version tracking: tune annotations + add customManagers for linuxserver servarr

Several images were showing as outdated in version-checker / unhandled by
Renovate. Each had a distinct cause; this PR fixes the auto-tractable ones.

1) admin-system/renovate.yaml: bump `app.kubernetes.io/version` labels
   `43.197.0 -> 43.209.3` (3 occurrences) to match the live image.
   Renovate's own self-update PR bumped the image tag but left the
   labels stale; the version-checker widget appears to read the label.
   Long-term, this label will drift again on each self-update -- worth
   a customManager later if it becomes a recurring annoyance.

2) admin-system/renovate.yaml: add a customManager + packageRule pair
   for linuxserver servarr apps. Tag pattern is `version-X.Y.Z.B`
   (4 segments + `version-` prefix) which the kubernetes manager's
   default docker versioning rejects at the pre-check, same failure
   class as termix. Regex versioning parses the prefixed 4-segment
   form; the same customManager handles prowlarr/radarr/sonarr (depName
   captured from the regex). kubernetes-manager extraction for these
   three depnames is disabled via packageRule so the dashboard isn't
   cluttered with the failing fallback.

3) nextcloud-system/nextcloud.yaml: add
   `match-regex.version-checker.io/nextcloud: '^\d+\.\d+\.\d+-apache$'`
   so version-checker doesn't treat the bare `33.0.5` server tag as a
   newer version of our `33.0.5-apache` image. The widget was showing
   `33.0.5-apache -> 33.0.5` -- false positive; image is already current.

4) helm/plex/values.yaml: tighten the version-checker regex from
   `^\d+\.\d+\.\d+\.\d+-.*$` to `^\d+\.\d+\.\d+\.\d+-[a-f0-9]+$` so
   per-arch tags (`-armhf`, `-arm64`, ...) are excluded. The widget
   was showing an `-armhf` tag as "newer" than our x86_64 install.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

admin-system/renovate.yaml

@@ -62,6 +62,17 @@ data:
           "packageNameTemplate": "Termix-SSH/Termix",
           "versioningTemplate": "regex:^release-(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)$",
           "extractVersionTemplate": "^(?<version>release-\\d+\\.\\d+\\.\\d+)"
+        },
+        {
+          "description": "linuxserver servarr apps (prowlarr, radarr, sonarr) use tag pattern `version-X.Y.Z.B` (4 segments + `version-` prefix). The kubernetes manager's default docker versioning rejects them at the pre-check (same failure class as termix), so no PRs ever open. Use regex versioning to parse the prefixed 4-segment form; depName is captured from the regex so the same customManager handles all three apps.",
+          "customType": "regex",
+          "managerFilePatterns": ["/servarr-system/.+\\.ya?ml$/"],
+          "matchStrings": [
+            "image:\\s+linuxserver/(?<depName>prowlarr|radarr|sonarr):(?<currentValue>version-\\d+\\.\\d+\\.\\d+\\.\\d+)"
+          ],
+          "datasourceTemplate": "docker",
+          "packageNameTemplate": "linuxserver/{{depName}}",
+          "versioningTemplate": "regex:^version-(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)\\.(?<build>\\d+)$"
         }
       ],
       "packageRules": [
@@ -114,11 +125,30 @@ data:
           "matchPackageNames": ["getmeili/meilisearch"],
           "dependencyDashboardApproval": true
         },
+        {
+          "description": "Postgres-family images: a major bump (e.g. 16 -> 17) requires pg_upgrade or dump/restore — the new server binary refuses to open the old data directory (`database files are incompatible with server`). PR #76 (immich-app/postgres 16 -> 17) on 2026-06-06 crashlooped immich-postgres and immich-server. Renovate's docker versioning treats these custom tag formats inconsistently, so don't trust the major/minor classification: hold ALL updates for these images behind explicit dashboard approval. Includes vanilla postgres, postgis/postgis (where the tag prefix IS the pg major), and ghcr.io/immich-app/postgres (custom `N-vectorchordX.Y.Z` form).",
+          "matchPackageNames": [
+            "postgres",
+            "postgis/postgis",
+            "ghcr.io/immich-app/postgres"
+          ],
+          "dependencyDashboardApproval": true
+        },
         {
           "description": "termix: kubernetes manager would extract the image with versioning=docker and silently skip it (release-1.11.0 fails the docker pre-check). Disable that extraction; customManagers above does the real work via github-releases.",
           "matchManagers": ["kubernetes"],
           "matchPackageNames": ["ghcr.io/lukegus/termix"],
           "enabled": false
+        },
+        {
+          "description": "linuxserver servarr apps: same disable pattern as termix. The customManager above handles extraction with the right versioning; turn off the default kubernetes-manager extraction so it doesn't silently skip + clutter the dashboard.",
+          "matchManagers": ["kubernetes"],
+          "matchPackageNames": [
+            "linuxserver/prowlarr",
+            "linuxserver/radarr",
+            "linuxserver/sonarr"
+          ],
+          "enabled": false
         }
       ],
       "labels": ["renovate"]
@@ -132,7 +162,7 @@ metadata:
   labels:
     app.kubernetes.io/instance: renovate
     app.kubernetes.io/name: renovate
-    app.kubernetes.io/version: "43.197.0"
+    app.kubernetes.io/version: "43.209.3"
 spec:
   # Sat 02:00 Europe/Budapest — leaves the full weekend for troubleshooting
   # if a Renovate-merged update breaks something.
@@ -147,14 +177,14 @@ spec:
       labels:
         app.kubernetes.io/instance: renovate
         app.kubernetes.io/name: renovate
-        app.kubernetes.io/version: "43.197.0"
+        app.kubernetes.io/version: "43.209.3"
     spec:
       template:
         metadata:
           labels:
             app.kubernetes.io/instance: renovate
             app.kubernetes.io/name: renovate
-            app.kubernetes.io/version: "43.197.0"
+            app.kubernetes.io/version: "43.209.3"
           annotations:
             # Renovate uses plain X.Y.Z semver tags (no -slim suffix anymore)
             match-regex.version-checker.io/renovate: '^\d+\.\d+\.\d+$'

arcade-system/romm.yaml

@@ -56,7 +56,7 @@ spec:
     spec:
       containers:
         - name: redis
-          image: redis:7.4-alpine
+          image: redis:8.8-alpine
           ports:
             - containerPort: 6379
               name: redis

booking-system/booking.yaml

@@ -77,7 +77,7 @@ spec:
     spec:
       containers:
         - name: redis
-          image: redis:7-alpine
+          image: redis:8-alpine
           imagePullPolicy: IfNotPresent
           args:
             - redis-server

database-system/cnpg/values.yaml

@@ -57,7 +57,7 @@ replicaCount: 1
 # Image configuration (optional - use defaults)
 image:
   repository: ghcr.io/cloudnative-pg/cloudnative-pg
-  tag: 1.28.1
+  tag: 1.29.1
 
 # Service configuration
 service:

helm/pihole/values.yaml

@@ -1,4 +1,11 @@
 ---
+# Image tag override: bumps pihole/pihole to 2026.05.0 without changing
+# the chart version. The 2026.05.0 release bundles FTL v6.6.2 which
+# imports 6 upstream dnsmasq CVE fixes (covering the dnsmasq 2.92/2.93
+# disclosures). No FTL-side config or API changes per the release notes.
+# https://github.com/pi-hole/docker-pi-hole/releases/tag/2026.05.0
+image:
+  tag: "2026.05.0"
 DNS1: "1.1.1.1"   # Cloudflare
 DNS2: "8.8.8.8"   # Google
 DNS3: "9.9.9.9"   #Quad9

