renovate: termix via customManagers (kubernetes manager doesn't honor inline comments)

The previous attempt (inline `# renovate:` comment in termix.yaml) silently
did nothing -- after merge + manual run, the dashboard's
`termix-system/termix.yaml (2)` was the resource count (Deployment +
Ingress), not detected updates. No PRs opened, no termix branches, no
queue entries anywhere.

Root cause: Renovate's `kubernetes` manager does NOT process inline
`# renovate:` comments. Those work for dockerfile/flux/helmfile/github-
actions/helm-values/etc., but kubernetes is missing from that list.

Correct fix: a `customManagers.regex` entry that extracts termix's image
directly with the right datasource/versioning/extractVersion set at
EXTRACTION time -- before any docker-version pre-check can reject the
prefixed tag. Plus a packageRule disabling the kubernetes manager for
termix so it doesn't silently skip the dep and clutter the dashboard.

Changes:
  - admin-system/renovate.yaml:
    * enabledManagers += "custom.regex"
    * customManagers: termix.yaml regex extraction -> github-releases
      datasource on Termix-SSH/Termix with `extractVersion=^release-(?<version>.+)$`
    * packageRules: disable kubernetes manager for ghcr.io/lukegus/termix
  - termix-system/termix.yaml: drop the useless inline comment, leave a
    NOTE explaining where the actual config lives.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

actualbudget-system/actualbudget.yaml

@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
         - name: actualbudget
-          image: actualbudget/actual-server:26.2.0
+          image: actualbudget/actual-server:26.6.0
           imagePullPolicy: IfNotPresent
           env:
             - name: TZ

admin-system/renovate.yaml

@@ -44,12 +44,26 @@ data:
       "requireConfig": "optional",
       "dependencyDashboard": true,
       "dependencyDashboardTitle": "Renovate Dependency Dashboard",
-      "prHourlyLimit": 8,
-      "prConcurrentLimit": 8,
-      "enabledManagers": ["kubernetes", "helm-values"],
+      "prHourlyLimit": 16,
+      "prConcurrentLimit": 16,
+      "enabledManagers": ["kubernetes", "helm-values", "custom.regex"],
       "kubernetes": {
         "managerFilePatterns": ["/.+\\.ya?ml$/"]
       },
+      "customManagers": [
+        {
+          "description": "termix uses a release-X.Y.Z prefixed tag that the kubernetes manager's docker-versioning pre-check rejects (so no PRs are ever created). This customManager extracts the image directly, redirects the version lookup to GitHub Releases at Termix-SSH/Termix (which exposes timestamps the 3-day stability gate needs), and uses extractVersion to strip the `release-` prefix so loose semver can parse it.",
+          "customType": "regex",
+          "managerFilePatterns": ["/termix-system/.+\\.ya?ml$/"],
+          "matchStrings": [
+            "image:\\s+(?<depName>ghcr\\.io/lukegus/termix):(?<currentValue>release-\\d+\\.\\d+\\.\\d+)"
+          ],
+          "datasourceTemplate": "github-releases",
+          "packageNameTemplate": "Termix-SSH/Termix",
+          "versioningTemplate": "loose",
+          "extractVersionTemplate": "^release-(?<version>.+)$"
+        }
+      ],
       "packageRules": [
         {
           "description": "All apps: 3-day stability gate before any PR opens",
@@ -90,17 +104,16 @@ data:
           ],
           "automerge": false
         },
-        {
-          "description": "termix: use github-releases as datasource (ghcr.io OCI manifest for this image lacks the release timestamp Renovate needs for the stability gate; GitHub Releases at Termix-SSH/Termix expose proper timestamps so the 3-day gate works as intended). regex versioning parses the release-X.Y.Z prefix. Renovate still writes the new tag to the same ghcr.io/lukegus/termix image (the registry hosts every release).",
-          "matchPackageNames": ["ghcr.io/lukegus/termix"],
-          "datasource": "github-releases",
-          "packageName": "Termix-SSH/Termix",
-          "versioning": "regex:^release-(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)$"
-        },
         {
           "description": "wanderer: db + web update together in one PR",
           "matchPackageNames": ["flomp/wanderer-db", "flomp/wanderer-web"],
           "groupName": "wanderer"
+        },
+        {
+          "description": "termix: kubernetes manager would extract the image with versioning=docker and silently skip it (release-1.11.0 fails the docker pre-check). Disable that extraction; customManagers above does the real work via github-releases.",
+          "matchManagers": ["kubernetes"],
+          "matchPackageNames": ["ghcr.io/lukegus/termix"],
+          "enabled": false
         }
       ],
       "labels": ["renovate"]

immich-system/immich.yaml

@@ -416,7 +416,7 @@ spec:
               value: http://immich-machine-learning:3003
             - name: REDIS_HOSTNAME
               value: immich-valkey
-          image: docker.io/valkey/valkey:9.0-alpine@sha256:b4ee67d73e00393e712accc72cfd7003b87d0fcd63f0eba798b23251bfc9c394
+          image: docker.io/valkey/valkey:9.0-alpine@sha256:d1cc70645bbcef743615463a2fa4616e841407545e18f560aed0c49671a90147
           imagePullPolicy: IfNotPresent
           livenessProbe:
             exec:

nextcloud-system/nextcloud.yaml

@@ -395,7 +395,7 @@ spec:
     spec:
       containers:
         - name: nextcloud
-          image: docker.io/library/nextcloud:32.0.2-apache
+          image: docker.io/library/nextcloud:32.0.10-apache
           imagePullPolicy: IfNotPresent
           env:
             - name: SMTP_HOST

termix-system/termix.yaml

@@ -41,6 +41,10 @@ spec:
     spec:
       containers:
         - name: termix
+          # NOTE: termix uses a non-semver tag pattern (release-X.Y.Z).
+          # Renovate handles it via a customManagers regex defined in
+          # admin-system/renovate.yaml (the kubernetes manager doesn't
+          # process inline `# renovate:` comments).
           image: ghcr.io/lukegus/termix:release-1.11.0
           imagePullPolicy: IfNotPresent
           ports: