Update codercom/code-server Docker tag to v4.123.0

The previous attempt (inline `# renovate:` comment in termix.yaml) silently
did nothing -- after merge + manual run, the dashboard's
`termix-system/termix.yaml (2)` was the resource count (Deployment +
Ingress), not detected updates. No PRs opened, no termix branches, no
queue entries anywhere.

Root cause: Renovate's `kubernetes` manager does NOT process inline
`# renovate:` comments. Those work for dockerfile/flux/helmfile/github-
actions/helm-values/etc., but kubernetes is missing from that list.

Correct fix: a `customManagers.regex` entry that extracts termix's image
directly with the right datasource/versioning/extractVersion set at
EXTRACTION time -- before any docker-version pre-check can reject the
prefixed tag. Plus a packageRule disabling the kubernetes manager for
termix so it doesn't silently skip the dep and clutter the dashboard.

Changes:
  - admin-system/renovate.yaml:
    * enabledManagers += "custom.regex"
    * customManagers: termix.yaml regex extraction -> github-releases
      datasource on Termix-SSH/Termix with `extractVersion=^release-(?<version>.+)$`
    * packageRules: disable kubernetes manager for ghcr.io/lukegus/termix
  - termix-system/termix.yaml: drop the useless inline comment, leave a
    NOTE explaining where the actual config lives.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

actualbudget-system/actualbudget.yaml

@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
         - name: actualbudget
-          image: actualbudget/actual-server:26.2.0
+          image: actualbudget/actual-server:26.6.0
           imagePullPolicy: IfNotPresent
           env:
             - name: TZ

admin-system/renovate.yaml

@@ -6,7 +6,7 @@
 #        -slim suffix was retired after v37.440.x, so we pin the plain tag)
 #
 # PILOT SCOPE (intentionally narrow):
-#   Runs weekly (Sun 04:00 Europe/Budapest) as a CronJob and opens
+#   Runs weekly (Sat 02:00 Europe/Budapest) as a CronJob and opens
 #   dependency-update PRs against admin/homelab-manifests on Gitea.
 #   Only the `kubernetes` and `helm-values` managers are enabled, and a
 #   default-deny packageRule limits updates to exactly four pilot images:
@@ -44,92 +44,76 @@ data:
       "requireConfig": "optional",
       "dependencyDashboard": true,
       "dependencyDashboardTitle": "Renovate Dependency Dashboard",
-      "prHourlyLimit": 0,
-      "prConcurrentLimit": 0,
-      "enabledManagers": ["kubernetes", "helm-values"],
+      "prHourlyLimit": 16,
+      "prConcurrentLimit": 16,
+      "enabledManagers": ["kubernetes", "helm-values", "custom.regex"],
       "kubernetes": {
         "managerFilePatterns": ["/.+\\.ya?ml$/"]
       },
+      "customManagers": [
+        {
+          "description": "termix uses a release-X.Y.Z prefixed tag that the kubernetes manager's docker-versioning pre-check rejects (so no PRs are ever created). This customManager extracts the image directly, redirects the version lookup to GitHub Releases at Termix-SSH/Termix (which exposes timestamps the 3-day stability gate needs), and uses extractVersion to strip the `release-` prefix so loose semver can parse it.",
+          "customType": "regex",
+          "managerFilePatterns": ["/termix-system/.+\\.ya?ml$/"],
+          "matchStrings": [
+            "image:\\s+(?<depName>ghcr\\.io/lukegus/termix):(?<currentValue>release-\\d+\\.\\d+\\.\\d+)"
+          ],
+          "datasourceTemplate": "github-releases",
+          "packageNameTemplate": "Termix-SSH/Termix",
+          "versioningTemplate": "loose",
+          "extractVersionTemplate": "^release-(?<version>.+)$"
+        }
+      ],
       "packageRules": [
         {
-          "description": "Default-deny everything",
+          "description": "All apps: 3-day stability gate before any PR opens",
           "matchPackageNames": ["*"],
-          "enabled": false
-        },
-        {
-          "description": "Tier 1: enable updates for low-risk leaf apps",
-          "matchPackageNames": [
-            "ghcr.io/thomiceli/opengist",
-            "louislam/uptime-kuma",
-            "f0rc3/gokapi",
-            "docker.io/calcom/cal.com",
-            "advplyr/audiobookshelf",
-            "arcadiatechnology/crafty-4",
-            "codercom/code-server",
-            "ghcr.io/gethomepage/homepage",
-            "ghcr.io/headlamp-k8s/headlamp",
-            "prom/node-exporter",
-            "rommapp/romm",
-            "ghcr.io/stakater/reloader",
-            "privatebin/nginx-fpm-alpine",
-            "flomp/wanderer-db",
-            "flomp/wanderer-web",
-            "registry.k8s.io/kube-state-metrics/kube-state-metrics",
-            "ghcr.io/lukegus/termix"
-          ],
-          "enabled": true
-        },
-        {
-          "description": "Tier 1: automerge minor/patch after 3-day stability window",
-          "matchPackageNames": [
-            "ghcr.io/thomiceli/opengist",
-            "louislam/uptime-kuma",
-            "f0rc3/gokapi",
-            "docker.io/calcom/cal.com",
-            "advplyr/audiobookshelf",
-            "arcadiatechnology/crafty-4",
-            "codercom/code-server",
-            "ghcr.io/gethomepage/homepage",
-            "ghcr.io/headlamp-k8s/headlamp",
-            "prom/node-exporter",
-            "rommapp/romm",
-            "ghcr.io/stakater/reloader",
-            "privatebin/nginx-fpm-alpine",
-            "flomp/wanderer-db",
-            "flomp/wanderer-web",
-            "registry.k8s.io/kube-state-metrics/kube-state-metrics",
-            "ghcr.io/lukegus/termix"
-          ],
-          "matchUpdateTypes": ["minor", "patch"],
-          "automerge": true,
-          "automergeType": "pr",
-          "platformAutomerge": true,
           "minimumReleaseAge": "3 days"
         },
         {
-          "description": "Tier 1: major bumps require dashboard approval (no automerge)",
-          "matchPackageNames": [
-            "ghcr.io/thomiceli/opengist",
-            "louislam/uptime-kuma",
-            "f0rc3/gokapi",
-            "docker.io/calcom/cal.com",
-            "advplyr/audiobookshelf",
-            "arcadiatechnology/crafty-4",
-            "codercom/code-server",
-            "ghcr.io/gethomepage/homepage",
-            "ghcr.io/headlamp-k8s/headlamp",
-            "prom/node-exporter",
-            "rommapp/romm",
-            "ghcr.io/stakater/reloader",
-            "privatebin/nginx-fpm-alpine",
-            "flomp/wanderer-db",
-            "flomp/wanderer-web",
-            "registry.k8s.io/kube-state-metrics/kube-state-metrics",
-            "ghcr.io/lukegus/termix"
-          ],
+          "description": "Auto-merge minor/patch after the stability window",
+          "matchUpdateTypes": ["minor", "patch"],
+          "automerge": true,
+          "automergeType": "pr",
+          "platformAutomerge": true
+        },
+        {
+          "description": "Major bumps wait for dashboard approval (catches breaking/schema migrations)",
           "matchUpdateTypes": ["major"],
           "automerge": false,
           "dependencyDashboardApproval": true
+        },
+        {
+          "description": "k3s-bundled components: never touch, they ride k3s upgrades",
+          "matchPackageNames": [
+            "rancher/local-path-provisioner",
+            "rancher/mirrored-coredns/coredns",
+            "rancher/mirrored-metrics-server"
+          ],
+          "enabled": false
+        },
+        {
+          "description": "Critical core: PR opens with changelog but Viktor merges manually (deploy pipeline + SSO + DB operator). Some entries are no-ops if the image isn't pinned in this repo (ArgoCD bootstrap, authentik outpost images inherit chart defaults).",
+          "matchPackageNames": [
+            "gitea/gitea",
+            "quay.io/argoproj/argocd",
+            "ghcr.io/goauthentik/server",
+            "ghcr.io/goauthentik/ldap",
+            "ghcr.io/goauthentik/proxy",
+            "ghcr.io/cloudnative-pg/cloudnative-pg"
+          ],
+          "automerge": false
+        },
+        {
+          "description": "wanderer: db + web update together in one PR",
+          "matchPackageNames": ["flomp/wanderer-db", "flomp/wanderer-web"],
+          "groupName": "wanderer"
+        },
+        {
+          "description": "termix: kubernetes manager would extract the image with versioning=docker and silently skip it (release-1.11.0 fails the docker pre-check). Disable that extraction; customManagers above does the real work via github-releases.",
+          "matchManagers": ["kubernetes"],
+          "matchPackageNames": ["ghcr.io/lukegus/termix"],
+          "enabled": false
         }
       ],
       "labels": ["renovate"]
@@ -145,7 +129,9 @@ metadata:
     app.kubernetes.io/name: renovate
     app.kubernetes.io/version: "43.197.0"
 spec:
-  schedule: "0 4 * * 0"
+  # Sat 02:00 Europe/Budapest — leaves the full weekend for troubleshooting
+  # if a Renovate-merged update breaks something.
+  schedule: "0 2 * * 6"
   timeZone: "Europe/Budapest"
   concurrencyPolicy: Forbid
   successfulJobsHistoryLimit: 3

arcade-system/romm.yaml

@@ -56,7 +56,7 @@ spec:
     spec:
       containers:
         - name: redis
-          image: redis:7.2-alpine
+          image: redis:7.4-alpine
           ports:
             - containerPort: 6379
               name: redis
@@ -96,7 +96,7 @@ spec:
         fsGroup: 1000
       initContainers:
         - name: init-config
-          image: busybox:1.36
+          image: busybox:1.38
           command:
             - sh
             - -c
@@ -117,7 +117,7 @@ spec:
               mountPath: /romm/config
       containers:
         - name: romm
-          image: rommapp/romm:4.6.1
+          image: rommapp/romm:4.8.1
           env:
             # Database
             - name: DB_HOST

argocd-apps/homelab.yaml

@@ -47,6 +47,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: servarr-system
   syncPolicy:
+    automated:
+      enabled: true
     # Start with manual sync until you're comfortable
     # automated:
     #   prune: true
@@ -82,6 +84,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: paperless-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -104,6 +108,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: actualbudget-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -126,6 +132,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: audiobookshelf-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -148,6 +156,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: bookstack-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -170,6 +180,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: immich-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -214,6 +226,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: nextcloud-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -236,6 +250,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: outline-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -258,6 +274,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: tandoor-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -280,6 +298,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: uptimekuma-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -302,6 +322,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: vaultwarden-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -369,6 +391,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: pihole-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
 
@@ -397,6 +421,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: mediaserver-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
 ---
@@ -418,6 +444,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: calibre-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -440,6 +468,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: adventurelog-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -592,6 +622,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: termix-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -614,6 +646,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: privatebin-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -636,6 +670,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: headlamp-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -658,6 +694,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: homepage-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -680,6 +718,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: code-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -702,6 +742,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: plantit-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -724,6 +766,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: fileshare-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -746,6 +790,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: arcade-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -768,6 +814,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: workout-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -790,6 +838,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: wanderer-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -812,6 +862,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: opengist-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -834,6 +886,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: zipline-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -856,6 +910,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: crafty-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -878,6 +934,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: booking-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -900,6 +958,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: web-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -922,6 +982,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: control-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -944,6 +1006,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: glance-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -967,6 +1031,10 @@ spec:
     server: https://kubernetes.default.svc
     namespace: version-checker-system
   syncPolicy:
+    automated:
+      enabled: true
+      prune: true
+      selfHeal: true
     syncOptions:
       - CreateNamespace=true
       - ServerSideApply=true
@@ -1033,6 +1101,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: orsi-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
       - CreateNamespace=true
       - ServerSideApply=true
@@ -1075,6 +1145,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: kisfenyo-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
       - CreateNamespace=true
       - ServerSideApply=true
@@ -1096,6 +1168,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: office-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
       - CreateNamespace=true
       - ServerSideApply=true
@@ -1118,6 +1192,10 @@ spec:
     server: https://kubernetes.default.svc
     namespace: jarrs-system
   syncPolicy:
+    automated:
+      enabled: true
+      prune: true
+      selfHeal: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true

audiobookshelf-system/audiobookshelf.yaml

@@ -54,7 +54,7 @@ spec:
     spec:
       containers:
         - name: audiobookshelf
-          image: advplyr/audiobookshelf:2.32.1
+          image: advplyr/audiobookshelf:2.35.1
           imagePullPolicy: IfNotPresent
           env:
             - name: TZ

booking-system/booking.yaml

@@ -168,7 +168,7 @@ spec:
       initContainers:
         # Wait for PostgreSQL
         - name: wait-for-db
-          image: busybox:1.36
+          image: busybox:1.38
           command:
             - sh
             - -c
@@ -181,7 +181,7 @@ spec:
               echo "PostgreSQL is ready!"
         # Wait for Redis
         - name: wait-for-redis
-          image: busybox:1.36
+          image: busybox:1.38
           command:
             - sh
             - -c

bookstack-system/bookstack.yaml

@@ -175,7 +175,7 @@ spec:
     spec:
       containers:
         - name: bookstack
-          image: linuxserver/bookstack:25.12.3
+          image: linuxserver/bookstack:25.12.20251224
           imagePullPolicy: IfNotPresent
           env:
             # LinuxServer.io specific

code-system/code.yaml

@@ -50,7 +50,7 @@ spec:
         fsGroup: 1000
       containers:
         - name: code-server
-          image: codercom/code-server:4.108.2
+          image: codercom/code-server:4.123.0
           args:
             - --bind-addr=0.0.0.0:8080
             - --auth=none

crafty-system/crafty.yaml

@@ -223,7 +223,7 @@ spec:
         fsGroup: 0
       containers:
         - name: craftycontroller
-          image: arcadiatechnology/crafty-4:4.9.0
+          image: arcadiatechnology/crafty-4:4.10.4
           imagePullPolicy: IfNotPresent
           securityContext:
             runAsNonRoot: true

felhom-system/healthchecks.yaml

@@ -48,7 +48,7 @@ spec:
         fsGroup: 999
       containers:
         - name: healthchecks
-          image: healthchecks/healthchecks:v4.0
+          image: healthchecks/healthchecks:v4.2
           ports:
             - containerPort: 8000
           env:

gitea-system/gitea.yaml

@@ -32,7 +32,7 @@ spec:
     spec:
       initContainers:
         - name: init-directories
-          image: busybox:1.36
+          image: busybox:1.38
           command:
             - sh
             - -c
@@ -218,6 +218,7 @@ metadata:
       if ($remote_addr ~ "^10\.") { set $geo_allowed 1; }
       if ($geoip2_country_code = "HU") { set $geo_allowed 1; }
       if ($geoip2_country_code = "DE") { set $geo_allowed 1; }
+      if ($geoip2_country_code = "US") { set $geo_allowed 1; }
       if ($geo_allowed = 0) {
         return 403 "Access restricted to Hungary";
       }

glance-system/glance-kisfenyo.yaml

@@ -2746,7 +2746,7 @@ spec:
         fsGroup: 1000
       initContainers:
         - name: build-bookmarks-index
-          image: mikefarah/yq:4.50.1
+          image: mikefarah/yq:4.53.2
           securityContext:
             runAsUser: 1000
             runAsGroup: 1000
@@ -2787,7 +2787,7 @@ spec:
               mountPath: /app/assets
       containers:
         - name: glance
-          image: glanceapp/glance:v0.8.4
+          image: glanceapp/glance:v0.8.5
           imagePullPolicy: IfNotPresent
           env:
             - name: TZ

glance-system/glance-orsi.yaml

@@ -1372,7 +1372,7 @@ spec:
         fsGroup: 1000
       initContainers:
         - name: build-bookmarks-index
-          image: mikefarah/yq:4.50.1
+          image: mikefarah/yq:4.53.2
           securityContext:
             runAsUser: 1000
             runAsGroup: 1000
@@ -1413,7 +1413,7 @@ spec:
               mountPath: /app/assets
       containers:
         - name: glance
-          image: glanceapp/glance:v0.8.4
+          image: glanceapp/glance:v0.8.5
           imagePullPolicy: IfNotPresent
           env:
             - name: TZ

helm/plex/values.yaml

@@ -123,7 +123,7 @@ initContainer:
     registry: index.docker.io
     repository: alpine
     # -- If unset use latest
-    tag: "3.22"
+    tag: "3.23"
     sha: ""
     pullPolicy: IfNotPresent
 
@@ -181,7 +181,7 @@ rclone:
     registry: index.docker.io
     repository: rclone/rclone
     # -- If unset use latest
-    tag: 1.70.3
+    tag: 1.74.2
     sha: ""
     pullPolicy: IfNotPresent
 

immich-system/immich.yaml

@@ -416,7 +416,7 @@ spec:
               value: http://immich-machine-learning:3003
             - name: REDIS_HOSTNAME
               value: immich-valkey
-          image: docker.io/valkey/valkey:9.0-alpine@sha256:b4ee67d73e00393e712accc72cfd7003b87d0fcd63f0eba798b23251bfc9c394
+          image: docker.io/valkey/valkey:9.1-alpine@sha256:a35428eba9043cc0b79dbe54100f0c92784f2de00ad09b01182bfb1c5c83d1bd
           imagePullPolicy: IfNotPresent
           livenessProbe:
             exec:

