homelab-manifests

admin/homelab-manifests

Fork 0

Commit Graph

Author	SHA1	Message	Date
admin	c308c0a85e	renovate: default-allow + codify ArgoCD auto-sync in git Two coordinated changes — open PR only, do NOT merge until dry-run passes. 1) admin-system/renovate.yaml: flip packageRules from Tier 1 allowlist to default-allow with safety gates. Adds prHourlyLimit=8 + prConcurrentLimit=8 to throttle the first wave. New rules (7 total, order-sensitive): - "*" : 3-day stability gate (minimumReleaseAge) - minor/patch : automerge via platformAutomerge - major : dependencyDashboardApproval (manual gate) - k3s-bundled (3 images) : disabled (ride k3s upgrades) - critical-core (6 imgs) : automerge=false (Viktor merges manually) - gitea/gitea, ghcr.io/goauthentik/{server,ldap,proxy}, ghcr.io/cloudnative-pg/cloudnative-pg, quay.io/argoproj/argocd - ArgoCD + authentik /ldap and /proxy are no-ops (not pinned in repo) - termix : versioning=loose, extractVersion for "release-X.Y.Z" - wanderer-db + -web : groupName=wanderer (one PR, prevents file race) enabledManagers unchanged ([kubernetes, helm-values]) — keeps Helmfile- managed infra invisible. 2) argocd-apps/homelab.yaml: codify per-app auto-sync intent in git (currently lives only on live CRs via UI — DR risk). - 35 existing bare-AUTO apps: add `automated: {enabled: true}` (matches live). - jarr, version-checker: add `automated: {enabled: true, prune: true, selfHeal: true}` (flipping MANUAL -> AUTO so Renovate merges deploy). - Untouched: admin-tools, authentik, cnpg-operator, root-apps (already have strict automated in git); monitoring, infrastructure, felhom, gitea, pihole, database-system (explicitly kept MANUAL per Viktor). NOTE: root-apps does NOT enforce syncPolicy.automated drift between git and live, so jarr + version-checker will also need a one-off kubectl patch after merge to actually become AUTO live. Done in go-live step. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-05 07:07:39 +02:00
admin	454cce9691	renovate: expand to Tier 1 allowlist + 3-day stability delay Grows the Renovate pilot from 4 apps to a 16-app Tier 1 allowlist of low-risk leaf apps (no DBs / schema migrations). packageRules keeps the same 4-rule shape (default-deny, enable, automerge-minor/patch, major-dashboard-approval) with the expanded package list in all three Tier 1 rules. Behavior changes: - minimumReleaseAge "3 days" on the automerge rule: Renovate won't open a minor/patch PR until the tag has been published upstream for 3 days (stability gate; chosen over branch protection, which would disable automerge entirely). Image-string corrections vs. the planned list (Renovate matches the exact image as written in the manifest; verified against the YAML): - homepage -> ghcr.io/gethomepage/homepage (had no registry) - reloader -> ghcr.io/stakater/reloader (had no registry) - termix -> ghcr.io/lukegus/termix (had no registry) Notes: - registry.k8s.io/kube-state-metrics/kube-state-metrics is kept in the list but currently matches nothing: ksm has no image in this repo (only a Prometheus scrape target), so it's a harmless no-op until ksm is ever deployed via a manifest here. - ghcr.io/lukegus/termix uses a non-semver tag (release-1.11.0); watch whether Renovate categorizes its updates as minor/patch. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-27 22:00:49 +02:00
admin	05de03d1d3	admin-system: add Renovate Bot pilot (CronJob + config) Self-hosted Renovate as a weekly CronJob (Sun 04:00 Europe/Budapest) opening dependency-update PRs against admin/homelab-manifests on Gitea. Pilot is deliberately narrow: - Only the kubernetes + helm-values managers are enabled. - Default-deny packageRule; only four images may update: opengist, uptime-kuma, gokapi, cal.com. - minor/patch -> PR with Gitea native auto-merge (platformAutomerge). - major -> held for manual approval via Dependency Dashboard checkbox. Image pinned to renovate/renovate:43.197.0 (the plain tag is the minimal image; the -slim suffix was retired upstream after v37.440.x). Stateless: no Service/Ingress/PVC. Read-only root FS with a 2Gi /tmp emptyDir for git clones + cache. Secrets from existing renovate-secrets. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-27 21:27:35 +02:00

Author

SHA1

Message

Date

admin

c308c0a85e

renovate: default-allow + codify ArgoCD auto-sync in git

Two coordinated changes — open PR only, do NOT merge until dry-run passes.

