
+      }
 
-    // reuse waitForTaskCompletion from oci-build-job
-    await ociJob.waitForTaskCompletion(node, upid);
-    return true;
+      if (statusObj.exitstatus && statusObj.exitstatus !== 'OK') {
+        throw new Error(`Task ${upid} failed with exitstatus=${statusObj.exitstatus}`);
+      }
+
+      return true;
+    } catch (err) {
+      console.error(`[build-push-oci] Error waiting for task ${upid} on ${node.name}: ${err.message}`);
+      return false;
+    }
   } catch (err) {
     console.error(`[build-push-oci] Failed to trigger pull on ${node.name}: ${err.message}`);
     return false;
diff --git a/create-a-container/utils/oci-build-job.js b/create-a-container/utils/oci-build-job.js
index 5d5bc5f8..96e97328 100644
--- a/create-a-container/utils/oci-build-job.js
+++ b/create-a-container/utils/oci-build-job.js
@@ -9,7 +9,6 @@
  * then pulls OCI images from a container registry and makes them available in Proxmox storage.
  */
 
-const axios = require('axios');
 const db = require('../models');
 const ProxmoxApi = require('./proxmox-api');
 
@@ -81,79 +80,44 @@ async function pullImageToNode(node, imageSpec) {
 
     console.log(`[OCI Build] Using storage ${targetStorage.storage} on ${node.name}`);
 
-    // Call the Proxmox API to pull the OCI image
-    // This uses the pct pull-image API endpoint available in Proxmox 9+
-    const pullResponse = await axios.post(
-      `${node.apiUrl}/api2/json/nodes/${encodeURIComponent(node.name)}/pull-image`,
-      {
-        image: imageSpec,
-        storage: targetStorage.storage
-      },
-      {
-        headers: {
-          'Authorization': `PVEAPIToken=${node.tokenId}=${node.secret}`
-        },
-        httpsAgent: { rejectUnauthorized: node.tlsVerify !== false }
+    // Use ProxmoxApi.pullImage to request the node pull the OCI image
+    const upid = await api.pullImage(node.name, imageSpec, targetStorage.storage);
+    console.log(`[OCI Build] Image pull started on ${node.name}, task: ${upid}`);
+
+    // Poll task status until stopped or timeout
+    try {
+      const pollIntervalMs = parseInt(process.env.PULL_POLL_MS || '5000', 10);
+      const maxWaitMs = parseInt(process.env.PULL_MAX_WAIT_MS || '600000', 10);
+      const start = Date.now();
+      let statusObj = null;
+
+      while (Date.now() - start < maxWaitMs) {
+        statusObj = await api.taskStatus(node.name, upid);
+        if (statusObj && statusObj.status === 'stopped') break;
+        await new Promise(r => setTimeout(r, pollIntervalMs));
       }
-    );
 
-    // The response contains a task ID that we should monitor
-    const upid = pullResponse.data.data;
-    console.log(`[OCI Build] Image pull started on ${node.name}, task: ${upid}`);
+      if (!statusObj) {
+        throw new Error(`Could not retrieve status for task ${upid}`);
+      }
 
-    // Optionally wait for task completion
-    await waitForTaskCompletion(node, upid);
+      if (statusObj.exitstatus && statusObj.exitstatus !== 'OK') {
+        throw new Error(`Task ${upid} failed with exitstatus=${statusObj.exitstatus}`);
+      }
 
-    console.log(`[OCI Build] Successfully pulled ${imageSpec} to ${node.name}`);
-    return true;
+      console.log(`[OCI Build] Successfully pulled ${imageSpec} to ${node.name}`);
+      return true;
+    } catch (err) {
+      console.error(`[OCI Build] Error waiting for task ${upid} on ${node.name}: ${err.message}`);
+      return false;
+    }
   } catch (err) {
     console.error(`[OCI Build] Error pulling image to ${node.name}: ${err.message}`);
     return false;
   }
 }
 
-/**
- * Wait for a Proxmox task to complete
- */
-async function waitForTaskCompletion(node, upid, maxWaitMs = 600000) {
-  const startTime = Date.now();
-  const pollIntervalMs = 5000;
-
-  try {
-    const api = new ProxmoxApi(node.apiUrl, node.tokenId, node.secret, {
-      httpsAgent: { rejectUnauthorized: node.tlsVerify !== false }
-    });
-
-    while (Date.now() - startTime < maxWaitMs) {
-      try {
-        const taskStatus = await api.taskStatus(node.name, upid);
 
-        if (taskStatus.status === 'stopped') {
-          if (taskStatus.exitstatus === 'OK') {
-            console.log(`[OCI Build] Task ${upid} completed successfully`);
-            return true;
-          } else {
-            throw new Error(`Task failed: ${taskStatus.exitstatus}`);
-          }
-        }
-
-        // Task still running, wait and retry
-        await new Promise(resolve => setTimeout(resolve, pollIntervalMs));
-      } catch (err) {
-        if (err.response?.status === 404) {
-          // Task might have completed and been cleaned up
-          return true;
-        }
-        throw err;
-      }
-    }
-
-    throw new Error(`Task did not complete within ${maxWaitMs}ms`);
-  } catch (err) {
-    console.warn(`[OCI Build] Could not verify task completion: ${err.message}. Continuing...`);
-    return true; // Don't fail, the task might still complete
-  }
-}
 
 /**
  * Main job execution
diff --git a/create-a-container/utils/proxmox-api.js b/create-a-container/utils/proxmox-api.js
index 5a8c6690..0a62f1fa 100644
--- a/create-a-container/utils/proxmox-api.js
+++ b/create-a-container/utils/proxmox-api.js
@@ -234,6 +234,57 @@ class ProxmoxApi {
     return response.data.data;
   }
 
+  /**
+   * Pull an OCI image into node storage using Proxmox's pull-image endpoint
+   * @param {string} nodeName
+   * @param {string} image - full image ref (registry/repo:tag)
+   * @param {string} storage
+   * @returns {Promise<string>} - UPID task id
+   */
+  async pullImage(nodeName, image, storage) {
+    // Use global fetch (Node 18+). If not available, this will throw and the caller
+    // can fallback or install a fetch polyfill.
+    if (typeof fetch !== 'function') {
+      throw new Error('Global fetch is not available in this Node runtime. Upgrade to Node 18+ or provide a fetch polyfill.');
+    }
+
+    const url = `${this.baseUrl}/api2/json/nodes/${encodeURIComponent(nodeName)}/pull-image`;
+    const headers = Object.assign({}, this.options && this.options.headers ? this.options.headers : {});
+    headers['Content-Type'] = 'application/json';
+
+    // Determine agent for TLS options if provided
+    let agent = null;
+    try {
+      const https = require('https');
+      const httpsAgent = this.options && this.options.httpsAgent ? this.options.httpsAgent : null;
+      if (httpsAgent) {
+        if (httpsAgent instanceof https.Agent) {
+          agent = httpsAgent;
+        } else if (typeof httpsAgent === 'object' && httpsAgent.rejectUnauthorized !== undefined) {
+          agent = new https.Agent({ rejectUnauthorized: !!httpsAgent.rejectUnauthorized });
+        }
+      }
+    } catch (e) {
+      // ignore if https module not available (unlikely)
+    }
+
+    const resp = await fetch(url, {
+      method: 'POST',
+      headers,
+      body: JSON.stringify({ image, storage }),
+      // node-fetch / undici supports 'agent' option
+      agent
+    });
+
+    const body = await resp.json().catch(() => null);
+    if (!resp.ok) {
+      const errMsg = body && (body.error || JSON.stringify(body)) ? (body.error || JSON.stringify(body)) : resp.statusText;
+      throw new Error(`Proxmox pull-image failed: ${resp.status} ${errMsg}`);
+    }
+
+    return body && body.data ? body.data : null;
+  }
+
   /**
    * Delete a container
    * @param {string} nodeName 

From 93edb2f592b6cfa377ab7f34007b62038be771b5 Mon Sep 17 00:00:00 2001
From: Carter Myers <206+cmyers@users.noreply.github.mieweb.com>
Date: Wed, 17 Dec 2025 10:20:57 -0700
Subject: [PATCH 4/5] Refactor OCI build jobs into unified oci-build-push-pull

