servarr + plex: bump image tags

- sonarr version-4.0.16.2944 -> version-4.0.17.2952 (patch within 4.0.x) - radarr×2 version-6.0.4.10291 -> version-6.1.1.10360 (minor within 6.x) - prowlarr version-2.3.0.5236 -> version-2.3.5.5327 (patch within 2.3.x) - plex 1.43.0.10467-... -> 1.43.2.10687-... (patch within 1.43.x) All four were stuck because of tag-format issues that I addressed in PR #82 (servarr customManager) / PR #83. Renovate isn't auto-creating the PRs yet (DH rate-limit), so doing them manually so version-checker clears. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Merge pull request 'fix: re-pin moving tags (filebrowser/umami/recipes) so Renovate can track them' (#83 ) from fix/moving-tag-repins into main
2026-06-06 14:16:24 +02:00 · 2026-06-06 11:35:13 +00:00 · 2026-06-06 13:35:12 +02:00 · 2026-06-06 11:25:51 +00:00 · 2026-06-06 13:25:49 +02:00 · 2026-06-06 10:56:00 +00:00
8 changed files with 63 additions and 13 deletions
@@ -62,6 +62,27 @@ data:
          "packageNameTemplate": "Termix-SSH/Termix",
          "versioningTemplate": "regex:^release-(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)$",
          "extractVersionTemplate": "^(?<version>release-\\d+\\.\\d+\\.\\d+)"
+        },
+        {
+          "description": "linuxserver servarr apps (prowlarr, radarr, sonarr) use tag pattern `version-X.Y.Z.B` (4 segments + `version-` prefix). The kubernetes manager's default docker versioning rejects them at the pre-check (same failure class as termix), so no PRs ever open. Use regex versioning to parse the prefixed 4-segment form; depName is captured from the regex so the same customManager handles all three apps.",
+          "customType": "regex",
+          "managerFilePatterns": ["/servarr-system/.+\\.ya?ml$/"],
+          "matchStrings": [
+            "image:\\s+linuxserver/(?<depName>prowlarr|radarr|sonarr):(?<currentValue>version-\\d+\\.\\d+\\.\\d+\\.\\d+)"
+          ],
+          "datasourceTemplate": "docker",
+          "packageNameTemplate": "linuxserver/{{depName}}",
+          "versioningTemplate": "regex:^version-(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)\\.(?<build>\\d+)$"
+        },
+        {
+          "description": "umami: the docker image tag is `postgresql-vX.Y.Z` (the PostgreSQL-flavored variant). Default docker versioning rejects the prefix. Same fix as termix/servarr: regex versioning parses the prefixed value; ghcr.io tag list is filtered to the postgresql-v* track only.",
+          "customType": "regex",
+          "managerFilePatterns": ["/felhom-system/umami\\.ya?ml$/"],
+          "matchStrings": [
+            "image:\\s+(?<depName>ghcr\\.io/umami-software/umami):(?<currentValue>postgresql-v\\d+\\.\\d+\\.\\d+)"
+          ],
+          "datasourceTemplate": "docker",
+          "versioningTemplate": "regex:^postgresql-v(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)$"
        }
      ],
      "packageRules": [
@@ -128,6 +149,22 @@ data:
          "matchManagers": ["kubernetes"],
          "matchPackageNames": ["ghcr.io/lukegus/termix"],
          "enabled": false
+        },
+        {
+          "description": "linuxserver servarr apps: same disable pattern as termix. The customManager above handles extraction with the right versioning; turn off the default kubernetes-manager extraction so it doesn't silently skip + clutter the dashboard.",
+          "matchManagers": ["kubernetes"],
+          "matchPackageNames": [
+            "linuxserver/prowlarr",
+            "linuxserver/radarr",
+            "linuxserver/sonarr"
+          ],
+          "enabled": false
+        },
+        {
+          "description": "umami: same disable pattern. customManager handles extraction; kubernetes-manager would silently skip `postgresql-vX.Y.Z`.",
+          "matchManagers": ["kubernetes"],
+          "matchPackageNames": ["ghcr.io/umami-software/umami"],
+          "enabled": false
        }
      ],
      "labels": ["renovate"]
@@ -141,7 +178,7 @@ metadata:
  labels:
    app.kubernetes.io/instance: renovate
    app.kubernetes.io/name: renovate
-    app.kubernetes.io/version: "43.197.0"
+    app.kubernetes.io/version: "43.209.3"
 spec:
  # Sat 02:00 Europe/Budapest — leaves the full weekend for troubleshooting
  # if a Renovate-merged update breaks something.
@@ -156,14 +193,14 @@ spec:
      labels:
        app.kubernetes.io/instance: renovate
        app.kubernetes.io/name: renovate
-        app.kubernetes.io/version: "43.197.0"
+        app.kubernetes.io/version: "43.209.3"
    spec:
      template:
        metadata:
          labels:
            app.kubernetes.io/instance: renovate
            app.kubernetes.io/name: renovate
-            app.kubernetes.io/version: "43.197.0"
+            app.kubernetes.io/version: "43.209.3"
          annotations:
            # Renovate uses plain X.Y.Z semver tags (no -slim suffix anymore)
            match-regex.version-checker.io/renovate: '^\d+\.\d+\.\d+$'
@@ -187,7 +187,7 @@ spec:
              cpu: "50m"
      containers:
        - name: umami
-          image: ghcr.io/umami-software/umami:postgresql-latest
+          image: ghcr.io/umami-software/umami:postgresql-v1.38.0
          ports:
            - containerPort: 3000
          env:
@@ -100,7 +100,7 @@ spec:
    spec:
      containers:
        - name: filebrowser
-          image: filebrowser/filebrowser:v2-alpine
+          image: filebrowser/filebrowser:v2.63.13
          ports:
            - containerPort: 8080
          volumeMounts:
@@ -1,4 +1,11 @@
 ---
+# Image tag override: bumps pihole/pihole to 2026.05.0 without changing
+# the chart version. The 2026.05.0 release bundles FTL v6.6.2 which
+# imports 6 upstream dnsmasq CVE fixes (covering the dnsmasq 2.92/2.93
+# disclosures). No FTL-side config or API changes per the release notes.
+# https://github.com/pi-hole/docker-pi-hole/releases/tag/2026.05.0
+image:
+  tag: "2026.05.0"
 DNS1: "1.1.1.1"   # Cloudflare
 DNS2: "8.8.8.8"   # Google
 DNS3: "9.9.9.9"   #Quad9
@@ -4,7 +4,7 @@ image:
  registry: index.docker.io
  repository: plexinc/pms-docker
  # renovate: datasource=custom.plex depName=plex versioning=loose
-  tag: "1.43.0.10467-2b1ba6e69"
+  tag: "1.43.2.10687-563d026ea"
  sha: ""
  pullPolicy: IfNotPresent

@@ -235,7 +235,10 @@ statefulSet:
  annotations: {}
  # -- Optional extra annotations to add to the pods in the statefulset
  podAnnotations: 
-    match-regex.version-checker.io/plex-plex-media-server-pms: ^\d+\.\d+\.\d+\.\d+-.*$
+    # Match only `<X.Y.Z.B>-<short-hash>` (the amd64/native tag form) and exclude
+    # per-arch tags (e.g. `-armhf`, `-arm64`) so version-checker doesn't show an
+    # ARM tag as "newer" than our x86_64 install.
+    match-regex.version-checker.io/plex-plex-media-server-pms: '^\d+\.\d+\.\d+\.\d+-[a-f0-9]+$'

 service:
  type: LoadBalancer
@@ -392,6 +392,9 @@ spec:
        nextcloud-config-hash: 06b49913be13b1f9a81745166dd75ada59e7ddd39e8f6a2c5538affe2a6d1093
        php-config-hash: 5a497358af870e06b42325eee83d7c0e5466b7f6819cb49b598559d96def7428
        hooks-hash: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
+        # Only match the `X.Y.Z-apache` variant tags so version-checker doesn't
+        # treat the bare `X.Y.Z` server tag as a "newer" version of our apache image.
