pihole: bump image to 2026.05.0 (dnsmasq CVE security release)

Pi-hole 2026.05.0 bundles FTL v6.6.2 which imports six upstream dnsmasq security fixes, covering all publicly disclosed CVEs against the dnsmasq 2.92/2.93 line. Per the upstream release notes the fixes are "minimal, self-contained changes to the embedded dnsmasq sources. No FTL-side configuration or API changes; users should see no observable behavior change beyond the closed vulnerabilities." Override the chart's default image.tag in helm/pihole/values.yaml (no chart version bump). The pihole ArgoCD app is intentionally MANUAL sync per Viktor's call -- after merge, sync the pihole app from the ArgoCD UI to roll the pod over. https://github.com/pi-hole/docker-pi-hole/releases/tag/2026.05.0 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Merge pull request 'termix: manual bump 1.11.2 -> 2.3.2 (Renovate blocked by DH rate-limit)' (#80 ) from feat/termix-v2.3.2 into main
2026-06-06 12:55:58 +02:00 · 2026-06-06 09:16:02 +00:00 · 2026-06-06 11:16:00 +02:00 · 2026-06-06 09:00:33 +00:00 · 2026-06-06 11:00:32 +02:00 · 2026-06-06 09:00:24 +00:00
13 changed files with 27 additions and 11 deletions
@@ -114,6 +114,15 @@ data:
          "matchPackageNames": ["getmeili/meilisearch"],
          "dependencyDashboardApproval": true
        },
+        {
+          "description": "Postgres-family images: a major bump (e.g. 16 -> 17) requires pg_upgrade or dump/restore — the new server binary refuses to open the old data directory (`database files are incompatible with server`). PR #76 (immich-app/postgres 16 -> 17) on 2026-06-06 crashlooped immich-postgres and immich-server. Renovate's docker versioning treats these custom tag formats inconsistently, so don't trust the major/minor classification: hold ALL updates for these images behind explicit dashboard approval. Includes vanilla postgres, postgis/postgis (where the tag prefix IS the pg major), and ghcr.io/immich-app/postgres (custom `N-vectorchordX.Y.Z` form).",
+          "matchPackageNames": [
+            "postgres",
+            "postgis/postgis",
+            "ghcr.io/immich-app/postgres"
+          ],
+          "dependencyDashboardApproval": true
+        },
        {
          "description": "termix: kubernetes manager would extract the image with versioning=docker and silently skip it (release-1.11.0 fails the docker pre-check). Disable that extraction; customManagers above does the real work via github-releases.",
          "matchManagers": ["kubernetes"],
@@ -56,7 +56,7 @@ spec:
    spec:
      containers:
        - name: redis
-          image: redis:7.4-alpine
+          image: redis:8.8-alpine
          ports:
            - containerPort: 6379
              name: redis
@@ -77,7 +77,7 @@ spec:
    spec:
      containers:
        - name: redis
-          image: redis:7-alpine
+          image: redis:8-alpine
          imagePullPolicy: IfNotPresent
          args:
            - redis-server
@@ -57,7 +57,7 @@ replicaCount: 1
 # Image configuration (optional - use defaults)
 image:
  repository: ghcr.io/cloudnative-pg/cloudnative-pg
-  tag: 1.28.1
+  tag: 1.29.1

 # Service configuration
 service:
@@ -1,4 +1,11 @@
 ---
+# Image tag override: bumps pihole/pihole to 2026.05.0 without changing
+# the chart version. The 2026.05.0 release bundles FTL v6.6.2 which
+# imports 6 upstream dnsmasq CVE fixes (covering the dnsmasq 2.92/2.93
+# disclosures). No FTL-side config or API changes per the release notes.
