outline 1.8.1

seerr: migrate fallenbagel/jellyseerr:preview-OIDC -> ghcr.io/seerr-team/seerr:v3.3.0
Switching from the third-party OIDC-capable jellyseerr fork to the mainline successor project (Seerr - the combined Overseerr+Jellyseerr team rebrand, v3.0.0 / Feb 2026 onward). Mainline now has native OIDC support so the custom preview-OIDC build isn't needed. - Image : docker.io/fallenbagel/jellyseerr:preview-OIDC -> ghcr.io/seerr-team/seerr:v3.3.0 (Jun 2, 2026) - Migration: automatic on first start per docs.seerr.dev/migration-guide; existing sqlite db + settings.json in /app/config are directly compatible. v3.1.x added CVE-2026-40175 fix + auth-related security patches, so v3.3.0 is the right floor anyway. - Backup : ~/seerr-backups/seerr-config-20260606-153633.tar.gz on dooplex (covers db.sqlite3 + settings.json + logs). Rollback = revert image + restore tarball into the PVC. Worth verifying after rollout: - Pod becomes Ready (readiness probe path /api/v1/status -- should still exist in seerr). - Authentik OIDC sign-in still works. If the custom build used different config keys than mainline seerr expects, OIDC may need re-configuration in the seerr UI (Authentik side unchanged). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-06 15:42:47 +02:00 · 2026-06-06 15:37:21 +02:00 · 2026-06-06 13:24:40 +00:00 · 2026-06-06 15:24:39 +02:00 · 2026-06-06 13:11:53 +00:00 · 2026-06-06 15:11:52 +02:00
43 changed files with 304 additions and 1003 deletions
@@ -30,7 +30,7 @@ spec:
    spec:
      containers:
        - name: actualbudget
-          image: actualbudget/actual-server:26.2.0
+          image: actualbudget/actual-server:26.6.0
          imagePullPolicy: IfNotPresent
          env:
            - name: TZ
@@ -6,7 +6,7 @@
 #        -slim suffix was retired after v37.440.x, so we pin the plain tag)
 #
 # PILOT SCOPE (intentionally narrow):
-#   Runs weekly (Sun 04:00 Europe/Budapest) as a CronJob and opens
+#   Runs weekly (Sat 02:00 Europe/Budapest) as a CronJob and opens
 #   dependency-update PRs against admin/homelab-manifests on Gitea.
 #   Only the `kubernetes` and `helm-values` managers are enabled, and a
 #   default-deny packageRule limits updates to exactly four pilot images:
@@ -44,12 +44,37 @@ data:
      "requireConfig": "optional",
      "dependencyDashboard": true,
      "dependencyDashboardTitle": "Renovate Dependency Dashboard",
-      "prHourlyLimit": 8,
-      "prConcurrentLimit": 8,
-      "enabledManagers": ["kubernetes", "helm-values"],
+      "prHourlyLimit": 16,
+      "prConcurrentLimit": 16,
+      "enabledManagers": ["kubernetes", "helm-values", "custom.regex"],
      "kubernetes": {
        "managerFilePatterns": ["/.+\\.ya?ml$/"]
      },
+      "customManagers": [
+        {
+          "description": "termix: docker image tag is `release-X.Y.Z` but the upstream GitHub release tag_name is `release-X.Y.Z-tag` (different from the release name). regex versioning parses currentValue (no -tag); extractVersion strips the -tag suffix from candidate tag_names so they normalize to the same shape Renovate writes back to the manifest.",
+          "customType": "regex",
+          "managerFilePatterns": ["/termix-system/.+\\.ya?ml$/"],
+          "matchStrings": [
+            "image:\\s+(?<depName>ghcr\\.io/lukegus/termix):(?<currentValue>release-\\d+\\.\\d+\\.\\d+)"
+          ],
+          "datasourceTemplate": "github-releases",
+          "packageNameTemplate": "Termix-SSH/Termix",
+          "versioningTemplate": "regex:^release-(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)$",
+          "extractVersionTemplate": "^(?<version>release-\\d+\\.\\d+\\.\\d+)"
+        },
+        {
+          "description": "linuxserver servarr apps (prowlarr, radarr, sonarr) use tag pattern `version-X.Y.Z.B` (4 segments + `version-` prefix). The kubernetes manager's default docker versioning rejects them at the pre-check (same failure class as termix), so no PRs ever open. Use regex versioning to parse the prefixed 4-segment form; depName is captured from the regex so the same customManager handles all three apps.",
+          "customType": "regex",
+          "managerFilePatterns": ["/servarr-system/.+\\.ya?ml$/"],
+          "matchStrings": [
+            "image:\\s+linuxserver/(?<depName>prowlarr|radarr|sonarr):(?<currentValue>version-\\d+\\.\\d+\\.\\d+\\.\\d+)"
+          ],
+          "datasourceTemplate": "docker",
+          "packageNameTemplate": "linuxserver/{{depName}}",
+          "versioningTemplate": "regex:^version-(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)\\.(?<build>\\d+)$"
+        }
+      ],
      "packageRules": [
        {
          "description": "All apps: 3-day stability gate before any PR opens",
@@ -90,17 +115,40 @@ data:
          ],
          "automerge": false
        },
-        {
-          "description": "termix: use github-releases as datasource (ghcr.io OCI manifest for this image lacks the release timestamp Renovate needs for the stability gate; GitHub Releases at Termix-SSH/Termix expose proper timestamps so the 3-day gate works as intended). regex versioning parses the release-X.Y.Z prefix. Renovate still writes the new tag to the same ghcr.io/lukegus/termix image (the registry hosts every release).",
-          "matchPackageNames": ["ghcr.io/lukegus/termix"],
-          "datasource": "github-releases",
-          "packageName": "Termix-SSH/Termix",
-          "versioning": "regex:^release-(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)$"
-        },
        {
          "description": "wanderer: db + web update together in one PR",
          "matchPackageNames": ["flomp/wanderer-db", "flomp/wanderer-web"],
          "groupName": "wanderer"
+        },
+        {
+          "description": "meilisearch: every version bump can require an index format migration via dump/restore (see https://www.meilisearch.com/docs/learn/update_and_migration/updating). PR #32 (v1.11.3 -> v1.45.2) on 2026-06-06 broke wanderer with `Your database version (1.11.3) is incompatible with your current engine version (1.45.2)`. Hold ALL meilisearch updates behind dashboard approval so the migration is planned before the PR even opens.",
+          "matchPackageNames": ["getmeili/meilisearch"],
+          "dependencyDashboardApproval": true
+        },
+        {
+          "description": "Postgres-family images: a major bump (e.g. 16 -> 17) requires pg_upgrade or dump/restore — the new server binary refuses to open the old data directory (`database files are incompatible with server`). PR #76 (immich-app/postgres 16 -> 17) on 2026-06-06 crashlooped immich-postgres and immich-server. Renovate's docker versioning treats these custom tag formats inconsistently, so don't trust the major/minor classification: hold ALL updates for these images behind explicit dashboard approval. Includes vanilla postgres, postgis/postgis (where the tag prefix IS the pg major), and ghcr.io/immich-app/postgres (custom `N-vectorchordX.Y.Z` form).",
+          "matchPackageNames": [
+            "postgres",
+            "postgis/postgis",
+            "ghcr.io/immich-app/postgres"
+          ],
+          "dependencyDashboardApproval": true
+        },
+        {
+          "description": "termix: kubernetes manager would extract the image with versioning=docker and silently skip it (release-1.11.0 fails the docker pre-check). Disable that extraction; customManagers above does the real work via github-releases.",
+          "matchManagers": ["kubernetes"],
+          "matchPackageNames": ["ghcr.io/lukegus/termix"],
+          "enabled": false
+        },
+        {
+          "description": "linuxserver servarr apps: same disable pattern as termix. The customManager above handles extraction with the right versioning; turn off the default kubernetes-manager extraction so it doesn't silently skip + clutter the dashboard.",
+          "matchManagers": ["kubernetes"],
+          "matchPackageNames": [
+            "linuxserver/prowlarr",
+            "linuxserver/radarr",
+            "linuxserver/sonarr"
+          ],
+          "enabled": false
        }
      ],
      "labels": ["renovate"]
@@ -114,9 +162,11 @@ metadata:
  labels:
    app.kubernetes.io/instance: renovate
    app.kubernetes.io/name: renovate
-    app.kubernetes.io/version: "43.197.0"
+    app.kubernetes.io/version: "43.209.3"
 spec:
-  schedule: "0 4 * * 0"
+  # Sat 02:00 Europe/Budapest — leaves the full weekend for troubleshooting
+  # if a Renovate-merged update breaks something.
