version tracking: tune annotations + add customManagers for linuxserver servarr

Several images were showing as outdated in version-checker / unhandled by Renovate. Each had a distinct cause; this PR fixes the auto-tractable ones. 1) admin-system/renovate.yaml: bump `app.kubernetes.io/version` labels `43.197.0 -> 43.209.3` (3 occurrences) to match the live image. Renovate's own self-update PR bumped the image tag but left the labels stale; the version-checker widget appears to read the label. Long-term, this label will drift again on each self-update -- worth a customManager later if it becomes a recurring annoyance. 2) admin-system/renovate.yaml: add a customManager + packageRule pair for linuxserver servarr apps. Tag pattern is `version-X.Y.Z.B` (4 segments + `version-` prefix) which the kubernetes manager's default docker versioning rejects at the pre-check, same failure class as termix. Regex versioning parses the prefixed 4-segment form; the same customManager handles prowlarr/radarr/sonarr (depName captured from the regex). kubernetes-manager extraction for these three depnames is disabled via packageRule so the dashboard isn't cluttered with the failing fallback. 3) nextcloud-system/nextcloud.yaml: add `match-regex.version-checker.io/nextcloud: '^\d+\.\d+\.\d+-apache$'` so version-checker doesn't treat the bare `33.0.5` server tag as a newer version of our `33.0.5-apache` image. The widget was showing `33.0.5-apache -> 33.0.5` -- false positive; image is already current. 4) helm/plex/values.yaml: tighten the version-checker regex from `^\d+\.\d+\.\d+\.\d+-.*$` to `^\d+\.\d+\.\d+\.\d+-[a-f0-9]+$` so per-arch tags (`-armhf`, `-arm64`, ...) are excluded. The widget was showing an `-armhf` tag as "newer" than our x86_64 install. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Merge pull request 'pihole: bump image to 2026.05.0 (dnsmasq CVE security release)' (#81 ) from feat/pihole-2026.05.0 into main
2026-06-06 13:25:49 +02:00 · 2026-06-06 10:56:00 +00:00 · 2026-06-06 12:55:58 +02:00 · 2026-06-06 09:16:02 +00:00
4 changed files with 38 additions and 4 deletions
@@ -62,6 +62,17 @@ data:
          "packageNameTemplate": "Termix-SSH/Termix",
          "versioningTemplate": "regex:^release-(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)$",
          "extractVersionTemplate": "^(?<version>release-\\d+\\.\\d+\\.\\d+)"
+        },
+        {
+          "description": "linuxserver servarr apps (prowlarr, radarr, sonarr) use tag pattern `version-X.Y.Z.B` (4 segments + `version-` prefix). The kubernetes manager's default docker versioning rejects them at the pre-check (same failure class as termix), so no PRs ever open. Use regex versioning to parse the prefixed 4-segment form; depName is captured from the regex so the same customManager handles all three apps.",
+          "customType": "regex",
+          "managerFilePatterns": ["/servarr-system/.+\\.ya?ml$/"],
+          "matchStrings": [
+            "image:\\s+linuxserver/(?<depName>prowlarr|radarr|sonarr):(?<currentValue>version-\\d+\\.\\d+\\.\\d+\\.\\d+)"
+          ],
+          "datasourceTemplate": "docker",
+          "packageNameTemplate": "linuxserver/{{depName}}",
+          "versioningTemplate": "regex:^version-(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)\\.(?<build>\\d+)$"
        }
      ],
      "packageRules": [
@@ -128,6 +139,16 @@ data:
          "matchManagers": ["kubernetes"],
          "matchPackageNames": ["ghcr.io/lukegus/termix"],
          "enabled": false
+        },
+        {
+          "description": "linuxserver servarr apps: same disable pattern as termix. The customManager above handles extraction with the right versioning; turn off the default kubernetes-manager extraction so it doesn't silently skip + clutter the dashboard.",
+          "matchManagers": ["kubernetes"],
+          "matchPackageNames": [
+            "linuxserver/prowlarr",
+            "linuxserver/radarr",
+            "linuxserver/sonarr"
+          ],
+          "enabled": false
        }
      ],
      "labels": ["renovate"]
@@ -141,7 +162,7 @@ metadata:
  labels:
    app.kubernetes.io/instance: renovate
    app.kubernetes.io/name: renovate
-    app.kubernetes.io/version: "43.197.0"
+    app.kubernetes.io/version: "43.209.3"
 spec:
  # Sat 02:00 Europe/Budapest — leaves the full weekend for troubleshooting
  # if a Renovate-merged update breaks something.
@@ -156,14 +177,14 @@ spec:
      labels:
        app.kubernetes.io/instance: renovate
        app.kubernetes.io/name: renovate
-        app.kubernetes.io/version: "43.197.0"
+        app.kubernetes.io/version: "43.209.3"
    spec:
      template:
        metadata:
          labels:
            app.kubernetes.io/instance: renovate
            app.kubernetes.io/name: renovate
-            app.kubernetes.io/version: "43.197.0"
+            app.kubernetes.io/version: "43.209.3"
          annotations:
            # Renovate uses plain X.Y.Z semver tags (no -slim suffix anymore)
            match-regex.version-checker.io/renovate: '^\d+\.\d+\.\d+$'
@@ -1,4 +1,11 @@
 ---
+# Image tag override: bumps pihole/pihole to 2026.05.0 without changing
+# the chart version. The 2026.05.0 release bundles FTL v6.6.2 which
+# imports 6 upstream dnsmasq CVE fixes (covering the dnsmasq 2.92/2.93
+# disclosures). No FTL-side config or API changes per the release notes.
+# https://github.com/pi-hole/docker-pi-hole/releases/tag/2026.05.0
+image:
+  tag: "2026.05.0"
 DNS1: "1.1.1.1"   # Cloudflare
 DNS2: "8.8.8.8"   # Google
 DNS3: "9.9.9.9"   #Quad9
@@ -235,7 +235,10 @@ statefulSet:
  annotations: {}
  # -- Optional extra annotations to add to the pods in the statefulset
  podAnnotations: 
-    match-regex.version-checker.io/plex-plex-media-server-pms: ^\d+\.\d+\.\d+\.\d+-.*$
+    # Match only `<X.Y.Z.B>-<short-hash>` (the amd64/native tag form) and exclude
+    # per-arch tags (e.g. `-armhf`, `-arm64`) so version-checker doesn't show an
+    # ARM tag as "newer" than our x86_64 install.
+    match-regex.version-checker.io/plex-plex-media-server-pms: '^\d+\.\d+\.\d+\.\d+-[a-f0-9]+$'

 service:
  type: LoadBalancer
@@ -392,6 +392,9 @@ spec:
        nextcloud-config-hash: 06b49913be13b1f9a81745166dd75ada59e7ddd39e8f6a2c5538affe2a6d1093
        php-config-hash: 5a497358af870e06b42325eee83d7c0e5466b7f6819cb49b598559d96def7428
        hooks-hash: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
+        # Only match the `X.Y.Z-apache` variant tags so version-checker doesn't
+        # treat the bare `X.Y.Z` server tag as a "newer" version of our apache image.
+        match-regex.version-checker.io/nextcloud: '^\d+\.\d+\.\d+-apache$'
    spec:
      containers:
        - name: nextcloud
Author	SHA1	Message	Date
admin	1d08156d81	version tracking: tune annotations + add customManagers for linuxserver servarr Several images were showing as outdated in version-checker / unhandled by Renovate. Each had a distinct cause; this PR fixes the auto-tractable ones. 1) admin-system/renovate.yaml: bump `app.kubernetes.io/version` labels `43.197.0 -> 43.209.3` (3 occurrences) to match the live image. Renovate's own self-update PR bumped the image tag but left the labels stale; the version-checker widget appears to read the label. Long-term, this label will drift again on each self-update -- worth a customManager later if it becomes a recurring annoyance. 2) admin-system/renovate.yaml: add a customManager + packageRule pair for linuxserver servarr apps. Tag pattern is `version-X.Y.Z.B` (4 segments + `version-` prefix) which the kubernetes manager's default docker versioning rejects at the pre-check, same failure class as termix. Regex versioning parses the prefixed 4-segment form; the same customManager handles prowlarr/radarr/sonarr (depName captured from the regex). kubernetes-manager extraction for these three depnames is disabled via packageRule so the dashboard isn't cluttered with the failing fallback. 3) nextcloud-system/nextcloud.yaml: add `match-regex.version-checker.io/nextcloud: '^\d+\.\d+\.\d+-apache$'` so version-checker doesn't treat the bare `33.0.5` server tag as a newer version of our `33.0.5-apache` image. The widget was showing `33.0.5-apache -> 33.0.5` -- false positive; image is already current. 4) helm/plex/values.yaml: tighten the version-checker regex from `^\d+\.\d+\.\d+\.\d+-.*$` to `^\d+\.\d+\.\d+\.\d+-[a-f0-9]+$` so per-arch tags (`-armhf`, `-arm64`, ...) are excluded. The widget was showing an `-armhf` tag as "newer" than our x86_64 install. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-06 13:25:49 +02:00
admin	a8c657d554	Merge pull request 'pihole: bump image to 2026.05.0 (dnsmasq CVE security release)' (#81 ) from feat/pihole-2026.05.0 into main	2026-06-06 10:56:00 +00:00
admin	9e020af94d	pihole: bump image to 2026.05.0 (dnsmasq CVE security release) Pi-hole 2026.05.0 bundles FTL v6.6.2 which imports six upstream dnsmasq security fixes, covering all publicly disclosed CVEs against the dnsmasq 2.92/2.93 line. Per the upstream release notes the fixes are "minimal, self-contained changes to the embedded dnsmasq sources. No FTL-side configuration or API changes; users should see no observable behavior change beyond the closed vulnerabilities." Override the chart's default image.tag in helm/pihole/values.yaml (no chart version bump). The pihole ArgoCD app is intentionally MANUAL sync per Viktor's call -- after merge, sync the pihole app from the ArgoCD UI to roll the pod over. https://github.com/pi-hole/docker-pi-hole/releases/tag/2026.05.0 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-06 12:55:58 +02:00
admin	ec9ae43bee	Merge pull request 'termix: manual bump 1.11.2 -> 2.3.2 (Renovate blocked by DH rate-limit)' (#80 ) from feat/termix-v2.3.2 into main	2026-06-06 09:16:02 +00:00