+        match-regex.version-checker.io/nextcloud: '^\d+\.\d+\.\d+-apache$'
    spec:
      containers:
        - name: nextcloud
@@ -30,7 +30,7 @@ spec:
    spec:
      containers:
        - name: prowlarr
-          image: linuxserver/prowlarr:version-2.3.0.5236
+          image: linuxserver/prowlarr:version-2.3.5.5327
          imagePullPolicy: IfNotPresent
          env:
            - name: PUID
@@ -91,7 +91,7 @@ spec:
    spec:
      containers:
        - name: radarr
-          image: linuxserver/radarr:version-6.0.4.10291
+          image: linuxserver/radarr:version-6.1.1.10360
          imagePullPolicy: IfNotPresent
          env:
            - name: PUID
@@ -164,7 +164,7 @@ spec:
    spec:
      containers:
        - name: sonarr
-          image: linuxserver/sonarr:version-4.0.16.2944
+          image: linuxserver/sonarr:version-4.0.17.2952
          imagePullPolicy: IfNotPresent
          env:
            - name: PUID
@@ -705,7 +705,7 @@ spec:
    spec:
      containers:
        - name: radarr
-          image: linuxserver/radarr:version-6.0.4.10291
+          image: linuxserver/radarr:version-6.1.1.10360
          imagePullPolicy: IfNotPresent
          env:
            - name: PUID
@@ -30,7 +30,7 @@ spec:
    spec:
      initContainers:
        - name: create-superuser
-          image: vabene1111/recipes:2.6
+          image: vabene1111/recipes:2.6.9
          workingDir: /opt/recipes
          command:
            - /bin/sh
@@ -106,7 +106,7 @@ spec:
                  key: email
      containers:
        - name: tandoor
-          image: vabene1111/recipes:2.6
+          image: vabene1111/recipes:2.6.9
          imagePullPolicy: IfNotPresent
          env:
            - name: TZ
Author	SHA1	Message	Date
admin	0f2ff3fa52	servarr + plex: bump image tags - sonarr version-4.0.16.2944 -> version-4.0.17.2952 (patch within 4.0.x) - radarr×2 version-6.0.4.10291 -> version-6.1.1.10360 (minor within 6.x) - prowlarr version-2.3.0.5236 -> version-2.3.5.5327 (patch within 2.3.x) - plex 1.43.0.10467-... -> 1.43.2.10687-... (patch within 1.43.x) All four were stuck because of tag-format issues that I addressed in PR #82 (servarr customManager) / PR #83. Renovate isn't auto-creating the PRs yet (DH rate-limit), so doing them manually so version-checker clears. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-06 14:16:24 +02:00
admin	6f49a21b3d	Merge pull request 'fix: re-pin moving tags (filebrowser/umami/recipes) so Renovate can track them' (#83 ) from fix/moving-tag-repins into main	2026-06-06 11:35:13 +00:00
admin	d92d2c31a6	re-pin moving tags so Renovate can track them Renovate can't propose updates for moving tags (the tag string never changes; the registry just points it at a different image). These three were pinned to moving variants: felhom-system/webpage.yaml : filebrowser/filebrowser:v2-alpine felhom-system/umami.yaml : ghcr.io/umami-software/umami:postgresql-latest tandoor-system/tandoor.yaml: vabene1111/recipes:2.6 Pin each to the current actual version per Viktor's call: - filebrowser -> v2.63.13 (matches the other 4 filebrowser pinnings in the repo; dropped the `-alpine` variant so Renovate can group them via the existing default datasource path) - umami -> postgresql-v1.38.0 (current upstream postgresql variant latest; tracked via new customManager below) - recipes -> 2.6.9 (current actual semver of the 2.6 series) For umami, the `postgresql-vX.Y.Z` tag pattern is rejected by Renovate's default docker versioning pre-check (same failure class as termix + linuxserver servarr). Added a customManager regex + packageRule disable pair so Renovate can track future `postgresql-vX.Y.Z` updates via regex versioning. filebrowser and recipes use standard semver `X.Y.Z` after the re-pin and need no special handling. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-06 13:35:12 +02:00
