Update gtstef/filebrowser Docker tag to v1.3.3

admin-system/renovate.yaml

@@ -46,24 +46,10 @@ data:
       "dependencyDashboardTitle": "Renovate Dependency Dashboard",
       "prHourlyLimit": 16,
       "prConcurrentLimit": 16,
-      "enabledManagers": ["kubernetes", "helm-values", "custom.regex"],
+      "enabledManagers": ["kubernetes", "helm-values"],
       "kubernetes": {
         "managerFilePatterns": ["/.+\\.ya?ml$/"]
       },
-      "customManagers": [
-        {
-          "description": "termix: docker image tag is `release-X.Y.Z` but the upstream GitHub release tag_name is `release-X.Y.Z-tag` (different from the release name). regex versioning parses currentValue (no -tag); extractVersion strips the -tag suffix from candidate tag_names so they normalize to the same shape Renovate writes back to the manifest.",
-          "customType": "regex",
-          "managerFilePatterns": ["/termix-system/.+\\.ya?ml$/"],
-          "matchStrings": [
-            "image:\\s+(?<depName>ghcr\\.io/lukegus/termix):(?<currentValue>release-\\d+\\.\\d+\\.\\d+)"
-          ],
-          "datasourceTemplate": "github-releases",
-          "packageNameTemplate": "Termix-SSH/Termix",
-          "versioningTemplate": "regex:^release-(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)$",
-          "extractVersionTemplate": "^(?<version>release-\\d+\\.\\d+\\.\\d+)"
-        }
-      ],
       "packageRules": [
         {
           "description": "All apps: 3-day stability gate before any PR opens",
@@ -108,26 +94,6 @@ data:
           "description": "wanderer: db + web update together in one PR",
           "matchPackageNames": ["flomp/wanderer-db", "flomp/wanderer-web"],
           "groupName": "wanderer"
-        },
-        {
-          "description": "meilisearch: every version bump can require an index format migration via dump/restore (see https://www.meilisearch.com/docs/learn/update_and_migration/updating). PR #32 (v1.11.3 -> v1.45.2) on 2026-06-06 broke wanderer with `Your database version (1.11.3) is incompatible with your current engine version (1.45.2)`. Hold ALL meilisearch updates behind dashboard approval so the migration is planned before the PR even opens.",
-          "matchPackageNames": ["getmeili/meilisearch"],
-          "dependencyDashboardApproval": true
-        },
-        {
-          "description": "Postgres-family images: a major bump (e.g. 16 -> 17) requires pg_upgrade or dump/restore — the new server binary refuses to open the old data directory (`database files are incompatible with server`). PR #76 (immich-app/postgres 16 -> 17) on 2026-06-06 crashlooped immich-postgres and immich-server. Renovate's docker versioning treats these custom tag formats inconsistently, so don't trust the major/minor classification: hold ALL updates for these images behind explicit dashboard approval. Includes vanilla postgres, postgis/postgis (where the tag prefix IS the pg major), and ghcr.io/immich-app/postgres (custom `N-vectorchordX.Y.Z` form).",
-          "matchPackageNames": [
-            "postgres",
-            "postgis/postgis",
-            "ghcr.io/immich-app/postgres"
-          ],
-          "dependencyDashboardApproval": true
-        },
-        {
-          "description": "termix: kubernetes manager would extract the image with versioning=docker and silently skip it (release-1.11.0 fails the docker pre-check). Disable that extraction; customManagers above does the real work via github-releases.",
-          "matchManagers": ["kubernetes"],
-          "matchPackageNames": ["ghcr.io/lukegus/termix"],
-          "enabled": false
         }
       ],
       "labels": ["renovate"]
@@ -172,7 +138,7 @@ spec:
           restartPolicy: OnFailure
           containers:
             - name: renovate
-              image: renovate/renovate:43.209.3
+              image: renovate/renovate:43.197.0
               imagePullPolicy: IfNotPresent
               envFrom:
                 - secretRef:

admin-system/tailscale.yaml

@@ -90,7 +90,7 @@ spec:
       dnsPolicy: ClusterFirstWithHostNet
       containers:
         - name: tailscale
-          image: tailscale/tailscale:v1.98.4
+          image: tailscale/tailscale:v1.94.1
           imagePullPolicy: IfNotPresent
           env:
             - name: TZ

arcade-system/romm.yaml

@@ -56,7 +56,7 @@ spec:
     spec:
       containers:
         - name: redis
-          image: redis:8.8-alpine
+          image: redis:7.2-alpine
           ports:
             - containerPort: 6379
               name: redis

booking-system/booking.yaml

@@ -77,7 +77,7 @@ spec:
     spec:
       containers:
         - name: redis
-          image: redis:8-alpine
+          image: redis:7-alpine
           imagePullPolicy: IfNotPresent
           args:
             - redis-server

bookstack-system/bookstack.yaml

@@ -175,7 +175,7 @@ spec:
     spec:
       containers:
         - name: bookstack
-          image: linuxserver/bookstack:26.05.20260601
+          image: linuxserver/bookstack:25.12.20251224
           imagePullPolicy: IfNotPresent
           env:
             # LinuxServer.io specific

code-system/code.yaml

@@ -50,7 +50,7 @@ spec:
         fsGroup: 1000
       containers:
         - name: code-server
-          image: codercom/code-server:4.123.0
+          image: codercom/code-server:4.121.0
           args:
             - --bind-addr=0.0.0.0:8080
             - --auth=none

control-system/reloader.yaml

@@ -169,7 +169,7 @@ spec:
           type: RuntimeDefault
       containers:
       - name: reloader
-        image: ghcr.io/stakater/reloader:v1.4.17
+        image: ghcr.io/stakater/reloader:v1.4.12
         imagePullPolicy: IfNotPresent
         env:
         - name: GOMAXPROCS

database-system/cnpg/values.yaml

@@ -57,7 +57,7 @@ replicaCount: 1
 # Image configuration (optional - use defaults)
 image:
   repository: ghcr.io/cloudnative-pg/cloudnative-pg
-  tag: 1.29.1
+  tag: 1.28.1
 
 # Service configuration
 service:

felhom-system/healthchecks.yaml

@@ -48,7 +48,7 @@ spec:
         fsGroup: 999
       containers:
         - name: healthchecks
-          image: healthchecks/healthchecks:v4.2
+          image: healthchecks/healthchecks:v4.0
           ports:
             - containerPort: 8000
           env:

gitea-system/gitea.yaml

@@ -44,7 +44,7 @@ spec:
               mountPath: /data
       containers:
         - name: gitea
-          image: gitea/gitea:1.26.2
+          image: gitea/gitea:1.25.4
           imagePullPolicy: IfNotPresent
           env:
             - name: USER_UID

glance-system/glance-helper.yaml

@@ -1384,7 +1384,7 @@ spec:
         # Calendar iCal URLs (JSON object: {"name": "url", ...})
         - name: CALENDAR_ICAL_URLS
           value: '{"Órák": "https://calendar.google.com/calendar/ical/b2884faf3db792ac082a6206057552c79080716efd5f966e169a41fc500e1c1c%40group.calendar.google.com/private-0998d8053909ba4449c2f0a6409ce3de/basic.ics", "Családi": "https://calendar.google.com/calendar/ical/nitq3l0if4gn54k438obat5ia0%40group.calendar.google.com/private-59afcf70fee1a798ec369b86d9883b46/basic.ics"}'
-        image: python:3.14-bookworm
+        image: python:3.12-bookworm
         imagePullPolicy: IfNotPresent
         name: glance-helper
         ports:

