renovate workflow and replace all by latest version

.gitea/workflows/renovate.yaml

@@ -0,0 +1,23 @@
+name: renovate
+
+on:
+  workflow_dispatch: # allows the workflow to be run manually when desired
+    branches:
+      - main
+  schedule: # runs this workflow at the scheduled time (uses UTC, adjust for your timezone)
+    - cron: "0 12 * * *"
+  push: # runs this workflow when pushes to the main branch are made
+    branches:
+      - main
+
+jobs:
+  renovate:
+    runs-on: ubuntu-latest
+    container: ghcr.io/renovatebot/renovate:latest
+    steps:
+      - uses: actions/checkout@v4
+      - run: renovate
+        env:
+          RENOVATE_CONFIG_FILE: ${{ gitea.workspace }}/config.js
+          LOG_LEVEL: "debug"
+          RENOVATE_TOKEN: ${{ secrets.RENOVATE_TOKEN }}

project/db/adminer/adminer.yml

@@ -4,14 +4,12 @@ services:
       file: ${TEMPLATES_PATH}
       service: default
     image: adminer:latest
-    container_name: adminer
+    container_name: adminer:5.4.1
     ports:
       - 8085:8080
     networks:
       - ip4net
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.adminer.rule=Host(`adminer.${LOCAL_DOMAIN}`)"

project/db/lldap/lldap.yml

@@ -9,7 +9,7 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    container_name: lldap
+    container_name: lldap:0.6.2
     image: lldap/lldap:latest
     ports:
       # For LDAP, not recommended to expose, see Usage section.
@@ -34,8 +34,6 @@ services:
       # You can also set a different database:
       - LLDAP_DATABASE_URL=postgres://lldap:${LLDAP_DB_PASSWORD}@postgres/lldap
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.lldap.rule=Host(`ldap.${PUBLIC_DOMAIN}`)"

project/db/mariadb/mariadb.yml

@@ -3,7 +3,7 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: mariadb:latest
+    image: mariadb:12.1.2
     container_name: mariadb
     command: --character-set-server=utf8mb4 --collation-server=utf8mb4_unicode_ci
     networks:
@@ -14,6 +14,3 @@ services:
       - ${DB_PATH}/mariadb/data:/var/lib/mysql
       # init db
       - ${DB_PATH}/mariadb/init:/docker-entrypoint-initdb.d
-    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"

project/db/pgadmin/pgadmin.yml

@@ -7,7 +7,7 @@ services:
       file: ${TEMPLATES_PATH}
       service: default
     container_name: pgadmin
-    image: dpage/pgadmin4:latest
+    image: dpage/pgadmin4:9.11.0
     ports:
       - 8082:80
     networks:
@@ -19,8 +19,6 @@ services:
       PGADMIN_DEFAULT_EMAIL: ${EMAIL}
       PGADMIN_DEFAULT_PASSWORD_FILE: /run/secrets/pgadmin_default_password
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.pgadmin.rule=Host(`pgadmin.${LOCAL_DOMAIN}`)"

project/db/postgres/postgres.yml

@@ -23,9 +23,6 @@ services:
     volumes:
       - ${DB_PATH}/postgres/data/postgres:/var/lib/postgresql/data
       - ${DB_PATH}/postgres/init/postgres:/docker-entrypoint-initdb.d
-    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
 
   postgres-with-pg-vector:
     extends:
@@ -48,6 +45,3 @@ services:
     volumes:
       - ${DB_PATH}/postgres/data/postgres-with-pg-vector:/var/lib/postgresql/data
       - ${DB_PATH}/postgres/init/postgres-with-pg-vector:/docker-entrypoint-initdb.d
-    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"

project/db/redis/redis.yml

@@ -4,12 +4,9 @@ services:
       file: ${TEMPLATES_PATH}
       service: default
     container_name: redis
-    image: redis:latest
+    image: redis:8.4.0
     networks:
       - ip4net
       - ip6net
     volumes:
       - ${DB_PATH}/redis/data:/data
-    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"

