Merge pull request '🔧 Renovate: Pin dependencies' (#329) from renovate/pin-dependencies into main

Reviewed-on: #329

.gitea/workflows/pr-docker-deploy.yml

@@ -11,7 +11,7 @@ on:
 
 env:
   HC_VAULT_VERSION: "1.21.4"
-  TEA_VERSION: "0.10.1"
+  TEA_VERSION: "0.14.0"
 
 jobs:
   check-and-create-pr:

README.md

@@ -4,17 +4,22 @@
 
 | Service | Image | Description |
 | --- | --- | --- |
-| adguard | adguard/adguardhome:v0.107.74 |  |
+| adguard | adguard/adguardhome:v0.107.77 |  |
 | beszel-agent | henrygd/beszel-agent:0.18.7 |  |
 | castsponsorskip | ghcr.io/gabe565/castsponsorskip:0.8.3 |  |
 | docker-socket-proxy | ghcr.io/tecnativa/docker-socket-proxy:latest |  |
 | dockflare | alplat/dockflare:stable |  |
 | ha-fusion | ghcr.io/matt8707/ha-fusion:2024.10.1 |  |
 | homeassistant | ghcr.io/home-assistant/home-assistant:stable |  |
+| patchmon-server | ghcr.io/patchmon/patchmon-server:latest |  |
+| patchmon-pg-db | postgres:17-alpine |  |
+| patchmon-redis | redis:7-alpine |  |
+| patchmon-guacd | guacamole/guacd:1.6.0 |  |
 | portainer-agent | portainer/agent:latest |  |
-| renovate | renovate/renovate:42.84.2-full |  |
+| renovate | renovate/renovate:43.170.22-full |  |
 | renovate-valkey | docker.io/valkey/valkey:9-alpine |  |
 | signoz-logspout | pavanputhra/logspout-signoz:2025.07.19-887dfeb |  |
+| snapcast-server | docker.io/sweisgerber/snapcast:latest |  |
 | upsnap | ghcr.io/seriousm4x/upsnap:5 |  |
 | webhook | thecatlady/webhook:2.8.2 |  |
 