+  schedule: "0 2 * * 6"
  timeZone: "Europe/Budapest"
  concurrencyPolicy: Forbid
  successfulJobsHistoryLimit: 3
@@ -127,14 +177,14 @@ spec:
      labels:
        app.kubernetes.io/instance: renovate
        app.kubernetes.io/name: renovate
-        app.kubernetes.io/version: "43.197.0"
+        app.kubernetes.io/version: "43.209.3"
    spec:
      template:
        metadata:
          labels:
            app.kubernetes.io/instance: renovate
            app.kubernetes.io/name: renovate
-            app.kubernetes.io/version: "43.197.0"
+            app.kubernetes.io/version: "43.209.3"
          annotations:
            # Renovate uses plain X.Y.Z semver tags (no -slim suffix anymore)
            match-regex.version-checker.io/renovate: '^\d+\.\d+\.\d+$'
@@ -143,7 +193,7 @@ spec:
          restartPolicy: OnFailure
          containers:
            - name: renovate
-              image: renovate/renovate:43.197.0
+              image: renovate/renovate:43.209.3
              imagePullPolicy: IfNotPresent
              envFrom:
                - secretRef:
@@ -90,7 +90,7 @@ spec:
      dnsPolicy: ClusterFirstWithHostNet
      containers:
        - name: tailscale
-          image: tailscale/tailscale:v1.94.1
+          image: tailscale/tailscale:v1.98.4
          imagePullPolicy: IfNotPresent
          env:
            - name: TZ
@@ -56,7 +56,7 @@ spec:
    spec:
      containers:
        - name: redis
-          image: redis:7.2-alpine
+          image: redis:8.8-alpine
          ports:
            - containerPort: 6379
              name: redis
@@ -96,7 +96,7 @@ spec:
        fsGroup: 1000
      initContainers:
        - name: init-config
-          image: busybox:1.36
+          image: busybox:1.38
          command:
            - sh
            - -c
@@ -54,7 +54,7 @@ spec:
    spec:
      containers:
        - name: audiobookshelf
-          image: advplyr/audiobookshelf:2.35.0
+          image: advplyr/audiobookshelf:2.35.1
          imagePullPolicy: IfNotPresent
          env:
            - name: TZ
@@ -77,7 +77,7 @@ spec:
    spec:
      containers:
        - name: redis
-          image: redis:7-alpine
+          image: redis:8-alpine
          imagePullPolicy: IfNotPresent
          args:
            - redis-server
@@ -168,7 +168,7 @@ spec:
      initContainers:
        # Wait for PostgreSQL
        - name: wait-for-db
-          image: busybox:1.36
+          image: busybox:1.38
          command:
            - sh
            - -c
@@ -181,7 +181,7 @@ spec:
              echo "PostgreSQL is ready!"
        # Wait for Redis
        - name: wait-for-redis
-          image: busybox:1.36
+          image: busybox:1.38
          command:
            - sh
            - -c
@@ -175,7 +175,7 @@ spec:
    spec:
      containers:
        - name: bookstack
-          image: linuxserver/bookstack:25.12.3
+          image: linuxserver/bookstack:26.05.20260601
          imagePullPolicy: IfNotPresent
          env:
            # LinuxServer.io specific
@@ -50,7 +50,7 @@ spec:
        fsGroup: 1000
      containers:
        - name: code-server
-          image: codercom/code-server:4.121.0
+          image: codercom/code-server:4.123.0
          args:
            - --bind-addr=0.0.0.0:8080
            - --auth=none
@@ -169,7 +169,7 @@ spec:
          type: RuntimeDefault
      containers:
      - name: reloader
-        image: ghcr.io/stakater/reloader:v1.4.12
+        image: ghcr.io/stakater/reloader:v1.4.17
        imagePullPolicy: IfNotPresent
        env:
        - name: GOMAXPROCS
@@ -57,7 +57,7 @@ replicaCount: 1
 # Image configuration (optional - use defaults)
 image:
  repository: ghcr.io/cloudnative-pg/cloudnative-pg
-  tag: 1.28.1
+  tag: 1.29.1

 # Service configuration
 service:
@@ -1,142 +0,0 @@
-# Contact Mailer - Lightweight email sender for felhom.eu contact form
-# Uses Resend.com API for transactional email delivery.
-#
-# PREREQUISITES:
-#   1. Build and push the container image:
-#      docker build -t contact-mailer:latest .