glance-system/glance-kisfenyo.yaml

@@ -2746,7 +2746,7 @@ spec:
         fsGroup: 1000
       initContainers:
         - name: build-bookmarks-index
-          image: mikefarah/yq:4.53.2
+          image: mikefarah/yq:4.50.1
           securityContext:
             runAsUser: 1000
             runAsGroup: 1000

glance-system/glance-orsi.yaml

@@ -1372,7 +1372,7 @@ spec:
         fsGroup: 1000
       initContainers:
         - name: build-bookmarks-index
-          image: mikefarah/yq:4.53.2
+          image: mikefarah/yq:4.50.1
           securityContext:
             runAsUser: 1000
             runAsGroup: 1000

headlamp-system/headlamp.yaml

@@ -258,7 +258,7 @@ spec:
       automountServiceAccountToken: true
       containers:
         - name: headlamp
-          image: ghcr.io/headlamp-k8s/headlamp:v0.42.0
+          image: ghcr.io/headlamp-k8s/headlamp:v0.40.0
           imagePullPolicy: IfNotPresent
           args:
             - "-in-cluster"

helm/external-dns/values.yaml

@@ -42,5 +42,5 @@ rbac:
 # Image configuration
 image:
   repository: registry.k8s.io/external-dns/external-dns
-  tag: v0.21.0
+  tag: v0.19.0
   pullPolicy: IfNotPresent

helm/plex/values.yaml

@@ -123,7 +123,7 @@ initContainer:
     registry: index.docker.io
     repository: alpine
     # -- If unset use latest
-    tag: "3.23"
+    tag: "3.22"
     sha: ""
     pullPolicy: IfNotPresent
 
@@ -181,7 +181,7 @@ rclone:
     registry: index.docker.io
     repository: rclone/rclone
     # -- If unset use latest
-    tag: 1.74.3
+    tag: 1.70.3
     sha: ""
     pullPolicy: IfNotPresent
 

homepage-system/homepage-orsi.yaml

@@ -372,7 +372,7 @@ spec:
       enableServiceLinks: true
       containers:
         - name: homepage
-          image: ghcr.io/gethomepage/homepage:v1.13.1
+          image: ghcr.io/gethomepage/homepage:v1.10.1
           imagePullPolicy: IfNotPresent
           env:
             # Required for external access

homepage-system/homepage.yaml

@@ -535,7 +535,7 @@ spec:
       enableServiceLinks: true
       containers:
         - name: homepage
-          image: ghcr.io/gethomepage/homepage:v1.13.1
+          image: ghcr.io/gethomepage/homepage:v1.10.1
           imagePullPolicy: IfNotPresent
           env:
             # Required for external access

immich-system/immich.yaml

@@ -241,7 +241,7 @@ spec:
               value: immich-valkey
             - name: TRANSFORMERS_CACHE
               value: /cache
-          image: ghcr.io/immich-app/immich-machine-learning:v2.7.5
+          image: ghcr.io/immich-app/immich-machine-learning:v2.5.5
           imagePullPolicy: IfNotPresent
           livenessProbe:
             failureThreshold: 3
@@ -336,7 +336,7 @@ spec:
               value: http://immich-machine-learning:3003
             - name: REDIS_HOSTNAME
               value: immich-valkey
-          image: ghcr.io/immich-app/immich-server:v2.7.5
+          image: ghcr.io/immich-app/immich-server:v2.5.5
           imagePullPolicy: IfNotPresent
           livenessProbe:
             failureThreshold: 3
@@ -416,7 +416,7 @@ spec:
               value: http://immich-machine-learning:3003
             - name: REDIS_HOSTNAME
               value: immich-valkey
-          image: docker.io/valkey/valkey:9.1-alpine@sha256:a35428eba9043cc0b79dbe54100f0c92784f2de00ad09b01182bfb1c5c83d1bd
+          image: docker.io/valkey/valkey:9.0-alpine@sha256:d1cc70645bbcef743615463a2fa4616e841407545e18f560aed0c49671a90147
           imagePullPolicy: IfNotPresent
           livenessProbe:
             exec:

jarrs-system/jarr-dev.yaml

@@ -185,7 +185,7 @@ spec:
     spec:
       containers:
         - name: redis
-          image: redis:8-alpine
+          image: redis:7-alpine
           imagePullPolicy: IfNotPresent
           args:
             - redis-server

mon-system/monitoring.yaml

@@ -348,7 +348,7 @@ spec:
     spec:
       containers:
         - name: prometheus
-          image: prom/prometheus:v3.12.0
+          image: prom/prometheus:v3.9.1
           args:
             - --config.file=/etc/prometheus/prometheus.yml
             - --storage.tsdb.path=/prometheus
@@ -529,7 +529,7 @@ spec:
         runAsGroup: 472
       containers:
         - name: grafana
-          image: grafana/grafana:13.0.2
+          image: grafana/grafana:12.3.2
           ports:
             - containerPort: 3000
               name: http

nextcloud-system/nextcloud.yaml

@@ -395,7 +395,7 @@ spec:
     spec:
       containers:
         - name: nextcloud
-          image: docker.io/library/nextcloud:33.0.4-apache
+          image: docker.io/library/nextcloud:32.0.10-apache
           imagePullPolicy: IfNotPresent
           env:
             - name: SMTP_HOST
@@ -552,7 +552,7 @@ spec:
             failureThreshold: 3
       initContainers:
         - name: postgresql-isready
-          image: docker.io/bitnamilegacy/postgresql:17.6.0-debian-12-r3
+          image: docker.io/bitnamilegacy/postgresql:17.5.0-debian-12-r3
           resources: {}
           securityContext: {}
           env:
@@ -637,7 +637,7 @@ spec:
       hostIPC: false
       containers:
         - name: postgresql
-          image: docker.io/bitnamilegacy/postgresql:17.6.0-debian-12-r3
+          image: docker.io/bitnamilegacy/postgresql:17.5.0-debian-12-r3
           imagePullPolicy: "IfNotPresent"
           securityContext:
             allowPrivilegeEscalation: false

office-system/onlyoffice.yaml

@@ -27,7 +27,7 @@ spec:
     spec:
       containers:
         - name: onlyoffice
-          image: onlyoffice/documentserver:9.4.0
+          image: onlyoffice/documentserver:9.0.2
           imagePullPolicy: IfNotPresent
           env:
             - name: TZ

orsi-system/filebrowser.yaml

@@ -89,7 +89,7 @@ spec:
       initContainers:
         # Configure proxy auth in database before starting
         - name: configure-auth
-          image: filebrowser/filebrowser:v2.63.13
+          image: filebrowser/filebrowser:v2.54.0
           command:
             - sh
             - -c
@@ -109,7 +109,7 @@ spec:
             runAsGroup: 1001
       containers:
         - name: filebrowser
-          image: filebrowser/filebrowser:v2.63.13
+          image: filebrowser/filebrowser:v2.54.0
           command:
             - filebrowser
             - --database=/config/filebrowser.db

outline-system/outline.yaml

@@ -31,7 +31,7 @@ spec:
     spec:
       containers:
         - name: outline
-          image: outlinewiki/outline:1.8.0
+          image: outlinewiki/outline:1.4.0
           imagePullPolicy: IfNotPresent
           env:
             - name: NODE_ENV
@@ -198,7 +198,7 @@ spec:
     spec:
       containers:
         - name: redis
-          image: redis:8-alpine
+          image: redis:7-alpine
           imagePullPolicy: IfNotPresent
           command:
             - redis-server

paperless-system/paperless.yaml

@@ -71,7 +71,7 @@ spec:
     spec:
       containers:
         - name: redis
-          image: redis:8-alpine
+          image: redis:7-alpine
           imagePullPolicy: IfNotPresent
           ports:
             - name: redis
@@ -158,7 +158,7 @@ spec:
       enableServiceLinks: false
       containers:
         - name: paperless
-          image: ghcr.io/paperless-ngx/paperless-ngx:2.20.15
+          image: ghcr.io/paperless-ngx/paperless-ngx:2.20.6
           imagePullPolicy: IfNotPresent
           env:
             # Database - using shared PostgreSQL in database-system namespace