admin	6ca0a7b051	Merge pull request 'fix: version tracking tuning — annotations + linuxserver customManager' (#82 ) from fix/version-tracking-tuning into main	2026-06-06 11:25:51 +00:00
admin	1d08156d81	version tracking: tune annotations + add customManagers for linuxserver servarr Several images were showing as outdated in version-checker / unhandled by Renovate. Each had a distinct cause; this PR fixes the auto-tractable ones. 1) admin-system/renovate.yaml: bump `app.kubernetes.io/version` labels `43.197.0 -> 43.209.3` (3 occurrences) to match the live image. Renovate's own self-update PR bumped the image tag but left the labels stale; the version-checker widget appears to read the label. Long-term, this label will drift again on each self-update -- worth a customManager later if it becomes a recurring annoyance. 2) admin-system/renovate.yaml: add a customManager + packageRule pair for linuxserver servarr apps. Tag pattern is `version-X.Y.Z.B` (4 segments + `version-` prefix) which the kubernetes manager's default docker versioning rejects at the pre-check, same failure class as termix. Regex versioning parses the prefixed 4-segment form; the same customManager handles prowlarr/radarr/sonarr (depName captured from the regex). kubernetes-manager extraction for these three depnames is disabled via packageRule so the dashboard isn't cluttered with the failing fallback. 3) nextcloud-system/nextcloud.yaml: add `match-regex.version-checker.io/nextcloud: '^\d+\.\d+\.\d+-apache$'` so version-checker doesn't treat the bare `33.0.5` server tag as a newer version of our `33.0.5-apache` image. The widget was showing `33.0.5-apache -> 33.0.5` -- false positive; image is already current. 4) helm/plex/values.yaml: tighten the version-checker regex from `^\d+\.\d+\.\d+\.\d+-.*$` to `^\d+\.\d+\.\d+\.\d+-[a-f0-9]+$` so per-arch tags (`-armhf`, `-arm64`, ...) are excluded. The widget was showing an `-armhf` tag as "newer" than our x86_64 install. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-06 13:25:49 +02:00
admin	a8c657d554	Merge pull request 'pihole: bump image to 2026.05.0 (dnsmasq CVE security release)' (#81 ) from feat/pihole-2026.05.0 into main	2026-06-06 10:56:00 +00:00
admin	9e020af94d	pihole: bump image to 2026.05.0 (dnsmasq CVE security release) Pi-hole 2026.05.0 bundles FTL v6.6.2 which imports six upstream dnsmasq security fixes, covering all publicly disclosed CVEs against the dnsmasq 2.92/2.93 line. Per the upstream release notes the fixes are "minimal, self-contained changes to the embedded dnsmasq sources. No FTL-side configuration or API changes; users should see no observable behavior change beyond the closed vulnerabilities." Override the chart's default image.tag in helm/pihole/values.yaml (no chart version bump). The pihole ArgoCD app is intentionally MANUAL sync per Viktor's call -- after merge, sync the pihole app from the ArgoCD UI to roll the pod over. https://github.com/pi-hole/docker-pi-hole/releases/tag/2026.05.0 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-06 12:55:58 +02:00
admin	ec9ae43bee	Merge pull request 'termix: manual bump 1.11.2 -> 2.3.2 (Renovate blocked by DH rate-limit)' (#80 ) from feat/termix-v2.3.2 into main	2026-06-06 09:16:02 +00:00