jarrs-system/jarr-dev.yaml

@@ -282,7 +282,7 @@ spec:
     spec:
       initContainers:
         - name: wait-for-db
-          image: busybox:1.36
+          image: busybox:1.38
           command:
             - sh
             - -c
@@ -294,7 +294,7 @@ spec:
               done
               echo "PostgreSQL is ready!"
         - name: wait-for-redis
-          image: busybox:1.36
+          image: busybox:1.38
           command:
             - sh
             - -c
@@ -532,7 +532,7 @@ spec:
                   number: 3000
   tls:
     - hosts:
-        - dev-local.jarrs.eu
+        - dev.jarrs.eu
       secretName: dev-jarr-tls
 ---
 # =============================================================================
@@ -584,7 +584,7 @@ spec:
       initContainers:
         # 1. Wait for PostgreSQL to accept connections
         - name: wait-for-db
-          image: busybox:1.36
+          image: busybox:1.38
           command:
             - sh
             - -c
@@ -597,7 +597,7 @@ spec:
               echo "PostgreSQL is ready!"
         # 2. Wait for Redis to accept connections
         - name: wait-for-redis
-          image: busybox:1.36
+          image: busybox:1.38
           command:
             - sh
             - -c
@@ -612,7 +612,7 @@ spec:
         #    Prevents the worker from picking up stale queued jobs
         #    before schema migrations have been applied.
         - name: wait-for-api
-          image: busybox:1.36
+          image: busybox:1.38
           command:
             - sh
             - -c

mon-system/monitoring.yaml

@@ -348,7 +348,7 @@ spec:
     spec:
       containers:
         - name: prometheus
-          image: prom/prometheus:v3.9.1
+          image: prom/prometheus:v3.12.0
           args:
             - --config.file=/etc/prometheus/prometheus.yml
             - --storage.tsdb.path=/prometheus
@@ -529,7 +529,7 @@ spec:
         runAsGroup: 472
       containers:
         - name: grafana
-          image: grafana/grafana:12.3.2
+          image: grafana/grafana:12.4.4
           ports:
             - containerPort: 3000
               name: http
@@ -730,7 +730,7 @@ spec:
       hostPID: true
       containers:
         - name: node-exporter
-          image: prom/node-exporter:v1.10.2
+          image: prom/node-exporter:v1.11.1
           args:
             - "--path.procfs=/host/proc"
             - "--path.sysfs=/host/sys"

nextcloud-system/nextcloud.yaml

@@ -395,7 +395,7 @@ spec:
     spec:
       containers:
         - name: nextcloud
-          image: docker.io/library/nextcloud:32.0.2-apache
+          image: docker.io/library/nextcloud:32.0.10-apache
           imagePullPolicy: IfNotPresent
           env:
             - name: SMTP_HOST
@@ -552,7 +552,7 @@ spec:
             failureThreshold: 3
       initContainers:
         - name: postgresql-isready
-          image: docker.io/bitnamilegacy/postgresql:17.5.0-debian-12-r3
+          image: docker.io/bitnamilegacy/postgresql:17.6.0-debian-12-r3
           resources: {}
           securityContext: {}
           env:
@@ -637,7 +637,7 @@ spec:
       hostIPC: false
       containers:
         - name: postgresql
-          image: docker.io/bitnamilegacy/postgresql:17.5.0-debian-12-r3
+          image: docker.io/bitnamilegacy/postgresql:17.6.0-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false

office-system/bentopdf.yaml

@@ -0,0 +1,135 @@
+# BentoPDF - Privacy-focused PDF toolkit (all processing client-side, files never leave the server)
+# https://www.bentopdf.com  -  image: ghcr.io/alam00000/bentopdf
+# Domain: pdf.dooplex.hu
+# Version: 2.8.5
+# Database: None | Storage: None (stateless)
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: bentopdf
+  namespace: office-system
+  labels:
+    app.kubernetes.io/name: bentopdf
+    app.kubernetes.io/instance: bentopdf
+    app.kubernetes.io/version: "2.8.5"
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: bentopdf
+      app.kubernetes.io/instance: bentopdf
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: bentopdf
+        app.kubernetes.io/instance: bentopdf
+        app.kubernetes.io/version: "2.8.5"
+      annotations:
+        match-regex.version-checker.io/bentopdf: '^v\d+\.\d+\.\d+$'
+    spec:
+      containers:
+        - name: bentopdf
+          image: ghcr.io/alam00000/bentopdf:v2.8.5
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: TZ
+              value: "Europe/Budapest"
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 15
+            periodSeconds: 30
+            timeoutSeconds: 5
+            failureThreshold: 3
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            timeoutSeconds: 3
+            failureThreshold: 3
+          resources:
+            requests:
+              cpu: 50m
+              memory: 128Mi
+            limits:
+              cpu: 500m
+              memory: 384Mi
+      restartPolicy: Always
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: bentopdf
+  namespace: office-system
+  labels:
+    app.kubernetes.io/name: bentopdf
+    app.kubernetes.io/instance: bentopdf
+spec:
+  type: ClusterIP
+  ports:
+    - name: http
+      port: 8080
+      targetPort: http
+      protocol: TCP
+  selector:
+    app.kubernetes.io/name: bentopdf
+    app.kubernetes.io/instance: bentopdf
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: bentopdf
+  namespace: office-system
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    external-dns.alpha.kubernetes.io/hostname: pdf.dooplex.hu,pdf.home
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      set $geo_allowed 0;
+      if ($remote_addr ~ "^192\.168\.") { set $geo_allowed 1; }
+      if ($remote_addr ~ "^10\.") { set $geo_allowed 1; }
+      if ($geoip2_country_code = "HU") { set $geo_allowed 1; }
+      if ($geo_allowed = 0) {
+        return 403 "Access restricted to Hungary";
+      }
+  labels:
+    app.kubernetes.io/name: bentopdf
+    app.kubernetes.io/instance: bentopdf
+spec:
+  ingressClassName: nginx-internal
+  tls:
+    - hosts:
+        - pdf.dooplex.hu
+      secretName: bentopdf-tls
+  rules:
+    - host: pdf.dooplex.hu
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: bentopdf
+                port:
+                  number: 8080
+    - host: pdf.home
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: bentopdf
+                port:
+                  number: 8080

