Update postgres Docker tag to v18

The previous attempt (inline `# renovate:` comment in termix.yaml) silently
did nothing -- after merge + manual run, the dashboard's
`termix-system/termix.yaml (2)` was the resource count (Deployment +
Ingress), not detected updates. No PRs opened, no termix branches, no
queue entries anywhere.

Root cause: Renovate's `kubernetes` manager does NOT process inline
`# renovate:` comments. Those work for dockerfile/flux/helmfile/github-
actions/helm-values/etc., but kubernetes is missing from that list.

Correct fix: a `customManagers.regex` entry that extracts termix's image
directly with the right datasource/versioning/extractVersion set at
EXTRACTION time -- before any docker-version pre-check can reject the
prefixed tag. Plus a packageRule disabling the kubernetes manager for
termix so it doesn't silently skip the dep and clutter the dashboard.

Changes:
  - admin-system/renovate.yaml:
    * enabledManagers += "custom.regex"
    * customManagers: termix.yaml regex extraction -> github-releases
      datasource on Termix-SSH/Termix with `extractVersion=^release-(?<version>.+)$`
    * packageRules: disable kubernetes manager for ghcr.io/lukegus/termix
  - termix-system/termix.yaml: drop the useless inline comment, leave a
    NOTE explaining where the actual config lives.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

admin-system/renovate.yaml

@@ -46,10 +46,24 @@ data:
       "dependencyDashboardTitle": "Renovate Dependency Dashboard",
       "prHourlyLimit": 16,
       "prConcurrentLimit": 16,
-      "enabledManagers": ["kubernetes", "helm-values"],
+      "enabledManagers": ["kubernetes", "helm-values", "custom.regex"],
       "kubernetes": {
         "managerFilePatterns": ["/.+\\.ya?ml$/"]
       },
+      "customManagers": [
+        {
+          "description": "termix uses a release-X.Y.Z prefixed tag that the kubernetes manager's docker-versioning pre-check rejects (so no PRs are ever created). This customManager extracts the image directly, redirects the version lookup to GitHub Releases at Termix-SSH/Termix (which exposes timestamps the 3-day stability gate needs), and uses extractVersion to strip the `release-` prefix so loose semver can parse it.",
+          "customType": "regex",
+          "managerFilePatterns": ["/termix-system/.+\\.ya?ml$/"],
+          "matchStrings": [
+            "image:\\s+(?<depName>ghcr\\.io/lukegus/termix):(?<currentValue>release-\\d+\\.\\d+\\.\\d+)"
+          ],
+          "datasourceTemplate": "github-releases",
+          "packageNameTemplate": "Termix-SSH/Termix",
+          "versioningTemplate": "loose",
+          "extractVersionTemplate": "^release-(?<version>.+)$"
+        }
+      ],
       "packageRules": [
         {
           "description": "All apps: 3-day stability gate before any PR opens",
@@ -94,6 +108,12 @@ data:
           "description": "wanderer: db + web update together in one PR",
           "matchPackageNames": ["flomp/wanderer-db", "flomp/wanderer-web"],
           "groupName": "wanderer"
+        },
+        {
+          "description": "termix: kubernetes manager would extract the image with versioning=docker and silently skip it (release-1.11.0 fails the docker pre-check). Disable that extraction; customManagers above does the real work via github-releases.",
+          "matchManagers": ["kubernetes"],
+          "matchPackageNames": ["ghcr.io/lukegus/termix"],
+          "enabled": false
         }
       ],
       "labels": ["renovate"]

arcade-system/romm.yaml

@@ -56,7 +56,7 @@ spec:
     spec:
       containers:
         - name: redis
-          image: redis:7.2-alpine
+          image: redis:7.4-alpine
           ports:
             - containerPort: 6379
               name: redis

code-system/code.yaml

@@ -50,7 +50,7 @@ spec:
         fsGroup: 1000
       containers:
         - name: code-server
-          image: codercom/code-server:4.121.0
+          image: codercom/code-server:4.122.1
           args:
             - --bind-addr=0.0.0.0:8080
             - --auth=none