docker-compose.yml

@@ -10,7 +10,7 @@ services:
     container_name: adguard
     environment:
       TZ: ${TZ}
-    image: adguard/adguardhome:v0.107.74@sha256:f29c58a91f79387cbbbb042e140814f58e830d457d44af03d662c8df43db9dea
+    image: adguard/adguardhome:v0.107.77@sha256:e6f2b8bcda06064ab055b44933a4f0e983c35558b9cdb8d2e7ab1efcee36d890
     network_mode: host
     privileged: true
     restart: unless-stopped
@@ -101,18 +101,17 @@ services:
       TUNNEL_NAME: dockflared-tunnel
       TZ: ${TZ}
     healthcheck:
-      test:
-        [
+      test: [
           "CMD-SHELL",
           "wget -qO- --server-response http://localhost:5000/ping 2>&1 | awk
-            '/^  HTTP/{code=$2} /^[^{]/{next} {print; fflush()} END{exit
-            (code>=400 || code==0)}' >/dev/null",
+          '/^  HTTP/{code=$2} /^[^{]/{next} {print; fflush()} END{exit
+          (code>=400 || code==0)}' >/dev/null",
         ]
       interval: 1m30s
       timeout: 30s
       retries: 5
       start_period: 30s
-    image: alplat/dockflare:stable@sha256:2c8d1c70b22b9de45111dff6466a73165592cca5b21d91562b59bb094b3768aa # Or :unstable for the latest features
+    image: alplat/dockflare:stable@sha256:ff2807c696b0752767716825e7b3d9f7d4f353e7ea8a323dc2b7cc174ad27ef7 # Or :unstable for the latest features
     # labels:
     #   ## EXAMPLE CF TUNNEL LABELS ###
     #   Enable DockFlare management for this container
@@ -161,7 +160,7 @@ services:
       - /dev/ttyS0:/dev/ttyS0
     environment:
       DISABLE_JEMALLOC: true
-    image: ghcr.io/home-assistant/home-assistant:stable@sha256:c1e5f0147f4cb51ccb05bb30b62a1269cc1bd48a6274792d3b38a77ab274dfd2
+    image: ghcr.io/home-assistant/home-assistant:stable@sha256:f0baa7922ecec7790c40c41baf08ab218b6ab8db5f96dc03b03a0ae33d987c3d
     labels:
       com.centurylinklabs.watchtower.monitor-only: true
     network_mode: host
@@ -171,9 +170,103 @@ services:
       - ${RIKKU_DOCKER_DIR}/homeassistant:/config
       - /etc/localtime:/etc/localtime:ro
       - /run/dbus:/run/dbus:ro
+  patchmon-server:
+    container_name: patchmon-server
+    depends_on:
+      patchmon-pg-db:
+        condition: service_healthy
+      patchmon-redis:
+        condition: service_healthy
+      patchmon-guacd:
+        condition: service_healthy
+    environment:
+      CORS_ORIGIN: "*"
+      JWT_SECRET: ${PATCHMON_JWT_SECRET}
+      POSTGRES_HOST: patchmon-pg-db
+      DATABASE_URL: postgresql://patchmon:${PATCHMON_PG_PASSWORD}@patchmon-pg-db:5432/patchmon
+      ENABLE_LOGGING: true
+      GUACD_ADDRESS: patchmon-guacd:4822
+      LOG_LEVEL: info
+      REDIS_HOST: patchmon-redis
+      SESSION_SECRET: ${PATCHMON_SESSION_SECRET}
+      AI_ENCRYPTION_KEY: ${PATCHMON_AI_ENCRYPTION_KEY}
+      REDIS_PORT: 6379
+      REDIS_PASSWORD: ${PATCHMON_REDIS_PASSWORD}
+      REDIS_DB: 0
+      TRUST_PROXY: true
+      TZ: ${TZ}
+    image: ghcr.io/patchmon/patchmon-server:latest@sha256:eaa1bcce290c7003cff01a96cfc893a64cb144e582e9b797875e6381f56b297a
+    ports:
+      - 3000:3000
+    restart: unless-stopped
+  patchmon-pg-db:
+    container_name: patchmon-pg-db
+    image: postgres:17-alpine@sha256:979c4379dd698aba0b890599a6104e082035f98ef31d9b9291ec22f2b13059ca
+    restart: unless-stopped
+    environment:
+      POSTGRES_PASSWORD: ${PATCHMON_PG_PASSWORD}
+      POSTGRES_USER: patchmon
+      POSTGRES_DB: patchmon
+    expose:
+      - 5432
+    volumes:
+      - patchmon-pg-data:/var/lib/postgresql/data
+    healthcheck:
+      test: ["CMD-SHELL", "pg_isready -U patchmon -d patchmon"]
+      interval: 3s
+      timeout: 5s
+      retries: 7
+  patchmon-redis:
+    container_name: patchmon-redis
+    image: redis:7-alpine@sha256:6ab0b6e7381779332f97b8ca76193e45b0756f38d4c0dcda72dbb3c32061ab99
+    restart: unless-stopped
+    environment:
+      TZ: ${TZ}
+      REDIS_PORT: 6379
+      REDIS_PASSWORD: ${PATCHMON_REDIS_PASSWORD}
+      REDIS_DB: 0
+    expose:
+      - 6379
+    command: redis-server --requirepass ${PATCHMON_REDIS_PASSWORD}
+    volumes:
+      - patchmon-redis-data:/data
+    healthcheck:
+      test:
+        [
+          "CMD",
+          "redis-cli",
+          "--no-auth-warning",
+          "-a",
+          "${PATCHMON_REDIS_PASSWORD}",
+          "ping",
+        ]
+      interval: 3s
+      timeout: 5s
+      retries: 7
+  patchmon-guacd:
+    container_name: patchmon-guacd
+    image: guacamole/guacd:1.6.0@sha256:8974eaa9ba32f713daf311e7cc8cd7e4cdfba1edea39eed75524e78ef4b08f4f
+    expose:
+      - 4822
+    restart: unless-stopped
+    read_only: true
+    tmpfs:
+      - /tmp:size=64m
+    security_opt:
+      - no-new-privileges:true
+    cap_drop:
+      - ALL
+    mem_limit: 512m
+    cpus: "1.0"
+    healthcheck:
+      test: ["CMD-SHELL", "nc -z localhost 4822 || exit 1"]
+      interval: 10s
+      timeout: 5s
+      retries: 3
+      start_period: 10s
   portainer-agent:
     container_name: portainer_agent
-    image: portainer/agent:latest@sha256:7af856876dcb2778108bf6846f3da31b176443db90e3de31fcfdf17e5ab7857e
+    image: portainer/agent:latest@sha256:236246fc09b3e7e9269aad53e57ec71f27b7e114a2b6b70d4fd98c117ccc36d8
     volumes:
       - /:/host
       - /var/lib/docker/volumes:/var/lib/docker/volumes
@@ -209,7 +302,7 @@ services:
 