project/infrastructure/authelia/authelia.yml

@@ -13,14 +13,15 @@ services:
       file: ${TEMPLATES_PATH}
       service: default
     container_name: authelia
-    image: authelia/authelia:latest
+    image: authelia/authelia:4.39.15
     ports:
       - 9959:9959 # metrics prometheus
     networks:
       - ip6net
     expose:
       - 9091
-    secrets: [JWT_SECRET, SESSION_SECRET, STORAGE_PASSWORD, STORAGE_ENCRYPTION_KEY]
+    secrets:
+      [JWT_SECRET, SESSION_SECRET, STORAGE_PASSWORD, STORAGE_ENCRYPTION_KEY]
     environment:
       AUTHELIA_JWT_SECRET_FILE: /run/secrets/JWT_SECRET
       AUTHELIA_SESSION_SECRET_FILE: /run/secrets/SESSION_SECRET
@@ -32,15 +33,13 @@ services:
       - ${INFRA_PATH}/authelia/config:/config
       - "/var/log/authelia/:/config/log"
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
-      - 'traefik.enable=true'
+      - "traefik.enable=true"
-      - 'traefik.http.routers.authelia.rule=Host(`auth.${PUBLIC_DOMAIN}`)'
+      - "traefik.http.routers.authelia.rule=Host(`auth.${PUBLIC_DOMAIN}`)"
       - "traefik.http.routers.authelia.tls.certresolver=myresolver"
-      - 'traefik.http.routers.authelia.entryPoints=https'
+      - "traefik.http.routers.authelia.entryPoints=https"
-      - 'traefik.http.routers.authelia.tls=true'
+      - "traefik.http.routers.authelia.tls=true"
-      - 'traefik.http.routers.authelia.service=authelia-svc'
+      - "traefik.http.routers.authelia.service=authelia-svc"
-      - 'traefik.http.services.authelia-svc.loadbalancer.server.port=9091'
+      - "traefik.http.services.authelia-svc.loadbalancer.server.port=9091"
       # Middleware
       - "traefik.http.routers.authelia.middlewares=crowdsec-bouncer@file"

project/infrastructure/crowdsec/crowdsec.yml

@@ -4,7 +4,7 @@ services:
       file: ${TEMPLATES_PATH}
       service: default
     container_name: crowdsec
-    image: crowdsecurity/crowdsec:latest
+    image: crowdsecurity/crowdsec:1.7.4
     environment:
       COLLECTIONS: crowdsecurity/traefik crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules crowdsecurity/http-cve
       CROWDSEC_BOUNCER_API_KEY: ${CROWDSEC_API_KEY}
@@ -22,6 +22,3 @@ services:
       - /var/log/crowdsec:/var/log/crowdsec:ro
       - /var/log/syslog:/var/log/syslog:ro
       - /var/log/kern.log:/var/log/kern.log:ro
-    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"

project/infrastructure/homepage/homepage.yml

@@ -3,7 +3,7 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: ghcr.io/gethomepage/homepage:latest
+    image: ghcr.io/gethomepage/homepage:v1.8.0
     container_name: homepage
     ports:
       - 3030:3000
@@ -20,8 +20,6 @@ services:
       - ${EXTERNAL_STORAGE}:/disks/e
       - /var/run/docker.sock:/var/run/docker.sock:ro # optional, for docker integrations
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.homepage.rule=Host(`homepage.${LOCAL_DOMAIN}`)"

project/infrastructure/ntfy/ntfy.yml

@@ -4,7 +4,7 @@ services:
       file: ${TEMPLATES_PATH}
       service: default
     container_name: ntfy
-    image: binwiederhier/ntfy 
+    image: binwiederhier/ntfy:2.15.0
     ports:
       - "4023:80"
     networks:
@@ -16,12 +16,10 @@ services:
       - ${INFRA_PATH}/ntfy/config:/etc/ntfy
       - ${INFRA_PATH}/ntfy/data:/var/lib/ntfy
     labels:
-      # Watchtower
-      - 'com.centurylinklabs.watchtower.enable=true'
       # Traefik
-      - 'traefik.enable=true'
+      - "traefik.enable=true"
-      - 'traefik.http.routers.ntfy.rule=Host(`ntfy.${PUBLIC_DOMAIN}`)'
+      - "traefik.http.routers.ntfy.rule=Host(`ntfy.${PUBLIC_DOMAIN}`)"
-      - 'traefik.http.routers.ntfy.entrypoints=https'
+      - "traefik.http.routers.ntfy.entrypoints=https"
-      - 'traefik.http.routers.ntfy.tls=true'
+      - "traefik.http.routers.ntfy.tls=true"
       # Middlewares
       - "traefik.http.routers.ntfy.middlewares=crowdsec-bouncer@file"