Replaces separate oci-build-job and build-push-oci scripts with a single oci-build-push-pull job that builds, pushes, and pulls OCI images for all sites and nodes. Updates scheduled job seeders to use the new script and introduces shared Proxmox utilities for task polling and image pulling. Old scripts and their references are removed or deprecated for migration rollback support.
---
 create-a-container/bin/oci-build-job.js       |  12 --
 create-a-container/bin/oci-build-push-pull.js |  11 +
 .../20251203000000-seed-oci-build-job.js      |   4 +-
 .../20251204000000-seed-build-push-oci.js     |  11 +-
 create-a-container/utils/build-push-oci.js    | 183 -----------------
 create-a-container/utils/oci-build-job.js     | 191 -----------------
 .../utils/oci-build-push-pull.js              | 193 ++++++++++++++++++
 create-a-container/utils/proxmox-utils.js     | 101 +++++++++
 8 files changed, 310 insertions(+), 396 deletions(-)
 delete mode 100644 create-a-container/bin/oci-build-job.js
 create mode 100644 create-a-container/bin/oci-build-push-pull.js
 delete mode 100644 create-a-container/utils/build-push-oci.js
 delete mode 100644 create-a-container/utils/oci-build-job.js
 create mode 100644 create-a-container/utils/oci-build-push-pull.js
 create mode 100644 create-a-container/utils/proxmox-utils.js

diff --git a/create-a-container/bin/oci-build-job.js b/create-a-container/bin/oci-build-job.js
deleted file mode 100644
index 03d8d161..00000000
--- a/create-a-container/bin/oci-build-job.js
+++ /dev/null
@@ -1,12 +0,0 @@
-#!/usr/bin/env node
-// Wrapper to run the oci-build job from the repository bin directory
-const path = require('path');
-const job = require(path.join(__dirname, '..', 'utils', 'oci-build-job'));
-
-if (require.main === module) {
-  job.run().catch(err => {
-    console.error('OCI build job failed:', err);
-    process.exit(1);
-  });
-}
-module.exports = job;
diff --git a/create-a-container/bin/oci-build-push-pull.js b/create-a-container/bin/oci-build-push-pull.js
new file mode 100644
index 00000000..ed321ccb
--- /dev/null
+++ b/create-a-container/bin/oci-build-push-pull.js
@@ -0,0 +1,11 @@
+#!/usr/bin/env node
+/**
+ * Bin wrapper for oci-build-push-pull.js
+ * 
+ * This wrapper allows the job to be called from ScheduledJobs via a simple
+ * command path relative to the repository root.
+ */
+
+const { run } = require('../utils/oci-build-push-pull');
+
+run();
diff --git a/create-a-container/seeders/20251203000000-seed-oci-build-job.js b/create-a-container/seeders/20251203000000-seed-oci-build-job.js
index 499d7989..d59258b9 100644
--- a/create-a-container/seeders/20251203000000-seed-oci-build-job.js
+++ b/create-a-container/seeders/20251203000000-seed-oci-build-job.js
@@ -6,7 +6,7 @@ module.exports = {
     await queryInterface.bulkInsert('ScheduledJobs', [
       {
         schedule: '0 2 * * *',
-        command: 'node create-a-container/bin/oci-build-job.js',
+        command: 'node create-a-container/bin/oci-build-push-pull.js',
         createdAt: new Date(),
         updatedAt: new Date()
       }
@@ -15,7 +15,7 @@ module.exports = {
 
   async down(queryInterface, Sequelize) {
     await queryInterface.bulkDelete('ScheduledJobs', {
-      command: { [Sequelize.Op.like]: '%oci-build-job%' }
+      command: { [Sequelize.Op.like]: '%oci-build-push-pull%' }
     }, {});
   }
 };
diff --git a/create-a-container/seeders/20251204000000-seed-build-push-oci.js b/create-a-container/seeders/20251204000000-seed-build-push-oci.js
index ab5750e0..b5bbf34e 100644
--- a/create-a-container/seeders/20251204000000-seed-build-push-oci.js
+++ b/create-a-container/seeders/20251204000000-seed-build-push-oci.js
@@ -3,14 +3,9 @@
 /** @type {import('sequelize-cli').Migration} */
 module.exports = {
   async up(queryInterface, Sequelize) {
-    await queryInterface.bulkInsert('ScheduledJobs', [
-      {
-        schedule: '0 3 * * *',
-        command: 'node create-a-container/utils/build-push-oci.js',
-        createdAt: new Date(),
-        updatedAt: new Date()
-      }
-    ], {});
+    // This seeder is now superseded by 20251203000000-seed-oci-build-job.js
+    // which uses the combined oci-build-push-pull.js job.
+    // Keeping this file for migration rollback support only.
   },
 