       # --- Scheduling ---
       # Renovate will only process PRs/updates in this time window
-      RENOVATE_SCHEDULE: "[\"after 2am and before 6am\"]"
+      RENOVATE_SCHEDULE: '["after 2am and before 6am"]'
       OTEL_EXPORTER_OTLP_ENDPOINT: http://192.168.1.254:4318
       OTEL_SERVICE_NAME: renovate
       OTEL_SERVICE_NAMESPACE: renovate.${MY_TLD}
@@ -221,7 +314,7 @@ services:
       GHCR_USER: ${RENOVATE__GHCR_USER}
       GITEA_BOT_PASS: ${RENOVATE__GITEA_BOT_PASS}
       GITEA_BOT_USER: ${RENOVATE__GITEA_BOT_USER}
-    image: renovate/renovate:42.84.2-full@sha256:d102b070154132b32ab1629939e5762f82a65899f154a7d267150929d2999d0e
+    image: renovate/renovate:43.170.22-full@sha256:934f64671c3f6535f5cce940b921a06aaaf47a347ce7de82b01b4028b223dcda
     restart: unless-stopped
     volumes:
       - ${RIKKU_DOCKER_DIR}/renovate/config.js:/etc/renovate/config.js
@@ -229,7 +322,7 @@ services:
     container_name: renovate-valkey
     healthcheck:
       test: redis-cli ping || exit 1
-    image: docker.io/valkey/valkey:9-alpine@sha256:e1095c6c76ee982cb2d1e07edbb7fb2a53606630a1d810d5a47c9f646b708bf5
+    image: docker.io/valkey/valkey:9-alpine@sha256:a35428eba9043cc0b79dbe54100f0c92784f2de00ad09b01182bfb1c5c83d1bd
     environment:
       ALLOW_EMPTY_PASSWORD: yes
       VALKEY_DATA_DIR: /data/valkey
@@ -250,25 +343,22 @@ services:
     volumes:
       - /var/run/docker.sock:/var/run/docker.sock
   snapcast-server:
-    image: docker.io/sweisgerber/snapcast:latest
+    image: docker.io/sweisgerber/snapcast:latest@sha256:8859aaf7949781d47787fa048a3c85c7b3ea97aad4270d6f4ae2ff8b341db22c
     hostname: snapcast-server
     container_name: snapcast-server
     environment:
-      PUID: ${PUID}
-      PGID: ${PGID} # set to audio group ID
       TZ: ${TZ}
     restart: "unless-stopped"
     ports:
       - 1704:1704
       - 1705:1705
       - 1780:1780
+      - 4953:4953
       # devices:
       # - /dev/snd:/dev/snd # optional, only if you want to use snapclient
     volumes:
       - ${RIKKU_DOCKER_DIR}/snapcast/config/:/config/
       - ${RIKKU_DOCKER_DIR}/snapcast/data/:/data/
-      # /audio should get used to place FIFOs for audio playback from mpd/mopidy/host/etc
-      - ${RIKKU_DOCKER_DIR}/snapcast/audio/:/audio/
   upsnap:
     container_name: upsnap
     dns:
@@ -288,7 +378,7 @@ services:
     healthcheck:
       test: curl -fs "http://localhost:5000/api/health" || exit 1
       interval: 10s
-    image: ghcr.io/seriousm4x/upsnap:5@sha256:689851f41098d4cdbbf04261a1321d0b0f84f4695fed4ce24d67d0f6c1a275d4 # images are also available on docker hub: seriousm4x/upsnap:5
+    image: ghcr.io/seriousm4x/upsnap:5@sha256:a73c9db5a987289da68dc602e68fc0307c9ee57c563f53004d09ae3e3cf45a0a # images are also available on docker hub: seriousm4x/upsnap:5
     network_mode: host
     privileged: true
     restart: unless-stopped
@@ -307,5 +397,9 @@ services:
 volumes:
   dockflare_data:
     name: dockflare_data
+  patchmon-pg-data:
+    name: patchmon-pg-data
+  patchmon-redis-data:
+    name: patchmon-redis-data
   renovate-valkey-data:
     name: renovate-valkey-data