+# https://github.com/pi-hole/docker-pi-hole/releases/tag/2026.05.0
+image:
+  tag: "2026.05.0"
 DNS1: "1.1.1.1"   # Cloudflare
 DNS2: "8.8.8.8"   # Google
 DNS3: "9.9.9.9"   #Quad9
@@ -336,7 +336,7 @@ spec:
              value: http://immich-machine-learning:3003
            - name: REDIS_HOSTNAME
              value: immich-valkey
-          image: ghcr.io/immich-app/immich-server:v2.5.5
+          image: ghcr.io/immich-app/immich-server:v2.7.5
          imagePullPolicy: IfNotPresent
          livenessProbe:
            failureThreshold: 3
@@ -185,7 +185,7 @@ spec:
    spec:
      containers:
        - name: redis
-          image: redis:7-alpine
+          image: redis:8-alpine
          imagePullPolicy: IfNotPresent
          args:
            - redis-server
@@ -529,7 +529,7 @@ spec:
        runAsGroup: 472
      containers:
        - name: grafana
-          image: grafana/grafana:12.4.4
+          image: grafana/grafana:13.0.2
          ports:
            - containerPort: 3000
              name: http
@@ -395,7 +395,7 @@ spec:
    spec:
      containers:
        - name: nextcloud
-          image: docker.io/library/nextcloud:33.0.4-apache
+          image: docker.io/library/nextcloud:33.0.5-apache
          imagePullPolicy: IfNotPresent
          env:
            - name: SMTP_HOST
@@ -198,7 +198,7 @@ spec:
    spec:
      containers:
        - name: redis
-          image: redis:7-alpine
+          image: redis:8-alpine
          imagePullPolicy: IfNotPresent
          command:
            - redis-server
@@ -71,7 +71,7 @@ spec:
    spec:
      containers:
        - name: redis
-          image: redis:7-alpine
+          image: redis:8-alpine
          imagePullPolicy: IfNotPresent
          ports:
            - name: redis
@@ -121,7 +121,7 @@ spec:
    spec:
      containers:
        - name: redis
-          image: redis:7.4.9
+          image: redis:8.8.0
          ports:
            - containerPort: 6379
              name: redis
@@ -45,7 +45,7 @@ spec:
          # Renovate handles it via a customManagers regex defined in
          # admin-system/renovate.yaml (the kubernetes manager doesn't
          # process inline `# renovate:` comments).
-          image: ghcr.io/lukegus/termix:release-1.11.2
+          image: ghcr.io/lukegus/termix:release-2.3.2
          imagePullPolicy: IfNotPresent
          ports:
            - name: http
Author	SHA1	Message	Date
admin	9e020af94d	pihole: bump image to 2026.05.0 (dnsmasq CVE security release) Pi-hole 2026.05.0 bundles FTL v6.6.2 which imports six upstream dnsmasq security fixes, covering all publicly disclosed CVEs against the dnsmasq 2.92/2.93 line. Per the upstream release notes the fixes are "minimal, self-contained changes to the embedded dnsmasq sources. No FTL-side configuration or API changes; users should see no observable behavior change beyond the closed vulnerabilities." Override the chart's default image.tag in helm/pihole/values.yaml (no chart version bump). The pihole ArgoCD app is intentionally MANUAL sync per Viktor's call -- after merge, sync the pihole app from the ArgoCD UI to roll the pod over. https://github.com/pi-hole/docker-pi-hole/releases/tag/2026.05.0 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-06 12:55:58 +02:00
admin	ec9ae43bee	Merge pull request 'termix: manual bump 1.11.2 -> 2.3.2 (Renovate blocked by DH rate-limit)' (#80 ) from feat/termix-v2.3.2 into main	2026-06-06 09:16:02 +00:00
admin	e822b76982	termix: manual bump 1.11.2 -> 2.3.2 (Renovate blocked by DH rate-limit) Renovate's `Pending Approval` checkbox for the termix v2 major was ticked on Dashboard #6, but the manual Renovate runs that should have processed it both aborted on Docker Hub's authenticated rate-limit: HTTP 429: You have reached your pull rate limit as 'kisfenyo' The free DH plan caps authenticated pulls at 100/6h; with ~270 deps in this repo and the multiple runs we've done today, we've exhausted it. Renovate's behavior on a host 429 is to abort the entire repository run (`result: external-host-error`), so no further work — including ticked dashboard approvals — gets done until the quota window resets. Rather than wait ~3-4 hours, this PR does the bump by hand. Upstream ghcr.io/lukegus/termix:release-2.3.2 is verified present (Termix-SSH GitHub Release of 2026-06-04). Termix is stateless (host/cred config stored in PocketBase but compatible across release-1 and release-2), so the rollout should be a straightforward image swap. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-06 11:16:00 +02:00
