Commit Graph

894 Commits

Author SHA1 Message Date
admin ef77ab9285 updated wan rules 2026-06-07 11:20:30 +02:00
admin e0fd669f7c fix 2026-06-07 11:15:44 +02:00
admin 877cda7be1 updated configmap 2026-06-07 11:14:48 +02:00
admin 0887848d29 changed linebreak 2026-06-07 11:12:23 +02:00
admin 565c4c8bd0 fixed repo, added prometheus rules 2026-06-07 11:00:31 +02:00
admin 998cd150a1 added wan-monitor 2026-06-07 10:34:41 +02:00
admin 1a1cded065 outlint 1.8.1 2026-06-06 15:44:24 +02:00
admin a66cef8a9e Merge pull request 'feat: migrate seerr from fallenbagel/jellyseerr:preview-OIDC -> seerr-team/seerr:v3.3.0' (#88) from feat/seerr-migrate-to-seerr-team into main 2026-06-06 13:37:22 +00:00
admin d67ec2af65 seerr: migrate fallenbagel/jellyseerr:preview-OIDC -> ghcr.io/seerr-team/seerr:v3.3.0
Switching from the third-party OIDC-capable jellyseerr fork to the
mainline successor project (Seerr - the combined Overseerr+Jellyseerr
team rebrand, v3.0.0 / Feb 2026 onward). Mainline now has native OIDC
support so the custom preview-OIDC build isn't needed.

  - Image    : docker.io/fallenbagel/jellyseerr:preview-OIDC
              -> ghcr.io/seerr-team/seerr:v3.3.0 (Jun 2, 2026)
  - Migration: automatic on first start per docs.seerr.dev/migration-guide;
              existing sqlite db + settings.json in /app/config are
              directly compatible. v3.1.x added CVE-2026-40175 fix +
              auth-related security patches, so v3.3.0 is the right
              floor anyway.
  - Backup   : ~/seerr-backups/seerr-config-20260606-153633.tar.gz on
              dooplex (covers db.sqlite3 + settings.json + logs).
              Rollback = revert image + restore tarball into the PVC.

Worth verifying after rollout:
  - Pod becomes Ready (readiness probe path /api/v1/status -- should
    still exist in seerr).
  - Authentik OIDC sign-in still works. If the custom build used
    different config keys than mainline seerr expects, OIDC may need
    re-configuration in the seerr UI (Authentik side unchanged).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-06 15:37:21 +02:00
admin 6592bfe309 Merge pull request 'feat: sparkyfitness v0.16.6.3 -> v0.16.8 + handle versioning scheme change' (#87) from feat/sparkyfitness-v0.16.8 into main 2026-06-06 13:24:40 +00:00
admin 23b66875e4 sparkyfitness: bump to v0.16.8 + accept both 3- and 4-segment tags
codewithcj changed sparkyfitness versioning on 2026-06-01:
  - Old (through v0.16.6.3 / 2026-05-24): vMAJOR.MINOR.PATCH.BUILD
  - New (from v0.16.7 / 2026-06-01)      : vMAJOR.MINOR.PATCH

Our version-checker regex was `^v\d+\.\d+\.\d+\.\d+$` (4 segments
only), so the new v0.16.7 / v0.16.8 tags were invisible to it. The
"newest matching" became an arbitrarily-chosen old 4-segment tag
(v0.16.5.9 in the latest scan), which then showed up as an "upgrade
to an older version" -- nonsense, but predictable given the filter.

Two changes:
  1. Bump both `codewithcj/sparkyfitness` (frontend) and
     `codewithcj/sparkyfitness_server` (backend) from v0.16.6.3 to
     v0.16.8 (the actual upstream latest).
  2. Loosen the regex to `^v\d+\.\d+\.\d+(\.\d+)?$` so it matches
     both the legacy 4-segment form and the new 3-segment form.
     Once everything's on 3-segment we can tighten it again if we
     want, but the current form is harmless.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-06 15:24:39 +02:00
admin 80750369da Merge pull request 'fix: remove orphan } in renovate config (broke PR #85)' (#86) from fix/renovate-json-fix into main 2026-06-06 13:11:53 +00:00
admin f189a742cd renovate: remove orphan } left by previous cleanup PR (#85)
The previous PR deleted the umami packageRule but left a stray closing
brace after it, which broke the embedded config.json. ArgoCD applied
the manifest as a string (it's a ConfigMap; k8s doesn't validate the
JSON inside data), so the live ConfigMap also has the invalid JSON --
next Renovate run would fail to parse the config.

Removing the orphan brace restores valid JSON. Verified `json.loads`
parses to 3 customManagers + 7 packageRules.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-06 15:11:52 +02:00
admin c973d491ce Merge pull request 'cleanup: drop felhom-system stale copies + fix plex datasource + drop obsolete umami config' (#85) from cleanup/felhom-stale-plex-renovate into main 2026-06-06 13:05:00 +00:00
admin ee93b504fa cleanup: drop stale felhom-system copies + fix plex datasource + remove obsolete umami config
Three coordinated changes, all surfaced by the question "will Renovate
track the manually-bumped packages going forward":

1) Delete `felhom-system/` directory (4 files).
   These were never the source of truth -- the `felhom` ArgoCD app
   pulls from `felhom.eu`, path `manifests`. The copies in this repo
   fell out of sync over time and were misleading. Renovate was about
   to start opening DEAD PRs against them (the customManager below
   targeted `felhom-system/umami.yaml`). Removing the directory is the
   cleanest fix; manual bumps for the real felhom-system manifests go
   into the felhom.eu repo.

2) Fix plex inline `# renovate:` comment in helm/plex/values.yaml.
   It referenced `datasource=custom.plex` but no such customDatasource
   exists in the config -- Renovate would silently skip plex. Switched
   to the standard docker datasource with regex versioning that parses
   `1.X.Y.Z-<hash>` (4 segments + git short-hash suffix, same pattern
   approach as servarr and termix).

3) Remove the now-obsolete umami customManager + packageRule.
   The customManager was for the `postgresql-vX.Y.Z` tag form we've
   abandoned -- the real felhom.eu deployment is on `3.1.0` (plain
   semver). The packageRule disabled the kubernetes manager for the
   umami image to silence its failure on `postgresql-vX.Y.Z`; not
   needed since the default versioning handles `3.X.Y` fine. (Moot
   anyway since Renovate doesn't watch felhom.eu -- but cleanup
   reduces config noise.)

After this PR, Renovate's effective tracking:
  - servarr (sonarr/radarr/prowlarr)      -> YES (customManager)
  - plex                                   -> YES (inline comment, docker)
  - termix                                 -> YES (customManager)
  - umami / filebrowser in felhom.eu      -> NO (different repo, manual)
  - all standard semver/named tags in homelab-manifests -> YES (defaults)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-06 15:04:59 +02:00
admin 6caf521c1f Merge pull request 'feat: bump servarr (sonarr/radarr/prowlarr) + plex image tags' (#84) from feat/servarr-plex-bumps into main 2026-06-06 12:16:25 +00:00
admin 0f2ff3fa52 servarr + plex: bump image tags
  - sonarr     version-4.0.16.2944 -> version-4.0.17.2952  (patch within 4.0.x)
  - radarr×2   version-6.0.4.10291 -> version-6.1.1.10360  (minor within 6.x)
  - prowlarr   version-2.3.0.5236  -> version-2.3.5.5327   (patch within 2.3.x)
  - plex       1.43.0.10467-...    -> 1.43.2.10687-...     (patch within 1.43.x)

All four were stuck because of tag-format issues that I addressed in
PR #82 (servarr customManager) / PR #83. Renovate isn't auto-creating
the PRs yet (DH rate-limit), so doing them manually so version-checker
clears.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-06 14:16:24 +02:00
admin 6f49a21b3d Merge pull request 'fix: re-pin moving tags (filebrowser/umami/recipes) so Renovate can track them' (#83) from fix/moving-tag-repins into main 2026-06-06 11:35:13 +00:00
admin d92d2c31a6 re-pin moving tags so Renovate can track them
Renovate can't propose updates for moving tags (the tag string never
changes; the registry just points it at a different image). These three
were pinned to moving variants:

  felhom-system/webpage.yaml : filebrowser/filebrowser:v2-alpine
  felhom-system/umami.yaml   : ghcr.io/umami-software/umami:postgresql-latest
  tandoor-system/tandoor.yaml: vabene1111/recipes:2.6

Pin each to the current actual version per Viktor's call:
  - filebrowser -> v2.63.13 (matches the other 4 filebrowser pinnings
    in the repo; dropped the `-alpine` variant so Renovate can group
    them via the existing default datasource path)
  - umami       -> postgresql-v1.38.0 (current upstream postgresql
    variant latest; tracked via new customManager below)
  - recipes     -> 2.6.9 (current actual semver of the 2.6 series)

For umami, the `postgresql-vX.Y.Z` tag pattern is rejected by Renovate's
default docker versioning pre-check (same failure class as termix +
linuxserver servarr). Added a customManager regex + packageRule disable
pair so Renovate can track future `postgresql-vX.Y.Z` updates via regex
versioning. filebrowser and recipes use standard semver `X.Y.Z` after
the re-pin and need no special handling.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-06 13:35:12 +02:00
admin 6ca0a7b051 Merge pull request 'fix: version tracking tuning — annotations + linuxserver customManager' (#82) from fix/version-tracking-tuning into main 2026-06-06 11:25:51 +00:00
admin 1d08156d81 version tracking: tune annotations + add customManagers for linuxserver servarr
Several images were showing as outdated in version-checker / unhandled by
Renovate. Each had a distinct cause; this PR fixes the auto-tractable ones.

1) admin-system/renovate.yaml: bump `app.kubernetes.io/version` labels
   `43.197.0 -> 43.209.3` (3 occurrences) to match the live image.
   Renovate's own self-update PR bumped the image tag but left the
   labels stale; the version-checker widget appears to read the label.
   Long-term, this label will drift again on each self-update -- worth
   a customManager later if it becomes a recurring annoyance.

2) admin-system/renovate.yaml: add a customManager + packageRule pair
   for linuxserver servarr apps. Tag pattern is `version-X.Y.Z.B`
   (4 segments + `version-` prefix) which the kubernetes manager's
   default docker versioning rejects at the pre-check, same failure
   class as termix. Regex versioning parses the prefixed 4-segment
   form; the same customManager handles prowlarr/radarr/sonarr (depName
   captured from the regex). kubernetes-manager extraction for these
   three depnames is disabled via packageRule so the dashboard isn't
   cluttered with the failing fallback.

3) nextcloud-system/nextcloud.yaml: add
   `match-regex.version-checker.io/nextcloud: '^\d+\.\d+\.\d+-apache$'`
   so version-checker doesn't treat the bare `33.0.5` server tag as a
   newer version of our `33.0.5-apache` image. The widget was showing
   `33.0.5-apache -> 33.0.5` -- false positive; image is already current.

4) helm/plex/values.yaml: tighten the version-checker regex from
   `^\d+\.\d+\.\d+\.\d+-.*$` to `^\d+\.\d+\.\d+\.\d+-[a-f0-9]+$` so
   per-arch tags (`-armhf`, `-arm64`, ...) are excluded. The widget
   was showing an `-armhf` tag as "newer" than our x86_64 install.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-06 13:25:49 +02:00
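
The tag-filter failures described in the sparkyfitness commit (23b66875e4) and the version-tracking commit (1d08156d81) can be reproduced with the regexes quoted in those messages. This is an added example, not code from this repository or from version-checker. The "newest tag" selection is a simplified numeric comparison assumed for illustration, the helper names are hypothetical, and the plex and nextcloud tag lists are constructed.

```python
import re

# Filters quoted from the commit messages above.
SPARKY_OLD = r"^v\d+\.\d+\.\d+\.\d+$"
SPARKY_NEW = r"^v\d+\.\d+\.\d+(\.\d+)?$"
PLEX_OLD = r"^\d+\.\d+\.\d+\.\d+-.*$"
PLEX_NEW = r"^\d+\.\d+\.\d+\.\d+-[a-f0-9]+$"
NEXTCLOUD = r"^\d+\.\d+\.\d+-apache$"

# sparkyfitness tags are the ones named in the commit; "latest" and the
# plex / nextcloud lists are constructed sample data.
SPARKY_TAGS = ["v0.16.5.9", "v0.16.6.3", "v0.16.7", "v0.16.8", "latest"]
PLEX_TAGS = ["1.40.0.1000-0a1b2c3d", "1.40.1.1100-9f8e7d6c",
             "1.40.2.1200-armhf", "1.40.2.1200-arm64"]
NEXTCLOUD_TAGS = ["33.0.4-apache", "33.0.5-apache", "33.0.5", "33.0.5-fpm"]


def version_key(tag):
    """Sort key: the leading dotted integers (optional 'v' prefix); suffix ignored.
    Tags with no leading version (e.g. 'latest') get an empty key."""
    m = re.match(r"v?(\d+(?:\.\d+)*)", tag)
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()


def visible(tags, pattern):
    """Tags that pass the filter, in registry order."""
    rx = re.compile(pattern)
    return [t for t in tags if rx.match(t)]


def newest_matching(tags, pattern):
    """Highest-versioned tag the filter lets through, or None."""
    candidates = visible(tags, pattern)
    return max(candidates, key=version_key) if candidates else None


def hidden_newer(current, tags, pattern):
    """Tags the filter rejects that are numerically newer than `current`.
    A non-empty result means the filter may be hiding real releases
    (or intentionally excluded variants) and needs a human look."""
    rx = re.compile(pattern)
    cur = version_key(current)
    return [t for t in tags if not rx.match(t) and version_key(t) > cur]


if __name__ == "__main__":
    print("sparky old filter newest:", newest_matching(SPARKY_TAGS, SPARKY_OLD))
    print("sparky new filter newest:", newest_matching(SPARKY_TAGS, SPARKY_NEW))
    print("hidden by old filter    :", hidden_newer("v0.16.6.3", SPARKY_TAGS, SPARKY_OLD))
    print("plex old filter newest  :", newest_matching(PLEX_TAGS, PLEX_OLD))
    print("plex new filter newest  :", newest_matching(PLEX_TAGS, PLEX_NEW))
    print("nextcloud visible       :", visible(NEXTCLOUD_TAGS, NEXTCLOUD))
```

Running `hidden_newer` against the full upstream tag list on a schedule flags a versioning-scheme change as soon as it happens, rather than when a security release has already been missed.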
admin a8c657d554 Merge pull request 'pihole: bump image to 2026.05.0 (dnsmasq CVE security release)' (#81) from feat/pihole-2026.05.0 into main 2026-06-06 10:56:00 +00:00
admin 9e020af94d pihole: bump image to 2026.05.0 (dnsmasq CVE security release)
Pi-hole 2026.05.0 bundles FTL v6.6.2 which imports six upstream dnsmasq
security fixes, covering all publicly disclosed CVEs against the
dnsmasq 2.92/2.93 line. Per the upstream release notes the fixes are
"minimal, self-contained changes to the embedded dnsmasq sources. No
FTL-side configuration or API changes; users should see no observable
behavior change beyond the closed vulnerabilities."

Override the chart's default image.tag in helm/pihole/values.yaml (no
chart version bump). The pihole ArgoCD app is intentionally MANUAL
sync per Viktor's call -- after merge, sync the pihole app from the
ArgoCD UI to roll the pod over.

https://github.com/pi-hole/docker-pi-hole/releases/tag/2026.05.0

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-06 12:55:58 +02:00
admin ec9ae43bee Merge pull request 'termix: manual bump 1.11.2 -> 2.3.2 (Renovate blocked by DH rate-limit)' (#80) from feat/termix-v2.3.2 into main 2026-06-06 09:16:02 +00:00
admin e822b76982 termix: manual bump 1.11.2 -> 2.3.2 (Renovate blocked by DH rate-limit)
Renovate's `Pending Approval` checkbox for the termix v2 major was ticked
on Dashboard #6, but the manual Renovate runs that should have processed
it both aborted on Docker Hub's authenticated rate-limit:

  HTTP 429: You have reached your pull rate limit as 'kisfenyo'

The free DH plan caps authenticated pulls at 100/6h; with ~270 deps in
this repo and the multiple runs we've done today, we've exhausted it.
Renovate's behavior on a host 429 is to abort the entire repository run
(`result: external-host-error`), so no further work — including ticked
dashboard approvals — gets done until the quota window resets.

Rather than wait ~3-4 hours, this PR does the bump by hand. Upstream
ghcr.io/lukegus/termix:release-2.3.2 is verified present (Termix-SSH
GitHub Release of 2026-06-04). Termix is stateless (host/cred config
stored in PocketBase but compatible across release-1 and release-2),
so the rollout should be a straightforward image swap.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-06 11:16:00 +02:00
admin 876b044d0a Merge pull request 'fix: roll back immich-postgres v17 -> v16 (PG major incompat) + gate postgres-family' (#79) from fix/immich-postgres-rollback into main 2026-06-06 09:00:33 +00:00
admin e459b0d262 immich/renovate: roll back immich-postgres v17 -> v16 (PG major datadir incompat) + gate postgres-family images
Renovate PR #76 (merged 2026-06-06 10:48) bumped ghcr.io/immich-app/postgres
from `16-vectorchord0.3.0` to `17-vectorchord0.3.0`. PostgreSQL major
upgrades require pg_upgrade or pg_dump/restore — the new server binary
refuses to open a data directory initialized by the previous major:

  FATAL: database files are incompatible with server
  DETAIL: The data directory was initialized by PostgreSQL version 16,
          which is not compatible with this version 17.6

Both immich-postgres and immich-server (depends on Postgres) went into
CrashLoopBackOff. PVC still holds the v16 datadir.

This PR:
  1. Reverts ghcr.io/immich-app/postgres back to `16-vectorchord0.3.0`
     so immich recovers immediately.
  2. Adds a packageRule with `dependencyDashboardApproval: true` covering
     `postgres`, `postgis/postgis`, and `ghcr.io/immich-app/postgres`.
     Any update to these images is now held on the Dashboard's "Pending
     Approval" section -- Renovate won't even open a PR until the user
     explicitly ticks the box. Forces the migration plan to be made
     BEFORE the change reaches main.

This is the same recovery pattern we just used for meilisearch (PR #77)
-- a class of stateful images where the on-disk format isn't
forward-compatible across version bumps.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-06 11:00:32 +02:00
admin 99bbc31325 Merge pull request 'Update docker.io/library/nextcloud Docker tag to v33.0.5' (#78) from renovate/docker.io-library-nextcloud-33.x into main 2026-06-06 09:00:24 +00:00
Renovate Bot fee5fafeb0 Update docker.io/library/nextcloud Docker tag to v33.0.5
renovate/stability-days Updates have not met minimum release age requirement
2026-06-06 09:00:21 +00:00
admin 25c1baf1c3 Merge pull request 'Update grafana/grafana Docker tag to v13' (#58) from renovate/grafana-grafana-13.x into main
Reviewed-on: #58
2026-06-06 08:56:24 +00:00
admin 184c469c51 Merge pull request 'Update redis Docker tag to v8' (#64) from renovate/redis-8.x into main
Reviewed-on: #64
2026-06-06 08:56:16 +00:00
admin 6291423776 Merge pull request 'Update ghcr.io/cloudnative-pg/cloudnative-pg Docker tag to v1.29.1' (#70) from renovate/ghcr.io-cloudnative-pg-cloudnative-pg-1.x into main
Reviewed-on: #70
2026-06-06 08:56:08 +00:00
admin d063513869 Merge pull request 'Update ghcr.io/immich-app/immich-server Docker tag to v2.7.5' (#74) from renovate/ghcr.io-immich-app-immich-server-2.x into main
Reviewed-on: #74
2026-06-06 08:48:14 +00:00
admin 0cd8a3272d Merge pull request 'Update ghcr.io/immich-app/postgres Docker tag to v17' (#76) from renovate/ghcr.io-immich-app-postgres-17.x into main
Reviewed-on: #76
2026-06-06 08:48:07 +00:00
admin 9de82b7295 Merge pull request 'fix: roll back wanderer meilisearch v1.45.2 -> v1.11.3 (index incompat) + dashboardApproval' (#77) from fix/meilisearch-rollback into main 2026-06-06 08:45:24 +00:00
admin 1338bbb6ae wanderer/renovate: roll back meilisearch v1.45.2 -> v1.11.3 + gate future bumps
Renovate PR #32 (merged 2026-06-06 09:30) bumped getmeili/meilisearch
from v1.11.3 to v1.45.2 under the default-allow + 3-day stability rule.
Meilisearch's on-disk index format is NOT forward-compatible across
that range; wanderer-meilisearch went into CrashLoopBackOff with:

  Error: Your database version (1.11.3) is incompatible with your
  current engine version (1.45.2).

The PVC still holds the v1.11.x index, so the safest immediate recovery
is reverting the image tag. Wanderer's search starts working again the
moment the pod comes up on v1.11.3.

To prevent recurrence, add a packageRule that holds ALL meilisearch
updates behind the dashboard's "Pending Approval" checkbox via
`dependencyDashboardApproval: true`. PRs won't be opened until the
user explicitly approves them on the dashboard, so the version bump
can be planned around the documented dump/restore migration path
(https://www.meilisearch.com/docs/learn/update_and_migration/updating).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-06 10:45:23 +02:00
admin 789c75d253 Merge pull request 'Update codercom/code-server Docker tag to v4.123.0' (#52) from renovate/codercom-code-server-4.x into main
Reviewed-on: #52
2026-06-06 08:36:58 +00:00
admin 3c37d283da Merge pull request 'Update registry.k8s.io/external-dns/external-dns Docker tag to v0.21.0' (#75) from renovate/registry.k8s.io-external-dns-external-dns-0.x into main 2026-06-06 08:33:51 +00:00
Renovate Bot 231d8fd492 Update ghcr.io/immich-app/postgres Docker tag to v17
renovate/stability-days Updates have not met minimum release age requirement
2026-06-06 08:33:50 +00:00
Renovate Bot 6d46261dff Update registry.k8s.io/external-dns/external-dns Docker tag to v0.21.0
renovate/stability-days Updates have not met minimum release age requirement
2026-06-06 08:33:44 +00:00
admin 82c397af2c Merge pull request 'Update ghcr.io/immich-app/immich-machine-learning Docker tag to v2.7.5' (#73) from renovate/ghcr.io-immich-app-immich-machine-learning-2.x into main 2026-06-06 08:33:42 +00:00
Renovate Bot c0acfc338c Update ghcr.io/immich-app/immich-server Docker tag to v2.7.5
renovate/stability-days Updates have not met minimum release age requirement
2026-06-06 08:33:40 +00:00
admin 7956ca930b Merge pull request 'Update ghcr.io/headlamp-k8s/headlamp Docker tag to v0.42.0' (#72) from renovate/ghcr.io-headlamp-k8s-headlamp-0.x into main 2026-06-06 08:33:26 +00:00
Renovate Bot c5887cb6d6 Update ghcr.io/immich-app/immich-machine-learning Docker tag to v2.7.5
renovate/stability-days Updates have not met minimum release age requirement
2026-06-06 08:33:26 +00:00
admin 2d5aca0df3 Merge pull request 'Update ghcr.io/gethomepage/homepage Docker tag to v1.13.1' (#71) from renovate/ghcr.io-gethomepage-homepage-1.x into main 2026-06-06 08:33:23 +00:00
Renovate Bot 56f2622225 Update ghcr.io/headlamp-k8s/headlamp Docker tag to v0.42.0
renovate/stability-days Updates have not met minimum release age requirement
2026-06-06 08:33:22 +00:00
Renovate Bot a3525c7ab6 Update ghcr.io/gethomepage/homepage Docker tag to v1.13.1
renovate/stability-days Updates have not met minimum release age requirement
2026-06-06 08:33:16 +00:00
Renovate Bot e0550cbe54 Update ghcr.io/cloudnative-pg/cloudnative-pg Docker tag to v1.29.1
renovate/stability-days Updates have not met minimum release age requirement
2026-06-06 08:33:11 +00:00
admin f3d0b7e404 Merge pull request 'Update ghcr.io/stakater/reloader Docker tag to v1.4.17' (#69) from renovate/ghcr.io-stakater-reloader-1.x into main 2026-06-06 08:33:11 +00:00
admin 8bc11a6db7 Merge pull request 'Update ghcr.io/paperless-ngx/paperless-ngx Docker tag to v2.20.15' (#68) from renovate/ghcr.io-paperless-ngx-paperless-ngx-2.x into main 2026-06-06 08:33:04 +00:00