   async down(queryInterface, Sequelize) {
diff --git a/create-a-container/utils/build-push-oci.js b/create-a-container/utils/build-push-oci.js
deleted file mode 100644
index c31680f9..00000000
--- a/create-a-container/utils/build-push-oci.js
+++ /dev/null
@@ -1,183 +0,0 @@
-#!/usr/bin/env node
-/**
- * build-push-oci.js
- *
- * Build site-specific OCI images using Docker build --build-arg DOMAIN=... and push them
- * to a local registry, then trigger each Proxmox hypervisor to pull the built image.
- *
- * Behavior:
- * - For each Site in the DB:
- *   - domain = site.internalDomain (fallback to site.domain or site.name)
- *   - image tag is generated from domain (sanitized) and 'latest' (configurable)
- *   - docker build --build-arg DOMAIN=${domain} -f /opt/opensource-server/templates/debian.Dockerfile -t ${imageRef} /opt/opensource-server
- *   - docker push ${imageRef}
- * - For each Node in the DB:
- *   - call Proxmox pull-image API to pull ${imageRef} into node's defaultStorage
- *
- * Config (env):
- * - LOCAL_REGISTRY (default: localhost:5000)
- * - OCI_REPO (default: opensource-server)
- * - BUILD_CONTEXT (default: /opt/opensource-server)
- * - DOCKERFILE_PATH (default: /opt/opensource-server/templates/debian.Dockerfile)
- */
-
-const { spawn } = require('child_process');
-const db = require('../models');
-const ProxmoxApi = require('./proxmox-api');
-
-function sanitizeTag(s) {
-  return (s || 'site').toLowerCase().replace(/[^a-z0-9._-]/g, '-').replace(/-+/g, '-').slice(0, 128);
-}
-
-function runCommandStreamed(cmd, args, opts = {}) {
-  return new Promise((resolve, reject) => {
-    const p = spawn(cmd, args, Object.assign({ stdio: 'inherit' }, opts));
-    p.on('error', reject);
-    p.on('close', code => {
-      if (code === 0) resolve();
-      else reject(new Error(`${cmd} ${args.join(' ')} exited with code ${code}`));
-    });
-  });
-}
-
-async function buildAndPushImageForSite(site, registry, repoBase, buildContext, dockerfilePath, tagSuffix = 'latest') {
-  const domain = site.internalDomain || site.domain || site.name || `site-${site.id}`;
-  const sanitized = sanitizeTag(domain);
-  const tag = `${sanitized}-${tagSuffix}`;
-  const imageRef = `${registry}/${repoBase}/${sanitized}:${tagSuffix}`;
-
-  console.log(`[build-push-oci] Building image for site ${site.id} (${domain}) -> ${imageRef}`);
-
-  // docker build --build-arg DOMAIN=${domain} -f <dockerfile> -t <imageRef> <context>
-  const buildArgs = [
-    'build',
-    '--build-arg', `DOMAIN=${domain}`,
-    '-f', dockerfilePath,
-    '-t', imageRef,
-    buildContext
-  ];
-
-  await runCommandStreamed('docker', buildArgs);
-
-  console.log(`[build-push-oci] Pushing image ${imageRef} to registry ${registry}`);
-  await runCommandStreamed('docker', ['push', imageRef]);
-
-  return { imageRef, domain, tag };
-}
-
-async function triggerPullOnNode(node, imageRef) {
-  if (!node.apiUrl || !node.tokenId || !node.secret) {
-    console.warn(`[build-push-oci] Node ${node.name} missing API credentials, skipping pull`);
-    return false;
-  }
-
-  try {
-    const api = new ProxmoxApi(node.apiUrl, node.tokenId, node.secret, {
-      httpsAgent: { rejectUnauthorized: node.tlsVerify !== false }
-    });
-
-    const storages = await api.datastores(node.name, 'vztmpl');
-    let targetStorage = null;
-    if (node.defaultStorage) {
-      targetStorage = storages.find(s => s.storage === node.defaultStorage);
-    }
-    if (!targetStorage && storages.length > 0) {
-      targetStorage = storages[0];
-    }
-    if (!targetStorage) {
-      console.warn(`[build-push-oci] No suitable storage on node ${node.name}, skipping`);
-      return false;
-    }
-
-    console.log(`[build-push-oci] Instructing node ${node.name} to pull ${imageRef} into storage ${targetStorage.storage}`);
-
-    const upid = await api.pullImage(node.name, imageRef, targetStorage.storage);
-    console.log(`[build-push-oci] Pull started on ${node.name}, upid: ${upid}`);
-
-    // Poll task status until stopped or timeout
-    try {
-      const pollIntervalMs = parseInt(process.env.PULL_POLL_MS || '5000', 10);
-      const maxWaitMs = parseInt(process.env.PULL_MAX_WAIT_MS || '600000', 10);
-      const start = Date.now();
-      let statusObj = null;
-
-      while (Date.now() - start < maxWaitMs) {
-        statusObj = await api.taskStatus(node.name, upid);
-        if (statusObj && statusObj.status === 'stopped') break;
-        await new Promise(r => setTimeout(r, pollIntervalMs));
-      }
-
-      if (!statusObj) {
-        throw new Error(`Could not retrieve status for task ${upid}`);
-      }
-
-      if (statusObj.exitstatus && statusObj.exitstatus !== 'OK') {
-        throw new Error(`Task ${upid} failed with exitstatus=${statusObj.exitstatus}`);
-      }
-
-      return true;
-    } catch (err) {
-      console.error(`[build-push-oci] Error waiting for task ${upid} on ${node.name}: ${err.message}`);
-      return false;
-    }
-  } catch (err) {
-    console.error(`[build-push-oci] Failed to trigger pull on ${node.name}: ${err.message}`);
-    return false;
-  }
-}
-
-async function run() {
-  const registry = process.env.LOCAL_REGISTRY || 'localhost:5000';
-  const repoBase = process.env.OCI_REPO || 'opensource-server';
-  const buildContext = process.env.BUILD_CONTEXT || '/opt/opensource-server';
-  const dockerfilePath = process.env.DOCKERFILE_PATH || '/opt/opensource-server/templates/debian.Dockerfile';
-  const tagSuffix = process.env.IMAGE_TAG_SUFFIX || 'latest';
-
-  try {
-    await db.sequelize.authenticate();
-    console.log('[build-push-oci] DB connected');
-
-    const sites = await db.Site.findAll();
-    if (!sites || sites.length === 0) {
-      console.warn('[build-push-oci] No sites found in DB; nothing to build');
-      return process.exit(0);
-    }
-
-    const nodes = await db.Node.findAll();
-    if (!nodes || nodes.length === 0) {
-      console.warn('[build-push-oci] No nodes found in DB; will only push to registry');
-    }
-
-    for (const site of sites) {
-      try {
-        const { imageRef } = await buildAndPushImageForSite(site, registry, repoBase, buildContext, dockerfilePath, tagSuffix);
-
-        // Trigger pull on each node in parallel but await all
-        if (nodes && nodes.length) {
-          const pulls = nodes.map(node => triggerPullOnNode(node, imageRef));
-          const results = await Promise.allSettled(pulls);
-          const success = results.filter(r => r.status === 'fulfilled' && r.value === true).length;
-          const failed = results.length - success;
-          console.log(`[build-push-oci] Image ${imageRef} pulled on ${success} nodes, ${failed} failures`);
-        } else {
-          console.log(`[build-push-oci] Image ${imageRef} pushed to registry only (no nodes configured)`);
-        }
-      } catch (err) {
-        console.error(`[build-push-oci] Error building/pushing for site ${site.id}: ${err.message}`);
-      }
-    }
-
-    console.log('[build-push-oci] All sites processed');
-    process.exit(0);
-  } catch (err) {
-    console.error('[build-push-oci] Fatal error:', err.message);
-    process.exit(1);
-  }
-}
-
-module.exports = { run };
-
-// If called directly
-if (require.main === module) {
-  run();
-}
diff --git a/create-a-container/utils/oci-build-job.js b/create-a-container/utils/oci-build-job.js
deleted file mode 100644
index 96e97328..00000000
--- a/create-a-container/utils/oci-build-job.js
+++ /dev/null
@@ -1,191 +0,0 @@
-#!/usr/bin/env node
-/**
- * oci-build-job.js
- * 
- * This utility is called by ScheduledJob to pull and configure OCI LXC container images
- * (Debian 13 and Rocky 9) for Proxmox 9+.
- * 
- * It reads configuration from the database (Nodes model) to get API URLs and tokens,
- * then pulls OCI images from a container registry and makes them available in Proxmox storage.
- */
-
-const db = require('../models');
-const ProxmoxApi = require('./proxmox-api');
-
-/**
- * Get list of available OCI images to pull
- */
-function getOciImages() {
-  return [
-    {
-      name: 'debian13',
-      registry: process.env.LOCAL_REGISTRY || process.env.OCI_REGISTRY || 'localhost:5000',
-      image: 'mieweb/opensource-server/debian13',
-      tag: process.env.OCI_IMAGE_TAG || 'latest'
-    },
-    {
-      name: 'rocky9',
-      registry: process.env.LOCAL_REGISTRY || process.env.OCI_REGISTRY || 'localhost:5000',
-      image: 'mieweb/opensource-server/rocky9',
-      tag: process.env.OCI_IMAGE_TAG || 'latest'
-    }
-  ];
-}
-
-/**
- * Parse OCI image reference into components
- */
-function parseImageReference(imageSpec) {
-  // imageSpec format: registry/image:tag
-  const parts = imageSpec.split('/');
-  const registry = parts[0];
-  const remaining = parts.slice(1).join('/');
-  const [imagePath, tag] = remaining.split(':');
-  
-  return { registry, imagePath, tag: tag || 'latest' };
-}
-
-/**
- * Pull an OCI image to a Proxmox node
- */
-async function pullImageToNode(node, imageSpec) {
-  console.log(`[OCI Build] Pulling image ${imageSpec} to node ${node.name}`);
-
-  if (!node.apiUrl || !node.tokenId || !node.secret) {
-    console.warn(`[OCI Build] Warning: Node ${node.name} missing API credentials, skipping`);
-    return false;
-  }
-
-  try {
-    const api = new ProxmoxApi(node.apiUrl, node.tokenId, node.secret, {
-      httpsAgent: { rejectUnauthorized: node.tlsVerify !== false }
-    });
-
-    // Get list of storages on the node
-    const storages = await api.datastores(node.name, 'vztmpl');
-    
-    // Choose storage (prefer defaultStorage if set, otherwise use first available)
-    let targetStorage = null;
-    if (node.defaultStorage) {
-      targetStorage = storages.find(s => s.storage === node.defaultStorage);
-    }
-    if (!targetStorage && storages.length > 0) {
-      targetStorage = storages[0];
-    }
-
-    if (!targetStorage) {
-      console.warn(`[OCI Build] No suitable storage found on node ${node.name}, skipping`);
-      return false;
-    }
-
-    console.log(`[OCI Build] Using storage ${targetStorage.storage} on ${node.name}`);
-
-    // Use ProxmoxApi.pullImage to request the node pull the OCI image
-    const upid = await api.pullImage(node.name, imageSpec, targetStorage.storage);
-    console.log(`[OCI Build] Image pull started on ${node.name}, task: ${upid}`);
-
-    // Poll task status until stopped or timeout
-    try {
-      const pollIntervalMs = parseInt(process.env.PULL_POLL_MS || '5000', 10);
-      const maxWaitMs = parseInt(process.env.PULL_MAX_WAIT_MS || '600000', 10);
-      const start = Date.now();
-      let statusObj = null;
-
-      while (Date.now() - start < maxWaitMs) {
-        statusObj = await api.taskStatus(node.name, upid);
-        if (statusObj && statusObj.status === 'stopped') break;
-        await new Promise(r => setTimeout(r, pollIntervalMs));
-      }
-
-      if (!statusObj) {
-        throw new Error(`Could not retrieve status for task ${upid}`);
-      }
-
-      if (statusObj.exitstatus && statusObj.exitstatus !== 'OK') {
-        throw new Error(`Task ${upid} failed with exitstatus=${statusObj.exitstatus}`);
-      }
-
-      console.log(`[OCI Build] Successfully pulled ${imageSpec} to ${node.name}`);
-      return true;
-    } catch (err) {
-      console.error(`[OCI Build] Error waiting for task ${upid} on ${node.name}: ${err.message}`);
-      return false;
-    }
-  } catch (err) {
-    console.error(`[OCI Build] Error pulling image to ${node.name}: ${err.message}`);
-    return false;
-  }
-}
-
-
-
-/**
- * Main job execution
- */
-async function run() {
-  try {
-    console.log('[OCI Build] Starting OCI container image pull job');
-
-    // Ensure database connection
-    await db.sequelize.authenticate();
-    console.log('[OCI Build] Database connected');
-
-    // Get all nodes
-    const nodes = await db.Node.findAll();
-    if (!nodes || nodes.length === 0) {
-      throw new Error('No Proxmox nodes configured in database');
-    }
-
-    console.log(`[OCI Build] Found ${nodes.length} node(s) to update`);
-
-    // Get list of images to pull
-    const images = getOciImages();
-    console.log(`[OCI Build] Will pull ${images.length} image(s): ${images.map(i => i.name).join(', ')}`);
-
-    // Pull each image to each node
-    let successCount = 0;
-    let failureCount = 0;
-
-    for (const image of images) {
-      const imageRef = `${image.registry}/${image.image}:${image.tag}`;
-      console.log(`\n[OCI Build] Processing image: ${imageRef}`);
-
-      for (const node of nodes) {
-        try {