project/infrastructure/speedtest/speedtest.yml

@@ -4,18 +4,16 @@ services:
       file: ${TEMPLATES_PATH}
       service: default
     container_name: speedtest
-    image: openspeedtest/latest
+    image: openspeedtest/latest:2.0.6
     ports:
       - "4001:3001" # webport mapping (host:container)
       - "3999:3001" # webport mapping (host:container)
     networks:
       - ip4net
     labels:
-      # Watchtower
-      - 'com.centurylinklabs.watchtower.enable=true'
       # Traefik
-      - 'traefik.enable=true'
+      - "traefik.enable=true"
-      - 'traefik.http.routers.speedtest.rule=Host(`speedtest.${LOCAL_DOMAIN}`)'
+      - "traefik.http.routers.speedtest.rule=Host(`speedtest.${LOCAL_DOMAIN}`)"
-      - 'traefik.http.routers.speedtest.entrypoints=https'
+      - "traefik.http.routers.speedtest.entrypoints=https"
-      - 'traefik.http.routers.speedtest.tls=true'
+      - "traefik.http.routers.speedtest.tls=true"
-      - 'traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=10000000000'
+      - "traefik.http.middlewares.limit.buffering.maxRequestBodyBytes=10000000000"

project/infrastructure/syncthing/syncthing.yml

@@ -3,7 +3,7 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: syncthing/syncthing
+    image: syncthing/syncthing:2.0.12
     container_name: syncthing
     volumes:
       - ${EXTERNAL_STORAGE}/notes/Obsidian-sync:/var/syncthing-data/Obsidian-sync
@@ -18,8 +18,6 @@ services:
       - ip4net
       - ip6net
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.syncthing.rule=Host(`syncthing.${LOCAL_DOMAIN}`)"

project/infrastructure/traefik/traefik.yml

@@ -3,8 +3,8 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: "traefik:latest"
+    image: traefik:3.6.5
-    container_name: "traefik"
+    container_name: traefik
     ports:
       - "80:80"
       - "443:443"
@@ -28,8 +28,6 @@ services:
       - "${INFRA_PATH}/traefik/html/ban.html:/ban.html"
       - "${INFRA_PATH}/traefik/html/captcha.html:/captcha.html"
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.traefik.service=api@internal"
@@ -41,15 +39,13 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: traefik/whoami:latest
+    image: traefik/whoami:1.11
-    container_name: "traefik-whoami"
+    container_name: traefik-whoami
     networks:
       - ip4net
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # traefik
       - "traefik.enable=true"
       - "traefik.http.routers.whoami.rule=Host(`whoami.${LOCAL_DOMAIN}`)"
       - "traefik.http.routers.whoami.entrypoints=https"
-      - 'traefik.http.routers.whoami.tls=true'
+      - "traefik.http.routers.whoami.tls=true"

project/infrastructure/uptime-kuma/uptime-kuma.yml

@@ -5,7 +5,7 @@ services:
     # extends:
     #   file: ${TEMPLATES_PATH}
     #   service: default
-    image: louislam/uptime-kuma
+    image: louislam/uptime-kuma:2.0.2
     container_name: uptime-kuma
     restart: unless-stopped
     security_opt:
@@ -21,8 +21,6 @@ services:
       - ip4net
       - ip6net
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.uptime-kuma.rule=Host(`uptime-kuma.${LOCAL_DOMAIN}`)"

project/media/audiobookshelf/audiobookshelf.yml

@@ -3,7 +3,7 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: ghcr.io/advplyr/audiobookshelf:latest
+    image: ghcr.io/advplyr/audiobookshelf:2.32.1
     container_name: audiobookshelf
     ports:
       - 13378:80
@@ -14,13 +14,11 @@ services:
       - ${MEDIA_PATH}/audiobookshelf/config:/config
       - ${MEDIA_PATH}/audiobookshelf/data/metadata:/metadata
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.audiobookshelf.rule=Host(`audiobookshelf.${PUBLIC_DOMAIN}`)"
       - "traefik.http.routers.audiobookshelf.entrypoints=https"
       - "traefik.http.routers.audiobookshelf.tls.certresolver=myresolver"
-      - 'traefik.http.routers.audiobookshelf.tls=true'
+      - "traefik.http.routers.audiobookshelf.tls=true"
       # Middlewares
       - "traefik.http.routers.audiobookshelf.middlewares=crowdsec-bouncer@file"

project/media/calibre/calibre.yml

@@ -3,7 +3,7 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: lscr.io/linuxserver/calibre:latest
+    image: lscr.io/linuxserver/calibre:8.16.2
     container_name: calibre
     environment:
       - PASSWORD= #optional
@@ -18,20 +18,18 @@ services:
     networks:
       - ip4net
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.calibre.rule=Host(`calibre.${LOCAL_DOMAIN}`)"
       - "traefik.http.routers.calibre.entrypoints=https"
-      - 'traefik.http.routers.calibre.tls=true'
+      - "traefik.http.routers.calibre.tls=true"
-      - 'traefik.http.services.calibre.loadbalancer.server.port=8080'
+      - "traefik.http.services.calibre.loadbalancer.server.port=8080"
 