office-system/onlyoffice.yaml

@@ -27,7 +27,7 @@ spec:
     spec:
       containers:
         - name: onlyoffice
-          image: onlyoffice/documentserver:9.0.2
+          image: onlyoffice/documentserver:9.4.0
           imagePullPolicy: IfNotPresent
           env:
             - name: TZ

orsi-system/filebrowser.yaml

@@ -89,7 +89,7 @@ spec:
       initContainers:
         # Configure proxy auth in database before starting
         - name: configure-auth
-          image: filebrowser/filebrowser:v2.54.0
+          image: filebrowser/filebrowser:v2.63.5
           command:
             - sh
             - -c
@@ -109,7 +109,7 @@ spec:
             runAsGroup: 1001
       containers:
         - name: filebrowser
-          image: filebrowser/filebrowser:v2.54.0
+          image: filebrowser/filebrowser:v2.63.5
           command:
             - filebrowser
             - --database=/config/filebrowser.db

outline-system/outline.yaml

@@ -31,7 +31,7 @@ spec:
     spec:
       containers:
         - name: outline
-          image: outlinewiki/outline:1.4.0
+          image: outlinewiki/outline:1.8.0
           imagePullPolicy: IfNotPresent
           env:
             - name: NODE_ENV

plantit-system/plantit.yaml

@@ -121,7 +121,7 @@ spec:
     spec:
       containers:
         - name: redis
-          image: redis:7.2.1
+          image: redis:7.4.9
           ports:
             - containerPort: 6379
               name: redis

privatebin-system/privatebin.yaml

@@ -169,7 +169,7 @@ spec:
         fsGroup: 82
       containers:
         - name: privatebin
-          image: privatebin/nginx-fpm-alpine:2.0.3
+          image: privatebin/nginx-fpm-alpine:2.0.4
           imagePullPolicy: IfNotPresent
           ports:
             - name: http

servarr-system/servarr.yaml

@@ -244,7 +244,7 @@ spec:
     spec:
       containers:
         - name: qbittorrent
-          image: linuxserver/qbittorrent:5.1.4
+          image: linuxserver/qbittorrent:5.2.1
           imagePullPolicy: IfNotPresent
           env:
             - name: PUID

termix-system/termix.yaml

@@ -41,6 +41,10 @@ spec:
     spec:
       containers:
         - name: termix
+          # NOTE: termix uses a non-semver tag pattern (release-X.Y.Z).
+          # Renovate handles it via a customManagers regex defined in
+          # admin-system/renovate.yaml (the kubernetes manager doesn't
+          # process inline `# renovate:` comments).
           image: ghcr.io/lukegus/termix:release-1.11.0
           imagePullPolicy: IfNotPresent
           ports:

uptimekuma-system/uptimekuma.yaml

@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
         - name: uptimekuma
-          image: louislam/uptime-kuma:2.3.2
+          image: louislam/uptime-kuma:2.4.0
           imagePullPolicy: IfNotPresent
           env:
             - name: TZ

wanderer-system/wanderer.yaml

@@ -57,7 +57,7 @@ spec:
     spec:
       containers:
         - name: meilisearch
-          image: getmeili/meilisearch:v1.11.3
+          image: getmeili/meilisearch:v1.45.2
           env:
             - name: MEILI_MASTER_KEY
               valueFrom:
@@ -122,7 +122,7 @@ spec:
     spec:
       containers:
         - name: pocketbase
-          image: flomp/wanderer-db:v0.18.4
+          image: flomp/wanderer-db:v0.19.2
           env:
             - name: ORIGIN
               value: "https://wanderer.dooplex.hu"
@@ -192,7 +192,7 @@ spec:
     spec:
       containers:
         - name: wanderer-web
-          image: flomp/wanderer-web:v0.18.4
+          image: flomp/wanderer-web:v0.19.2
           env:
             - name: NODE_TLS_REJECT_UNAUTHORIZED
               value: "0"

web-system/web.yaml

@@ -130,7 +130,7 @@ spec:
       initContainers:
         # Configure proxy auth in database before starting
         - name: configure-auth
-          image: filebrowser/filebrowser:v2.54.0
+          image: filebrowser/filebrowser:v2.63.5
           command:
             - sh
             - -c
@@ -151,7 +151,7 @@ spec:
             runAsGroup: 1000
       containers:
         - name: filebrowser
-          image: filebrowser/filebrowser:v2.54.0
+          image: filebrowser/filebrowser:v2.63.5
           command:
             - filebrowser
             - --database=/config/filebrowser.db
@@ -315,7 +315,7 @@ spec:
       initContainers:
         # Create public directory if it doesn't exist
         - name: init-public-dir
-          image: busybox:1.36
+          image: busybox:1.38
           command: ["sh", "-c", "mkdir -p /srv/public && chmod 755 /srv/public"]
           volumeMounts:
             - name: data
@@ -324,7 +324,7 @@ spec:
             runAsUser: 0
       containers:
         - name: nginx
-          image: nginx:1.27-alpine
+          image: nginx:1.31-alpine
           ports:
             - containerPort: 8080
               name: http

workout-system/sparkyfitness.yaml

@@ -34,6 +34,14 @@
 # table ownership, and installs uuid-ossp/pgcrypto/pg_stat_statements on its
 # own — no init SQL or shared_preload_libraries tinkering needed.
 # ----------------------------------------------------------------------------
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: workout-system
+  labels:
+    app.kubernetes.io/name: sparkyfitness
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -145,7 +153,7 @@ spec:
         fsGroup: 1000
       initContainers:
         - name: wait-for-db
-          image: busybox:1.36
+          image: busybox:1.38
           command:
             - sh
             - -c