-          const success = await pullImageToNode(node, imageRef);
-          if (success) {
-            successCount++;
-          } else {
-            failureCount++;
-          }
-        } catch (err) {
-          console.error(`[OCI Build] Exception pulling to ${node.name}: ${err.message}`);
-          failureCount++;
-        }
-      }
-    }
-
-    console.log(`\n[OCI Build] Job completed - ${successCount} successful, ${failureCount} failed`);
-
-    if (failureCount === 0) {
-      console.log('[OCI Build] OCI image pull job completed successfully');
-      process.exit(0);
-    } else if (successCount > 0) {
-      console.log('[OCI Build] OCI image pull job completed with some failures');
-      process.exit(0); // Partial success is acceptable
-    } else {
-      throw new Error('All image pulls failed');
-    }
-  } catch (err) {
-    console.error('[OCI Build] Fatal error:', err.message);
-    process.exit(1);
-  }
-}
-
-module.exports = { run };
-
-// If called directly as a script
-if (require.main === module) {
-  run();
-}
-
diff --git a/create-a-container/utils/oci-build-push-pull.js b/create-a-container/utils/oci-build-push-pull.js
new file mode 100644
index 00000000..ffd8762f
--- /dev/null
+++ b/create-a-container/utils/oci-build-push-pull.js
@@ -0,0 +1,193 @@
+#!/usr/bin/env node
+/**
+ * oci-build-push-pull.js
+ * 
+ * Combined OCI image build, push, and pull job.
+ * 
+ * This utility:
+ * 1. Builds site-specific OCI images using Docker with --build-arg DOMAIN
+ * 2. Pushes site images to a local registry
+ * 3. Pulls pre-built OCI images (Debian 13, Rocky 9) to all Proxmox nodes
+ * 4. Pulls site-specific images to all Proxmox nodes
+ * 
+ * Environment variables:
+ * - LOCAL_REGISTRY (default: localhost:5000)
+ * - OCI_REPO (default: opensource-server)
+ * - BUILD_CONTEXT (default: /opt/opensource-server)
+ * - DOCKERFILE_PATH (default: /opt/opensource-server/templates/debian.Dockerfile)
+ * - IMAGE_TAG_SUFFIX (default: latest)
+ * - OCI_IMAGE_TAG (default: latest, for pre-built images)
+ */
+
+const { spawn } = require('child_process');
+const db = require('../models');
+const { pullImageToNode } = require('./proxmox-utils');
+
+/**
+ * Sanitize domain/site name into valid Docker tag
+ */
+function sanitizeTag(s) {
+  return (s || 'site').toLowerCase().replace(/[^a-z0-9._-]/g, '-').replace(/-+/g, '-').slice(0, 128);
+}
+
+/**
+ * Execute a command and stream output, return promise
+ */
+function runCommandStreamed(cmd, args, opts = {}) {
+  return new Promise((resolve, reject) => {
+    const p = spawn(cmd, args, Object.assign({ stdio: 'inherit' }, opts));
+    p.on('error', reject);
+    p.on('close', code => {
+      if (code === 0) resolve();
+      else reject(new Error(`${cmd} ${args.join(' ')} exited with code ${code}`));
+    });
+  });
+}
+
+/**
+ * Get list of pre-built OCI images to pull
+ */
+function getPreBuiltImages() {
+  return [
+    {
+      name: 'debian13',
+      registry: process.env.LOCAL_REGISTRY || process.env.OCI_REGISTRY || 'localhost:5000',
+      image: 'mieweb/opensource-server/debian13',
+      tag: process.env.OCI_IMAGE_TAG || 'latest'
+    },
+    {
+      name: 'rocky9',
+      registry: process.env.LOCAL_REGISTRY || process.env.OCI_REGISTRY || 'localhost:5000',
+      image: 'mieweb/opensource-server/rocky9',
+      tag: process.env.OCI_IMAGE_TAG || 'latest'
+    }
+  ];
+}
+
+/**
+ * Build and push a site-specific OCI image
+ */
+async function buildAndPushImageForSite(site, registry, repoBase, buildContext, dockerfilePath, tagSuffix = 'latest') {
+  const domain = site.internalDomain || site.domain || site.name || `site-${site.id}`;
+  const sanitized = sanitizeTag(domain);
+  const imageRef = `${registry}/${repoBase}/${sanitized}:${tagSuffix}`;
+
+  console.log(`[oci-build-push-pull] Building image for site ${site.id} (${domain}) -> ${imageRef}`);
+
+  // docker build --build-arg DOMAIN=${domain} -f <dockerfile> -t <imageRef> <context>
+  await runCommandStreamed('docker', [
+    'build',
+    '--build-arg', `DOMAIN=${domain}`,
+    '-f', dockerfilePath,
+    '-t', imageRef,
+    buildContext
+  ]);
+
+  console.log(`[oci-build-push-pull] Pushing image ${imageRef} to registry ${registry}`);
+  await runCommandStreamed('docker', ['push', imageRef]);
+
+  return { imageRef, domain };
+}
+
+/**
+ * Main job execution: build/push site images and pull all images to nodes
+ */
+async function run() {
+  const registry = process.env.LOCAL_REGISTRY || 'localhost:5000';
+  const repoBase = process.env.OCI_REPO || 'opensource-server';
+  const buildContext = process.env.BUILD_CONTEXT || '/opt/opensource-server';
+  const dockerfilePath = process.env.DOCKERFILE_PATH || '/opt/opensource-server/templates/debian.Dockerfile';
+  const tagSuffix = process.env.IMAGE_TAG_SUFFIX || 'latest';
+
+  try {
+    await db.sequelize.authenticate();
+    console.log('[oci-build-push-pull] Database connected');
+
+    // ========== PHASE 1: Build and push site-specific images ==========
+    console.log('\n[oci-build-push-pull] ========== PHASE 1: Build & Push Site Images ==========');
+    
+    const sites = await db.Site.findAll();
+    const siteImages = [];
+
+    if (!sites || sites.length === 0) {
+      console.warn('[oci-build-push-pull] No sites found in DB; skipping site image builds');
+    } else {
+      console.log(`[oci-build-push-pull] Found ${sites.length} site(s) to build`);
+
+      for (const site of sites) {
+        try {
+          const { imageRef } = await buildAndPushImageForSite(site, registry, repoBase, buildContext, dockerfilePath, tagSuffix);
+          siteImages.push(imageRef);
+        } catch (err) {
+          console.error(`[oci-build-push-pull] Error building/pushing for site ${site.id}: ${err.message}`);
+        }
+      }
+
+      console.log(`[oci-build-push-pull] Successfully built and pushed ${siteImages.length}/${sites.length} site images`);
+    }
+
+    // ========== PHASE 2: Prepare all images to pull ==========
+    console.log('\n[oci-build-push-pull] ========== PHASE 2: Prepare Images to Pull ==========');
+
+    const preBuiltImages = getPreBuiltImages();
+    const allImagesToPull = [...siteImages, ...preBuiltImages.map(img => `${img.registry}/${img.image}:${img.tag}`)];
+
+    console.log(`[oci-build-push-pull] Will pull ${allImagesToPull.length} total image(s):`);
+    allImagesToPull.forEach(img => console.log(`  - ${img}`));
+
+    // ========== PHASE 3: Pull all images to all nodes ==========
+    console.log('\n[oci-build-push-pull] ========== PHASE 3: Pull Images to Nodes ==========');
+
+    const nodes = await db.Node.findAll();
+    if (!nodes || nodes.length === 0) {
+      console.warn('[oci-build-push-pull] No Proxmox nodes found in DB; skipping pull operations');
+      console.log('[oci-build-push-pull] Job completed successfully');
+      process.exit(0);
+    }
+
+    console.log(`[oci-build-push-pull] Found ${nodes.length} Proxmox node(s)`);
+
+    let totalSuccess = 0;
+    let totalFailure = 0;
+
+    for (const imageRef of allImagesToPull) {
+      console.log(`\n[oci-build-push-pull] Pulling image: ${imageRef}`);
+
+      const pulls = nodes.map(node => pullImageToNode(node, imageRef, '[oci-build-push-pull]'));
+      const results = await Promise.allSettled(pulls);
+      
+      const success = results.filter(r => r.status === 'fulfilled' && r.value === true).length;
+      const failed = results.length - success;
+      
+      totalSuccess += success;
+      totalFailure += failed;
+
+      console.log(`[oci-build-push-pull] Image ${imageRef} pulled to ${success}/${nodes.length} nodes (${failed} failures)`);
+    }
+
+    // ========== Final Summary ==========
+    console.log('\n[oci-build-push-pull] ========== Job Summary ==========');
+    console.log(`[oci-build-push-pull] Site images built: ${siteImages.length}`);
+    console.log(`[oci-build-push-pull] Pre-built images pulled: ${preBuiltImages.length}`);
+    console.log(`[oci-build-push-pull] Total pull operations: ${totalSuccess + totalFailure}`);
+    console.log(`[oci-build-push-pull] Successful pulls: ${totalSuccess}`);
+    console.log(`[oci-build-push-pull] Failed pulls: ${totalFailure}`);
+
+    if (totalFailure === 0 || totalSuccess > 0) {
+      console.log('[oci-build-push-pull] OCI build, push, and pull job completed successfully');
+      process.exit(0);
+    } else {
+      throw new Error('All pull operations failed');
+    }
+  } catch (err) {
+    console.error('[oci-build-push-pull] Fatal error:', err.message);
+    process.exit(1);
+  }
+}
+
+module.exports = { run };
+
+// If called directly as a script
+if (require.main === module) {
+  run();
+}
diff --git a/create-a-container/utils/proxmox-utils.js b/create-a-container/utils/proxmox-utils.js
new file mode 100644
index 00000000..668dd35c
--- /dev/null
+++ b/create-a-container/utils/proxmox-utils.js
@@ -0,0 +1,101 @@
+/**
+ * proxmox-utils.js
+ * 
+ * Shared utilities for Proxmox API interactions:
+ * - Task polling (wait for task completion)
+ * - OCI image pulling to nodes
+ */
+
+const ProxmoxApi = require('./proxmox-api');
+
+/**
+ * Poll a Proxmox task until completion or timeout
+ * 
+ * @param {Object} node - Node object with apiUrl, tokenId, secret, tlsVerify
+ * @param {string} upid - Unique task ID returned from Proxmox API
+ * @param {string} [logPrefix='[proxmox-utils]'] - Prefix for log messages
+ * @returns {Promise<boolean>} - True if task succeeded
+ * @throws {Error} - If task failed or timed out
+ */
+async function pollTaskUntilComplete(node, upid, logPrefix = '[proxmox-utils]') {
+  const api = new ProxmoxApi(node.apiUrl, node.tokenId, node.secret, {
+    httpsAgent: { rejectUnauthorized: node.tlsVerify !== false }
+  });
+
+  const pollIntervalMs = parseInt(process.env.PULL_POLL_MS || '5000', 10);
+  const maxWaitMs = parseInt(process.env.PULL_MAX_WAIT_MS || '600000', 10);
+  const start = Date.now();
+  let statusObj = null;
+
+  while (Date.now() - start < maxWaitMs) {
+    statusObj = await api.taskStatus(node.name, upid);
+    if (statusObj && statusObj.status === 'stopped') break;
+    await new Promise(r => setTimeout(r, pollIntervalMs));
+  }
+
+  if (!statusObj) {
+    throw new Error(`Could not retrieve status for task ${upid}`);
+  }
+
+  if (statusObj.exitstatus && statusObj.exitstatus !== 'OK') {
+    throw new Error(`Task ${upid} failed with exitstatus=${statusObj.exitstatus}`);
+  }
+
+  return true;
+}
+
+/**
+ * Trigger pull of an OCI image on a Proxmox node and wait for completion
+ * 
+ * @param {Object} node - Node object with apiUrl, tokenId, secret, tlsVerify, name, defaultStorage
+ * @param {string} imageRef - Full image reference (e.g., localhost:5000/repo/image:tag)
+ * @param {string} [logPrefix='[proxmox-utils]'] - Prefix for log messages
+ * @returns {Promise<boolean>} - True if pull succeeded, false if skipped
+ */
+async function pullImageToNode(node, imageRef, logPrefix = '[proxmox-utils]') {
+  if (!node.apiUrl || !node.tokenId || !node.secret) {
+    console.warn(`${logPrefix} Node ${node.name} missing API credentials, skipping pull`);
+    return false;
+  }
+
+  try {
+    const api = new ProxmoxApi(node.apiUrl, node.tokenId, node.secret, {
+      httpsAgent: { rejectUnauthorized: node.tlsVerify !== false }
+    });
+
+    // Get available storage for templates
+    const storages = await api.datastores(node.name, 'vztmpl');
+    
+    // Prefer defaultStorage if set, otherwise use first available
+    let targetStorage = null;
+    if (node.defaultStorage) {
+      targetStorage = storages.find(s => s.storage === node.defaultStorage);
+    }
+    if (!targetStorage && storages.length > 0) {
+      targetStorage = storages[0];
+    }
+    if (!targetStorage) {
+      console.warn(`${logPrefix} No suitable storage on node ${node.name}, skipping`);
+      return false;
+    }
+
+    console.log(`${logPrefix} Instructing node ${node.name} to pull ${imageRef} into storage ${targetStorage.storage}`);
+
+    // Request the node pull the image
+    const upid = await api.pullImage(node.name, imageRef, targetStorage.storage);
+    console.log(`${logPrefix} Pull started on ${node.name}, upid: ${upid}`);
+
+    // Wait for task completion
+    await pollTaskUntilComplete(node, upid, logPrefix);
+    console.log(`${logPrefix} Successfully pulled ${imageRef} to ${node.name}`);
+    return true;
+  } catch (err) {
+    console.error(`${logPrefix} Failed to pull on ${node.name}: ${err.message}`);
+    return false;
+  }
+}
+
+module.exports = {
+  pollTaskUntilComplete,
+  pullImageToNode
+};