   calibre-web:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: lscr.io/linuxserver/calibre-web:latest
+    image: lscr.io/linuxserver/calibre-web:0.6.25
     container_name: calibre-web
     environment:
       - DOCKER_MODS=linuxserver/mods:universal-calibre #optional
@@ -44,10 +42,8 @@ services:
     networks:
       - ip6net
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.calibre-web.rule=Host(`calibre-web.${LOCAL_DOMAIN}`)"
       - "traefik.http.routers.calibre-web.entrypoints=https"
-      - 'traefik.http.routers.calibre-web.tls=true'
+      - "traefik.http.routers.calibre-web.tls=true"

project/media/immich/immich.yml

@@ -4,7 +4,7 @@ services:
       file: ${TEMPLATES_PATH}
       service: default
     container_name: immich_server
-    image: ghcr.io/immich-app/immich-server:release
+    image: ghcr.io/immich-app/immich-server:v2.4.1
     environment:
       DB_PASSWORD: ${IMMICH_DB_PASSWORD}
       DB_HOSTNAME: postgres-with-pg-vector
@@ -21,14 +21,12 @@ services:
     networks:
       - ip6net
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.immich-server.rule=Host(`immich.${PUBLIC_DOMAIN}`)"
       - "traefik.http.routers.immich-server.entrypoints=https"
       - "traefik.http.routers.immich-server.tls.certresolver=myresolver"
-      - 'traefik.http.routers.immich-server.tls=true'
+      - "traefik.http.routers.immich-server.tls=true"
       # Middlewares
       - "traefik.http.routers.immich-server.middlewares=crowdsec-bouncer@file"
 
@@ -37,14 +35,11 @@ services:
       file: ${TEMPLATES_PATH}
       service: default
     container_name: immich_machine_learning
-    image: ghcr.io/immich-app/immich-machine-learning:release
+    image: ghcr.io/immich-app/immich-machine-learning:v2.4.1
     ports:
       - 3003:3003
     volumes:
       - ${MEDIA_PATH}/immich/data/model-cache:/cache
-    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
 
   # https://github.com/Salvoxia/immich-folder-album-creator
   # one time run:
@@ -54,7 +49,7 @@ services:
       file: ${TEMPLATES_PATH}
       service: default
     container_name: immich_folder_album_creator
-    image: salvoxia/immich-folder-album-creator:latest
+    image: salvoxia/immich-folder-album-creator:0.24.0
     environment:
       API_URL: https://immich.crescentec.xyz/api
       API_KEY: qTaebdVMtph9yD0pSJRJDQJkDEpexiXNMJ5V5HBEnA
@@ -65,6 +60,3 @@ services:
       #UNATTENDED: 1
     volumes:
       - /usr/src/app/external:/usr/src/app/external
-    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"

project/media/kiwix/kiwix.yml

@@ -3,7 +3,7 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: ghcr.io/kiwix/kiwix-serve
+    image: ghcr.io/kiwix/kiwix-serve:3.8.1
     container_name: kiwix
     ports:
       - 2009:8080
@@ -12,13 +12,11 @@ services:
     volumes:
       - ${EXTERNAL_STORAGE}/wikipedia/:/data
     command:
-      - '*.zim'
+      - "*.zim"
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.kiwix.rule=Host(`wikipedia.${LOCAL_DOMAIN}`)"
       - "traefik.http.routers.kiwix.entrypoints=https"
-      - 'traefik.http.routers.kiwix.tls=true'
+      - "traefik.http.routers.kiwix.tls=true"
-      - 'traefik.http.services.kiwix.loadbalancer.server.port=8080'
+      - "traefik.http.services.kiwix.loadbalancer.server.port=8080"

project/media/lidarr/lidarr.yml

@@ -3,7 +3,7 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: lscr.io/linuxserver/lidarr 
+    image: lscr.io/linuxserver/lidarr:3.1.0
     container_name: lidarr
     ports:
       - 2010:8686
@@ -17,10 +17,8 @@ services:
       - ${MEDIA_PATH}/data:/data
       - ${EXTERNAL_STORAGE}/media/music:/music
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.lidarr.rule=Host(`lidarr.${LOCAL_DOMAIN}`)"
       - "traefik.http.routers.lidarr.entrypoints=https"
-      - 'traefik.http.routers.lidarr.tls=true'
+      - "traefik.http.routers.lidarr.tls=true"