felhom-system/healthchecks.yaml

@@ -48,7 +48,7 @@ spec:
         fsGroup: 999
       containers:
         - name: healthchecks
-          image: healthchecks/healthchecks:v4.0
+          image: healthchecks/healthchecks:v4.2
           ports:
             - containerPort: 8000
           env:

felhom-system/umami.yaml

@@ -85,7 +85,7 @@ spec:
     spec:
       containers:
         - name: postgres
-          image: postgres:16-alpine
+          image: postgres:18-alpine
           ports:
             - containerPort: 5432
           env:
@@ -167,7 +167,7 @@ spec:
       # Wait for DB to be available before starting Umami
       initContainers:
         - name: wait-for-db
-          image: postgres:16-alpine
+          image: postgres:18-alpine
           command:
             - sh
             - -c

glance-system/glance-kisfenyo.yaml

@@ -2746,7 +2746,7 @@ spec:
         fsGroup: 1000
       initContainers:
         - name: build-bookmarks-index
-          image: mikefarah/yq:4.50.1
+          image: mikefarah/yq:4.53.2
           securityContext:
             runAsUser: 1000
             runAsGroup: 1000

glance-system/glance-orsi.yaml

@@ -1372,7 +1372,7 @@ spec:
         fsGroup: 1000
       initContainers:
         - name: build-bookmarks-index
-          image: mikefarah/yq:4.50.1
+          image: mikefarah/yq:4.53.2
           securityContext:
             runAsUser: 1000
             runAsGroup: 1000

helm/plex/values.yaml

@@ -123,7 +123,7 @@ initContainer:
     registry: index.docker.io
     repository: alpine
     # -- If unset use latest
-    tag: "3.22"
+    tag: "3.23"
     sha: ""
     pullPolicy: IfNotPresent
 
@@ -181,7 +181,7 @@ rclone:
     registry: index.docker.io
     repository: rclone/rclone
     # -- If unset use latest
-    tag: 1.70.3
+    tag: 1.74.2
     sha: ""
     pullPolicy: IfNotPresent
 

immich-system/immich.yaml

@@ -416,7 +416,7 @@ spec:
               value: http://immich-machine-learning:3003
             - name: REDIS_HOSTNAME
               value: immich-valkey
-          image: docker.io/valkey/valkey:9.0-alpine@sha256:d1cc70645bbcef743615463a2fa4616e841407545e18f560aed0c49671a90147
+          image: docker.io/valkey/valkey:9.1-alpine@sha256:a35428eba9043cc0b79dbe54100f0c92784f2de00ad09b01182bfb1c5c83d1bd
           imagePullPolicy: IfNotPresent
           livenessProbe:
             exec:

jarrs-system/jarr-dev.yaml

@@ -81,7 +81,7 @@ spec:
         fsGroup: 999
       containers:
         - name: postgres
-          image: postgres:16-alpine
+          image: postgres:18-alpine
           imagePullPolicy: IfNotPresent
           env:
             - name: POSTGRES_USER

mon-system/monitoring.yaml

@@ -348,7 +348,7 @@ spec:
     spec:
       containers:
         - name: prometheus
-          image: prom/prometheus:v3.9.1
+          image: prom/prometheus:v3.12.0
           args:
             - --config.file=/etc/prometheus/prometheus.yml
             - --storage.tsdb.path=/prometheus
@@ -529,7 +529,7 @@ spec:
         runAsGroup: 472
       containers:
         - name: grafana
-          image: grafana/grafana:12.3.2
+          image: grafana/grafana:12.4.4
           ports:
             - containerPort: 3000
               name: http

nextcloud-system/nextcloud.yaml

@@ -552,7 +552,7 @@ spec:
             failureThreshold: 3
       initContainers:
         - name: postgresql-isready
-          image: docker.io/bitnamilegacy/postgresql:17.5.0-debian-12-r3
+          image: docker.io/bitnamilegacy/postgresql:17.6.0-debian-12-r3
           resources: {}
           securityContext: {}
           env:
@@ -637,7 +637,7 @@ spec:
       hostIPC: false
       containers:
         - name: postgresql
-          image: docker.io/bitnamilegacy/postgresql:17.5.0-debian-12-r3
+          image: docker.io/bitnamilegacy/postgresql:17.6.0-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false