-#      # Option A: Push to Gitea registry (if configured):
-#      #   docker tag contact-mailer:latest gitea.felhom.eu/felhom/contact-mailer:latest
-#      #   docker push gitea.felhom.eu/felhom/contact-mailer:latest
-#      # Option B: Import directly into k3s (single node):
-#      #   docker save contact-mailer:latest | sudo k3s ctr images import -
-#
-#   2. Create the Secret with your Resend API key:
-#      kubectl create secret generic contact-mailer-config \
-#        --namespace=felhom-system \
-#        --from-literal=RESEND_API_KEY='re_xxxxxxxxxxxx'
-#
-#   3. Apply this manifest:
-#      kubectl apply -f contact-mailer.yaml
-#
-#   4. Test:
-#      # Health check:
-#      curl https://felhom.eu/api/healthz
-#      # Send test email (only works if DEBUG=true):
-#      curl -X POST https://felhom.eu/api/debug/test
-#
-#   5. Update contact form endpoint in kapcsolat.html:
-#      CONFIG.formEndpoint = '/api/contact';
-#
-# DEBUGGING:
-#   kubectl logs -n felhom-system deploy/contact-mailer -f
-#   kubectl exec -it -n felhom-system deploy/contact-mailer -- wget -qO- http://localhost:8080/healthz
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: contact-mailer
-  namespace: felhom-system
-  labels:
-    app: contact-mailer
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: contact-mailer
-  template:
-    metadata:
-      labels:
-        app: contact-mailer
-    spec:
-      containers:
-        - name: contact-mailer
-          image: contact-mailer:latest
-          # Use 'Never' for locally imported images, 'Always' for registry
-          imagePullPolicy: Never
-          ports:
-            - containerPort: 8080
-          env:
-            - name: RESEND_API_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: contact-mailer-config
-                  key: RESEND_API_KEY
-            - name: FROM_EMAIL
-              value: "Felhom.eu <noreply@felhom.eu>"
-            - name: TO_EMAIL
-              value: "info@felhom.eu"
-            - name: ALLOWED_ORIGIN
-              value: "https://felhom.eu"
-            - name: TZ
-              value: "Europe/Budapest"
-            # Set to "true" to enable /debug/test endpoint
-            - name: DEBUG
-              value: "false"
-          resources:
-            requests:
-              memory: "16Mi"
-              cpu: "5m"
-            limits:
-              memory: "64Mi"
-              cpu: "100m"
-          livenessProbe:
-            httpGet:
-              path: /healthz
-              port: 8080
-            initialDelaySeconds: 5
-            periodSeconds: 30
-          readinessProbe:
-            httpGet:
-              path: /healthz
-              port: 8080
-            initialDelaySeconds: 3
-            periodSeconds: 10
-          securityContext:
-            runAsNonRoot: true
-            runAsUser: 1000
-            readOnlyRootFilesystem: true
-            allowPrivilegeEscalation: false
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: contact-mailer
-  namespace: felhom-system
-spec:
-  selector:
-    app: contact-mailer
-  ports:
-    - port: 80
-      targetPort: 8080
---
-# Ingress: routes felhom.eu/api/* to the contact mailer
-# This is a SEPARATE ingress from the website - nginx-ingress merges them
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: contact-mailer
-  namespace: felhom-system
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-    # Allow larger uploads for attachments
-    nginx.ingress.kubernetes.io/proxy-body-size: "25m"
-    # Timeout for large file uploads
-    nginx.ingress.kubernetes.io/proxy-read-timeout: "60"
-    nginx.ingress.kubernetes.io/proxy-send-timeout: "60"
-spec:
-  ingressClassName: nginx-internal
-  tls:
-    - hosts:
-        - felhom.eu
-      secretName: felhom-webpage-tls
-  rules:
-    - host: felhom.eu
-      http:
-        paths:
-          - path: /api
-            pathType: Prefix
-            backend:
-              service:
-                name: contact-mailer
-                port:
-                  number: 80
@@ -1,194 +0,0 @@
-# Healthchecks - Self-hosted cron/backup monitoring with dead man's switch
-# Dashboard: https://status.felhom.eu
-# Ping endpoint: https://status.felhom.eu/ping/<uuid>
-#
-# Customer servers ping this after successful backup.
-# If a ping is missed, Healthchecks sends email alerts.
-#
-# After deploying, create superuser:
-#   kubectl exec -it -n felhom-system deploy/healthchecks -- python manage.py createsuperuser
-#
-# SMTP: Configure the Secret below with your email provider credentials.
-#   Recommended free options:
-#   - Resend.com (3000 emails/month free, easy setup)
-#   - Brevo/Sendinblue (300 emails/day free)
-#   - SMTP2GO (1000 emails/month free)
---
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: healthchecks-data
-  namespace: felhom-system
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: longhorn
-  resources:
-    requests:
-      storage: 1Gi
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: healthchecks
-  namespace: felhom-system
-  labels:
-    app: healthchecks
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: healthchecks
-  template:
-    metadata:
-      labels:
-        app: healthchecks
-    spec:
-      securityContext:
-        fsGroup: 999
-      containers:
-        - name: healthchecks
-          image: healthchecks/healthchecks:v4.0
-          ports:
-            - containerPort: 8000
-          env:
-            # --- Site settings ---
-            - name: SITE_ROOT
-              value: "https://status.felhom.eu"
-            - name: SITE_NAME
-              value: "Felhom Monitoring"
-            - name: ALLOWED_HOSTS
-              value: "status.felhom.eu"
-            - name: PING_ENDPOINT
-              value: "https://status.felhom.eu/ping/"
-            - name: DEBUG
-              value: "False"
-            - name: REGISTRATION_OPEN
-              value: "False"
-            - name: DB
-              value: "sqlite"
-            - name: DB_NAME
-              value: "/data/hc.sqlite"
-            - name: TZ
-              value: "Europe/Budapest"
-
-            # --- Secrets (from Secret) ---
-            - name: SECRET_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: healthchecks-config
-                  key: SECRET_KEY
-            - name: SUPERUSER_EMAIL
-              valueFrom:
-                secretKeyRef:
-                  name: healthchecks-config
-                  key: SUPERUSER_EMAIL
-            - name: SUPERUSER_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: healthchecks-config
-                  key: SUPERUSER_PASSWORD
-            - name: EMAIL_HOST
-              valueFrom:
-                secretKeyRef:
-                  name: healthchecks-config
-                  key: EMAIL_HOST
-            - name: EMAIL_PORT
-              valueFrom:
-                secretKeyRef:
-                  name: healthchecks-config
-                  key: EMAIL_PORT
-            - name: EMAIL_HOST_USER
-              valueFrom:
-                secretKeyRef:
-                  name: healthchecks-config
-                  key: EMAIL_HOST_USER
-            - name: EMAIL_HOST_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: healthchecks-config
-                  key: EMAIL_HOST_PASSWORD
-            - name: EMAIL_USE_TLS
-              valueFrom:
-                secretKeyRef:
-                  name: healthchecks-config
-                  key: EMAIL_USE_TLS
-            - name: EMAIL_USE_VERIFICATION
-              valueFrom:
-                secretKeyRef:
-                  name: healthchecks-config
-                  key: EMAIL_USE_VERIFICATION
-            - name: DEFAULT_FROM_EMAIL
-              valueFrom:
-                secretKeyRef:
-                  name: healthchecks-config
-                  key: DEFAULT_FROM_EMAIL
-          volumeMounts:
-            - name: data
-              mountPath: /data
-          resources:
-            requests:
-              memory: "128Mi"
-              cpu: "50m"
-            limits:
-              memory: "512Mi"
-              cpu: "500m"
-          livenessProbe:
-            httpGet:
-              path: /api/v3/status/
-              port: 8000
-              httpHeaders:
-                - name: Host
-                  value: status.felhom.eu
-            initialDelaySeconds: 30
-            periodSeconds: 60
-          readinessProbe:
-            httpGet:
-              path: /api/v3/status/
-              port: 8000
-              httpHeaders:
-                - name: Host
-                  value: status.felhom.eu
-            initialDelaySeconds: 10
-            periodSeconds: 10
-      volumes:
-        - name: data
-          persistentVolumeClaim:
-            claimName: healthchecks-data
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: healthchecks
-  namespace: felhom-system
-spec:
-  selector:
-    app: healthchecks
-  ports:
-    - port: 80
-      targetPort: 8000
---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: healthchecks
-  namespace: felhom-system
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-spec:
-  ingressClassName: nginx-internal
-  tls:
-    - hosts:
-        - status.felhom.eu
-      secretName: healthchecks-tls
-  rules:
-    - host: status.felhom.eu
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: healthchecks
-                port:
-                  number: 80
@@ -1,288 +0,0 @@
-# Umami v3 - Privacy-focused web analytics for felhom.eu
-# Dashboard: https://stats.felhom.eu
-# Tracking: Add <script> tag to website HTML pages (see bottom of file)
-#
-# Umami v3 requires PostgreSQL (no SQLite/MySQL support).
-# This manifest deploys a dedicated small PostgreSQL instance alongside Umami
-# to keep it self-contained within the felhom-system namespace.
-#
-# PREREQUISITES:
-#   1. Create the Secret with credentials:
-#      APP_SECRET: Random string for session encryption (generate with: openssl rand -hex 32)
-#      POSTGRES_PASSWORD: Database password (generate with: openssl rand -hex 16)
-#
-#      kubectl create secret generic umami-config \
-#        --namespace=felhom-system \
-#        --from-literal=APP_SECRET="$(openssl rand -hex 32)" \
-#        --from-literal=POSTGRES_PASSWORD="$(openssl rand -hex 16)"
-#
-#   2. Apply this manifest:
-#      kubectl apply -f umami.yaml
-#
-#   3. Wait for pods to be ready (~30-60 seconds for first start, DB init):
-#      kubectl get pods -n felhom-system -l app=umami -w
-#      kubectl get pods -n felhom-system -l app=umami-db -w
-#
-#   4. Login at https://stats.felhom.eu
-#      Default credentials: admin / umami
-#      ⚠️  CHANGE THE PASSWORD IMMEDIATELY after first login!
-#
-#   5. Add your website in Umami:
-#      Settings → Websites → Add website → Name: "felhom.eu", Domain: "felhom.eu"
-#      Copy the tracking code and add it to your HTML pages (see bottom of file).
-#
-# DEBUGGING:
-#   kubectl logs -n felhom-system deploy/umami -f
-#   kubectl logs -n felhom-system deploy/umami-db -f
-#   kubectl exec -it -n felhom-system deploy/umami -- wget -qO- http://localhost:3000/api/heartbeat
-#   kubectl exec -it -n felhom-system deploy/umami-db -- pg_isready -U umami
-#
-# BACKUP:
-#   # Dump the database:
-#   kubectl exec -n felhom-system deploy/umami-db -- pg_dump -U umami umami > umami-backup-$(date +%Y%m%d).sql
-#   # Restore:
-#   cat umami-backup-YYYYMMDD.sql | kubectl exec -i -n felhom-system deploy/umami-db -- psql -U umami umami
-
-# =============================================================================
-# PERSISTENT STORAGE
-# =============================================================================
---
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: umami-db-data
-  namespace: felhom-system
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: longhorn
-  resources:
-    requests:
-      storage: 2Gi
-
-# =============================================================================
-# POSTGRESQL - Dedicated database for Umami
-# =============================================================================
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: umami-db
-  namespace: felhom-system
-  labels:
-    app: umami-db
-spec:
-  replicas: 1
-  strategy:
-    type: Recreate
-  selector:
-    matchLabels:
-      app: umami-db
-  template:
-    metadata:
-      labels:
-        app: umami-db
-    spec:
-      containers:
-        - name: postgres
-          image: postgres:16-alpine
-          ports:
-            - containerPort: 5432
-          env:
-            - name: POSTGRES_DB
-              value: "umami"
-            - name: POSTGRES_USER
-              value: "umami"
-            - name: POSTGRES_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: umami-config
-                  key: POSTGRES_PASSWORD
-            - name: PGDATA
-              value: "/var/lib/postgresql/data/pgdata"
-          volumeMounts:
-            - name: data
-              mountPath: /var/lib/postgresql/data
-          resources:
-            requests:
-              memory: "64Mi"
-              cpu: "25m"
-            limits:
-              memory: "256Mi"
-              cpu: "500m"
-          livenessProbe:
-            exec:
-              command:
-                - pg_isready
-                - -U
-                - umami
-            initialDelaySeconds: 15
-            periodSeconds: 30
-          readinessProbe:
-            exec:
-              command:
-                - pg_isready
-                - -U
-                - umami
-            initialDelaySeconds: 5
-            periodSeconds: 10
-      volumes:
-        - name: data
-          persistentVolumeClaim:
-            claimName: umami-db-data
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: umami-db
-  namespace: felhom-system
-spec:
-  selector:
-    app: umami-db
-  ports:
-    - port: 5432
-      targetPort: 5432
-
-# =============================================================================
-# UMAMI - Web Analytics Application
-# =============================================================================
---
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: umami
-  namespace: felhom-system
-  labels:
-    app: umami
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: umami
-  template:
-    metadata:
-      labels:
-        app: umami
-    spec:
-      # Wait for DB to be available before starting Umami
-      initContainers:
-        - name: wait-for-db
-          image: postgres:16-alpine
-          command:
-            - sh
-            - -c
-            - |
-              echo "Waiting for PostgreSQL to be ready..."
-              until pg_isready -h umami-db -p 5432 -U umami; do
-                echo "  ...still waiting"
-                sleep 2
-              done
-              echo "PostgreSQL is ready!"
-          resources:
-            requests:
-              memory: "16Mi"
-              cpu: "5m"
-            limits:
-              memory: "32Mi"
-              cpu: "50m"
-      containers:
-        - name: umami
-          image: ghcr.io/umami-software/umami:postgresql-latest
-          ports:
-            - containerPort: 3000
-          env:
-            - name: POSTGRES_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: umami-config
-                  key: POSTGRES_PASSWORD
-            - name: DATABASE_URL
-              value: "postgresql://umami:$(POSTGRES_PASSWORD)@umami-db:5432/umami"
-            - name: APP_SECRET
-              valueFrom:
-                secretKeyRef:
-                  name: umami-config
-                  key: APP_SECRET
-            # Disable Umami's own telemetry
-            - name: DISABLE_TELEMETRY
-              value: "1"
-            - name: TZ
-              value: "Europe/Budapest"
-          resources:
-            requests:
-              memory: "128Mi"
-              cpu: "50m"
-            limits:
-              memory: "512Mi"
-              cpu: "500m"
-          livenessProbe:
-            httpGet:
-              path: /api/heartbeat
-              port: 3000
-            initialDelaySeconds: 30
-            periodSeconds: 30
-          readinessProbe:
-            httpGet:
-              path: /api/heartbeat
-              port: 3000
-            initialDelaySeconds: 15
-            periodSeconds: 10
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: umami
-  namespace: felhom-system
-spec:
-  selector:
-    app: umami
-  ports:
-    - port: 80
-      targetPort: 3000
---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: umami
-  namespace: felhom-system
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-spec:
-  ingressClassName: nginx-internal
-  tls:
-    - hosts:
-        - stats.felhom.eu
-      secretName: umami-tls
-  rules:
-    - host: stats.felhom.eu
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: umami
-                port:
-                  number: 80
-
-# =============================================================================
-# TRACKING SCRIPT - Add to your HTML pages
-# =============================================================================
-#
-# After deploying and creating your website in Umami, add this to every page's
-# <head> section (replace WEBSITE_ID with the ID from Umami dashboard):
-#
-#   <script defer src="https://stats.felhom.eu/script.js" data-website-id="YOUR-WEBSITE-ID"></script>
-#
-# The script is <2KB, async/deferred, cookie-free, and GDPR compliant.
-# No cookie consent banner needed!
-#
-# TIP: Since your HTML files are managed via FileBrowser, you can add the
-# script tag to all pages at once. Add it right before </head> in:
-#   - index.html
-#   - alkalmazasok.html
-#   - technologiak.html
-#   - gyik.html
-#   - kapcsolat.html
-#   - biztonsagimentes.html (if exists)
-#   - Any other pages
@@ -1,286 +0,0 @@
-# FileBrowser + Webpage deployment for felhom.eu
---
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: felhom-website-content
-  namespace: felhom-system
-spec:
-  accessModes:
-    - ReadWriteMany
-  storageClassName: longhorn
-  resources:
-    requests:
-      storage: 1Gi
---
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: filebrowser-db
-  namespace: felhom-system
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: longhorn
-  resources:
-    requests:
-      storage: 100Mi
---
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: filebrowser-config
-  namespace: felhom-system
-data:
-  .filebrowser.json: |
-    {
-      "port": 8080,
-      "baseURL": "",
-      "address": "0.0.0.0",
-      "log": "stdout",
-      "database": "/database/filebrowser.db",
-      "root": "/srv"
-    }
---
-# ===================
-# NGINX CONFIG FOR CLEAN URLs
-# ===================
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: nginx-config
-  namespace: felhom-system
-data:
-  default.conf: |
-    server {
-        listen 80;
-        server_name _;
-        root /usr/share/nginx/html;
-        index index.html;
-
-        # Enable clean URLs - serve .html files without extension
-        location / {
-            try_files $uri $uri.html $uri/ =404;
-        }
-
-        # Cache static assets
-        location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg|woff|woff2)$ {
-            expires 7d;
-            add_header Cache-Control "public, immutable";
-        }
-
-        # Security headers
-        add_header X-Frame-Options "SAMEORIGIN" always;
-        add_header X-Content-Type-Options "nosniff" always;
-
-        # Error pages
-        error_page 404 /404.html;
-        error_page 500 502 503 504 /50x.html;
-    }
---
-# ===================
-# FILEBROWSER
-# ===================
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: filebrowser
-  namespace: felhom-system
-  labels:
-    app: filebrowser
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: filebrowser
-  template:
-    metadata:
-      labels:
-        app: filebrowser
-    spec:
-      containers:
-        - name: filebrowser
-          image: filebrowser/filebrowser:v2-alpine
-          ports:
-            - containerPort: 8080
-          volumeMounts:
-            - name: website-content
-              mountPath: /srv
-            - name: database
-              mountPath: /database
-            - name: config
-              mountPath: /.filebrowser.json
-              subPath: .filebrowser.json
-          resources:
-            requests:
-              memory: "64Mi"
-              cpu: "50m"
-            limits:
-              memory: "256Mi"
-              cpu: "500m"
-          livenessProbe:
-            httpGet:
-              path: /health
-              port: 8080
-            initialDelaySeconds: 10
-            periodSeconds: 30
-          readinessProbe:
-            httpGet:
-              path: /health
-              port: 8080
-            initialDelaySeconds: 5
-            periodSeconds: 10
-      volumes:
-        - name: website-content
-          persistentVolumeClaim:
-            claimName: felhom-website-content
-        - name: database
-          persistentVolumeClaim:
-            claimName: filebrowser-db
-        - name: config
-          configMap:
-            name: filebrowser-config
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: filebrowser
-  namespace: felhom-system
-spec:
-  selector:
-    app: filebrowser
-  ports:
-    - port: 80
-      targetPort: 8080
---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: filebrowser
-  namespace: felhom-system
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
-spec:
-  ingressClassName: nginx-internal
-  tls:
-    - hosts:
-        - files.felhom.eu
-      secretName: filebrowser-tls
-  rules:
-    - host: files.felhom.eu
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: filebrowser
-                port:
-                  number: 80
---
-# ===================
-# WEBPAGE (nginx)
-# ===================
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: felhom-webpage
-  namespace: felhom-system
-  labels:
-    app: felhom-webpage
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: felhom-webpage
-  template:
-    metadata:
-      labels:
-        app: felhom-webpage
-    spec:
-      containers:
-        - name: nginx
-          image: nginx:alpine
-          ports:
-            - containerPort: 80
-          volumeMounts:
-            - name: website-content
-              mountPath: /usr/share/nginx/html
-            - name: nginx-config
-              mountPath: /etc/nginx/conf.d/default.conf
-              subPath: default.conf
-          resources:
-            requests:
-              memory: "32Mi"
-              cpu: "10m"
-            limits:
-              memory: "128Mi"
-              cpu: "200m"
-          livenessProbe:
-            httpGet:
-              path: /
-              port: 80
-            initialDelaySeconds: 5
-            periodSeconds: 30
-          readinessProbe:
-            httpGet:
-              path: /
-              port: 80
-            initialDelaySeconds: 3
-            periodSeconds: 10
-      volumes:
-        - name: website-content
-          persistentVolumeClaim:
-            claimName: felhom-website-content
-        - name: nginx-config
-          configMap:
-            name: nginx-config
---
-apiVersion: v1
-kind: Service
-metadata:
-  name: felhom-webpage
-  namespace: felhom-system
-spec:
-  selector:
-    app: felhom-webpage
-  ports:
-    - port: 80
-      targetPort: 80
---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: felhom-webpage
-  namespace: felhom-system
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-spec:
-  ingressClassName: nginx-internal
-  tls:
-    - hosts:
-        - felhom.eu
-        - www.felhom.eu
-      secretName: felhom-webpage-tls
-  rules:
-    - host: felhom.eu
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: felhom-webpage
-                port:
-                  number: 80
-    - host: www.felhom.eu
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: felhom-webpage
-                port:
-                  number: 80
@@ -32,7 +32,7 @@ spec:
    spec:
      initContainers:
        - name: init-directories
-          image: busybox:1.36
+          image: busybox:1.38
          command:
            - sh
            - -c
@@ -44,7 +44,7 @@ spec:
              mountPath: /data
      containers:
        - name: gitea
-          image: gitea/gitea:1.25.4
+          image: gitea/gitea:1.26.2
          imagePullPolicy: IfNotPresent
          env:
            - name: USER_UID
@@ -1384,7 +1384,7 @@ spec:
        # Calendar iCal URLs (JSON object: {"name": "url", ...})
        - name: CALENDAR_ICAL_URLS
          value: '{"Órák": "https://calendar.google.com/calendar/ical/b2884faf3db792ac082a6206057552c79080716efd5f966e169a41fc500e1c1c%40group.calendar.google.com/private-0998d8053909ba4449c2f0a6409ce3de/basic.ics", "Családi": "https://calendar.google.com/calendar/ical/nitq3l0if4gn54k438obat5ia0%40group.calendar.google.com/private-59afcf70fee1a798ec369b86d9883b46/basic.ics"}'
-        image: python:3.12-bookworm
+        image: python:3.14-bookworm
        imagePullPolicy: IfNotPresent
        name: glance-helper
        ports:
@@ -2746,7 +2746,7 @@ spec:
        fsGroup: 1000
      initContainers:
        - name: build-bookmarks-index
-          image: mikefarah/yq:4.50.1
+          image: mikefarah/yq:4.53.2
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
@@ -2787,7 +2787,7 @@ spec:
              mountPath: /app/assets
      containers:
        - name: glance
-          image: glanceapp/glance:v0.8.4
+          image: glanceapp/glance:v0.8.5
          imagePullPolicy: IfNotPresent
          env:
            - name: TZ
@@ -1372,7 +1372,7 @@ spec:
        fsGroup: 1000
      initContainers:
        - name: build-bookmarks-index
-          image: mikefarah/yq:4.50.1
+          image: mikefarah/yq:4.53.2
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
@@ -1413,7 +1413,7 @@ spec:
              mountPath: /app/assets
      containers:
        - name: glance
-          image: glanceapp/glance:v0.8.4
+          image: glanceapp/glance:v0.8.5
          imagePullPolicy: IfNotPresent
          env:
            - name: TZ
@@ -258,7 +258,7 @@ spec:
      automountServiceAccountToken: true
      containers:
        - name: headlamp
-          image: ghcr.io/headlamp-k8s/headlamp:v0.40.0
+          image: ghcr.io/headlamp-k8s/headlamp:v0.42.0
          imagePullPolicy: IfNotPresent
          args:
            - "-in-cluster"
@@ -42,5 +42,5 @@ rbac:
 # Image configuration
 image:
  repository: registry.k8s.io/external-dns/external-dns
-  tag: v0.19.0
+  tag: v0.21.0
  pullPolicy: IfNotPresent
@@ -1,4 +1,11 @@
 ---
+# Image tag override: bumps pihole/pihole to 2026.05.0 without changing
+# the chart version. The 2026.05.0 release bundles FTL v6.6.2 which
+# imports 6 upstream dnsmasq CVE fixes (covering the dnsmasq 2.92/2.93
+# disclosures). No FTL-side config or API changes per the release notes.