workout-system/workout.yaml

@@ -1,556 +0,0 @@
-# ============================================================================
-# *** PARKED 2026-05-27 *** — wger has been REPLACED by SparkyFitness.
-# SparkyFitness now owns workout.dooplex.hu / workout.home (see sparkyfitness.yaml).
-# All wger Deployments are scaled to 0 and both wger Ingresses were removed
-# (ArgoCD prune deletes them, freeing the hostnames). The wger Services,
-# ConfigMap, PVCs (wger-media / wger-static) and the wger DB in the shared CNPG
-# cluster are KEPT, untouched, for rollback.
-# To revive wger: restore the two Ingress resources from git history and scale
-# the wger / wger-redis / wger-celery-* Deployments back to 1.
-# ============================================================================
-# wger - Workout Manager
-# https://github.com/wger-project/wger
-# Version: 2.5 (official image, no custom fork)
-# Domain: workout.dooplex.hu
-# Auth: Authentik Forward Auth (domain mode) + native wger AUTH_PROXY middleware
-#
-# ============================================================================
-# MIGRATION NOTES (from 2.3 + custom OIDC fork):
-# - Image switched from ghcr.io/kisfenyo/wger-oidc:latest -> wger/server:2.5
-# - All OIDC_* / ENABLE_OIDC env vars removed
-# - Native AUTH_PROXY_* env vars added (wger 2.4+ feature, PR #1859)
-# - Ingress split into two resources:
-#     * wger        -> path /       -> protected by Authentik forward-auth
-#     * wger-api    -> path /api/   -> unprotected (JWT auth for mobile app)
-# - nginx sidecar: strips client-supplied X-Authentik-* on /api/ (defense in depth)
-# - Authentik: create a new Proxy Provider (Forward auth, single application)
-#     External Host: https://workout.dooplex.hu
-#     Attach to existing outpost. The old OIDC provider can be deleted.
-#
-# POST-UPGRADE COMMANDS (run once after rollout stabilises):
-#   kubectl exec -n workout-system deploy/wger -c wger -- \
-#     python manage.py recalculate_statistics --all --active-only
-#   kubectl exec -n workout-system deploy/wger -c wger -- \
-#     python manage.py evaluate_trophies --all
-# ============================================================================
----
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: workout-system
-  labels:
-    app.kubernetes.io/name: wger
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: wger-redis
-  namespace: workout-system
-  labels:
-    app.kubernetes.io/instance: wger
-    app.kubernetes.io/name: wger-redis
-spec:
-  replicas: 0  # parked 2026-05-27 (replaced by SparkyFitness)
-  selector:
-    matchLabels:
-      app.kubernetes.io/instance: wger
-      app.kubernetes.io/name: wger-redis
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/instance: wger
-        app.kubernetes.io/name: wger-redis
-    spec:
-      containers:
-        - name: redis
-          image: redis:7.2-alpine
-          ports:
-            - containerPort: 6379
-              name: redis
-          resources:
-            requests:
-              cpu: 50m
-              memory: 64Mi
-            limits:
-              cpu: 200m
-              memory: 128Mi
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: wger
-  namespace: workout-system
-  labels:
-    app.kubernetes.io/instance: wger
-    app.kubernetes.io/name: wger
-  annotations:
-    # Track upstream wger releases
-    extensions.v1alpha1.version-checker.io/wger: "true"
-    extensions.v1alpha1.version-checker.io/wger.match-regex: "^\\d+\\.\\d+$"
-spec:
-  replicas: 0  # parked 2026-05-27 (replaced by SparkyFitness)
-  selector:
-    matchLabels:
-      app.kubernetes.io/instance: wger
-      app.kubernetes.io/name: wger
-  strategy:
-    type: Recreate
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/instance: wger
-        app.kubernetes.io/name: wger
-    spec:
-      # Prevent k8s from injecting WGER_PORT / WGER_SERVICE_* env vars
-      # from the wger Service — they collide with wger's own $WGER_PORT
-      # config and break the startup script (URI instead of port number).
-      enableServiceLinks: false
-      securityContext:
-        fsGroup: 1000
-      containers:
-        - name: nginx
-          image: nginx:alpine
-          ports:
-            - containerPort: 80
-              name: http
-          volumeMounts:
-            - name: static
-              mountPath: /home/wger/static
-              readOnly: true
-            - name: media
-              mountPath: /home/wger/media
-              readOnly: true
-            - name: nginx-config
-              mountPath: /etc/nginx/conf.d/default.conf
-              subPath: nginx.conf
-        - name: wger
-          image: wger/server:2.5
-          imagePullPolicy: IfNotPresent
-          env:
-            # Django settings
-            - name: SECRET_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: wger-app
-                  key: secret-key
-            - name: SIGNING_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: wger-app
-                  key: signing-key
-            - name: DJANGO_DEBUG
-              value: "False"
-            - name: WGER_INSTANCE
-              value: "https://workout.dooplex.hu"
-            - name: TIME_ZONE
-              value: "Europe/Budapest"
-            - name: DJANGO_CACHE_TIMEOUT
-              value: "120"
-            - name: CSRF_TRUSTED_ORIGINS
-              value: "https://workout.dooplex.hu"
-            # Database (shared CNPG)
-            - name: DJANGO_DB_ENGINE
-              value: "django.db.backends.postgresql"
-            - name: DJANGO_DB_HOST
-              value: "postgresql-rw.database-system.svc.cluster.local"
-            - name: DJANGO_DB_PORT
-              value: "5432"
-            - name: DJANGO_DB_DATABASE
-              value: "wger"
-            - name: DJANGO_DB_USER
-              valueFrom:
-                secretKeyRef:
-                  name: wger-db
-                  key: username
-            - name: DJANGO_DB_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: wger-db
-                  key: password
-            # Cache
-            - name: DJANGO_CACHE_BACKEND
-              value: "django_redis.cache.RedisCache"
