renovate: default-allow + codify ArgoCD auto-sync in git

Two coordinated changes — open PR only, do NOT merge until dry-run passes.

1) admin-system/renovate.yaml: flip packageRules from Tier 1 allowlist to
   default-allow with safety gates. Adds prHourlyLimit=8 + prConcurrentLimit=8
   to throttle the first wave. New rules (7 total, order-sensitive):
   - "*"                    : 3-day stability gate (minimumReleaseAge)
   - minor/patch            : automerge via platformAutomerge
   - major                  : dependencyDashboardApproval (manual gate)
   - k3s-bundled (3 images) : disabled (ride k3s upgrades)
   - critical-core (6 imgs) : automerge=false (Viktor merges manually)
     - gitea/gitea, ghcr.io/goauthentik/{server,ldap,proxy},
       ghcr.io/cloudnative-pg/cloudnative-pg, quay.io/argoproj/argocd
     - ArgoCD + authentik /ldap and /proxy are no-ops (not pinned in repo)
   - termix                 : versioning=loose, extractVersion for "release-X.Y.Z"
   - wanderer-db + -web     : groupName=wanderer (one PR, prevents file race)
   enabledManagers unchanged ([kubernetes, helm-values]) — keeps Helmfile-
   managed infra invisible.

2) argocd-apps/homelab.yaml: codify per-app auto-sync intent in git
   (currently lives only on live CRs via UI — DR risk).
   - 35 existing bare-AUTO apps: add `automated: {enabled: true}` (matches live).
   - jarr, version-checker: add `automated: {enabled: true, prune: true,
     selfHeal: true}` (flipping MANUAL -> AUTO so Renovate merges deploy).
   - Untouched: admin-tools, authentik, cnpg-operator, root-apps (already
     have strict automated in git); monitoring, infrastructure, felhom,
     gitea, pihole, database-system (explicitly kept MANUAL per Viktor).
   NOTE: root-apps does NOT enforce syncPolicy.automated drift between git
   and live, so jarr + version-checker will also need a one-off kubectl
   patch after merge to actually become AUTO live. Done in go-live step.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

admin-system/renovate.yaml

@@ -44,92 +44,62 @@ data:
       "requireConfig": "optional",
       "dependencyDashboard": true,
       "dependencyDashboardTitle": "Renovate Dependency Dashboard",
-      "prHourlyLimit": 0,
-      "prConcurrentLimit": 0,
+      "prHourlyLimit": 8,
+      "prConcurrentLimit": 8,
       "enabledManagers": ["kubernetes", "helm-values"],
       "kubernetes": {
         "managerFilePatterns": ["/.+\\.ya?ml$/"]
       },
       "packageRules": [
         {
-          "description": "Default-deny everything",
+          "description": "All apps: 3-day stability gate before any PR opens",
           "matchPackageNames": ["*"],
-          "enabled": false
-        },
-        {
-          "description": "Tier 1: enable updates for low-risk leaf apps",
-          "matchPackageNames": [
-            "ghcr.io/thomiceli/opengist",
-            "louislam/uptime-kuma",
-            "f0rc3/gokapi",
-            "docker.io/calcom/cal.com",
-            "advplyr/audiobookshelf",
-            "arcadiatechnology/crafty-4",
-            "codercom/code-server",
-            "ghcr.io/gethomepage/homepage",
-            "ghcr.io/headlamp-k8s/headlamp",
-            "prom/node-exporter",
-            "rommapp/romm",
-            "ghcr.io/stakater/reloader",
-            "privatebin/nginx-fpm-alpine",
-            "flomp/wanderer-db",
-            "flomp/wanderer-web",
-            "registry.k8s.io/kube-state-metrics/kube-state-metrics",
-            "ghcr.io/lukegus/termix"
-          ],
-          "enabled": true
-        },
-        {
-          "description": "Tier 1: automerge minor/patch after 3-day stability window",
-          "matchPackageNames": [
-            "ghcr.io/thomiceli/opengist",
-            "louislam/uptime-kuma",
-            "f0rc3/gokapi",
-            "docker.io/calcom/cal.com",
-            "advplyr/audiobookshelf",
-            "arcadiatechnology/crafty-4",
-            "codercom/code-server",
-            "ghcr.io/gethomepage/homepage",
-            "ghcr.io/headlamp-k8s/headlamp",
-            "prom/node-exporter",
-            "rommapp/romm",
-            "ghcr.io/stakater/reloader",
-            "privatebin/nginx-fpm-alpine",
-            "flomp/wanderer-db",
-            "flomp/wanderer-web",
-            "registry.k8s.io/kube-state-metrics/kube-state-metrics",
-            "ghcr.io/lukegus/termix"
-          ],
-          "matchUpdateTypes": ["minor", "patch"],
-          "automerge": true,
-          "automergeType": "pr",
-          "platformAutomerge": true,
           "minimumReleaseAge": "3 days"
         },
         {
-          "description": "Tier 1: major bumps require dashboard approval (no automerge)",
-          "matchPackageNames": [
-            "ghcr.io/thomiceli/opengist",
-            "louislam/uptime-kuma",
-            "f0rc3/gokapi",
-            "docker.io/calcom/cal.com",
-            "advplyr/audiobookshelf",
-            "arcadiatechnology/crafty-4",
-            "codercom/code-server",
-            "ghcr.io/gethomepage/homepage",
-            "ghcr.io/headlamp-k8s/headlamp",
-            "prom/node-exporter",
-            "rommapp/romm",
-            "ghcr.io/stakater/reloader",
-            "privatebin/nginx-fpm-alpine",
-            "flomp/wanderer-db",
-            "flomp/wanderer-web",
-            "registry.k8s.io/kube-state-metrics/kube-state-metrics",
-            "ghcr.io/lukegus/termix"
-          ],
+          "description": "Auto-merge minor/patch after the stability window",
+          "matchUpdateTypes": ["minor", "patch"],
+          "automerge": true,
+          "automergeType": "pr",
+          "platformAutomerge": true
+        },
+        {
+          "description": "Major bumps wait for dashboard approval (catches breaking/schema migrations)",
           "matchUpdateTypes": ["major"],
           "automerge": false,
           "dependencyDashboardApproval": true
+        },
+        {
+          "description": "k3s-bundled components: never touch, they ride k3s upgrades",
+          "matchPackageNames": [
+            "rancher/local-path-provisioner",
+            "rancher/mirrored-coredns/coredns",
+            "rancher/mirrored-metrics-server"
+          ],
+          "enabled": false
+        },
+        {
+          "description": "Critical core: PR opens with changelog but Viktor merges manually (deploy pipeline + SSO + DB operator). Some entries are no-ops if the image isn't pinned in this repo (ArgoCD bootstrap, authentik outpost images inherit chart defaults).",
+          "matchPackageNames": [
+            "gitea/gitea",
+            "quay.io/argoproj/argocd",
+            "ghcr.io/goauthentik/server",
+            "ghcr.io/goauthentik/ldap",
+            "ghcr.io/goauthentik/proxy",
+            "ghcr.io/cloudnative-pg/cloudnative-pg"
+          ],
+          "automerge": false
+        },
+        {
+          "description": "termix: non-semver release- tag",
+          "matchPackageNames": ["ghcr.io/lukegus/termix"],
+          "versioning": "loose",
+          "extractVersion": "^release-(?<version>.+)$"
+        },
+        {
+          "description": "wanderer: db + web update together in one PR",
+          "matchPackageNames": ["flomp/wanderer-db", "flomp/wanderer-web"],
+          "groupName": "wanderer"
         }
       ],
       "labels": ["renovate"]