admin-system/renovate.yaml

@@ -44,92 +44,63 @@ data:
       "requireConfig": "optional",
       "dependencyDashboard": true,
       "dependencyDashboardTitle": "Renovate Dependency Dashboard",
-      "prHourlyLimit": 0,
+      "prHourlyLimit": 8,
-      "prConcurrentLimit": 0,
+      "prConcurrentLimit": 8,
       "enabledManagers": ["kubernetes", "helm-values"],
       "kubernetes": {
         "managerFilePatterns": ["/.+\\.ya?ml$/"]
       },
       "packageRules": [
         {
-          "description": "Default-deny everything",
+          "description": "All apps: 3-day stability gate before any PR opens",
           "matchPackageNames": ["*"],
-          "enabled": false
-        },
-        {
-          "description": "Tier 1: enable updates for low-risk leaf apps",
-          "matchPackageNames": [
-            "ghcr.io/thomiceli/opengist",
-            "louislam/uptime-kuma",
-            "f0rc3/gokapi",
-            "docker.io/calcom/cal.com",
-            "advplyr/audiobookshelf",
-            "arcadiatechnology/crafty-4",
-            "codercom/code-server",
-            "ghcr.io/gethomepage/homepage",
-            "ghcr.io/headlamp-k8s/headlamp",
-            "prom/node-exporter",
-            "rommapp/romm",
-            "ghcr.io/stakater/reloader",
-            "privatebin/nginx-fpm-alpine",
-            "flomp/wanderer-db",
-            "flomp/wanderer-web",
-            "registry.k8s.io/kube-state-metrics/kube-state-metrics",
-            "ghcr.io/lukegus/termix"
-          ],
-          "enabled": true
-        },
-        {
-          "description": "Tier 1: automerge minor/patch after 3-day stability window",
-          "matchPackageNames": [
-            "ghcr.io/thomiceli/opengist",
-            "louislam/uptime-kuma",
-            "f0rc3/gokapi",
-            "docker.io/calcom/cal.com",
-            "advplyr/audiobookshelf",
-            "arcadiatechnology/crafty-4",
-            "codercom/code-server",
-            "ghcr.io/gethomepage/homepage",
-            "ghcr.io/headlamp-k8s/headlamp",
-            "prom/node-exporter",
-            "rommapp/romm",
-            "ghcr.io/stakater/reloader",
-            "privatebin/nginx-fpm-alpine",
-            "flomp/wanderer-db",
-            "flomp/wanderer-web",
-            "registry.k8s.io/kube-state-metrics/kube-state-metrics",
-            "ghcr.io/lukegus/termix"
-          ],
-          "matchUpdateTypes": ["minor", "patch"],
-          "automerge": true,
-          "automergeType": "pr",
-          "platformAutomerge": true,
           "minimumReleaseAge": "3 days"
         },
         {
-          "description": "Tier 1: major bumps require dashboard approval (no automerge)",
+          "description": "Auto-merge minor/patch after the stability window",
-          "matchPackageNames": [
+          "matchUpdateTypes": ["minor", "patch"],
-            "ghcr.io/thomiceli/opengist",
+          "automerge": true,
-            "louislam/uptime-kuma",
+          "automergeType": "pr",
-            "f0rc3/gokapi",
+          "platformAutomerge": true
-            "docker.io/calcom/cal.com",
+        },
-            "advplyr/audiobookshelf",
+        {
-            "arcadiatechnology/crafty-4",
+          "description": "Major bumps wait for dashboard approval (catches breaking/schema migrations)",
-            "codercom/code-server",
-            "ghcr.io/gethomepage/homepage",
-            "ghcr.io/headlamp-k8s/headlamp",
-            "prom/node-exporter",
-            "rommapp/romm",
-            "ghcr.io/stakater/reloader",
-            "privatebin/nginx-fpm-alpine",
-            "flomp/wanderer-db",
-            "flomp/wanderer-web",
-            "registry.k8s.io/kube-state-metrics/kube-state-metrics",
-            "ghcr.io/lukegus/termix"
-          ],
           "matchUpdateTypes": ["major"],
           "automerge": false,
           "dependencyDashboardApproval": true
+        },
+        {
+          "description": "k3s-bundled components: never touch, they ride k3s upgrades",
+          "matchPackageNames": [
+            "rancher/local-path-provisioner",
+            "rancher/mirrored-coredns/coredns",
+            "rancher/mirrored-metrics-server"
+          ],
+          "enabled": false
+        },
+        {
+          "description": "Critical core: PR opens with changelog but Viktor merges manually (deploy pipeline + SSO + DB operator). Some entries are no-ops if the image isn't pinned in this repo (ArgoCD bootstrap, authentik outpost images inherit chart defaults).",
+          "matchPackageNames": [
+            "gitea/gitea",
+            "quay.io/argoproj/argocd",
+            "ghcr.io/goauthentik/server",
+            "ghcr.io/goauthentik/ldap",
+            "ghcr.io/goauthentik/proxy",
+            "ghcr.io/cloudnative-pg/cloudnative-pg"
+          ],
+          "automerge": false
+        },
+        {
+          "description": "termix: use github-releases as datasource (ghcr.io OCI manifest for this image lacks the release timestamp Renovate needs for the stability gate; GitHub Releases at Termix-SSH/Termix expose proper timestamps so the 3-day gate works as intended). regex versioning parses the release-X.Y.Z prefix. Renovate still writes the new tag to the same ghcr.io/lukegus/termix image (the registry hosts every release).",
+          "matchPackageNames": ["ghcr.io/lukegus/termix"],
+          "datasource": "github-releases",
+          "packageName": "Termix-SSH/Termix",
+          "versioning": "regex:^release-(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)$"
+        },
+        {
+          "description": "wanderer: db + web update together in one PR",
+          "matchPackageNames": ["flomp/wanderer-db", "flomp/wanderer-web"],
+          "groupName": "wanderer"
         }
       ],
       "labels": ["renovate"]