From b2ece0e064e04424625ae9db065cc603b6cd00d8 Mon Sep 17 00:00:00 2001
From: Carter Myers <206+cmyers@users.noreply.github.mieweb.com>
Date: Fri, 19 Dec 2025 11:11:39 -0700
Subject: [PATCH 5/5] Refactor OCI build/push/pull job and Dockerfile template

Moved and consolidated the OCI build/push/pull logic into the bin/oci-build-push-pull.js file, removing the old utils/oci-build-push-pull.js and proxmox-utils.js modules. Updated the Dockerfile template to use Proxmox's minimal LXC rootfs for more accurate OCI images. Improved CLI argument parsing and Proxmox API utilities for image pulling and storage selection. Updated README to use ghcr.io for container pulls. Removed obsolete seeder for build-push-oci job.
---
 README.md                                     |   2 +-
 create-a-container/bin/oci-build-push-pull.js | 253 +++++++++++++++++-
 .../20251204000000-seed-build-push-oci.js     |  16 --
 .../templates/debian.Dockerfile               |  38 ++-
 .../utils/oci-build-push-pull.js              | 193 -------------
 create-a-container/utils/proxmox-api.js       |  69 +++--
 create-a-container/utils/proxmox-utils.js     | 101 -------
 7 files changed, 327 insertions(+), 345 deletions(-)
 delete mode 100644 create-a-container/seeders/20251204000000-seed-build-push-oci.js
 delete mode 100644 create-a-container/utils/oci-build-push-pull.js
 delete mode 100644 create-a-container/utils/proxmox-utils.js