-            - name: DJANGO_CACHE_LOCATION
-              value: "redis://wger-redis:6379/1"
-            - name: DJANGO_CACHE_CLIENT_CLASS
-              value: "django_redis.client.DefaultClient"
-            # Celery
-            - name: CELERY_BROKER
-              value: "redis://wger-redis:6379/2"
-            - name: CELERY_BACKEND
-              value: "redis://wger-redis:6379/2"
-            # ----------------------------------------------------------------
-            # Native Authentication Proxy (wger 2.4+) - replaces OIDC fork
-            # ----------------------------------------------------------------
-            - name: AUTH_PROXY_ENABLED
-              value: "True"
-            # Django META key format: HTTP_ + uppercase header with - replaced by _
-            # So X-Authentik-Username => HTTP_X_AUTHENTIK_USERNAME
-            - name: AUTH_PROXY_HEADER
-              value: "HTTP_X_AUTHENTIK_USERNAME"
-            - name: AUTH_PROXY_CREATE_UNKNOWN_USER
-              value: "True"
-            - name: AUTH_PROXY_EMAIL_HEADER
-              value: "HTTP_X_AUTHENTIK_EMAIL"
-            - name: AUTH_PROXY_NAME_HEADER
-              value: "HTTP_X_AUTHENTIK_NAME"
-            # Only trust the auth header when coming from the nginx sidecar
-            # (same pod, proxies from 127.0.0.1 to Django on :8000).
-            # This prevents header-spoofing attacks from anywhere else.
-            - name: AUTH_PROXY_TRUSTED_IPS
-              value: "127.0.0.1/32"
-            # Email (disabled - no email sending)
-            - name: ENABLE_EMAIL
-              value: "False"
-            # Media settings
-            - name: DJANGO_MEDIA_ROOT
-              value: "/home/wger/media"
-            - name: DJANGO_STATIC_ROOT
-              value: "/home/wger/static"
-            # Features
-            - name: ALLOW_REGISTRATION
-              value: "False"
-            - name: ALLOW_GUEST_USERS
-              value: "False"
-            - name: ALLOW_UPLOAD_VIDEOS
-              value: "True"
-            - name: USE_RECAPTCHA
-              value: "False"
-            - name: DOWNLOAD_EXERCISE_IMAGES_ON_STARTUP
-              value: "True"
-          ports:
-            - containerPort: 8000
-              name: http
-          resources:
-            requests:
-              cpu: 100m
-              memory: 256Mi
-            limits:
-              cpu: 1000m
-              memory: 1Gi
-          volumeMounts:
-            - name: media
-              mountPath: /home/wger/media
-            - name: static
-              mountPath: /home/wger/static
-          livenessProbe:
-            httpGet:
-              path: /
-              port: http
-            initialDelaySeconds: 120
-            periodSeconds: 30
-          readinessProbe:
-            httpGet:
-              path: /
-              port: http
-            initialDelaySeconds: 60
-            periodSeconds: 10
-      volumes:
-        - name: nginx-config
-          configMap:
-            name: wger-nginx-config
-        - name: media
-          persistentVolumeClaim:
-            claimName: wger-media
-        - name: static
-          persistentVolumeClaim:
-            claimName: wger-static
----
-# Celery worker for background tasks
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: wger-celery-worker
-  namespace: workout-system
-  labels:
-    app.kubernetes.io/instance: wger
-    app.kubernetes.io/name: wger-celery-worker
-spec:
-  replicas: 0  # parked 2026-05-27 (replaced by SparkyFitness)
-  selector:
-    matchLabels:
-      app.kubernetes.io/instance: wger
-      app.kubernetes.io/name: wger-celery-worker
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/instance: wger
-        app.kubernetes.io/name: wger-celery-worker
-    spec:
-      enableServiceLinks: false
-      securityContext:
-        fsGroup: 1000
-      containers:
-        - name: celery-worker
-          image: wger/server:2.5
-          imagePullPolicy: IfNotPresent
-          command: ["/start-worker"]
-          env:
-            - name: SECRET_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: wger-app
-                  key: secret-key
-            - name: SIGNING_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: wger-app
-                  key: signing-key
-            - name: TIME_ZONE
-              value: "Europe/Budapest"
-            - name: DJANGO_DB_ENGINE
-              value: "django.db.backends.postgresql"
-            - name: DJANGO_DB_HOST
-              value: "postgresql-rw.database-system.svc.cluster.local"
-            - name: DJANGO_DB_PORT
-              value: "5432"
-            - name: DJANGO_DB_DATABASE
-              value: "wger"
-            - name: DJANGO_DB_USER
-              valueFrom:
-                secretKeyRef:
-                  name: wger-db
-                  key: username
-            - name: DJANGO_DB_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: wger-db
-                  key: password
-            - name: DJANGO_CACHE_TIMEOUT
-              value: "120"
-            - name: DJANGO_CACHE_CLIENT_CLASS
-              value: "django_redis.client.DefaultClient"
-            - name: CELERY_BROKER
-              value: "redis://wger-redis:6379/2"
-            - name: CELERY_BACKEND
-              value: "redis://wger-redis:6379/2"
-            - name: DJANGO_CACHE_BACKEND
-              value: "django_redis.cache.RedisCache"
-            - name: DJANGO_CACHE_LOCATION
-              value: "redis://wger-redis:6379/1"
-          resources:
-            requests:
-              cpu: 50m
-              memory: 128Mi
-            limits:
-              cpu: 500m
-              memory: 512Mi
----
-# Celery beat for scheduled tasks
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: wger-celery-beat
-  namespace: workout-system
-  labels:
-    app.kubernetes.io/instance: wger
-    app.kubernetes.io/name: wger-celery-beat
-spec:
-  replicas: 0  # parked 2026-05-27 (replaced by SparkyFitness)
-  selector:
-    matchLabels:
-      app.kubernetes.io/instance: wger
-      app.kubernetes.io/name: wger-celery-beat
-  template:
-    metadata:
-      labels:
-        app.kubernetes.io/instance: wger