helm/plex/values.yaml

@@ -235,7 +235,10 @@ statefulSet:
   annotations: {}
   # -- Optional extra annotations to add to the pods in the statefulset
   podAnnotations: 
-    match-regex.version-checker.io/plex-plex-media-server-pms: ^\d+\.\d+\.\d+\.\d+-.*$
+    # Match only `<X.Y.Z.B>-<short-hash>` (the amd64/native tag form) and exclude
+    # per-arch tags (e.g. `-armhf`, `-arm64`) so version-checker doesn't show an
+    # ARM tag as "newer" than our x86_64 install.
+    match-regex.version-checker.io/plex-plex-media-server-pms: '^\d+\.\d+\.\d+\.\d+-[a-f0-9]+$'
 
 service:
   type: LoadBalancer

immich-system/immich.yaml

@@ -336,7 +336,7 @@ spec:
               value: http://immich-machine-learning:3003
             - name: REDIS_HOSTNAME
               value: immich-valkey
-          image: ghcr.io/immich-app/immich-server:v2.5.5
+          image: ghcr.io/immich-app/immich-server:v2.7.5
           imagePullPolicy: IfNotPresent
           livenessProbe:
             failureThreshold: 3

jarrs-system/jarr-dev.yaml

@@ -185,7 +185,7 @@ spec:
     spec:
       containers:
         - name: redis
-          image: redis:7-alpine
+          image: redis:8-alpine
           imagePullPolicy: IfNotPresent
           args:
             - redis-server

mon-system/monitoring.yaml

@@ -529,7 +529,7 @@ spec:
         runAsGroup: 472
       containers:
         - name: grafana
-          image: grafana/grafana:12.4.4
+          image: grafana/grafana:13.0.2
           ports:
             - containerPort: 3000
               name: http

nextcloud-system/nextcloud.yaml

@@ -392,10 +392,13 @@ spec:
         nextcloud-config-hash: 06b49913be13b1f9a81745166dd75ada59e7ddd39e8f6a2c5538affe2a6d1093
         php-config-hash: 5a497358af870e06b42325eee83d7c0e5466b7f6819cb49b598559d96def7428
         hooks-hash: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
+        # Only match the `X.Y.Z-apache` variant tags so version-checker doesn't
+        # treat the bare `X.Y.Z` server tag as a "newer" version of our apache image.
+        match-regex.version-checker.io/nextcloud: '^\d+\.\d+\.\d+-apache$'
     spec:
       containers:
         - name: nextcloud
-          image: docker.io/library/nextcloud:33.0.4-apache
+          image: docker.io/library/nextcloud:33.0.5-apache
           imagePullPolicy: IfNotPresent
           env:
             - name: SMTP_HOST

outline-system/outline.yaml

@@ -198,7 +198,7 @@ spec:
     spec:
       containers:
         - name: redis
-          image: redis:7-alpine
+          image: redis:8-alpine
           imagePullPolicy: IfNotPresent
           command:
             - redis-server

paperless-system/paperless.yaml

@@ -71,7 +71,7 @@ spec:
     spec:
       containers:
         - name: redis
-          image: redis:7-alpine
+          image: redis:8-alpine
           imagePullPolicy: IfNotPresent
           ports:
             - name: redis

plantit-system/plantit.yaml

@@ -121,7 +121,7 @@ spec:
     spec:
       containers:
         - name: redis
-          image: redis:7.4.9
+          image: redis:8.8.0
           ports:
             - containerPort: 6379
               name: redis

termix-system/termix.yaml

@@ -45,7 +45,7 @@ spec:
           # Renovate handles it via a customManagers regex defined in
           # admin-system/renovate.yaml (the kubernetes manager doesn't
           # process inline `# renovate:` comments).
-          image: ghcr.io/lukegus/termix:release-1.11.2
+          image: ghcr.io/lukegus/termix:release-2.3.2
           imagePullPolicy: IfNotPresent
           ports:
             - name: http