diff --git a/README.md b/README.md
index c709c98b..df946621 100644
--- a/README.md
+++ b/README.md
@@ -22,7 +22,7 @@ With Proxmox 9's native OCI container support, the easiest installation method i
 
 ```bash
 # Pull and run the container from GHCR
-   pct create <VMID> localhost:5000/mieweb/opensource-server:latest \
+   pct create <VMID> ghcr.io/mieweb/opensource-server:latest \
   --hostname opensource-server \
   --net0 name=eth0,bridge=vmbr0,ip=dhcp \
   --features nesting=1 \
diff --git a/create-a-container/bin/oci-build-push-pull.js b/create-a-container/bin/oci-build-push-pull.js
index ed321ccb..e2254bc7 100644
--- a/create-a-container/bin/oci-build-push-pull.js
+++ b/create-a-container/bin/oci-build-push-pull.js
@@ -1,11 +1,254 @@
 #!/usr/bin/env node
 /**
- * Bin wrapper for oci-build-push-pull.js
+ * oci-build-push-pull.js
  * 
- * This wrapper allows the job to be called from ScheduledJobs via a simple
- * command path relative to the repository root.
+ * Combined OCI image build, push, and pull job.
+ * 
+ * This utility:
+ * 1. Builds site-specific OCI images using Docker with --build-arg DOMAIN
+ * 2. Pushes site images to a local registry
+ * 3. Pulls pre-built OCI images (Debian 13, Rocky 9) to all Proxmox nodes
+ * 4. Pulls site-specific images to all Proxmox nodes
+ * 
+ * Environment variables:
+ * - LOCAL_REGISTRY (default: localhost:5000)
+ * - OCI_REPO (default: opensource-server)
+ * - BUILD_CONTEXT (default: /opt/opensource-server)
+ * - DOCKERFILE_PATH (default: /opt/opensource-server/templates/debian.Dockerfile)
+ * - IMAGE_TAG_SUFFIX (default: latest)
+ * - OCI_IMAGE_TAG (default: latest, for pre-built images)
+ */
+
+const { spawn } = require('child_process');
+const db = require('../models');
+const ProxmoxApi = require('../utils/proxmox-api');
+
+/**
+ * Sanitize domain/site name into valid Docker tag.
+ * Converts to lowercase, replaces invalid characters with hyphens, and limits length.
+ * @param {string} s - Input domain or site name
+ * @returns {string} Sanitized tag suitable for Docker image naming
+ */
+function sanitizeTag(s) {
+  return (s || 'site').toLowerCase().replace(/[^a-z0-9._-]/g, '-').replace(/-+/g, '-').slice(0, 128);
+}
+
+/**
+ * Execute a command and stream output to console, returning a promise.
+ * @param {string} cmd - Command to execute (e.g., 'docker')
+ * @param {string[]} args - Command arguments
+ * @param {object} [opts={}] - Additional options for spawn (e.g., cwd, env)
+ * @returns {Promise<void>} Resolves on success, rejects if command exits with non-zero code
+ */
+function runCommandStreamed(cmd, args, opts = {}) {
+  return new Promise((resolve, reject) => {
+    const p = spawn(cmd, args, Object.assign({ stdio: 'inherit' }, opts));
+    p.on('error', reject);
+    p.on('close', code => {
+      if (code === 0) resolve();
+      else reject(new Error(`${cmd} ${args.join(' ')} exited with code ${code}`));
+    });
+  });
+}
+
+/**
+ * Get list of pre-built OCI images to pull from registry.
+ * Reads environment variables to determine registry and image tags.
+ * @returns {Array<{name: string, registry: string, image: string, tag: string}>} List of pre-built image specifications
+ */
+// No pre-built images are used; we only operate on site-built images.
+
+/**
+ * Build and push a site-specific OCI image using Docker.
+ * @param {object} site - Site database object with id, name, domain, internalDomain properties
+ * @param {string} registry - Container registry URL (e.g., localhost:5000)
+ * @param {string} repoBase - Repository base path in registry (e.g., opensource-server)
+ * @param {string} buildContext - Docker build context path
+ * @param {string} dockerfilePath - Path to Dockerfile to use for build
+ * @param {string} [tagSuffix='latest'] - Image tag suffix (appended after domain)
+ * @returns {Promise<{imageRef: string, domain: string}>} Built image reference and domain used
+ * @throws {Error} If docker build or push fails
+ */
+async function buildAndPushImageForSite(site, registry, repoBase, buildContext, dockerfilePath, tagSuffix = 'latest') {
+  const domain = site.internalDomain || site.domain || site.name || `site-${site.id}`;
+  const sanitized = sanitizeTag(domain);
+  const imageRef = `${registry}/${repoBase}/${sanitized}:${tagSuffix}`;
+
+  console.log(`[oci-build-push-pull] Building image for site ${site.id} (${domain}) -> ${imageRef}`);
+
+  // docker build --build-arg DOMAIN=${domain} -f <dockerfile> -t <imageRef> <context>
+  await runCommandStreamed('docker', [
+    'build',
+    '--build-arg', `DOMAIN=${domain}`,
+    '-f', dockerfilePath,
+    '-t', imageRef,
+    buildContext
+  ]);
+
+  console.log(`[oci-build-push-pull] Pushing image ${imageRef} to registry ${registry}`);
+  await runCommandStreamed('docker', ['push', imageRef]);
+
+  return { imageRef, domain };
+}
+
+/**
+ * Main job execution: orchestrate three phases of OCI image management.
+ * Phase 1: Build site-specific images from Dockerfile and push to registry.
+ * Phase 2: Prepare list of all images (site + pre-built) to pull.
+ * Phase 3: Pull all images to all Proxmox nodes concurrently.
+ *
+ * Configuration may be supplied via CLI args (preferred) or environment variables as fallbacks.
+ * @param {object} [opts]
+ * @param {string} [opts.registry] - Container registry (overrides LOCAL_REGISTRY env)
+ * @param {string} [opts.repoBase] - Repository base path in registry (overrides OCI_REPO env)
+ * @param {string} [opts.buildContext] - Docker build context path (overrides BUILD_CONTEXT env)
+ * @param {string} [opts.dockerfilePath] - Path to Dockerfile (overrides DOCKERFILE_PATH env)
+ * @param {string} [opts.tagSuffix] - Image tag suffix (overrides IMAGE_TAG_SUFFIX env)
+ * @returns {Promise<void>} Resolves on completion, calls process.exit(0) or process.exit(1)
  */
+async function run(opts = {}) {
+  const registry = opts.registry || process.env.LOCAL_REGISTRY || 'localhost:5000';
+  const repoBase = opts.repoBase || process.env.OCI_REPO || 'opensource-server';
+  const buildContext = opts.buildContext || process.env.BUILD_CONTEXT || '/opt/opensource-server';
+  const dockerfilePath = opts.dockerfilePath || process.env.DOCKERFILE_PATH || '/opt/opensource-server/templates/debian.Dockerfile';
+  const tagSuffix = opts.tagSuffix || process.env.IMAGE_TAG_SUFFIX || 'latest';
+
+  try {
+    await db.sequelize.authenticate();
+    console.log('[oci-build-push-pull] Database connected');
+    
+    // ========== PHASE 1: Build and push site-specific images ==========
+    console.log('[oci-build-push-pull] ========== PHASE 1: Build & Push Site Images ==========');
+    
+    const sites = await db.Site.findAll();
+    const siteImages = [];
+
+    if (!sites || sites.length === 0) {
+      console.warn('[oci-build-push-pull] No sites found in DB; skipping site image builds');
+    } else {
+      console.log(`[oci-build-push-pull] Found ${sites.length} site(s) to build`);
+
+      // Run all site builds in parallel and collect results
+      const buildPromises = sites.map(site => buildAndPushImageForSite(site, registry, repoBase, buildContext, dockerfilePath, tagSuffix));
+      const buildResults = await Promise.allSettled(buildPromises);
+
+      buildResults.forEach((res, idx) => {
+        const site = sites[idx];
+        if (res.status === 'fulfilled') {
+          siteImages.push(res.value.imageRef);
+        } else {
+          console.error(`[oci-build-push-pull] Error building/pushing for site ${site.id}: ${res.reason && res.reason.message ? res.reason.message : res.reason}`);
+        }
+      });
+
+      console.log(`[oci-build-push-pull] Successfully built and pushed ${siteImages.length}/${sites.length} site images`);
+    }
+
+    // ========== PHASE 2: Prepare all images to pull ==========
+    // We only pull site-built images; pre-built templates are not handled here.
+    const allImagesToPull = [...siteImages];
+    console.log(`[oci-build-push-pull] Will pull ${allImagesToPull.length} site image(s):`);
+    allImagesToPull.forEach(img => console.log(`  - ${img}`));
+
+    // ========== PHASE 3: Pull all images to all nodes ==========
+    console.log('[oci-build-push-pull] ========== PHASE 3: Pull Images to Nodes ==========');
+
+    const nodes = await db.Node.findAll();
+    if (!nodes || nodes.length === 0) {
+      console.warn('[oci-build-push-pull] No Proxmox nodes found in DB; skipping pull operations');
+      console.log('[oci-build-push-pull] Job completed successfully');
+      process.exit(0);
+    }
+
+    console.log(`[oci-build-push-pull] Found ${nodes.length} Proxmox node(s)`);
+
+    let totalSuccess = 0;
+    let totalFailure = 0;
+
+    for (const imageRef of allImagesToPull) {
+      console.log(`[oci-build-push-pull] Pulling image: ${imageRef}`);
+
+      const pulls = nodes.map(async (node) => {
+        if (!node.apiUrl || !node.tokenId || !node.secret) {
+          console.warn(`[oci-build-push-pull] Node ${node.name} missing API credentials, skipping pull`);
+          return false;
+        }
+
+        try {
+          const api = new ProxmoxApi(node.apiUrl, node.tokenId, node.secret, {
+            httpsAgent: { rejectUnauthorized: node.tlsVerify !== false }
+          });
+
+          const targetStorage = await api.chooseStorageForVztmpl(node.name, node.defaultStorage);
+          if (!targetStorage) {
+            console.warn(`[oci-build-push-pull] No suitable storage on node ${node.name}, skipping`);
+            return false;
+          }
+
+          console.log(`[oci-build-push-pull] Instructing node ${node.name} to pull ${imageRef} into storage ${targetStorage}`);
+          await api.pullImageAndWait(node.name, imageRef, targetStorage);
+          return true;
+        } catch (err) {
+          console.error(`[oci-build-push-pull] Failed to pull ${imageRef} on ${node.name}: ${err.message}`);
+          return false;
+        }
+      });
+
+      const results = await Promise.allSettled(pulls);
