chore(deps): update rybbit to v2.5.0

Reviewed-on: #5281

.gitea/workflows/renovate.yaml

@@ -13,7 +13,7 @@ on:
 jobs:
   renovate:
     runs-on: ubuntu-latest
-    container: ghcr.io/renovatebot/renovate:43.99.0@sha256:aae697086b93427dcde46eb92e08e334b018946ce19339bf044ce971ca1626e2
+    container: ghcr.io/renovatebot/renovate:43.100.0@sha256:1188aeae54f7f2103a9dcea554316efde65eb4221793bcee5a0b29772e16aed3
     steps:
       - name: Checkout
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

clusters/cl01tl/helm/code-server/values.yaml

@@ -28,7 +28,7 @@ code-server:
           resources:
             requests:
               cpu: 1m
-              memory: 50Mi
+              memory: 40Mi
   service:
     main:
       controller: main

clusters/cl01tl/helm/directus/values.yaml

@@ -143,7 +143,7 @@ directus:
           resources:
             requests:
               cpu: 10m
-              memory: 1Gi
+              memory: 300Mi
   service:
     main:
       controller: main

clusters/cl01tl/helm/foldergram/Chart.yaml

@@ -24,4 +24,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://raw.githubusercontent.com/foldergram/foldergram/refs/heads/main/client/public/icon-512.png
 # renovate: datasource=github-releases depName=foldergram/foldergram
-appVersion: v1.0.8
+appVersion: v1.0.9

clusters/cl01tl/helm/freshrss/values.yaml

@@ -79,7 +79,7 @@ freshrss:
           resources:
             requests:
               cpu: 1m
-              memory: 128Mi
+              memory: 100Mi
   service:
     main:
       controller: main

clusters/cl01tl/helm/garage/values.yaml

@@ -28,7 +28,7 @@ garage:
           resources:
             requests:
               cpu: 10m
-              memory: 400Mi
+              memory: 200Mi
     server-2:
       type: deployment
       replicas: 1
@@ -57,7 +57,7 @@ garage:
           resources:
             requests:
               cpu: 10m
-              memory: 400Mi
+              memory: 200Mi
     server-3:
       type: deployment
       replicas: 1
@@ -86,7 +86,7 @@ garage:
           resources:
             requests:
               cpu: 10m
-              memory: 400Mi
+              memory: 200Mi
     webui:
       type: deployment
       replicas: 1

clusters/cl01tl/helm/grafana-operator/templates/grafana.yaml

@@ -61,7 +61,7 @@ spec:
               resources:
                 requests:
                   cpu: 20m
-                  memory: 120Mi
+                  memory: 150Mi
               env:
                 - name: AUTH_CLIENT_ID
                   valueFrom:

clusters/cl01tl/helm/harbor/Chart.yaml

@@ -4,15 +4,14 @@ version: 1.0.0
 description: Harbor
 keywords:
   - harbor
-  - images
+  - image-registry
-  - cache
+home: https://docs.alexlebens.dev/applications/harbor/
-  - kubernetes
-home: https://wiki.alexlebens.dev/s/7e132c13-afee-48ec-b3dd-efd656d240c9
 sources:
   - https://github.com/goharbor
-  - https://github.com/cloudnative-pg/cloudnative-pg
+  - https://github.com/orgs/goharbor/packages
   - https://github.com/goharbor/harbor-helm
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
 maintainers:
   - name: alexlebens
 dependencies:

clusters/cl01tl/helm/harbor/templates/external-secret.yaml

@@ -14,85 +14,49 @@ spec:
   data:
     - secretKey: HARBOR_ADMIN_PASSWORD
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/harbor/config
-        metadataPolicy: None
         property: admin-password
     - secretKey: secretKey
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/harbor/config
-        metadataPolicy: None
         property: secretKey
     - secretKey: CSRF_KEY
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/harbor/core
-        metadataPolicy: None
         property: CSRF_KEY
     - secretKey: secret
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/harbor/core
-        metadataPolicy: None
         property: secret
     - secretKey: tls.crt
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/harbor/core
-        metadataPolicy: None
         property: tls.crt
     - secretKey: tls.key
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/harbor/core
-        metadataPolicy: None
         property: tls.key
     - secretKey: JOBSERVICE_SECRET
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/harbor/jobservice
-        metadataPolicy: None
         property: JOBSERVICE_SECRET
     - secretKey: REGISTRY_HTTP_SECRET
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/harbor/registry
-        metadataPolicy: None
         property: REGISTRY_HTTP_SECRET
     - secretKey: REGISTRY_REDIS_PASSWORD
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/harbor/registry
-        metadataPolicy: None
         property: REGISTRY_REDIS_PASSWORD
     - secretKey: REGISTRY_HTPASSWD
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/harbor/registry
-        metadataPolicy: None
         property: REGISTRY_HTPASSWD
     - secretKey: REGISTRY_CREDENTIAL_PASSWORD
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/harbor/registry
-        metadataPolicy: None
         property: REGISTRY_CREDENTIAL_PASSWORD
     - secretKey: REGISTRY_PASSWD
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/harbor/registry
-        metadataPolicy: None
         property: REGISTRY_CREDENTIAL_PASSWORD