admin	876b044d0a	Merge pull request 'fix: roll back immich-postgres v17 -> v16 (PG major incompat) + gate postgres-family' (#79 ) from fix/immich-postgres-rollback into main	2026-06-06 09:00:33 +00:00
admin	e459b0d262	immich/renovate: roll back immich-postgres v17 -> v16 (PG major datadir incompat) + gate postgres-family images Renovate PR #76 (merged 2026-06-06 10:48) bumped ghcr.io/immich-app/postgres from `16-vectorchord0.3.0` to `17-vectorchord0.3.0`. PostgreSQL major upgrades require pg_upgrade or pg_dump/restore — the new server binary refuses to open a data directory initialized by the previous major: FATAL: database files are incompatible with server DETAIL: The data directory was initialized by PostgreSQL version 16, which is not compatible with this version 17.6 Both immich-postgres and immich-server (depends on Postgres) went into CrashLoopBackOff. PVC still holds the v16 datadir. This PR: 1. Reverts ghcr.io/immich-app/postgres back to `16-vectorchord0.3.0` so immich recovers immediately. 2. Adds a packageRule with `dependencyDashboardApproval: true` covering `postgres`, `postgis/postgis`, and `ghcr.io/immich-app/postgres`. Any update to these images is now held on the Dashboard's "Pending Approval" section -- Renovate won't even open a PR until the user explicitly ticks the box. Forces the migration plan to be made BEFORE the change reaches main. This is the same recovery pattern we just used for meilisearch (PR #77) -- a class of stateful images where the on-disk format isn't forward-compatible across version bumps. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-06-06 11:00:32 +02:00
admin	99bbc31325	Merge pull request 'Update docker.io/library/nextcloud Docker tag to v33.0.5' (#78 ) from renovate/docker.io-library-nextcloud-33.x into main	2026-06-06 09:00:24 +00:00
Renovate Bot	fee5fafeb0	Update docker.io/library/nextcloud Docker tag to v33.0.5 renovate/stability-days Updates have not met minimum release age requirement Details	2026-06-06 09:00:21 +00:00
admin	25c1baf1c3	Merge pull request 'Update grafana/grafana Docker tag to v13' (#58 ) from renovate/grafana-grafana-13.x into main Reviewed-on: #58	2026-06-06 08:56:24 +00:00
admin	184c469c51	Merge pull request 'Update redis Docker tag to v8' (#64 ) from renovate/redis-8.x into main Reviewed-on: #64	2026-06-06 08:56:16 +00:00
admin	6291423776	Merge pull request 'Update ghcr.io/cloudnative-pg/cloudnative-pg Docker tag to v1.29.1' (#70 ) from renovate/ghcr.io-cloudnative-pg-cloudnative-pg-1.x into main Reviewed-on: #70	2026-06-06 08:56:08 +00:00
admin	d063513869	Merge pull request 'Update ghcr.io/immich-app/immich-server Docker tag to v2.7.5' (#74 ) from renovate/ghcr.io-immich-app-immich-server-2.x into main Reviewed-on: #74	2026-06-06 08:48:14 +00:00
admin	0cd8a3272d	Merge pull request 'Update ghcr.io/immich-app/postgres Docker tag to v17' (#76 ) from renovate/ghcr.io-immich-app-postgres-17.x into main Reviewed-on: #76	2026-06-06 08:48:07 +00:00
admin	9de82b7295	Merge pull request 'fix: roll back wanderer meilisearch v1.45.2 -> v1.11.3 (index incompat) + dashboardApproval' (#77 ) from fix/meilisearch-rollback into main	2026-06-06 08:45:24 +00:00
Renovate Bot	231d8fd492	Update ghcr.io/immich-app/postgres Docker tag to v17 renovate/stability-days Updates have not met minimum release age requirement Details	2026-06-06 08:33:50 +00:00
Renovate Bot	c0acfc338c	Update ghcr.io/immich-app/immich-server Docker tag to v2.7.5 renovate/stability-days Updates have not met minimum release age requirement Details	2026-06-06 08:33:40 +00:00
Renovate Bot	e0550cbe54	Update ghcr.io/cloudnative-pg/cloudnative-pg Docker tag to v1.29.1 renovate/stability-days Updates have not met minimum release age requirement Details	2026-06-06 08:33:11 +00:00
Renovate Bot	56d39399d6	Update redis Docker tag to v8 renovate/stability-days Updates have met minimum release age requirement Details	2026-06-06 07:53:16 +00:00
Renovate Bot	a2e68c1745	Update grafana/grafana Docker tag to v13 renovate/stability-days Updates have met minimum release age requirement Details	2026-06-06 07:52:33 +00:00