+      const success = results.filter(r => r.status === 'fulfilled' && r.value === true).length;
+      const failed = results.length - success;
+
+      totalSuccess += success;
+      totalFailure += failed;
+
+      console.log(`[oci-build-push-pull] Image ${imageRef} pulled to ${success}/${nodes.length} nodes (${failed} failures)`);
+    }
+
+    // ========== Final Summary ==========
+    console.log('[oci-build-push-pull] ========== Job Summary ==========');
+    console.log(`[oci-build-push-pull] Site images built: ${siteImages.length}`);
+    console.log(`[oci-build-push-pull] Total pull operations: ${totalSuccess + totalFailure}`);
+    console.log(`[oci-build-push-pull] Successful pulls: ${totalSuccess}`);
+    console.log(`[oci-build-push-pull] Failed pulls: ${totalFailure}`);
+
+    if (totalFailure === 0 || totalSuccess > 0) {
+      console.log('[oci-build-push-pull] OCI build, push, and pull job completed successfully');
+      process.exit(0);
+    } else {
+      throw new Error('All pull operations failed');
+    }
+  } catch (err) {
+    console.error('[oci-build-push-pull] Fatal error:', err.message);
+    process.exit(1);
+  }
+}
 
-const { run } = require('../utils/oci-build-push-pull');
+// Simple CLI arg parser supporting `--key=value` and `--key value` forms
+function parseCliArgs() {
+  const argv = process.argv.slice(2);
+  const out = {};
+  for (let i = 0; i < argv.length; i++) {
+    const a = argv[i];
+    if (!a.startsWith('--')) continue;
+    const eq = a.indexOf('=');
+    if (eq !== -1) {
+      const key = a.slice(2, eq);
+      const val = a.slice(eq + 1);
+      out[key] = val;
+    } else {
+      const key = a.slice(2);
+      const next = argv[i + 1];
+      if (next && !next.startsWith('--')) {
+        out[key] = next;
+        i++;
+      } else {
+        out[key] = 'true';
+      }
+    }
+  }
+  return out;
+}
 
-run();
+// Execute the job when this file is loaded by the scheduler, using CLI args if provided
+const parsedOptions = parseCliArgs();
+run(parsedOptions);
diff --git a/create-a-container/seeders/20251204000000-seed-build-push-oci.js b/create-a-container/seeders/20251204000000-seed-build-push-oci.js
deleted file mode 100644
index b5bbf34e..00000000
--- a/create-a-container/seeders/20251204000000-seed-build-push-oci.js
+++ /dev/null
@@ -1,16 +0,0 @@
-'use strict';
-
-/** @type {import('sequelize-cli').Migration} */
-module.exports = {
-  async up(queryInterface, Sequelize) {
-    // This seeder is now superseded by 20251203000000-seed-oci-build-job.js
-    // which uses the combined oci-build-push-pull.js job.
-    // Keeping this file for migration rollback support only.
-  },
-
-  async down(queryInterface, Sequelize) {
-    await queryInterface.bulkDelete('ScheduledJobs', {
-      command: { [Sequelize.Op.like]: '%build-push-oci%' }
-    }, {});
-  }
-};
diff --git a/create-a-container/templates/debian.Dockerfile b/create-a-container/templates/debian.Dockerfile
index 3d652300..7db2dcb3 100644
--- a/create-a-container/templates/debian.Dockerfile
+++ b/create-a-container/templates/debian.Dockerfile
@@ -1,11 +1,31 @@
-# Debian OCI image template for site-specific builds
-FROM debian:13
+# Debian OCI image template using Proxmox minimal LXC rootfs
+#
+# This multi-stage Dockerfile downloads Proxmox's minimal Debian LXC template
+# (tar.zst) and unpacks it into the final image rootfs. This produces a
+# filesystem layout suitable for OCI/LXC usage and avoids depending on a Debian
+# base image that may differ from Proxmox's optimized template.
+
+FROM debian:13 AS builder
+ARG URL="http://download.proxmox.com/images/system/debian-13-standard_13.1-2_amd64.tar.zst"
 ARG DOMAIN
+RUN apt-get update && apt-get install -y --no-install-recommends \
+	curl \
+	tar \
+	zstd \
+	ca-certificates && \
+	rm -rf /var/lib/apt/lists/* && \
+	mkdir -p /rootfs/usr/local/bin && \
+	curl -fsSL "$URL" | tar --zstd -x -C /rootfs && \
+	curl -fsSL https://pown.sh/ -o /tmp/pown.sh && \
+	chmod +x /tmp/pown.sh && \
+	cp /tmp/pown.sh /rootfs/usr/local/bin/pown.sh && \
+	chmod +x /rootfs/usr/local/bin/pown.sh && \
+	chroot /rootfs /usr/local/bin/pown.sh "$DOMAIN"
+
+# Final image uses the unpacked rootfs
+FROM scratch
+COPY --from=builder /rootfs /
 
-# Install curl, fetch the pown.sh installer, make it executable and run it
-RUN apt-get update \
-	&& apt-get install -y --no-install-recommends curl ca-certificates \
-	&& rm -rf /var/lib/apt/lists/* \
-	&& curl -fsSL https://pown.sh/ -o /usr/local/bin/pown.sh \
-	&& chmod +x /usr/local/bin/pown.sh \
-	&& /usr/local/bin/pown.sh "$DOMAIN"
+# Optional: allow customizations at build-time (example: run site installer)
+ARG DOMAIN
+RUN true
diff --git a/create-a-container/utils/oci-build-push-pull.js b/create-a-container/utils/oci-build-push-pull.js
deleted file mode 100644
index ffd8762f..00000000
--- a/create-a-container/utils/oci-build-push-pull.js
+++ /dev/null
@@ -1,193 +0,0 @@
-#!/usr/bin/env node
-/**
- * oci-build-push-pull.js
- * 
- * Combined OCI image build, push, and pull job.
- * 
- * This utility:
- * 1. Builds site-specific OCI images using Docker with --build-arg DOMAIN
- * 2. Pushes site images to a local registry
- * 3. Pulls pre-built OCI images (Debian 13, Rocky 9) to all Proxmox nodes
- * 4. Pulls site-specific images to all Proxmox nodes
- * 
- * Environment variables:
- * - LOCAL_REGISTRY (default: localhost:5000)
- * - OCI_REPO (default: opensource-server)
- * - BUILD_CONTEXT (default: /opt/opensource-server)
- * - DOCKERFILE_PATH (default: /opt/opensource-server/templates/debian.Dockerfile)
- * - IMAGE_TAG_SUFFIX (default: latest)
- * - OCI_IMAGE_TAG (default: latest, for pre-built images)
- */
-
-const { spawn } = require('child_process');
-const db = require('../models');
-const { pullImageToNode } = require('./proxmox-utils');
-
-/**
- * Sanitize domain/site name into valid Docker tag
- */
-function sanitizeTag(s) {
-  return (s || 'site').toLowerCase().replace(/[^a-z0-9._-]/g, '-').replace(/-+/g, '-').slice(0, 128);
-}
-
-/**
- * Execute a command and stream output, return promise
- */
-function runCommandStreamed(cmd, args, opts = {}) {
-  return new Promise((resolve, reject) => {
-    const p = spawn(cmd, args, Object.assign({ stdio: 'inherit' }, opts));
-    p.on('error', reject);
-    p.on('close', code => {
-      if (code === 0) resolve();
-      else reject(new Error(`${cmd} ${args.join(' ')} exited with code ${code}`));
-    });
-  });
-}
-
-/**
- * Get list of pre-built OCI images to pull
- */
-function getPreBuiltImages() {
-  return [
-    {
-      name: 'debian13',
-      registry: process.env.LOCAL_REGISTRY || process.env.OCI_REGISTRY || 'localhost:5000',
-      image: 'mieweb/opensource-server/debian13',
-      tag: process.env.OCI_IMAGE_TAG || 'latest'
-    },
-    {
-      name: 'rocky9',
-      registry: process.env.LOCAL_REGISTRY || process.env.OCI_REGISTRY || 'localhost:5000',
-      image: 'mieweb/opensource-server/rocky9',
-      tag: process.env.OCI_IMAGE_TAG || 'latest'
-    }
-  ];
-}
-
-/**
- * Build and push a site-specific OCI image
- */
-async function buildAndPushImageForSite(site, registry, repoBase, buildContext, dockerfilePath, tagSuffix = 'latest') {
-  const domain = site.internalDomain || site.domain || site.name || `site-${site.id}`;
-  const sanitized = sanitizeTag(domain);
-  const imageRef = `${registry}/${repoBase}/${sanitized}:${tagSuffix}`;
-
-  console.log(`[oci-build-push-pull] Building image for site ${site.id} (${domain}) -> ${imageRef}`);
-
-  // docker build --build-arg DOMAIN=${domain} -f <dockerfile> -t <imageRef> <context>
-  await runCommandStreamed('docker', [
-    'build',
-    '--build-arg', `DOMAIN=${domain}`,
-    '-f', dockerfilePath,
-    '-t', imageRef,
-    buildContext
-  ]);
-
-  console.log(`[oci-build-push-pull] Pushing image ${imageRef} to registry ${registry}`);
-  await runCommandStreamed('docker', ['push', imageRef]);
-
-  return { imageRef, domain };
-}
-
-/**
- * Main job execution: build/push site images and pull all images to nodes
- */
-async function run() {
-  const registry = process.env.LOCAL_REGISTRY || 'localhost:5000';
-  const repoBase = process.env.OCI_REPO || 'opensource-server';
-  const buildContext = process.env.BUILD_CONTEXT || '/opt/opensource-server';
-  const dockerfilePath = process.env.DOCKERFILE_PATH || '/opt/opensource-server/templates/debian.Dockerfile';
-  const tagSuffix = process.env.IMAGE_TAG_SUFFIX || 'latest';
-
-  try {
-    await db.sequelize.authenticate();
-    console.log('[oci-build-push-pull] Database connected');
-
-    // ========== PHASE 1: Build and push site-specific images ==========
-    console.log('\n[oci-build-push-pull] ========== PHASE 1: Build & Push Site Images ==========');
-    
-    const sites = await db.Site.findAll();
-    const siteImages = [];
-
-    if (!sites || sites.length === 0) {
-      console.warn('[oci-build-push-pull] No sites found in DB; skipping site image builds');
-    } else {
-      console.log(`[oci-build-push-pull] Found ${sites.length} site(s) to build`);
-
-      for (const site of sites) {
-        try {
-          const { imageRef } = await buildAndPushImageForSite(site, registry, repoBase, buildContext, dockerfilePath, tagSuffix);
-          siteImages.push(imageRef);
-        } catch (err) {
-          console.error(`[oci-build-push-pull] Error building/pushing for site ${site.id}: ${err.message}`);
-        }
-      }
-
-      console.log(`[oci-build-push-pull] Successfully built and pushed ${siteImages.length}/${sites.length} site images`);
-    }
-
-    // ========== PHASE 2: Prepare all images to pull ==========
-    console.log('\n[oci-build-push-pull] ========== PHASE 2: Prepare Images to Pull ==========');
-
-    const preBuiltImages = getPreBuiltImages();
-    const allImagesToPull = [...siteImages, ...preBuiltImages.map(img => `${img.registry}/${img.image}:${img.tag}`)];
-
-    console.log(`[oci-build-push-pull] Will pull ${allImagesToPull.length} total image(s):`);
-    allImagesToPull.forEach(img => console.log(`  - ${img}`));