clusters/cl01tl/helm/harbor/values.yaml

@@ -21,13 +21,9 @@ harbor:
         size: 100Gi
   existingSecretAdminPassword: harbor-secret
   existingSecretAdminPasswordKey: HARBOR_ADMIN_PASSWORD
-  internalTLS:
-    enabled: false
   ipFamily:
     ipv6:
       enabled: false
-    ipv4:
-      enabled: true
   updateStrategy:
     type: Recreate
   existingSecretSecretKey: harbor-secret
@@ -73,12 +69,12 @@ harbor:
     credentials:
       existingSecret: harbor-secret
     upload_purging:
-      enabled: true
       age: 72h
-      interval: 24h
-      dryrun: false
   trivy:
     enabled: true
+    image:
+      repository: ghcr.io/goharbor/trivy-adapter-photon
+      tag: v2.15.0@sha256:6fd6de9cfbbb04cb1d94722cfa01cf71b8994d3f9e7891d3b03a89a7536480ba
   database:
     type: external
     external:
@@ -109,32 +105,9 @@ postgres-18-cluster:
         destinationBucket: postgres-backups
         externalSecretCredentialPath: /garage/home-infra/postgres-backups
         isWALArchiver: true
-      # - name: garage-remote
-      #   index: 1
-      #   destinationBucket: postgres-backups
-      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
-      #   retentionPolicy: "90d"
-      #   data:
-      #     compression: bzip2
-      # - name: external
-      #   index: 1
-      #   endpointURL: https://nyc3.digitaloceanspaces.com
-      #   destinationBucket: postgres-backups-ce540ddf106d186bbddca68a
-      #   externalSecretCredentialPath: /garage/home-infra/postgres-backups
-      #   isWALArchiver: false
     scheduledBackups:
       - name: live-backup
         suspend: false
         immediate: true
         schedule: "0 35 14 * * *"
         backupName: garage-local
-      # - name: weekly-backup
-      #   suspend: true
-      #   immediate: true
-      #   schedule: "0 0 4 * * SAT"
-      #   backupName: garage-remote
-      # - name: daily-backup
-      #   suspend: true
-      #   immediate: true
-      #   schedule: "0 0 0 * * *"
-      #   backupName: external

clusters/cl01tl/helm/headlamp/Chart.yaml

@@ -5,8 +5,7 @@ description: Headlamp
 keywords:
   - headlamp
   - dashboard
-  - kubernetes
+home: https://docs.alexlebens.dev/applications/headlamp/
-home: https://wiki.alexlebens.dev/s/6cc43960-78df-459d-aab6-433844249243
 sources:
   - https://github.com/headlamp-k8s/headlamp
   - https://github.com/headlamp-k8s/headlamp/tree/main/charts/headlamp

clusters/cl01tl/helm/headlamp/templates/external-secret.yaml

@@ -14,43 +14,25 @@ spec:
   data:
     - secretKey: OIDC_CLIENT_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /authentik/oidc/headlamp
-        metadataPolicy: None
         property: client
     - secretKey: OIDC_CLIENT_SECRET
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /authentik/oidc/headlamp
-        metadataPolicy: None
         property: secret
     - secretKey: OIDC_ISSUER_URL
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /authentik/oidc/headlamp
-        metadataPolicy: None
         property: issuer
     - secretKey: OIDC_SCOPES
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /authentik/oidc/headlamp
-        metadataPolicy: None
         property: scopes
     - secretKey: HEADLAMP_CONFIG_OIDC_VALIDATOR_IDP_ISSUER_URL
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /authentik/oidc/headlamp
-        metadataPolicy: None
         property: validator-issuer-url
     - secretKey: HEADLAMP_CONFIG_OIDC_VALIDATOR_CLIENT_ID
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /authentik/oidc/headlamp
-        metadataPolicy: None
         property: validator-client-id

clusters/cl01tl/helm/headlamp/templates/http-route.yaml

@@ -1,28 +0,0 @@
-apiVersion: gateway.networking.k8s.io/v1
-kind: HTTPRoute
-metadata:
-  name: headlamp
-  namespace: {{ .Release.Namespace }}
-  labels:
-    app.kubernetes.io/name: headlamp
-    app.kubernetes.io/instance: {{ .Release.Name }}
-    app.kubernetes.io/part-of: {{ .Release.Name }}
-spec:
-  parentRefs:
-    - group: gateway.networking.k8s.io
-      kind: Gateway
-      name: traefik-gateway
-      namespace: traefik
-  hostnames:
-    - headlamp.alexlebens.net
-  rules:
-    - matches:
-      - path:
-          type: PathPrefix
-          value: /
-      backendRefs:
-        - group: ''
-          kind: Service
-          name: headlamp
-          port: 80
-          weight: 100

clusters/cl01tl/helm/headlamp/values.yaml

@@ -1,5 +1,9 @@
 headlamp:
   replicaCount: 2
+  image:
+    registry: ghcr.io
+    repository: headlamp-k8s/headlamp
+    tag: v0.41.0@sha256:89c6c65810bfde61796483c93c70d659104355593792bf55cab680d685da8eeb
   config:
     oidc:
       secret:
@@ -10,10 +14,30 @@ headlamp:
     watchPlugins: true
     # Bypasses: https://github.com/kubernetes-sigs/headlamp/issues/4883
     sessionTTL: null
+  httpRoute:
+    enabled: true
+    parentRefs:
+      - group: gateway.networking.k8s.io
+        kind: Gateway
+        name: traefik-gateway
+        namespace: traefik
+    hostnames:
+      - headlamp.alexlebens.net
+    rules:
+      - matches:
+        - path:
+            type: PathPrefix
+            value: /
+        backendRefs:
+          - group: ''
+            kind: Service
+            name: headlamp
+            port: 80
+            weight: 100
   resources:
     requests:
-      cpu: 10m
+      cpu: 1m
-      memory: 128Mi
+      memory: 80Mi
   pluginsManager:
     enabled: true
     securityContext:

clusters/cl01tl/helm/home-assistant/Chart.yaml

@@ -4,14 +4,13 @@ version: 1.0.0
 description: Home Assistant
 keywords:
   - home-assistant
-  - home
+  - home-automation
-  - automation
+home: https://docs.alexlebens.dev/applications/home-assistant/
-home: https://wiki.alexlebens.dev/s/5462c17e-cd39-4082-ad01-94545a2fa3ca
 sources:
-  - https://www.home-assistant.io/
   - https://github.com/home-assistant/core
   - https://github.com/home-assistant/core/pkgs/container/home-assistant
   - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+  - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/volsync-target
 maintainers:
   - name: alexlebens
 dependencies:

clusters/cl01tl/helm/home-assistant/templates/external-secret.yaml

@@ -14,17 +14,11 @@ spec:
   data:
     - secretKey: PASSWORD
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/home-assistant/code-server/auth
-        metadataPolicy: None
         property: PASSWORD
     - secretKey: SUDO_PASSWORD
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/home-assistant/code-server/auth
-        metadataPolicy: None
         property: SUDO_PASSWORD
 
 ---
@@ -44,8 +38,5 @@ spec:
   data:
     - secretKey: bearer-token
       remoteRef:
-        conversionStrategy: Default
-        decodingStrategy: None
         key: /cl01tl/home-assistant/auth
-        metadataPolicy: None
         property: bearer-token

clusters/cl01tl/helm/home-assistant/values.yaml

@@ -4,28 +4,29 @@ home-assistant:
       type: deployment
       replicas: 1
       strategy: Recreate
-      revisionHistoryLimit: 3
+      pod:
+        securityContext:
+          fsGroup: 1000
+          fsGroupChangePolicy: OnRootMismatch
       containers:
         main:
           image:
             repository: ghcr.io/home-assistant/home-assistant
-            tag: 2026.3.4
+            tag: 2026.3.4@sha256:916682086154a7390114a9788782b8efb199852d4f7d47066722c2bc5d1829e6
-            pullPolicy: IfNotPresent
           env:
             - name: TZ
-              value: US/Central
+              value: America/Chicago
           resources:
             requests:
-              cpu: 50m
+              cpu: 1m
-              memory: 512Mi
+              memory: 400Mi
         code-server:
           image:
             repository: ghcr.io/linuxserver/code-server
             tag: 4.112.0@sha256:4bb5b8ad22268001687c047f0f04933799fb03df1eb0e1e266ba15ed2d9f4e8b
-            pullPolicy: IfNotPresent
           env:
             - name: TZ
-              value: US/Central
+              value: America/Chicago
             - name: PUID
               value: 1000
             - name: PGID
@@ -35,10 +36,6 @@ home-assistant:
           envFrom:
             - secretRef:
                 name: home-assistant-code-server-password-secret
-          resources:
-            requests:
-              cpu: 10m
-              memory: 128Mi
   service:
     main:
       controller: main
@@ -82,11 +79,8 @@ home-assistant:
         - home-assistant.alexlebens.net
       rules:
         - backendRefs:
-            - group: ''
+            - name: home-assistant-main
-              kind: Service
-              name: home-assistant-main
               port: 80
-              weight: 100
           matches:
             - path:
                 type: PathPrefix
@@ -102,11 +96,8 @@ home-assistant:
         - home-assistant-code-server.alexlebens.net
       rules:
         - backendRefs:
-            - group: ''
+            - name: home-assistant-code-server
-              kind: Service
-              name: home-assistant-code-server
               port: 8443
-              weight: 100
           matches:
             - path:
                 type: PathPrefix