office-system/onlyoffice.yaml

@@ -27,7 +27,7 @@ spec:
     spec:
       containers:
         - name: onlyoffice
-          image: onlyoffice/documentserver:9.0.2
+          image: onlyoffice/documentserver:9.4.0
           imagePullPolicy: IfNotPresent
           env:
             - name: TZ

orsi-system/filebrowser.yaml

@@ -89,7 +89,7 @@ spec:
       initContainers:
         # Configure proxy auth in database before starting
         - name: configure-auth
-          image: filebrowser/filebrowser:v2.54.0
+          image: filebrowser/filebrowser:v2.63.5
           command:
             - sh
             - -c
@@ -109,7 +109,7 @@ spec:
             runAsGroup: 1001
       containers:
         - name: filebrowser
-          image: filebrowser/filebrowser:v2.54.0
+          image: filebrowser/filebrowser:v2.63.5
           command:
             - filebrowser
             - --database=/config/filebrowser.db

outline-system/outline.yaml

@@ -31,7 +31,7 @@ spec:
     spec:
       containers:
         - name: outline
-          image: outlinewiki/outline:1.4.0
+          image: outlinewiki/outline:1.8.0
           imagePullPolicy: IfNotPresent
           env:
             - name: NODE_ENV

plantit-system/plantit.yaml

@@ -121,7 +121,7 @@ spec:
     spec:
       containers:
         - name: redis
-          image: redis:7.2.1
+          image: redis:7.4.9
           ports:
             - containerPort: 6379
               name: redis

servarr-system/servarr.yaml

@@ -244,7 +244,7 @@ spec:
     spec:
       containers:
         - name: qbittorrent
-          image: linuxserver/qbittorrent:5.1.4
+          image: linuxserver/qbittorrent:5.2.1
           imagePullPolicy: IfNotPresent
           env:
             - name: PUID

termix-system/termix.yaml

@@ -41,7 +41,10 @@ spec:
     spec:
       containers:
         - name: termix
-          # renovate: datasource=github-releases depName=Termix-SSH/Termix versioning=loose extractVersion=^release-(?<version>.+)$
+          # NOTE: termix uses a non-semver tag pattern (release-X.Y.Z).
+          # Renovate handles it via a customManagers regex defined in
+          # admin-system/renovate.yaml (the kubernetes manager doesn't
+          # process inline `# renovate:` comments).
           image: ghcr.io/lukegus/termix:release-1.11.0
           imagePullPolicy: IfNotPresent
           ports:

uptimekuma-system/uptimekuma.yaml

@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
         - name: uptimekuma
-          image: louislam/uptime-kuma:2.3.2
+          image: louislam/uptime-kuma:2.4.0
           imagePullPolicy: IfNotPresent
           env:
             - name: TZ

wanderer-system/wanderer.yaml

@@ -57,7 +57,7 @@ spec:
     spec:
       containers:
         - name: meilisearch
-          image: getmeili/meilisearch:v1.11.3
+          image: getmeili/meilisearch:v1.45.2
           env:
             - name: MEILI_MASTER_KEY
               valueFrom:

web-system/web.yaml

@@ -130,7 +130,7 @@ spec:
       initContainers:
         # Configure proxy auth in database before starting
         - name: configure-auth
-          image: filebrowser/filebrowser:v2.54.0
+          image: filebrowser/filebrowser:v2.63.5
           command:
             - sh
             - -c
@@ -151,7 +151,7 @@ spec:
             runAsGroup: 1000
       containers:
         - name: filebrowser
-          image: filebrowser/filebrowser:v2.54.0
+          image: filebrowser/filebrowser:v2.63.5
           command:
             - filebrowser
             - --database=/config/filebrowser.db
@@ -324,7 +324,7 @@ spec:
             runAsUser: 0
       containers:
         - name: nginx
-          image: nginx:1.27-alpine
+          image: nginx:1.31-alpine
           ports:
             - containerPort: 8080
               name: http

workout-system/sparkyfitness.yaml

@@ -69,7 +69,7 @@ spec:
         fsGroup: 999
       containers:
         - name: postgres
-          image: postgres:15-alpine
+          image: postgres:18-alpine
           env:
             - name: POSTGRES_USER
               valueFrom: