Update codercom/code-server Docker tag to v4.123.0

The previous attempt (inline `# renovate:` comment in termix.yaml) silently
did nothing -- after merge + manual run, the dashboard's
`termix-system/termix.yaml (2)` was the resource count (Deployment +
Ingress), not detected updates. No PRs opened, no termix branches, no
queue entries anywhere.

Root cause: Renovate's `kubernetes` manager does NOT process inline
`# renovate:` comments. Those work for dockerfile/flux/helmfile/github-
actions/helm-values/etc., but kubernetes is missing from that list.

Correct fix: a `customManagers.regex` entry that extracts termix's image
directly with the right datasource/versioning/extractVersion set at
EXTRACTION time -- before any docker-version pre-check can reject the
prefixed tag. Plus a packageRule disabling the kubernetes manager for
termix so it doesn't silently skip the dep and clutter the dashboard.

Changes:
  - admin-system/renovate.yaml:
    * enabledManagers += "custom.regex"
    * customManagers: termix.yaml regex extraction -> github-releases
      datasource on Termix-SSH/Termix with `extractVersion=^release-(?<version>.+)$`
    * packageRules: disable kubernetes manager for ghcr.io/lukegus/termix
  - termix-system/termix.yaml: drop the useless inline comment, leave a
    NOTE explaining where the actual config lives.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

actualbudget-system/actualbudget.yaml

@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
         - name: actualbudget
-          image: actualbudget/actual-server:26.2.0
+          image: actualbudget/actual-server:26.6.0
           imagePullPolicy: IfNotPresent
           env:
             - name: TZ

admin-system/renovate.yaml

@@ -6,7 +6,7 @@
 #        -slim suffix was retired after v37.440.x, so we pin the plain tag)
 #
 # PILOT SCOPE (intentionally narrow):
-#   Runs weekly (Sun 04:00 Europe/Budapest) as a CronJob and opens
+#   Runs weekly (Sat 02:00 Europe/Budapest) as a CronJob and opens
 #   dependency-update PRs against admin/homelab-manifests on Gitea.
 #   Only the `kubernetes` and `helm-values` managers are enabled, and a
 #   default-deny packageRule limits updates to exactly four pilot images:
@@ -44,12 +44,26 @@ data:
       "requireConfig": "optional",
       "dependencyDashboard": true,
       "dependencyDashboardTitle": "Renovate Dependency Dashboard",
-      "prHourlyLimit": 8,
+      "prHourlyLimit": 16,
-      "prConcurrentLimit": 8,
+      "prConcurrentLimit": 16,
-      "enabledManagers": ["kubernetes", "helm-values"],
+      "enabledManagers": ["kubernetes", "helm-values", "custom.regex"],
       "kubernetes": {
         "managerFilePatterns": ["/.+\\.ya?ml$/"]
       },
+      "customManagers": [
+        {
+          "description": "termix uses a release-X.Y.Z prefixed tag that the kubernetes manager's docker-versioning pre-check rejects (so no PRs are ever created). This customManager extracts the image directly, redirects the version lookup to GitHub Releases at Termix-SSH/Termix (which exposes timestamps the 3-day stability gate needs), and uses extractVersion to strip the `release-` prefix so loose semver can parse it.",
+          "customType": "regex",
+          "managerFilePatterns": ["/termix-system/.+\\.ya?ml$/"],
+          "matchStrings": [
+            "image:\\s+(?<depName>ghcr\\.io/lukegus/termix):(?<currentValue>release-\\d+\\.\\d+\\.\\d+)"
+          ],
+          "datasourceTemplate": "github-releases",
+          "packageNameTemplate": "Termix-SSH/Termix",
+          "versioningTemplate": "loose",
+          "extractVersionTemplate": "^release-(?<version>.+)$"
+        }
+      ],
       "packageRules": [
         {
           "description": "All apps: 3-day stability gate before any PR opens",
@@ -90,17 +104,16 @@ data:
           ],
           "automerge": false
         },
-        {
-          "description": "termix: use github-releases as datasource (ghcr.io OCI manifest for this image lacks the release timestamp Renovate needs for the stability gate; GitHub Releases at Termix-SSH/Termix expose proper timestamps so the 3-day gate works as intended). regex versioning parses the release-X.Y.Z prefix. Renovate still writes the new tag to the same ghcr.io/lukegus/termix image (the registry hosts every release).",
-          "matchPackageNames": ["ghcr.io/lukegus/termix"],
-          "datasource": "github-releases",
-          "packageName": "Termix-SSH/Termix",
-          "versioning": "regex:^release-(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)$"
-        },
         {
           "description": "wanderer: db + web update together in one PR",
           "matchPackageNames": ["flomp/wanderer-db", "flomp/wanderer-web"],
           "groupName": "wanderer"
+        },
+        {
+          "description": "termix: kubernetes manager would extract the image with versioning=docker and silently skip it (release-1.11.0 fails the docker pre-check). Disable that extraction; customManagers above does the real work via github-releases.",
+          "matchManagers": ["kubernetes"],
+          "matchPackageNames": ["ghcr.io/lukegus/termix"],
+          "enabled": false
         }
       ],
       "labels": ["renovate"]
@@ -116,7 +129,9 @@ metadata:
     app.kubernetes.io/name: renovate
     app.kubernetes.io/version: "43.197.0"
 spec:
-  schedule: "0 4 * * 0"
+  # Sat 02:00 Europe/Budapest — leaves the full weekend for troubleshooting
+  # if a Renovate-merged update breaks something.
+  schedule: "0 2 * * 6"
   timeZone: "Europe/Budapest"
   concurrencyPolicy: Forbid
   successfulJobsHistoryLimit: 3

arcade-system/romm.yaml

@@ -56,7 +56,7 @@ spec:
     spec:
       containers:
         - name: redis
-          image: redis:7.2-alpine
+          image: redis:7.4-alpine
           ports:
             - containerPort: 6379
               name: redis
@@ -96,7 +96,7 @@ spec:
         fsGroup: 1000
       initContainers:
         - name: init-config
-          image: busybox:1.36
+          image: busybox:1.38
           command:
             - sh
             - -c

audiobookshelf-system/audiobookshelf.yaml

@@ -54,7 +54,7 @@ spec:
     spec:
       containers:
         - name: audiobookshelf
-          image: advplyr/audiobookshelf:2.35.0
+          image: advplyr/audiobookshelf:2.35.1
           imagePullPolicy: IfNotPresent
           env:
             - name: TZ

booking-system/booking.yaml

@@ -168,7 +168,7 @@ spec:
       initContainers:
         # Wait for PostgreSQL
         - name: wait-for-db
-          image: busybox:1.36
+          image: busybox:1.38
           command:
             - sh
             - -c
@@ -181,7 +181,7 @@ spec:
               echo "PostgreSQL is ready!"
         # Wait for Redis
         - name: wait-for-redis
-          image: busybox:1.36
+          image: busybox:1.38
           command:
             - sh
             - -c

bookstack-system/bookstack.yaml

@@ -175,7 +175,7 @@ spec:
     spec:
       containers:
         - name: bookstack
-          image: linuxserver/bookstack:25.12.3
+          image: linuxserver/bookstack:25.12.20251224
           imagePullPolicy: IfNotPresent
           env:
             # LinuxServer.io specific

code-system/code.yaml

@@ -50,7 +50,7 @@ spec:
         fsGroup: 1000
       containers:
         - name: code-server
-          image: codercom/code-server:4.121.0
+          image: codercom/code-server:4.123.0
           args:
             - --bind-addr=0.0.0.0:8080
             - --auth=none

felhom-system/healthchecks.yaml

@@ -48,7 +48,7 @@ spec:
         fsGroup: 999
       containers:
         - name: healthchecks
-          image: healthchecks/healthchecks:v4.0
+          image: healthchecks/healthchecks:v4.2
           ports:
             - containerPort: 8000
           env:

gitea-system/gitea.yaml

@@ -32,7 +32,7 @@ spec:
     spec:
       initContainers:
         - name: init-directories
-          image: busybox:1.36
+          image: busybox:1.38
           command:
             - sh
             - -c

glance-system/glance-kisfenyo.yaml

@@ -2746,7 +2746,7 @@ spec:
         fsGroup: 1000
       initContainers:
         - name: build-bookmarks-index
-          image: mikefarah/yq:4.50.1
+          image: mikefarah/yq:4.53.2
           securityContext:
             runAsUser: 1000
             runAsGroup: 1000
@@ -2787,7 +2787,7 @@ spec:
               mountPath: /app/assets
       containers:
         - name: glance
-          image: glanceapp/glance:v0.8.4
+          image: glanceapp/glance:v0.8.5
           imagePullPolicy: IfNotPresent
           env:
             - name: TZ

glance-system/glance-orsi.yaml

@@ -1372,7 +1372,7 @@ spec:
         fsGroup: 1000
       initContainers:
         - name: build-bookmarks-index
-          image: mikefarah/yq:4.50.1
+          image: mikefarah/yq:4.53.2
           securityContext:
             runAsUser: 1000
             runAsGroup: 1000
@@ -1413,7 +1413,7 @@ spec:
               mountPath: /app/assets
       containers:
         - name: glance
-          image: glanceapp/glance:v0.8.4
+          image: glanceapp/glance:v0.8.5
           imagePullPolicy: IfNotPresent
           env:
             - name: TZ

helm/plex/values.yaml

@@ -123,7 +123,7 @@ initContainer:
     registry: index.docker.io
     repository: alpine
     # -- If unset use latest
-    tag: "3.22"
+    tag: "3.23"
     sha: ""
     pullPolicy: IfNotPresent
 
@@ -181,7 +181,7 @@ rclone:
     registry: index.docker.io
     repository: rclone/rclone
     # -- If unset use latest
-    tag: 1.70.3
+    tag: 1.74.2
     sha: ""
     pullPolicy: IfNotPresent
 

immich-system/immich.yaml

@@ -416,7 +416,7 @@ spec:
               value: http://immich-machine-learning:3003
             - name: REDIS_HOSTNAME
               value: immich-valkey
-          image: docker.io/valkey/valkey:9.0-alpine@sha256:b4ee67d73e00393e712accc72cfd7003b87d0fcd63f0eba798b23251bfc9c394
+          image: docker.io/valkey/valkey:9.1-alpine@sha256:a35428eba9043cc0b79dbe54100f0c92784f2de00ad09b01182bfb1c5c83d1bd
           imagePullPolicy: IfNotPresent
           livenessProbe:
             exec:

jarrs-system/jarr-dev.yaml

@@ -282,7 +282,7 @@ spec:
     spec:
       initContainers:
         - name: wait-for-db
-          image: busybox:1.36
+          image: busybox:1.38
           command:
             - sh
             - -c
@@ -294,7 +294,7 @@ spec:
               done
               echo "PostgreSQL is ready!"
         - name: wait-for-redis
-          image: busybox:1.36
+          image: busybox:1.38
           command:
             - sh
             - -c
@@ -584,7 +584,7 @@ spec:
       initContainers:
         # 1. Wait for PostgreSQL to accept connections
         - name: wait-for-db
-          image: busybox:1.36
+          image: busybox:1.38
           command:
             - sh
             - -c
@@ -597,7 +597,7 @@ spec:
               echo "PostgreSQL is ready!"
         # 2. Wait for Redis to accept connections
         - name: wait-for-redis
-          image: busybox:1.36
+          image: busybox:1.38
           command:
             - sh
             - -c
@@ -612,7 +612,7 @@ spec:
         #    Prevents the worker from picking up stale queued jobs
         #    before schema migrations have been applied.
         - name: wait-for-api
-          image: busybox:1.36
+          image: busybox:1.38
           command:
             - sh
             - -c

mon-system/monitoring.yaml

@@ -348,7 +348,7 @@ spec:
     spec:
       containers:
         - name: prometheus
-          image: prom/prometheus:v3.9.1
+          image: prom/prometheus:v3.12.0
           args:
             - --config.file=/etc/prometheus/prometheus.yml
             - --storage.tsdb.path=/prometheus
@@ -529,7 +529,7 @@ spec:
         runAsGroup: 472
       containers:
         - name: grafana
-          image: grafana/grafana:12.3.2
+          image: grafana/grafana:12.4.4
           ports:
             - containerPort: 3000
               name: http

nextcloud-system/nextcloud.yaml

@@ -395,7 +395,7 @@ spec:
     spec:
       containers:
         - name: nextcloud
-          image: docker.io/library/nextcloud:32.0.2-apache
+          image: docker.io/library/nextcloud:32.0.10-apache
           imagePullPolicy: IfNotPresent
           env:
             - name: SMTP_HOST
@@ -552,7 +552,7 @@ spec:
             failureThreshold: 3
       initContainers:
         - name: postgresql-isready
-          image: docker.io/bitnamilegacy/postgresql:17.5.0-debian-12-r3
+          image: docker.io/bitnamilegacy/postgresql:17.6.0-debian-12-r3
           resources: {}
           securityContext: {}
           env:
@@ -637,7 +637,7 @@ spec:
       hostIPC: false
       containers:
         - name: postgresql
-          image: docker.io/bitnamilegacy/postgresql:17.5.0-debian-12-r3
+          image: docker.io/bitnamilegacy/postgresql:17.6.0-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false

office-system/bentopdf.yaml

@@ -0,0 +1,135 @@
+# BentoPDF - Privacy-focused PDF toolkit (all processing client-side, files never leave the server)
+# https://www.bentopdf.com  -  image: ghcr.io/alam00000/bentopdf
+# Domain: pdf.dooplex.hu
+# Version: 2.8.5
+# Database: None | Storage: None (stateless)
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bentopdf
+  namespace: office-system
+  labels:
+    app.kubernetes.io/name: bentopdf
+    app.kubernetes.io/instance: bentopdf
+    app.kubernetes.io/version: "2.8.5"
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: bentopdf
+      app.kubernetes.io/instance: bentopdf
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: bentopdf
+        app.kubernetes.io/instance: bentopdf
+        app.kubernetes.io/version: "2.8.5"
+      annotations:
+        match-regex.version-checker.io/bentopdf: '^v\d+\.\d+\.\d+$'
+    spec:
+      containers:
+        - name: bentopdf
+          image: ghcr.io/alam00000/bentopdf:v2.8.5
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: TZ
+              value: "Europe/Budapest"
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 15
+            periodSeconds: 30
+            timeoutSeconds: 5
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            timeoutSeconds: 3
+            failureThreshold: 3
+          resources:
+            requests:
+              cpu: 50m
+              memory: 128Mi
+            limits:
+              cpu: 500m
+              memory: 384Mi
+      restartPolicy: Always
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: bentopdf
+  namespace: office-system
+  labels:
+    app.kubernetes.io/name: bentopdf
+    app.kubernetes.io/instance: bentopdf
+spec:
+  type: ClusterIP
+  ports:
+    - name: http
+      port: 8080
+      targetPort: http
+      protocol: TCP
+  selector:
+    app.kubernetes.io/name: bentopdf
+    app.kubernetes.io/instance: bentopdf
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: bentopdf
+  namespace: office-system
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    external-dns.alpha.kubernetes.io/hostname: pdf.dooplex.hu,pdf.home
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      set $geo_allowed 0;
+      if ($remote_addr ~ "^192\.168\.") { set $geo_allowed 1; }
+      if ($remote_addr ~ "^10\.") { set $geo_allowed 1; }
+      if ($geoip2_country_code = "HU") { set $geo_allowed 1; }
+      if ($geo_allowed = 0) {
+        return 403 "Access restricted to Hungary";
+      }
+  labels:
+    app.kubernetes.io/name: bentopdf
+    app.kubernetes.io/instance: bentopdf
+spec:
+  ingressClassName: nginx-internal
+  tls:
+    - hosts:
+        - pdf.dooplex.hu
+      secretName: bentopdf-tls
+  rules:
+    - host: pdf.dooplex.hu
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: bentopdf
+                port:
+                  number: 8080
+    - host: pdf.home
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: bentopdf
+                port:
+                  number: 8080

office-system/onlyoffice.yaml

@@ -27,7 +27,7 @@ spec:
     spec:
       containers:
         - name: onlyoffice
-          image: onlyoffice/documentserver:9.0.2
+          image: onlyoffice/documentserver:9.4.0
           imagePullPolicy: IfNotPresent
           env:
             - name: TZ

orsi-system/filebrowser.yaml

@@ -89,7 +89,7 @@ spec:
       initContainers:
         # Configure proxy auth in database before starting
         - name: configure-auth
-          image: filebrowser/filebrowser:v2.54.0
+          image: filebrowser/filebrowser:v2.63.5
           command:
             - sh
             - -c
@@ -109,7 +109,7 @@ spec:
             runAsGroup: 1001
       containers:
         - name: filebrowser
-          image: filebrowser/filebrowser:v2.54.0
+          image: filebrowser/filebrowser:v2.63.5
           command:
             - filebrowser
             - --database=/config/filebrowser.db

outline-system/outline.yaml

@@ -31,7 +31,7 @@ spec:
     spec:
       containers:
         - name: outline
-          image: outlinewiki/outline:1.4.0
+          image: outlinewiki/outline:1.8.0
           imagePullPolicy: IfNotPresent
           env:
             - name: NODE_ENV

plantit-system/plantit.yaml

@@ -121,7 +121,7 @@ spec:
     spec:
       containers:
         - name: redis
-          image: redis:7.2.1
+          image: redis:7.4.9
           ports:
             - containerPort: 6379
               name: redis

servarr-system/servarr.yaml

@@ -244,7 +244,7 @@ spec:
     spec:
       containers:
         - name: qbittorrent
-          image: linuxserver/qbittorrent:5.1.4
+          image: linuxserver/qbittorrent:5.2.1
           imagePullPolicy: IfNotPresent
           env:
             - name: PUID

termix-system/termix.yaml

@@ -41,6 +41,10 @@ spec:
     spec:
       containers:
         - name: termix
+          # NOTE: termix uses a non-semver tag pattern (release-X.Y.Z).
+          # Renovate handles it via a customManagers regex defined in
+          # admin-system/renovate.yaml (the kubernetes manager doesn't
+          # process inline `# renovate:` comments).
           image: ghcr.io/lukegus/termix:release-1.11.0
           imagePullPolicy: IfNotPresent
           ports:

uptimekuma-system/uptimekuma.yaml

@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
         - name: uptimekuma
-          image: louislam/uptime-kuma:2.3.2
+          image: louislam/uptime-kuma:2.4.0
           imagePullPolicy: IfNotPresent
           env:
             - name: TZ

wanderer-system/wanderer.yaml

@@ -57,7 +57,7 @@ spec:
     spec:
       containers:
         - name: meilisearch
-          image: getmeili/meilisearch:v1.11.3
+          image: getmeili/meilisearch:v1.45.2
           env:
             - name: MEILI_MASTER_KEY
               valueFrom:
@@ -122,7 +122,7 @@ spec:
     spec:
       containers:
         - name: pocketbase
-          image: flomp/wanderer-db:v0.19.1
+          image: flomp/wanderer-db:v0.19.2
           env:
             - name: ORIGIN
               value: "https://wanderer.dooplex.hu"
@@ -192,7 +192,7 @@ spec:
     spec:
       containers:
         - name: wanderer-web
-          image: flomp/wanderer-web:v0.19.1
+          image: flomp/wanderer-web:v0.19.2
           env:
             - name: NODE_TLS_REJECT_UNAUTHORIZED
               value: "0"

web-system/web.yaml

@@ -130,7 +130,7 @@ spec:
       initContainers:
         # Configure proxy auth in database before starting
         - name: configure-auth
-          image: filebrowser/filebrowser:v2.54.0
+          image: filebrowser/filebrowser:v2.63.5
           command:
             - sh
             - -c
@@ -151,7 +151,7 @@ spec:
             runAsGroup: 1000
       containers:
         - name: filebrowser
-          image: filebrowser/filebrowser:v2.54.0
+          image: filebrowser/filebrowser:v2.63.5
           command:
             - filebrowser
             - --database=/config/filebrowser.db
@@ -315,7 +315,7 @@ spec:
       initContainers:
         # Create public directory if it doesn't exist
         - name: init-public-dir
-          image: busybox:1.36
+          image: busybox:1.38
           command: ["sh", "-c", "mkdir -p /srv/public && chmod 755 /srv/public"]
           volumeMounts:
             - name: data
@@ -324,7 +324,7 @@ spec:
             runAsUser: 0
       containers:
         - name: nginx
-          image: nginx:1.27-alpine
+          image: nginx:1.31-alpine
           ports:
             - containerPort: 8080
               name: http

workout-system/sparkyfitness.yaml

@@ -153,7 +153,7 @@ spec:
         fsGroup: 1000
       initContainers:
         - name: wait-for-db
-          image: busybox:1.36
+          image: busybox:1.38
           command:
             - sh
             - -c