-        app.kubernetes.io/name: wger-celery-beat
-    spec:
-      enableServiceLinks: false
-      securityContext:
-        fsGroup: 1000
-      containers:
-        - name: celery-beat
-          image: wger/server:2.5
-          imagePullPolicy: IfNotPresent
-          command: ["/start-beat"]
-          env:
-            - name: SECRET_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: wger-app
-                  key: secret-key
-            - name: SIGNING_KEY
-              valueFrom:
-                secretKeyRef:
-                  name: wger-app
-                  key: signing-key
-            - name: TIME_ZONE
-              value: "Europe/Budapest"
-            - name: DJANGO_CACHE_TIMEOUT
-              value: "120"
-            - name: DJANGO_CACHE_CLIENT_CLASS
-              value: "django_redis.client.DefaultClient"
-            - name: DJANGO_DB_ENGINE
-              value: "django.db.backends.postgresql"
-            - name: DJANGO_DB_HOST
-              value: "postgresql-rw.database-system.svc.cluster.local"
-            - name: DJANGO_DB_PORT
-              value: "5432"
-            - name: DJANGO_DB_DATABASE
-              value: "wger"
-            - name: DJANGO_DB_USER
-              valueFrom:
-                secretKeyRef:
-                  name: wger-db
-                  key: username
-            - name: DJANGO_DB_PASSWORD
-              valueFrom:
-                secretKeyRef:
-                  name: wger-db
-                  key: password
-            - name: CELERY_BROKER
-              value: "redis://wger-redis:6379/2"
-            - name: CELERY_BACKEND
-              value: "redis://wger-redis:6379/2"
-          resources:
-            requests:
-              cpu: 50m
-              memory: 64Mi
-            limits:
-              cpu: 200m
-              memory: 256Mi
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: wger-redis
-  namespace: workout-system
-  labels:
-    app.kubernetes.io/instance: wger
-    app.kubernetes.io/name: wger-redis
-spec:
-  type: ClusterIP
-  ports:
-    - name: redis
-      port: 6379
-      targetPort: redis
-  selector:
-    app.kubernetes.io/instance: wger
-    app.kubernetes.io/name: wger-redis
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: wger
-  namespace: workout-system
-  labels:
-    app.kubernetes.io/instance: wger
-    app.kubernetes.io/name: wger
-spec:
-  type: ClusterIP
-  ports:
-    - name: http
-      port: 80
-      targetPort: 80
-  selector:
-    app.kubernetes.io/instance: wger
-    app.kubernetes.io/name: wger
----
-# ============================================================================
-# wger Ingresses (wger + wger-api) REMOVED 2026-05-27 — see PARKED note at top.
-# SparkyFitness's ingress (sparkyfitness.yaml) now serves workout.dooplex.hu /
-# workout.home. ArgoCD prune deletes the old Ingress objects from the cluster,
-# releasing the hostnames + the wger-tls certificate's hosts.
-# To revive wger: restore these two Ingress resources from git history.
-# ============================================================================
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: wger-media
-  namespace: workout-system
-  labels:
-    app.kubernetes.io/instance: wger
-    app.kubernetes.io/name: wger-media
-    recurring-job-group.longhorn.io/needbackup: enabled
-    recurring-job.longhorn.io/source: enabled
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: longhorn
-  resources:
-    requests:
-      storage: 5Gi
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: wger-static
-  namespace: workout-system
-  labels:
-    app.kubernetes.io/instance: wger
-    app.kubernetes.io/name: wger-static
-spec:
-  accessModes:
-    - ReadWriteOnce
-  storageClassName: longhorn
-  resources:
-    requests:
-      storage: 2Gi
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: wger-nginx-config
-  namespace: workout-system
-data:
-  nginx.conf: |
-    server {
-      listen 80;
-      server_name _;
-      client_max_body_size 4G;
-
-      # Official Wger Logic
-      root /var/www/html/; # This is just a dummy root, aliases do the work
-
-      location /static/ {
-        alias /home/wger/static/;
-        expires 30d;
-        access_log off;
-      }
-
-      location /media/ {
-        alias /home/wger/media/;
-        expires 30d;
-        access_log off;
-      }
-
-      # API path: strip any client-supplied auth headers before proxying.
-      # Mobile app + API clients authenticate via JWT (/api/v2/token), not
-      # proxy auth. This is a defense-in-depth measure so that even if traffic
-      # somehow reaches this sidecar without going through the forward-auth
-      # ingress, it cannot forge an AUTH_PROXY login via a spoofed header.
-      # Nginx treats "" as "do not forward this header."
-      location /api/ {
-        proxy_pass http://localhost:8000;
-        proxy_set_header Host $http_host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
-        proxy_set_header X-Authentik-Username "";
-        proxy_set_header X-Authentik-Email "";
-        proxy_set_header X-Authentik-Name "";
-        proxy_set_header X-Authentik-Groups "";
-        proxy_set_header X-Authentik-Uid "";
-      }
-
-      # Everything else: pass through the auth headers set by the
-      # forward-auth ingress so wger's AUTH_PROXY middleware can log the
-      # user in. $http_x_authentik_username expands to empty if the header
-      # isn't present (e.g. Tailscale admin access bypassing the ingress).
-      location / {
-        proxy_pass http://localhost:8000;
-        proxy_set_header Host $http_host;
-        proxy_set_header X-Real-IP $remote_addr;
-        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
-        proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
-        proxy_set_header X-Authentik-Username $http_x_authentik_username;
-        proxy_set_header X-Authentik-Email $http_x_authentik_email;
-        proxy_set_header X-Authentik-Name $http_x_authentik_name;
-        proxy_set_header X-Authentik-Groups $http_x_authentik_groups;
-        proxy_set_header X-Authentik-Uid $http_x_authentik_uid;
-      }
-    }
----