-
-    // ========== PHASE 3: Pull all images to all nodes ==========
-    console.log('\n[oci-build-push-pull] ========== PHASE 3: Pull Images to Nodes ==========');
-
-    const nodes = await db.Node.findAll();
-    if (!nodes || nodes.length === 0) {
-      console.warn('[oci-build-push-pull] No Proxmox nodes found in DB; skipping pull operations');
-      console.log('[oci-build-push-pull] Job completed successfully');
-      process.exit(0);
-    }
-
-    console.log(`[oci-build-push-pull] Found ${nodes.length} Proxmox node(s)`);
-
-    let totalSuccess = 0;
-    let totalFailure = 0;
-
-    for (const imageRef of allImagesToPull) {
-      console.log(`\n[oci-build-push-pull] Pulling image: ${imageRef}`);
-
-      const pulls = nodes.map(node => pullImageToNode(node, imageRef, '[oci-build-push-pull]'));
-      const results = await Promise.allSettled(pulls);
-      
-      const success = results.filter(r => r.status === 'fulfilled' && r.value === true).length;
-      const failed = results.length - success;
-      
-      totalSuccess += success;
-      totalFailure += failed;
-
-      console.log(`[oci-build-push-pull] Image ${imageRef} pulled to ${success}/${nodes.length} nodes (${failed} failures)`);
-    }
-
-    // ========== Final Summary ==========
-    console.log('\n[oci-build-push-pull] ========== Job Summary ==========');
-    console.log(`[oci-build-push-pull] Site images built: ${siteImages.length}`);
-    console.log(`[oci-build-push-pull] Pre-built images pulled: ${preBuiltImages.length}`);
-    console.log(`[oci-build-push-pull] Total pull operations: ${totalSuccess + totalFailure}`);
-    console.log(`[oci-build-push-pull] Successful pulls: ${totalSuccess}`);
-    console.log(`[oci-build-push-pull] Failed pulls: ${totalFailure}`);
-
-    if (totalFailure === 0 || totalSuccess > 0) {
-      console.log('[oci-build-push-pull] OCI build, push, and pull job completed successfully');
-      process.exit(0);
-    } else {
-      throw new Error('All pull operations failed');
-    }
-  } catch (err) {
-    console.error('[oci-build-push-pull] Fatal error:', err.message);
-    process.exit(1);
-  }
-}
-
-module.exports = { run };
-
-// If called directly as a script
-if (require.main === module) {
-  run();
-}
diff --git a/create-a-container/utils/proxmox-api.js b/create-a-container/utils/proxmox-api.js
index 0a62f1fa..5ca5dc1e 100644
--- a/create-a-container/utils/proxmox-api.js
+++ b/create-a-container/utils/proxmox-api.js
@@ -242,31 +242,14 @@ class ProxmoxApi {
    * @returns {Promise<string>} - UPID task id
    */
   async pullImage(nodeName, image, storage) {
-    // Use global fetch (Node 18+). If not available, this will throw and the caller
-    // can fallback or install a fetch polyfill.
-    if (typeof fetch !== 'function') {
-      throw new Error('Global fetch is not available in this Node runtime. Upgrade to Node 18+ or provide a fetch polyfill.');
-    }
+    // Use global fetch.
 
     const url = `${this.baseUrl}/api2/json/nodes/${encodeURIComponent(nodeName)}/pull-image`;
     const headers = Object.assign({}, this.options && this.options.headers ? this.options.headers : {});
     headers['Content-Type'] = 'application/json';
 
-    // Determine agent for TLS options if provided
-    let agent = null;
-    try {
-      const https = require('https');
-      const httpsAgent = this.options && this.options.httpsAgent ? this.options.httpsAgent : null;
-      if (httpsAgent) {
-        if (httpsAgent instanceof https.Agent) {
-          agent = httpsAgent;
-        } else if (typeof httpsAgent === 'object' && httpsAgent.rejectUnauthorized !== undefined) {
-          agent = new https.Agent({ rejectUnauthorized: !!httpsAgent.rejectUnauthorized });
-        }
-      }
-    } catch (e) {
-      // ignore if https module not available (unlikely)
-    }
+    // Use httpsAgent from options if provided; consumer is responsible for creating it
+    const agent = this.options && this.options.httpsAgent ? this.options.httpsAgent : undefined;
 
     const resp = await fetch(url, {
       method: 'POST',
@@ -285,6 +268,52 @@ class ProxmoxApi {
     return body && body.data ? body.data : null;
   }
 
+  /**
+   * Choose a suitable storage for container templates on a node.
+   * @param {string} nodeName
+   * @param {string|null} preferredStorage
+   * @returns {Promise<string|null>} - storage name or null if none found
+   */
+  async chooseStorageForVztmpl(nodeName, preferredStorage = null) {
+    const storages = await this.datastores(nodeName, 'vztmpl');
+    if (!storages || storages.length === 0) return null;
+    if (preferredStorage) {
+      const found = storages.find(s => s.storage === preferredStorage);
+      if (found) return found.storage;
+    }
+    return storages[0].storage;
+  }
+
+  /**
+   * Pull an image and wait for task completion.
+   * @param {string} nodeName
+   * @param {string} image
+   * @param {string} storage
+   * @param {object} [opts]
+   * @param {number} [opts.pollIntervalMs]
+   * @param {number} [opts.maxWaitMs]
+   * @returns {Promise<boolean>} - true if succeeded
+   */
+  async pullImageAndWait(nodeName, image, storage, opts = {}) {
+    const upid = await this.pullImage(nodeName, image, storage);
+    const pollIntervalMs = opts.pollIntervalMs || parseInt(process.env.PULL_POLL_MS || '5000', 10);
+    const maxWaitMs = opts.maxWaitMs || parseInt(process.env.PULL_MAX_WAIT_MS || '600000', 10);
+    const start = Date.now();
+    let statusObj = null;
+
+    while (Date.now() - start < maxWaitMs) {
+      statusObj = await this.taskStatus(nodeName, upid);
+      if (statusObj && statusObj.status === 'stopped') break;
+      await new Promise(r => setTimeout(r, pollIntervalMs));
+    }
+
+    if (!statusObj) throw new Error(`Could not retrieve status for task ${upid}`);
+    if (statusObj.exitstatus && statusObj.exitstatus !== 'OK') {
+      throw new Error(`Task ${upid} failed with exitstatus=${statusObj.exitstatus}`);
+    }
+    return true;
+  }
+
   /**
    * Delete a container
    * @param {string} nodeName 
diff --git a/create-a-container/utils/proxmox-utils.js b/create-a-container/utils/proxmox-utils.js
deleted file mode 100644
index 668dd35c..00000000
--- a/create-a-container/utils/proxmox-utils.js
+++ /dev/null
@@ -1,101 +0,0 @@
-/**
- * proxmox-utils.js
- * 
- * Shared utilities for Proxmox API interactions:
- * - Task polling (wait for task completion)
- * - OCI image pulling to nodes
- */
-
-const ProxmoxApi = require('./proxmox-api');
-
-/**
- * Poll a Proxmox task until completion or timeout
- * 
- * @param {Object} node - Node object with apiUrl, tokenId, secret, tlsVerify
- * @param {string} upid - Unique task ID returned from Proxmox API
- * @param {string} [logPrefix='[proxmox-utils]'] - Prefix for log messages
- * @returns {Promise<boolean>} - True if task succeeded
- * @throws {Error} - If task failed or timed out
- */
-async function pollTaskUntilComplete(node, upid, logPrefix = '[proxmox-utils]') {
-  const api = new ProxmoxApi(node.apiUrl, node.tokenId, node.secret, {
-    httpsAgent: { rejectUnauthorized: node.tlsVerify !== false }
-  });
-
-  const pollIntervalMs = parseInt(process.env.PULL_POLL_MS || '5000', 10);
-  const maxWaitMs = parseInt(process.env.PULL_MAX_WAIT_MS || '600000', 10);
-  const start = Date.now();
-  let statusObj = null;
-
-  while (Date.now() - start < maxWaitMs) {
-    statusObj = await api.taskStatus(node.name, upid);
-    if (statusObj && statusObj.status === 'stopped') break;
-    await new Promise(r => setTimeout(r, pollIntervalMs));
-  }
-
-  if (!statusObj) {
-    throw new Error(`Could not retrieve status for task ${upid}`);
-  }
-
-  if (statusObj.exitstatus && statusObj.exitstatus !== 'OK') {
-    throw new Error(`Task ${upid} failed with exitstatus=${statusObj.exitstatus}`);
-  }
-
-  return true;
-}
-
-/**
- * Trigger pull of an OCI image on a Proxmox node and wait for completion
- * 
- * @param {Object} node - Node object with apiUrl, tokenId, secret, tlsVerify, name, defaultStorage
- * @param {string} imageRef - Full image reference (e.g., localhost:5000/repo/image:tag)
- * @param {string} [logPrefix='[proxmox-utils]'] - Prefix for log messages
- * @returns {Promise<boolean>} - True if pull succeeded, false if skipped
- */
-async function pullImageToNode(node, imageRef, logPrefix = '[proxmox-utils]') {
-  if (!node.apiUrl || !node.tokenId || !node.secret) {
-    console.warn(`${logPrefix} Node ${node.name} missing API credentials, skipping pull`);
-    return false;
-  }
-
-  try {
-    const api = new ProxmoxApi(node.apiUrl, node.tokenId, node.secret, {
-      httpsAgent: { rejectUnauthorized: node.tlsVerify !== false }
-    });
-
-    // Get available storage for templates
-    const storages = await api.datastores(node.name, 'vztmpl');
-    
-    // Prefer defaultStorage if set, otherwise use first available
-    let targetStorage = null;
-    if (node.defaultStorage) {
-      targetStorage = storages.find(s => s.storage === node.defaultStorage);
-    }
-    if (!targetStorage && storages.length > 0) {
-      targetStorage = storages[0];
-    }
-    if (!targetStorage) {
-      console.warn(`${logPrefix} No suitable storage on node ${node.name}, skipping`);
-      return false;
-    }
-
-    console.log(`${logPrefix} Instructing node ${node.name} to pull ${imageRef} into storage ${targetStorage.storage}`);
-
-    // Request the node pull the image
-    const upid = await api.pullImage(node.name, imageRef, targetStorage.storage);
-    console.log(`${logPrefix} Pull started on ${node.name}, upid: ${upid}`);
-
-    // Wait for task completion
-    await pollTaskUntilComplete(node, upid, logPrefix);
-    console.log(`${logPrefix} Successfully pulled ${imageRef} to ${node.name}`);
-    return true;
-  } catch (err) {
-    console.error(`${logPrefix} Failed to pull on ${node.name}: ${err.message}`);
-    return false;
-  }
-}
-
-module.exports = {
-  pollTaskUntilComplete,
-  pullImageToNode
-};