argocd-apps/homelab.yaml

@@ -47,6 +47,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: servarr-system
   syncPolicy:
+    automated:
+      enabled: true
     # Start with manual sync until you're comfortable
     # automated:
     #   prune: true
@@ -82,6 +84,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: paperless-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -104,6 +108,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: actualbudget-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -126,6 +132,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: audiobookshelf-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -148,6 +156,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: bookstack-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -170,6 +180,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: immich-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -214,6 +226,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: nextcloud-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -236,6 +250,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: outline-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -258,6 +274,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: tandoor-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -280,6 +298,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: uptimekuma-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -302,6 +322,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: vaultwarden-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -369,6 +391,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: pihole-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
 
@@ -397,6 +421,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: mediaserver-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
 ---
@@ -418,6 +444,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: calibre-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -440,6 +468,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: adventurelog-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -592,6 +622,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: termix-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -614,6 +646,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: privatebin-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -636,6 +670,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: headlamp-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -658,6 +694,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: homepage-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -680,6 +718,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: code-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -702,6 +742,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: plantit-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -724,6 +766,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: fileshare-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -746,6 +790,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: arcade-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -768,6 +814,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: workout-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -790,6 +838,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: wanderer-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -812,6 +862,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: opengist-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -834,6 +886,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: zipline-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -856,6 +910,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: crafty-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -878,6 +934,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: booking-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -900,6 +958,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: web-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -922,6 +982,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: control-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -944,6 +1006,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: glance-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true
@@ -967,6 +1031,10 @@ spec:
     server: https://kubernetes.default.svc
     namespace: version-checker-system
   syncPolicy:
+    automated:
+      enabled: true
+      prune: true
+      selfHeal: true
     syncOptions:
       - CreateNamespace=true
       - ServerSideApply=true
@@ -1033,6 +1101,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: orsi-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
       - CreateNamespace=true
       - ServerSideApply=true
@@ -1075,6 +1145,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: kisfenyo-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
       - CreateNamespace=true
       - ServerSideApply=true
@@ -1096,6 +1168,8 @@ spec:
     server: https://kubernetes.default.svc
     namespace: office-system
   syncPolicy:
+    automated:
+      enabled: true
     syncOptions:
       - CreateNamespace=true
       - ServerSideApply=true
@@ -1118,6 +1192,10 @@ spec:
     server: https://kubernetes.default.svc
     namespace: jarrs-system
   syncPolicy:
+    automated:
+      enabled: true
+      prune: true
+      selfHeal: true
     syncOptions:
     - CreateNamespace=true
     - PruneLast=true