project/media/navidrome/navidrome.yml

@@ -3,7 +3,7 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: deluan/navidrome 
+    image: deluan/navidrome:0.59.0
     container_name: navidrome
     ports:
       - 2011:4533
@@ -16,13 +16,11 @@ services:
       ND_REVERSEPROXYWHITELIST: 0.0.0.0/0
       ND_ENABLEUSEREDITING: false
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.navidrome.rule=Host(`navidrome.${PUBLIC_DOMAIN}`)"
       - "traefik.http.routers.navidrome.entrypoints=https"
-      - 'traefik.http.routers.navidrome.tls=true'
+      - "traefik.http.routers.navidrome.tls=true"
       # Middlewares
       - "traefik.http.routers.navidrome.middlewares=crowdsec-bouncer@file, authelia@file"
       # Subsonic endpoint use basic authentication middleware from authelia

project/media/prowlarr/prowlarr.yml

@@ -3,7 +3,7 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: lscr.io/linuxserver/prowlarr:develop
+    image: lscr.io/linuxserver/prowlarr:2.3.0
     container_name: prowlarr
     ports:
       - 2004:9696
@@ -12,10 +12,9 @@ services:
     volumes:
       - ${MEDIA_PATH}/prowlarr/config:/config
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.prowlarr.rule=Host(`prowlarr.${LOCAL_DOMAIN}`)"
       - "traefik.http.routers.prowlarr.entrypoints=https"
-      - 'traefik.http.routers.prowlarr.tls=true'
+      - "traefik.http.routers.prowlarr.tls=true"
+

project/media/qbittorrent/qbittorrent.yml

@@ -3,7 +3,7 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: lscr.io/linuxserver/qbittorrent:latest
+    image: lscr.io/linuxserver/qbittorrent:5.1.4
     container_name: qbittorrent
     ports:
       - 2002:2002
@@ -22,10 +22,8 @@ services:
       - ${EXTERNAL_STORAGE}/media/audiobooks:/data/downloaded/audiobooks
       - ${EXTERNAL_STORAGE}/media/music:/data/downloaded/music
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.qbittorrent.rule=Host(`qbittorrent.${LOCAL_DOMAIN}`)"
       - "traefik.http.routers.qbittorrent.entrypoints=https"
-      - 'traefik.http.routers.qbittorrent.tls=true'
+      - "traefik.http.routers.qbittorrent.tls=true"

project/media/readarr/readarr.yml

@@ -15,10 +15,8 @@ services:
       - ${EXTERNAL_STORAGE}/media/audiobooks:/data/media/audiobooks
       - ${EXTERNAL_STORAGE}/media/books:/data/media/books
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.readarr.rule=Host(`readarr.${LOCAL_DOMAIN}`)"
       - "traefik.http.routers.readarr.entrypoints=https"
-      - 'traefik.http.routers.readarr.tls=true'
+      - "traefik.http.routers.readarr.tls=true"

project/media/slskd/slskd.yml

@@ -3,7 +3,7 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: slskd/slskd 
+    image: slskd/slskd:0.24.1
     container_name: slskd
     user: ${PUID}:${PGID}
     ports:
@@ -19,11 +19,9 @@ services:
       - ${MEDIA_PATH}/data/slskd_downloads:/app/downloads
       - ${EXTERNAL_STORAGE}/media/music:/app/library
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.slskd.rule=Host(`slskd.${LOCAL_DOMAIN}`)"
       - "traefik.http.routers.slskd.entrypoints=https"
-      - 'traefik.http.routers.slskd.tls=true'
+      - "traefik.http.routers.slskd.tls=true"
-      - 'traefik.http.services.slskd.loadbalancer.server.port=5030'
+      - "traefik.http.services.slskd.loadbalancer.server.port=5030"

project/media/soularr/soularr.yml

@@ -3,7 +3,7 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: mrusse08/soularr 
+    image: mrusse08/soularr:latest
     container_name: soularr
     user: ${PUID}:${PGID}
     networks:

project/monitoring/dozzle/dozzle.yml

@@ -4,7 +4,7 @@ services:
       file: ${TEMPLATES_PATH}
       service: default
     container_name: dozzle
-    image: amir20/dozzle:latest
+    image: amir20/dozzle:8.14.12
     ports:
       - 8083:8080
     networks:
@@ -12,10 +12,9 @@ services:
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.dozzle.rule=Host(`dozzle.${LOCAL_DOMAIN}`)"
       - "traefik.http.routers.dozzle.entrypoints=https"
       - "traefik.http.routers.dozzle.tls=true"
+

project/monitoring/grafana/grafana.yml

@@ -4,7 +4,7 @@ services:
       file: ${TEMPLATES_PATH}
       service: default
     container_name: grafana
-    image: grafana/grafana-oss:latest
+    image: grafana/grafana-oss:12.3.1
     ports:
       - 8090:3000
     networks:
@@ -12,10 +12,9 @@ services:
     volumes:
       - ${MONITORING_PATH}/grafana/data:/var/lib/grafana
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.grafana.rule=Host(`grafana.${LOCAL_DOMAIN}`)"
       - "traefik.http.routers.grafana.entrypoints=https"
       - "traefik.http.routers.grafana.tls=true"
+

project/monitoring/loki/loki.yml

@@ -4,7 +4,7 @@ services:
       file: ${TEMPLATES_PATH}
       service: default
     container_name: loki
-    image: grafana/loki
+    image: grafana/loki:3.5.9
     ports:
       - 8094:3100
     networks:
@@ -12,8 +12,6 @@ services:
     volumes:
       - ${MONITORING_PATH}/loki/config/loki-config.yml:/etc/loki/local-config.yaml
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.loki.rule=Host(`loki.${LOCAL_DOMAIN}`)"
@@ -25,13 +23,10 @@ services:
       file: ${TEMPLATES_PATH}
       service: default
     container_name: promtail
-    image: grafana/promtail
+    image: grafana/promtail:3.5.9
     networks:
       - ip4net
     volumes:
       - ${MONITORING_PATH}/loki/config/promtail-config.yml:/etc/promtail/config.yml
       - /var/log:/var/log
       - /var/run/docker.sock:/var/run/docker.sock:ro
-    labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"

project/monitoring/prometheus/prometheus.yml

@@ -4,7 +4,7 @@ services:
       file: ${TEMPLATES_PATH}
       service: default
     container_name: prometheus
-    image: prom/prometheus:latest
+    image: prom/prometheus:3.8.1
     ports:
       - 9090:9090
     networks:
@@ -12,10 +12,9 @@ services:
     volumes:
       - ${MONITORING_PATH}/prometheus/config:/etc/prometheus
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.prometheus.rule=Host(`prometheus.${LOCAL_DOMAIN}`)"
       - "traefik.http.routers.prometheus.entrypoints=https"
       - "traefik.http.routers.prometheus.tls=true"
+

project/service/freshrss/freshrss.yml

@@ -3,7 +3,7 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: freshrss/freshrss:latest
+    image: freshrss/freshrss:1.28.0
     container_name: freshrss
     ports:
       - 4014:80
@@ -13,11 +13,9 @@ services:
       - ${SERVICE_PATH}/freshrss/data:/var/www/FreshRSS/data
       - ${SERVICE_PATH}/freshrss/extensions:/var/www/FreshRSS/extensions
     environment:
-      CRON_MIN: '3,33'
+      CRON_MIN: "3,33"
       TRUSTED_PROXY: 172.16.0.1/12 192.168.0.1/16
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.freshrss.rule=Host(`rss.${PUBLIC_DOMAIN}`)"

project/service/ghost/ghost.yml

@@ -3,7 +3,7 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: ghost:latest
+    image: ghost:6.10.3-alpine
     container_name: ghost
     ports:
       - 4016:2368
@@ -31,3 +31,4 @@ services:
       MYSQL_ROOT_PASSWORD: example
     volumes:
       - ${SERVICE_PATH}/ghost/data/db:/var/lib/mysql
+

project/service/gitea/gitea.yml

@@ -3,7 +3,7 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: gitea/gitea:latest
+    image: gitea/gitea:1.25
     container_name: gitea
     environment:
       - APP_NAME="Gitea"
@@ -37,8 +37,6 @@ services:
     expose:
       - 4002
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.gitea.rule=Host(`gitea.${PUBLIC_DOMAIN}`)"
@@ -49,3 +47,21 @@ services:
       - "traefik.http.services.gitea-service.loadbalancer.server.port=4002"
       # Middlewares
       - "traefik.http.routers.gitea.middlewares=crowdsec-bouncer@file"
+
+  gitea-runner:
+    extends:
+      file: ${TEMPLATES_PATH}
+      service: default
+    image: gitea/act_runner:0.2.13
+    container_name: gitea_runner
+    depends_on:
+      - gitea
+    volumes:
+      - /var/run/docker.sock:/var/run/docker.sock
+      - ${SERVICE_PATH}/gitea/config/runner-config.yaml:/config.yaml
+      - ${SERVICE_PATH}/gitea/data/runner-data:/data
+    environment:
+      - CONFIG_FILE=/config.yaml
+      - GITEA_INSTANCE_URL=gitea
+      - GITEA_RUNNER_REGISTRATION_TOKEN=${GITEA_RUNNER_TOKEN}
+      - GITEA_RUNNER_NAME=gitea-runner