plantit-system/plantit.yaml

@@ -43,7 +43,7 @@ spec:
     spec:
       containers:
         - name: mysql
-          image: mysql:8.4
+          image: mysql:8.0
           env:
             - name: MYSQL_ROOT_PASSWORD
               valueFrom:
@@ -121,7 +121,7 @@ spec:
     spec:
       containers:
         - name: redis
-          image: redis:8.8.0
+          image: redis:7.2.1
           ports:
             - containerPort: 6379
               name: redis

servarr-system/servarr.yaml

@@ -244,7 +244,7 @@ spec:
     spec:
       containers:
         - name: qbittorrent
-          image: linuxserver/qbittorrent:5.2.1
+          image: linuxserver/qbittorrent:5.1.4
           imagePullPolicy: IfNotPresent
           env:
             - name: PUID

tandoor-system/tandoor.yaml

@@ -30,7 +30,7 @@ spec:
     spec:
       initContainers:
         - name: create-superuser
-          image: vabene1111/recipes:2.6
+          image: vabene1111/recipes:2.5
           workingDir: /opt/recipes
           command:
             - /bin/sh
@@ -106,7 +106,7 @@ spec:
                   key: email
       containers:
         - name: tandoor
-          image: vabene1111/recipes:2.6
+          image: vabene1111/recipes:2.5
           imagePullPolicy: IfNotPresent
           env:
             - name: TZ

termix-system/termix.yaml

@@ -41,11 +41,8 @@ spec:
     spec:
       containers:
         - name: termix
-          # NOTE: termix uses a non-semver tag pattern (release-X.Y.Z).
-          # Renovate handles it via a customManagers regex defined in
-          # admin-system/renovate.yaml (the kubernetes manager doesn't
-          # process inline `# renovate:` comments).
-          image: ghcr.io/lukegus/termix:release-1.11.2
+          # renovate: datasource=github-releases depName=Termix-SSH/Termix versioning=loose extractVersion=^release-(?<version>.+)$
+          image: ghcr.io/lukegus/termix:release-1.11.0
           imagePullPolicy: IfNotPresent
           ports:
             - name: http

uptimekuma-system/uptimekuma.yaml

@@ -30,7 +30,7 @@ spec:
     spec:
       containers:
         - name: uptimekuma
-          image: louislam/uptime-kuma:2.4.0
+          image: louislam/uptime-kuma:2.3.2
           imagePullPolicy: IfNotPresent
           env:
             - name: TZ

vaultwarden-system/vaultwarden.yaml

@@ -28,7 +28,7 @@ spec:
     spec:
       containers:
         - name: vaultwarden
-          image: vaultwarden/server:1.36.0
+          image: vaultwarden/server:1.35.2
           imagePullPolicy: IfNotPresent
           env:
             - name: TZ

web-system/web.yaml

@@ -130,7 +130,7 @@ spec:
       initContainers:
         # Configure proxy auth in database before starting
         - name: configure-auth
-          image: filebrowser/filebrowser:v2.63.13
+          image: filebrowser/filebrowser:v2.54.0
           command:
             - sh
             - -c
@@ -151,7 +151,7 @@ spec:
             runAsGroup: 1000
       containers:
         - name: filebrowser
-          image: filebrowser/filebrowser:v2.63.13
+          image: filebrowser/filebrowser:v2.54.0
           command:
             - filebrowser
             - --database=/config/filebrowser.db
@@ -324,7 +324,7 @@ spec:
             runAsUser: 0
       containers:
         - name: nginx
-          image: nginx:1.31-alpine
+          image: nginx:1.27-alpine
           ports:
             - containerPort: 8080
               name: http