1) admin-system/renovate.yaml: flip packageRules from Tier 1 allowlist to
   default-allow with safety gates. Adds prHourlyLimit=8 + prConcurrentLimit=8
   to throttle the first wave. New rules (7 total, order-sensitive):
   - "*"                    : 3-day stability gate (minimumReleaseAge)
   - minor/patch            : automerge via platformAutomerge
   - major                  : dependencyDashboardApproval (manual gate)
   - k3s-bundled (3 images) : disabled (ride k3s upgrades)
   - critical-core (6 imgs) : automerge=false (Viktor merges manually)
     - gitea/gitea, ghcr.io/goauthentik/{server,ldap,proxy},
       ghcr.io/cloudnative-pg/cloudnative-pg, quay.io/argoproj/argocd
     - ArgoCD + authentik /ldap and /proxy are no-ops (not pinned in repo)
   - termix                 : versioning=loose, extractVersion for "release-X.Y.Z"
   - wanderer-db + -web     : groupName=wanderer (one PR, prevents file race)
   enabledManagers unchanged ([kubernetes, helm-values]) — keeps Helmfile-
   managed infra invisible.

2) argocd-apps/homelab.yaml: codify per-app auto-sync intent in git
   (currently lives only on live CRs via UI — DR risk).
   - 35 existing bare-AUTO apps: add `automated: {enabled: true}` (matches live).
   - jarr, version-checker: add `automated: {enabled: true, prune: true,
     selfHeal: true}` (flipping MANUAL -> AUTO so Renovate merges deploy).
   - Untouched: admin-tools, authentik, cnpg-operator, root-apps (already
     have strict automated in git); monitoring, infrastructure, felhom,
     gitea, pihole, database-system (explicitly kept MANUAL per Viktor).
   NOTE: root-apps does NOT enforce syncPolicy.automated drift between git
   and live, so jarr + version-checker will also need a one-off kubectl
   patch after merge to actually become AUTO live. Done in go-live step.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-06-05 07:07:39 +02:00

admin

454cce9691

renovate: expand to Tier 1 allowlist + 3-day stability delay

Grows the Renovate pilot from 4 apps to a 16-app Tier 1 allowlist of
low-risk leaf apps (no DBs / schema migrations). packageRules keeps the
same 4-rule shape (default-deny, enable, automerge-minor/patch,
major-dashboard-approval) with the expanded package list in all three
Tier 1 rules.

Behavior changes:
- minimumReleaseAge "3 days" on the automerge rule: Renovate won't open
  a minor/patch PR until the tag has been published upstream for 3 days
  (stability gate; chosen over branch protection, which would disable
  automerge entirely).

Image-string corrections vs. the planned list (Renovate matches the
exact image as written in the manifest; verified against the YAML):
- homepage  -> ghcr.io/gethomepage/homepage   (had no registry)
- reloader  -> ghcr.io/stakater/reloader      (had no registry)
- termix    -> ghcr.io/lukegus/termix         (had no registry)

Notes:
- registry.k8s.io/kube-state-metrics/kube-state-metrics is kept in the
  list but currently matches nothing: ksm has no image in this repo
  (only a Prometheus scrape target), so it's a harmless no-op until ksm
  is ever deployed via a manifest here.
- ghcr.io/lukegus/termix uses a non-semver tag (release-1.11.0); watch
  whether Renovate categorizes its updates as minor/patch.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-27 22:00:49 +02:00

admin

05de03d1d3

admin-system: add Renovate Bot pilot (CronJob + config)

Self-hosted Renovate as a weekly CronJob (Sun 04:00 Europe/Budapest)
opening dependency-update PRs against admin/homelab-manifests on Gitea.

Pilot is deliberately narrow:
- Only the kubernetes + helm-values managers are enabled.
- Default-deny packageRule; only four images may update:
  opengist, uptime-kuma, gokapi, cal.com.
- minor/patch -> PR with Gitea native auto-merge (platformAutomerge).
- major -> held for manual approval via Dependency Dashboard checkbox.

Image pinned to renovate/renovate:43.197.0 (the plain tag is the
minimal image; the -slim suffix was retired upstream after v37.440.x).
Stateless: no Service/Ingress/PVC. Read-only root FS with a 2Gi /tmp
emptyDir for git clones + cache. Secrets from existing renovate-secrets.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-27 21:27:35 +02:00

3 Commits