project/service/home-assistant/home-assistant.yml

@@ -3,7 +3,7 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: ghcr.io/home-assistant/home-assistant:stable
+    image: ghcr.io/home-assistant/home-assistant:2025.12.4
     container_name: home-assistant
     networks:
       - ip4net
@@ -14,10 +14,9 @@ services:
       - /etc/localtime:/etc/localtime:ro
       - /run/dbus:/run/dbus:ro
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.home-assistant.rule=Host(`ha.${LOCAL_DOMAIN}`)"
       - "traefik.http.routers.home-assistant.entrypoints=https"
       - "traefik.http.routers.home-assistant.tls=true"
+

project/service/it-tools/it-tools.yml

@@ -3,17 +3,16 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: corentinth/it-tools:latest
+    image: corentinth/it-tools:2024.10.22-7ca5933
     container_name: it-tools
     ports:
-      - '4007:80'
+      - "4007:80"
     networks:
       - ip4net
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.it-tools.rule=Host(`it-tools.${LOCAL_DOMAIN}`)"
       - "traefik.http.routers.it-tools.entrypoints=https"
       - "traefik.http.routers.it-tools.tls=true"
+

project/service/jupyter-notebook/jupyter-notebook.yml

@@ -3,7 +3,7 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: quay.io/jupyter/base-notebook:latest
+    image: quay.io/jupyter/base-notebook:ubuntu-24.04
     container_name: jupyter
     volumes:
       - ${SERVICE_PATH}/jupyter-notebook/data:/home/jovyan/work
@@ -13,8 +13,6 @@ services:
       - ip4net
     command: start-notebook.py --NotebookApp.token='aToken1234'
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.jupyter.rule=Host(`jupyter.${LOCAL_DOMAIN}`)"

project/service/linkwarden/linkwarden.yml

@@ -3,7 +3,7 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: ghcr.io/linkwarden/linkwarden:latest  
+    image: ghcr.io/linkwarden/linkwarden:v2.13.5
     container_name: linkwarden
     ports:
       - 4020:3000
@@ -24,8 +24,6 @@ services:
       - AUTHELIA_CLIENT_ID=linkwarden
       - AUTHELIA_CLIENT_SECRET=${LINKWARDEN_OIDC_CLIENT_SECRET}
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.linkwarden.rule=Host(`linkwarden.${PUBLIC_DOMAIN}`)"
@@ -36,7 +34,7 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: getmeili/meilisearch:latest
+    image: getmeili/meilisearch:1.31.0
     container_name: linkwarden_meili
     networks:
       - ip4net

project/service/mealie/mealie.yml

@@ -3,7 +3,7 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: ghcr.io/mealie-recipes/mealie:latest
+    image: ghcr.io/mealie-recipes/mealie:v3.8.0
     container_name: mealie
     ports:
       - "4006:9000"
@@ -29,8 +29,6 @@ services:
       OIDC_CLIENT_SECRET: ${MEALIE_OIDC_CLIENT_SECRET}
       OIDC_AUTO_REDIRECT: false
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.mealie.rule=Host(`mealie.${PUBLIC_DOMAIN}`)"

project/service/n8n/n8n.yml

@@ -3,7 +3,7 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: docker.n8n.io/n8nio/n8n
+    image: docker.n8n.io/n8nio/n8n:2.1.4
     container_name: n8n
     ports:
       - 4022:5678
@@ -20,8 +20,6 @@ services:
       - ${SERVICE_PATH}/n8n/data:/home/node/.n8n
     entrypoint: /home/node/.n8n/script/entrypoint.sh
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.n8n.rule=Host(`n8n.${LOCAL_DOMAIN}`)"

project/service/ollama/ollama.yml

@@ -3,7 +3,7 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: ollama/ollama 
+    image: ollama/ollama:0.13.5
     container_name: ollama
     ports:
       - 4019:11434
@@ -12,8 +12,6 @@ services:
     volumes:
       - ${SERVICE_PATH}/ollama/data:/root/.ollama
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.ollama.rule=Host(`ollama.${PUBLIC_DOMAIN}`)"

project/service/paperless-ngx/paperless-ngx.yml

@@ -3,7 +3,7 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: ghcr.io/paperless-ngx/paperless-ngx:latest
+    image: ghcr.io/paperless-ngx/paperless-ngx:2.20.3
     container_name: paperless-ngx
     ports:
       - "4009:8000"
@@ -37,8 +37,6 @@ services:
       # PAPERLESS_APPS: "allauth.socialaccount.providers.openid_connect"
       # PAPERLESS_SOCIALACCOUNT_PROVIDERS: '{"openid_connect":{"SCOPE":["openid","profile","email"],"OAUTH_PKCE_ENABLED":true,"APPS":[{"provider_id":"authelia","name":"Authelia","client_id":"paperless","secret":"jzO0JYA35oOojGqxFJUaDXdgdXhuACyq4b3lvOx233wtoSyv19prQfCKah1mwyDv","settings":{"server_url":"https://auth.crescentec.xyz","token_auth_method":"client_secret_basic"}}]}}'
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.paperless.rule=Host(`paperless.${PUBLIC_DOMAIN}`)"

project/service/pdf/pdf.yml

@@ -3,15 +3,13 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: bentopdf/bentopdf-simple
+    image: bentopdf/bentopdf-simple:1.15.1
     container_name: pdf
     ports:
-      - '4003:8080'
+      - "4003:8080"
     networks:
       - ip6net
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.pdf.rule=Host(`pdf.${PUBLIC_DOMAIN}`)"

project/service/radicale/radicale.yml

@@ -3,7 +3,7 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: tomsquest/docker-radicale
+    image: tomsquest/docker-radicale:3.5.10.0
     container_name: radicale
     ports:
       - 4017:5232
@@ -26,8 +26,6 @@ services:
       - ${SERVICE_PATH}/radicale/config:/config/
       - ${EXTERNAL_STORAGE}/calendars-contacts:/data
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.radicale.rule=Host(`radicale.${PUBLIC_DOMAIN}`)"

project/service/vaultwarden/vaultwarden.yml

@@ -3,7 +3,7 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: vaultwarden/server
+    image: vaultwarden/server:1.35.0
     container_name: vaultwarden
     ports:
       - 4018:80
@@ -22,8 +22,6 @@ services:
     volumes:
       - ${EXTERNAL_STORAGE}/passwords:/data/
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.vaultwarden.rule=Host(`vaultwarden.${PUBLIC_DOMAIN}`)"

project/service/vikunja/vikunja.yml

@@ -6,7 +6,7 @@ services:
     extends:
       file: ${TEMPLATES_PATH}
       service: default
-    image: vikunja/vikunja:latest
+    image: vikunja/vikunja:0.24.6
     container_name: vikunja
     secrets: [vikunja_jwt_secret]
     environment:
@@ -23,13 +23,12 @@ services:
       - ${SERVICE_PATH}/vikunja/data:/app/vikunja/files
       - ${SERVICE_PATH}/vikunja/config:/etc/vikunja
     labels:
-      # Watchtower
-      - "com.centurylinklabs.watchtower.enable=true"
       # Traefik
       - "traefik.enable=true"
       - "traefik.http.routers.vikunja.rule=Host(`vikunja.${PUBLIC_DOMAIN}`)"
       - "traefik.http.routers.vikunja.entrypoints=https"
       - "traefik.http.routers.vikunja.tls.certresolver=myresolver"
-      - 'traefik.http.routers.vikunja.tls=true'
+      - "traefik.http.routers.vikunja.tls=true"
       # Middlewares
       - "traefik.http.routers.vikunja.middlewares=crowdsec-bouncer@file"
+

renovate.json

@@ -0,0 +1,42 @@
+{
+    "$schema": "https://docs.renovatebot.com/renovate-schema.json",
+    "extends": [
+        "config:recommended"
+    ],
+    "dependencyDashboard": true,
+    "dependencyDashboardTitle": "Renovate Dashboard",
+    "assignees": [
+        "chriswin"
+    ],
+    "labels": [
+        "renovate"
+    ],
+    "configMigration": true,
+    "prHourlyLimit": 0,
+    "docker-compose": {
+        "hostRules": [
+            {
+                "matchHost": "docker.io",
+                "concurrentRequestLimit": 2
+            }
+        ],
+        "packageRules": [
+            {
+                "matchPackageNames": "tensorchord/pgvecto-rs",
+                "enabled": false
+            },
+            {
+                "matchPackageNames": "mysql",
+                "enabled": false
+            },
+            {
+                "matchPackageNames": "mrusse08/soularr",
+                "enabled": false
+            },
+            {
+                "matchPackageNames": "mysql",
+                "enabled": false
+            }
+        ]
+    }
+}