diff --git a/admin-system/renovate.yaml b/admin-system/renovate.yaml
index 3934443..49f099c 100644
--- a/admin-system/renovate.yaml
+++ b/admin-system/renovate.yaml
@@ -44,92 +44,63 @@ data: "requireConfig": "optional", "dependencyDashboard": true, "dependencyDashboardTitle": "Renovate Dependency Dashboard", - "prHourlyLimit": 0, - "prConcurrentLimit": 0, + "prHourlyLimit": 8, + "prConcurrentLimit": 8, "enabledManagers": ["kubernetes", "helm-values"], "kubernetes": { "managerFilePatterns": ["/.+\\.ya?ml$/"] }, "packageRules": [ { - "description": "Default-deny everything", + "description": "All apps: 3-day stability gate before any PR opens", "matchPackageNames": ["*"], - "enabled": false - }, - { - "description": "Tier 1: enable updates for low-risk leaf apps", - "matchPackageNames": [ - "ghcr.io/thomiceli/opengist", - "louislam/uptime-kuma", - "f0rc3/gokapi", - "docker.io/calcom/cal.com", - "advplyr/audiobookshelf", - "arcadiatechnology/crafty-4", - "codercom/code-server", - "ghcr.io/gethomepage/homepage", - "ghcr.io/headlamp-k8s/headlamp", - "prom/node-exporter", - "rommapp/romm", - "ghcr.io/stakater/reloader", - "privatebin/nginx-fpm-alpine", - "flomp/wanderer-db", - "flomp/wanderer-web", - "registry.k8s.io/kube-state-metrics/kube-state-metrics", - "ghcr.io/lukegus/termix" - ], - "enabled": true - }, - { - "description": "Tier 1: automerge minor/patch after 3-day stability window", - "matchPackageNames": [ - "ghcr.io/thomiceli/opengist", - "louislam/uptime-kuma", - "f0rc3/gokapi", - "docker.io/calcom/cal.com", - "advplyr/audiobookshelf", - "arcadiatechnology/crafty-4", - "codercom/code-server", - "ghcr.io/gethomepage/homepage", - "ghcr.io/headlamp-k8s/headlamp", - "prom/node-exporter", - "rommapp/romm", - "ghcr.io/stakater/reloader", - "privatebin/nginx-fpm-alpine", - "flomp/wanderer-db", - "flomp/wanderer-web", - "registry.k8s.io/kube-state-metrics/kube-state-metrics", - "ghcr.io/lukegus/termix" - ], - "matchUpdateTypes": ["minor", "patch"], - "automerge": true, - "automergeType": "pr", - "platformAutomerge": true, "minimumReleaseAge": "3 days" }, { - "description": "Tier 1: major bumps require dashboard approval (no 
automerge)", - "matchPackageNames": [ - "ghcr.io/thomiceli/opengist", - "louislam/uptime-kuma", - "f0rc3/gokapi", - "docker.io/calcom/cal.com", - "advplyr/audiobookshelf", - "arcadiatechnology/crafty-4", - "codercom/code-server", - "ghcr.io/gethomepage/homepage", - "ghcr.io/headlamp-k8s/headlamp", - "prom/node-exporter", - "rommapp/romm", - "ghcr.io/stakater/reloader", - "privatebin/nginx-fpm-alpine", - "flomp/wanderer-db", - "flomp/wanderer-web", - "registry.k8s.io/kube-state-metrics/kube-state-metrics", - "ghcr.io/lukegus/termix" - ], + "description": "Auto-merge minor/patch after the stability window", + "matchUpdateTypes": ["minor", "patch"], + "automerge": true, + "automergeType": "pr", + "platformAutomerge": true + }, + { + "description": "Major bumps wait for dashboard approval (catches breaking/schema migrations)", "matchUpdateTypes": ["major"], "automerge": false, "dependencyDashboardApproval": true + }, + { + "description": "k3s-bundled components: never touch, they ride k3s upgrades", + "matchPackageNames": [ + "rancher/local-path-provisioner", + "rancher/mirrored-coredns/coredns", + "rancher/mirrored-metrics-server" + ], + "enabled": false + }, + { + "description": "Critical core: PR opens with changelog but Viktor merges manually (deploy pipeline + SSO + DB operator). Some entries are no-ops if the image isn't pinned in this repo (ArgoCD bootstrap, authentik outpost images inherit chart defaults).", + "matchPackageNames": [ + "gitea/gitea", + "quay.io/argoproj/argocd", + "ghcr.io/goauthentik/server", + "ghcr.io/goauthentik/ldap", + "ghcr.io/goauthentik/proxy", + "ghcr.io/cloudnative-pg/cloudnative-pg" + ], + "automerge": false + }, + { + "description": "termix: use github-releases as datasource (ghcr.io OCI manifest for this image lacks the release timestamp Renovate needs for the stability gate; GitHub Releases at Termix-SSH/Termix expose proper timestamps so the 3-day gate works as intended). regex versioning parses the release-X.Y.Z prefix. 
Renovate still writes the new tag to the same ghcr.io/lukegus/termix image (the registry hosts every release).", + "matchPackageNames": ["ghcr.io/lukegus/termix"], + "datasource": "github-releases", + "packageName": "Termix-SSH/Termix", + "versioning": "regex:^release-(?\\d+)\\.(?\\d+)\\.(?\\d+)$" + }, + { + "description": "wanderer: db + web update together in one PR", + "matchPackageNames": ["flomp/wanderer-db", "flomp/wanderer-web"], + "groupName": "wanderer" } ], "labels": ["renovate"] diff --git a/argocd-apps/homelab.yaml b/argocd-apps/homelab.yaml index df0df2a..56cad1d 100644 --- a/argocd-apps/homelab.yaml +++ b/argocd-apps/homelab.yaml @@ -47,6 +47,8 @@ spec: server: https://kubernetes.default.svc namespace: servarr-system syncPolicy: + automated: + enabled: true # Start with manual sync until you're comfortable # automated: # prune: true @@ -82,6 +84,8 @@ spec: server: https://kubernetes.default.svc namespace: paperless-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -104,6 +108,8 @@ spec: server: https://kubernetes.default.svc namespace: actualbudget-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -126,6 +132,8 @@ spec: server: https://kubernetes.default.svc namespace: audiobookshelf-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -148,6 +156,8 @@ spec: server: https://kubernetes.default.svc namespace: bookstack-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -170,6 +180,8 @@ spec: server: https://kubernetes.default.svc namespace: immich-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -214,6 +226,8 @@ spec: server: https://kubernetes.default.svc namespace: nextcloud-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true 
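Review bot: With the default-deny rule removed, `"minimumReleaseAge": "3 days"` on the catch-all rule is the only control between an upstream publish and an auto-merged minor/patch PR for every image outside the "Critical core" list, and the termix rule's own description says ghcr.io manifests can lack the release timestamp that gate depends on. Confirm how the Renovate version in use treats a package with no timestamp; recent releases have a `minimumReleaseAgeBehaviour` option for this, and the gate should fail closed (no automerge) rather than be skipped. The rules also track mutable tags, so `"pinDigests": true` on the catch-all rule is worth considering so that a merged PR records the exact image that was reviewed. As rendered here the versioning regex reads `(?\\d+)`, which is not a valid group; the committed file presumably carries the named groups `major`, `minor` and `patch`, but that should be checked. The `packageRules` array sits inside a config object that starts before this hunk.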
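Review bot: The servarr-system hunk turns on automated sync but leaves `# Start with manual sync until you're comfortable` and the commented-out `# automated:` block directly beneath it, so the file now contradicts itself; replace the comment with something like `# Auto-sync enabled; prune/selfHeal intentionally left off`. The same two added lines repeat in the other Application hunks of this file, including vaultwarden-system, nextcloud-system, paperless-system and immich-system. Combined with the Renovate automerge rule in admin-system/renovate.yaml, a minor or patch image bump for any of them could reach the cluster with no human step, assuming their images are pinned in this repo. If those stateful or secret-holding apps are meant to keep a manual gate, they need an entry in the Renovate "Critical core" list or no `automated` block here. Also confirm the installed Argo CD version recognises `automated.enabled`, which is a recent addition to the Application spec; each Application definition begins outside its hunk.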
@@ -236,6 +250,8 @@ spec: server: https://kubernetes.default.svc namespace: outline-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -258,6 +274,8 @@ spec: server: https://kubernetes.default.svc namespace: tandoor-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -280,6 +298,8 @@ spec: server: https://kubernetes.default.svc namespace: uptimekuma-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -302,6 +322,8 @@ spec: server: https://kubernetes.default.svc namespace: vaultwarden-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -369,6 +391,8 @@ spec: server: https://kubernetes.default.svc namespace: pihole-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true @@ -397,6 +421,8 @@ spec: server: https://kubernetes.default.svc namespace: mediaserver-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true --- @@ -418,6 +444,8 @@ spec: server: https://kubernetes.default.svc namespace: calibre-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -440,6 +468,8 @@ spec: server: https://kubernetes.default.svc namespace: adventurelog-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -592,6 +622,8 @@ spec: server: https://kubernetes.default.svc namespace: termix-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -614,6 +646,8 @@ spec: server: https://kubernetes.default.svc namespace: privatebin-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true 
@@ -636,6 +670,8 @@ spec: server: https://kubernetes.default.svc namespace: headlamp-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -658,6 +694,8 @@ spec: server: https://kubernetes.default.svc namespace: homepage-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -680,6 +718,8 @@ spec: server: https://kubernetes.default.svc namespace: code-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -702,6 +742,8 @@ spec: server: https://kubernetes.default.svc namespace: plantit-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -724,6 +766,8 @@ spec: server: https://kubernetes.default.svc namespace: fileshare-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -746,6 +790,8 @@ spec: server: https://kubernetes.default.svc namespace: arcade-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -768,6 +814,8 @@ spec: server: https://kubernetes.default.svc namespace: workout-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -790,6 +838,8 @@ spec: server: https://kubernetes.default.svc namespace: wanderer-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -812,6 +862,8 @@ spec: server: https://kubernetes.default.svc namespace: opengist-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -834,6 +886,8 @@ spec: server: https://kubernetes.default.svc namespace: zipline-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true 
@@ -856,6 +910,8 @@ spec: server: https://kubernetes.default.svc namespace: crafty-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -878,6 +934,8 @@ spec: server: https://kubernetes.default.svc namespace: booking-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -900,6 +958,8 @@ spec: server: https://kubernetes.default.svc namespace: web-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -922,6 +982,8 @@ spec: server: https://kubernetes.default.svc namespace: control-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -944,6 +1006,8 @@ spec: server: https://kubernetes.default.svc namespace: glance-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - PruneLast=true @@ -967,6 +1031,10 @@ spec: server: https://kubernetes.default.svc namespace: version-checker-system syncPolicy: + automated: + enabled: true + prune: true + selfHeal: true syncOptions: - CreateNamespace=true - ServerSideApply=true @@ -1033,6 +1101,8 @@ spec: server: https://kubernetes.default.svc namespace: orsi-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - ServerSideApply=true @@ -1075,6 +1145,8 @@ spec: server: https://kubernetes.default.svc namespace: kisfenyo-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - ServerSideApply=true @@ -1096,6 +1168,8 @@ spec: server: https://kubernetes.default.svc namespace: office-system syncPolicy: + automated: + enabled: true syncOptions: - CreateNamespace=true - ServerSideApply=true @@ -1118,6 +1192,10 @@ spec: server: https://kubernetes.default.svc namespace: jarrs-system syncPolicy: + automated: + enabled: true + prune: true + selfHeal: true syncOptions: - CreateNamespace=true - PruneLast=true
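Review bot: Only the version-checker-system and jarrs-system hunks add `prune: true` and `selfHeal: true`; every other Application in this change gets `automated.enabled` alone, and nothing in the file records why these two differ. Without `selfHeal`, an out-of-band edit to a live object in the other namespaces is not reverted until the next Git change, so drift, including an unauthorised change, can persist unnoticed. With `prune: true`, a commit that drops a manifest deletes the live resource on the next sync with no confirmation. Either align the policy across the apps or add a one-line comment above each exception, for example `# stateless: safe to prune and self-heal`.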