+# https://github.com/pi-hole/docker-pi-hole/releases/tag/2026.05.0
+image:
+  tag: "2026.05.0"
 DNS1: "1.1.1.1"   # Cloudflare
 DNS2: "8.8.8.8"   # Google
 DNS3: "9.9.9.9"   #Quad9
@@ -3,8 +3,8 @@ image:
  # -- The public dockerhub registry
  registry: index.docker.io
  repository: plexinc/pms-docker
-  # renovate: datasource=custom.plex depName=plex versioning=loose
-  tag: "1.43.0.10467-2b1ba6e69"
+  # renovate: datasource=docker depName=plexinc/pms-docker versioning=regex:^(?<major>\d+)\.(?<minor>\d+)\.(?<patch>\d+)\.(?<build>\d+)-[a-f0-9]+$
+  tag: "1.43.2.10687-563d026ea"
  sha: ""
  pullPolicy: IfNotPresent

@@ -123,7 +123,7 @@ initContainer:
    registry: index.docker.io
    repository: alpine
    # -- If unset use latest
-    tag: "3.22"
+    tag: "3.23"
    sha: ""
    pullPolicy: IfNotPresent

@@ -181,7 +181,7 @@ rclone:
    registry: index.docker.io
    repository: rclone/rclone
    # -- If unset use latest
-    tag: 1.70.3
+    tag: 1.74.3
    sha: ""
    pullPolicy: IfNotPresent

@@ -235,7 +235,10 @@ statefulSet:
  annotations: {}
  # -- Optional extra annotations to add to the pods in the statefulset
  podAnnotations: 
-    match-regex.version-checker.io/plex-plex-media-server-pms: ^\d+\.\d+\.\d+\.\d+-.*$
+    # Match only `<X.Y.Z.B>-<short-hash>` (the amd64/native tag form) and exclude
+    # per-arch tags (e.g. `-armhf`, `-arm64`) so version-checker doesn't show an
+    # ARM tag as "newer" than our x86_64 install.
+    match-regex.version-checker.io/plex-plex-media-server-pms: '^\d+\.\d+\.\d+\.\d+-[a-f0-9]+$'

 service:
  type: LoadBalancer
@@ -372,7 +372,7 @@ spec:
      enableServiceLinks: true
      containers:
        - name: homepage
-          image: ghcr.io/gethomepage/homepage:v1.10.1
+          image: ghcr.io/gethomepage/homepage:v1.13.1
          imagePullPolicy: IfNotPresent
          env:
            # Required for external access
@@ -535,7 +535,7 @@ spec:
      enableServiceLinks: true
      containers:
        - name: homepage
-          image: ghcr.io/gethomepage/homepage:v1.10.1
+          image: ghcr.io/gethomepage/homepage:v1.13.1
          imagePullPolicy: IfNotPresent
          env:
            # Required for external access
@@ -241,7 +241,7 @@ spec:
              value: immich-valkey
            - name: TRANSFORMERS_CACHE
              value: /cache
-          image: ghcr.io/immich-app/immich-machine-learning:v2.5.5
+          image: ghcr.io/immich-app/immich-machine-learning:v2.7.5
          imagePullPolicy: IfNotPresent
          livenessProbe:
            failureThreshold: 3
@@ -336,7 +336,7 @@ spec:
              value: http://immich-machine-learning:3003
            - name: REDIS_HOSTNAME
              value: immich-valkey
-          image: ghcr.io/immich-app/immich-server:v2.5.5
+          image: ghcr.io/immich-app/immich-server:v2.7.5
          imagePullPolicy: IfNotPresent
          livenessProbe:
            failureThreshold: 3
@@ -416,7 +416,7 @@ spec:
              value: http://immich-machine-learning:3003
            - name: REDIS_HOSTNAME
              value: immich-valkey
-          image: docker.io/valkey/valkey:9.0-alpine@sha256:b4ee67d73e00393e712accc72cfd7003b87d0fcd63f0eba798b23251bfc9c394
+          image: docker.io/valkey/valkey:9.1-alpine@sha256:a35428eba9043cc0b79dbe54100f0c92784f2de00ad09b01182bfb1c5c83d1bd
          imagePullPolicy: IfNotPresent
          livenessProbe:
            exec:
@@ -185,7 +185,7 @@ spec:
    spec:
      containers:
        - name: redis
-          image: redis:7-alpine
+          image: redis:8-alpine
          imagePullPolicy: IfNotPresent
          args:
            - redis-server
@@ -282,7 +282,7 @@ spec:
    spec:
      initContainers:
        - name: wait-for-db
-          image: busybox:1.36
+          image: busybox:1.38
          command:
            - sh
            - -c
@@ -294,7 +294,7 @@ spec:
              done
              echo "PostgreSQL is ready!"
        - name: wait-for-redis
-          image: busybox:1.36
+          image: busybox:1.38
          command:
            - sh
            - -c
@@ -584,7 +584,7 @@ spec:
      initContainers:
        # 1. Wait for PostgreSQL to accept connections
        - name: wait-for-db
-          image: busybox:1.36
+          image: busybox:1.38
          command:
            - sh
            - -c
@@ -597,7 +597,7 @@ spec:
              echo "PostgreSQL is ready!"
        # 2. Wait for Redis to accept connections
        - name: wait-for-redis
-          image: busybox:1.36
+          image: busybox:1.38
          command:
            - sh
            - -c
@@ -612,7 +612,7 @@ spec:
        #    Prevents the worker from picking up stale queued jobs
        #    before schema migrations have been applied.
        - name: wait-for-api
-          image: busybox:1.36
+          image: busybox:1.38
          command:
            - sh
            - -c
@@ -136,7 +136,7 @@ spec:
        fsGroup: 1000
      containers:
        - name: filebrowser
-          image: gtstef/filebrowser:1.1.2-stable
+          image: gtstef/filebrowser:1.3.3-stable
          env:
            - name: TZ
              value: "Europe/Budapest"
@@ -348,7 +348,7 @@ spec:
    spec:
      containers:
        - name: prometheus
-          image: prom/prometheus:v3.9.1
+          image: prom/prometheus:v3.12.0
          args:
            - --config.file=/etc/prometheus/prometheus.yml
            - --storage.tsdb.path=/prometheus
@@ -529,7 +529,7 @@ spec:
        runAsGroup: 472
      containers:
        - name: grafana
-          image: grafana/grafana:12.3.2
+          image: grafana/grafana:13.0.2
          ports:
            - containerPort: 3000
              name: http
@@ -392,10 +392,13 @@ spec:
        nextcloud-config-hash: 06b49913be13b1f9a81745166dd75ada59e7ddd39e8f6a2c5538affe2a6d1093
        php-config-hash: 5a497358af870e06b42325eee83d7c0e5466b7f6819cb49b598559d96def7428
        hooks-hash: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
+        # Only match the `X.Y.Z-apache` variant tags so version-checker doesn't
+        # treat the bare `X.Y.Z` server tag as a "newer" version of our apache image.
+        match-regex.version-checker.io/nextcloud: '^\d+\.\d+\.\d+-apache$'
    spec:
      containers:
        - name: nextcloud
-          image: docker.io/library/nextcloud:32.0.2-apache
+          image: docker.io/library/nextcloud:33.0.5-apache
          imagePullPolicy: IfNotPresent
          env:
            - name: SMTP_HOST
@@ -552,7 +555,7 @@ spec:
            failureThreshold: 3
      initContainers:
        - name: postgresql-isready
-          image: docker.io/bitnamilegacy/postgresql:17.5.0-debian-12-r3
+          image: docker.io/bitnamilegacy/postgresql:17.6.0-debian-12-r3
          resources: {}
          securityContext: {}
          env:
@@ -637,7 +640,7 @@ spec:
      hostIPC: false
      containers:
        - name: postgresql
-          image: docker.io/bitnamilegacy/postgresql:17.5.0-debian-12-r3
+          image: docker.io/bitnamilegacy/postgresql:17.6.0-debian-12-r3
          imagePullPolicy: "IfNotPresent"
          securityContext:
            allowPrivilegeEscalation: false
@@ -0,0 +1,135 @@
+# BentoPDF - Privacy-focused PDF toolkit (all processing client-side, files never leave the server)
+# https://www.bentopdf.com  -  image: ghcr.io/alam00000/bentopdf
+# Domain: pdf.dooplex.hu
+# Version: 2.8.5
+# Database: None | Storage: None (stateless)
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bentopdf
+  namespace: office-system
+  labels:
+    app.kubernetes.io/name: bentopdf
+    app.kubernetes.io/instance: bentopdf
+    app.kubernetes.io/version: "2.8.5"
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: bentopdf
+      app.kubernetes.io/instance: bentopdf
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: bentopdf
+        app.kubernetes.io/instance: bentopdf
+        app.kubernetes.io/version: "2.8.5"
+      annotations:
+        match-regex.version-checker.io/bentopdf: '^v\d+\.\d+\.\d+$'
+    spec:
+      containers:
+        - name: bentopdf
+          image: ghcr.io/alam00000/bentopdf:v2.8.5
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: TZ
+              value: "Europe/Budapest"
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 15
+            periodSeconds: 30
+            timeoutSeconds: 5
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            timeoutSeconds: 3
+            failureThreshold: 3
+          resources:
+            requests:
+              cpu: 50m
+              memory: 128Mi
+            limits:
+              cpu: 500m
+              memory: 384Mi
+      restartPolicy: Always
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: bentopdf
+  namespace: office-system
+  labels:
+    app.kubernetes.io/name: bentopdf
+    app.kubernetes.io/instance: bentopdf
+spec:
+  type: ClusterIP
+  ports:
+    - name: http
+      port: 8080
+      targetPort: http
+      protocol: TCP
+  selector:
+    app.kubernetes.io/name: bentopdf
+    app.kubernetes.io/instance: bentopdf
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: bentopdf
+  namespace: office-system
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    external-dns.alpha.kubernetes.io/hostname: pdf.dooplex.hu,pdf.home
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      set $geo_allowed 0;
+      if ($remote_addr ~ "^192\.168\.") { set $geo_allowed 1; }
+      if ($remote_addr ~ "^10\.") { set $geo_allowed 1; }
+      if ($geoip2_country_code = "HU") { set $geo_allowed 1; }
+      if ($geo_allowed = 0) {
+        return 403 "Access restricted to Hungary";
+      }
+  labels:
+    app.kubernetes.io/name: bentopdf
+    app.kubernetes.io/instance: bentopdf
+spec:
+  ingressClassName: nginx-internal
+  tls:
+    - hosts:
+        - pdf.dooplex.hu
+      secretName: bentopdf-tls
+  rules:
+    - host: pdf.dooplex.hu
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: bentopdf
+                port:
+                  number: 8080
+    - host: pdf.home
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: bentopdf
+                port:
+                  number: 8080
@@ -27,7 +27,7 @@ spec:
    spec:
      containers:
        - name: onlyoffice
-          image: onlyoffice/documentserver:9.0.2
+          image: onlyoffice/documentserver:9.4.0
          imagePullPolicy: IfNotPresent
          env:
            - name: TZ
@@ -89,7 +89,7 @@ spec:
      initContainers:
        # Configure proxy auth in database before starting
        - name: configure-auth
-          image: filebrowser/filebrowser:v2.54.0
+          image: filebrowser/filebrowser:v2.63.13
          command:
            - sh
            - -c
@@ -109,7 +109,7 @@ spec:
            runAsGroup: 1001
      containers:
        - name: filebrowser
-          image: filebrowser/filebrowser:v2.54.0
+          image: filebrowser/filebrowser:v2.63.13
          command:
            - filebrowser
            - --database=/config/filebrowser.db
@@ -10,7 +10,7 @@ metadata:
  labels:
    app.kubernetes.io/instance: outline
    app.kubernetes.io/name: outline
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.8.1
  name: outline
  namespace: outline-system
 spec:
@@ -31,7 +31,7 @@ spec:
    spec:
      containers:
        - name: outline
-          image: outlinewiki/outline:1.4.0
+          image: outlinewiki/outline:1.8.1
          imagePullPolicy: IfNotPresent
          env:
            - name: NODE_ENV
@@ -198,7 +198,7 @@ spec:
    spec:
      containers:
        - name: redis
-          image: redis:7-alpine
+          image: redis:8-alpine
          imagePullPolicy: IfNotPresent
          command:
            - redis-server
@@ -331,7 +331,7 @@ metadata:
  labels:
    app.kubernetes.io/instance: outline
    app.kubernetes.io/name: outline
-    app.kubernetes.io/version: 1.1.0
+    app.kubernetes.io/version: 1.8.1
  name: outline
  namespace: outline-system
 spec:
@@ -71,7 +71,7 @@ spec:
    spec:
      containers:
        - name: redis
-          image: redis:7-alpine
+          image: redis:8-alpine
          imagePullPolicy: IfNotPresent
          ports:
            - name: redis
@@ -158,7 +158,7 @@ spec:
      enableServiceLinks: false
      containers:
        - name: paperless
-          image: ghcr.io/paperless-ngx/paperless-ngx:2.20.6
+          image: ghcr.io/paperless-ngx/paperless-ngx:2.20.15
          imagePullPolicy: IfNotPresent
          env:
            # Database - using shared PostgreSQL in database-system namespace
@@ -43,7 +43,7 @@ spec:
    spec:
      containers:
        - name: mysql
-          image: mysql:8.0
+          image: mysql:8.4
          env:
            - name: MYSQL_ROOT_PASSWORD
              valueFrom:
@@ -121,7 +121,7 @@ spec:
    spec:
      containers:
        - name: redis
-          image: redis:7.2.1
+          image: redis:8.8.0
          ports:
            - containerPort: 6379
              name: redis
@@ -30,7 +30,7 @@ spec:
    spec:
      containers:
        - name: prowlarr
-          image: linuxserver/prowlarr:version-2.3.0.5236
+          image: linuxserver/prowlarr:version-2.3.5.5327
          imagePullPolicy: IfNotPresent
          env:
            - name: PUID
@@ -91,7 +91,7 @@ spec:
    spec:
      containers:
        - name: radarr
-          image: linuxserver/radarr:version-6.0.4.10291
+          image: linuxserver/radarr:version-6.1.1.10360
          imagePullPolicy: IfNotPresent
          env:
            - name: PUID
@@ -164,7 +164,7 @@ spec:
    spec:
      containers:
        - name: sonarr
-          image: linuxserver/sonarr:version-4.0.16.2944
+          image: linuxserver/sonarr:version-4.0.17.2952
          imagePullPolicy: IfNotPresent
          env:
            - name: PUID
@@ -244,7 +244,7 @@ spec:
    spec:
      containers:
        - name: qbittorrent
-          image: linuxserver/qbittorrent:5.1.4
+          image: linuxserver/qbittorrent:5.2.1
          imagePullPolicy: IfNotPresent
          env:
            - name: PUID
@@ -705,7 +705,7 @@ spec:
    spec:
      containers:
        - name: radarr
-          image: linuxserver/radarr:version-6.0.4.10291
+          image: linuxserver/radarr:version-6.1.1.10360
          imagePullPolicy: IfNotPresent
          env:
            - name: PUID
@@ -904,7 +904,14 @@ spec:
    spec:
      containers:
        - name: seerr
-          image: docker.io/fallenbagel/jellyseerr:preview-OIDC
+          # 2026-06-06: migrating from fallenbagel/jellyseerr:preview-OIDC
+          # (a custom OIDC-capable build) to seerr-team/seerr v3.x — the
+          # successor project (combined Overseerr+Jellyseerr team rebrand
+          # from v3.0.0). Mainline now has native OIDC support so we don't
+          # need the custom build. Migration is auto on first start; backed
+          # up the config PVC to ~/seerr-backups on dooplex before this PR.
+          # https://docs.seerr.dev/migration-guide
+          image: ghcr.io/seerr-team/seerr:v3.3.0
          imagePullPolicy: IfNotPresent
          env:
            - name: TZ
@@ -30,7 +30,7 @@ spec:
    spec:
      initContainers:
        - name: create-superuser
-          image: vabene1111/recipes:2.5
+          image: vabene1111/recipes:2.6.9
          workingDir: /opt/recipes
          command:
            - /bin/sh
@@ -106,7 +106,7 @@ spec:
                  key: email
      containers:
        - name: tandoor
-          image: vabene1111/recipes:2.5
+          image: vabene1111/recipes:2.6.9
          imagePullPolicy: IfNotPresent
          env:
            - name: TZ
@@ -41,7 +41,11 @@ spec:
    spec:
      containers:
        - name: termix
-          image: ghcr.io/lukegus/termix:release-1.11.0
+          # NOTE: termix uses a non-semver tag pattern (release-X.Y.Z).
+          # Renovate handles it via a customManagers regex defined in
+          # admin-system/renovate.yaml (the kubernetes manager doesn't
+          # process inline `# renovate:` comments).
+          image: ghcr.io/lukegus/termix:release-2.3.2
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
@@ -30,7 +30,7 @@ spec:
    spec:
      containers:
        - name: uptimekuma
-          image: louislam/uptime-kuma:2.3.2
+          image: louislam/uptime-kuma:2.4.0
          imagePullPolicy: IfNotPresent
          env:
            - name: TZ
@@ -28,7 +28,7 @@ spec:
    spec:
      containers:
        - name: vaultwarden
-          image: vaultwarden/server:1.35.2
+          image: vaultwarden/server:1.36.0
          imagePullPolicy: IfNotPresent
          env:
            - name: TZ
@@ -122,7 +122,7 @@ spec:
    spec:
      containers:
        - name: pocketbase
-          image: flomp/wanderer-db:v0.19.1
+          image: flomp/wanderer-db:v0.19.2
          env:
            - name: ORIGIN
              value: "https://wanderer.dooplex.hu"
@@ -192,7 +192,7 @@ spec:
    spec:
      containers:
        - name: wanderer-web
-          image: flomp/wanderer-web:v0.19.1
+          image: flomp/wanderer-web:v0.19.2
          env:
            - name: NODE_TLS_REJECT_UNAUTHORIZED
              value: "0"
@@ -130,7 +130,7 @@ spec:
      initContainers:
        # Configure proxy auth in database before starting
        - name: configure-auth
-          image: filebrowser/filebrowser:v2.54.0
+          image: filebrowser/filebrowser:v2.63.13
          command:
            - sh
            - -c
@@ -151,7 +151,7 @@ spec:
            runAsGroup: 1000
      containers:
        - name: filebrowser
-          image: filebrowser/filebrowser:v2.54.0
+          image: filebrowser/filebrowser:v2.63.13
          command:
            - filebrowser
            - --database=/config/filebrowser.db
@@ -315,7 +315,7 @@ spec:
      initContainers:
        # Create public directory if it doesn't exist
        - name: init-public-dir
-          image: busybox:1.36
+          image: busybox:1.38
          command: ["sh", "-c", "mkdir -p /srv/public && chmod 755 /srv/public"]
          volumeMounts:
            - name: data
@@ -324,7 +324,7 @@ spec:
            runAsUser: 0
      containers:
        - name: nginx
-          image: nginx:1.27-alpine
+          image: nginx:1.31-alpine
          ports:
            - containerPort: 8080
              name: http
@@ -144,8 +144,10 @@ spec:
        app.kubernetes.io/instance: sparkyfitness
        app.kubernetes.io/name: server
      annotations:
-        # Tag format is vMAJOR.MINOR.PATCH.BUILD (e.g. v0.16.6.3)
-        match-regex.version-checker.io/server: '^v\d+\.\d+\.\d+\.\d+$'
+        # Tag format used to be vMAJOR.MINOR.PATCH.BUILD (e.g. v0.16.6.3),
+        # changed to vMAJOR.MINOR.PATCH on 2026-06-01 (v0.16.7+). Accept
+        # both so historical comparisons + new releases both match.
+        match-regex.version-checker.io/server: '^v\d+\.\d+\.\d+(\.\d+)?$'
    spec:
      enableServiceLinks: false
      securityContext:
@@ -153,7 +155,7 @@ spec:
        fsGroup: 1000
      initContainers:
        - name: wait-for-db
-          image: busybox:1.36
+          image: busybox:1.38
          command:
            - sh
            - -c
@@ -166,7 +168,7 @@ spec:
              echo "PostgreSQL is ready!"
      containers:
        - name: server
-          image: codewithcj/sparkyfitness_server:v0.16.6.3
+          image: codewithcj/sparkyfitness_server:v0.16.8
          env:
            # ---- Database (owner / superuser role, used for migrations) ----
            - name: SPARKY_FITNESS_DB_HOST
@@ -330,12 +332,12 @@ spec:
        app.kubernetes.io/instance: sparkyfitness
        app.kubernetes.io/name: frontend
      annotations:
-        match-regex.version-checker.io/frontend: '^v\d+\.\d+\.\d+\.\d+$'
+        match-regex.version-checker.io/frontend: '^v\d+\.\d+\.\d+(\.\d+)?$'
    spec:
      enableServiceLinks: false
      containers:
        - name: frontend
-          image: codewithcj/sparkyfitness:v0.16.6.3
+          image: codewithcj/sparkyfitness:v0.16.8
          env:
            - name: SPARKY_FITNESS_SERVER_HOST
              value: "sparkyfitness-server"