clusters/cl01tl/helm/homepage/Chart.yaml

@@ -19,4 +19,4 @@ dependencies:
     version: 4.6.2
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons/png/homepage.png
 # renovate: datasource=github-releases depName=gethomepage/homepage
-appVersion: v1.12.0
+appVersion: v1.12.1

clusters/cl01tl/helm/homepage/values.yaml

@@ -16,7 +16,7 @@ homepage:
         main:
           image:
             repository: ghcr.io/gethomepage/homepage
-            tag: v1.12.0
+            tag: v1.12.1
             pullPolicy: IfNotPresent
           env:
             - name: HOMEPAGE_ALLOWED_HOSTS

clusters/cl01tl/helm/music-grabber/Chart.yaml

@@ -17,4 +17,5 @@ dependencies:
     alias: music-grabber
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.6.2
-appVersion: 2.0.4
+# renovate: datasource=docker depName=g33kphr33k/musicgrabber
+appVersion: 2.5.3

clusters/cl01tl/helm/music-grabber/values.yaml

@@ -9,7 +9,7 @@ music-grabber:
         main:
           image:
             repository: g33kphr33k/musicgrabber
-            tag: 2.5.2
+            tag: 2.5.3
             pullPolicy: IfNotPresent
           env:
             - name: MUSIC_DIR

clusters/cl01tl/helm/postiz/values.yaml

@@ -9,7 +9,7 @@ postiz:
         main:
           image:
             repository: ghcr.io/gitroomhq/postiz-app
-            tag: v2.21.2
+            tag: v2.21.4
             pullPolicy: IfNotPresent
           env:
             - name: MAIN_URL

clusters/cl01tl/helm/rybbit/Chart.yaml

@@ -31,4 +31,4 @@ dependencies:
     repository: oci://harbor.alexlebens.net/helm-charts
 icon: https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/rybbit.webp
 # renovate: datasource=github-releases depName=rybbit-io/rybbit
-appVersion: v2.4.0
+appVersion: v2.5.0

clusters/cl01tl/helm/rybbit/values.yaml

@@ -9,7 +9,7 @@ rybbit:
         main:
           image:
             repository: ghcr.io/rybbit-io/rybbit-backend
-            tag: v2.4.0
+            tag: v2.5.0
             pullPolicy: IfNotPresent
           env:
             - name: NODE_ENV

clusters/cl01tl/helm/searxng/values.yaml

@@ -9,7 +9,7 @@ searxng:
         main:
           image:
             repository: searxng/searxng
-            tag: latest@sha256:c026ed4cb1a29b21878fed2c13f4c31fa811b8b03d931aa8764e8528177e2862
+            tag: latest@sha256:4d7ed8b7035ecf827bd901ba6d32f5c32d8119bc09bb3cdafeb0ce58f1b951c1
             pullPolicy: IfNotPresent
           env:
             - name: SEARXNG_BASE_URL
@@ -39,7 +39,7 @@ searxng:
         main:
           image:
             repository: searxng/searxng
-            tag: latest@sha256:c026ed4cb1a29b21878fed2c13f4c31fa811b8b03d931aa8764e8528177e2862
+            tag: latest@sha256:4d7ed8b7035ecf827bd901ba6d32f5c32d8119bc09bb3cdafeb0ce58f1b951c1
             pullPolicy: IfNotPresent
           env:
             - name: SEARXNG_BASE_URL

clusters/cl01tl/helm/tdarr/values.yaml

@@ -39,9 +39,28 @@ tdarr:
               cpu: 200m
               memory: 1Gi
     node:
-      type: daemonset
+      type: statefulset
+      replicas: 3
       revisionHistoryLimit: 3
+      statefulset:
+        volumeClaimTemplates:
+          - name: transcode-cache
+            accessMode: ReadWriteOnce
+            size: 20Gi
+            storageClass: local-path
+            globalMounts:
+              - path: /tcache
       pod:
+        affinity:
+          podAntiAffinity:
+            requiredDuringSchedulingIgnoredDuringExecution:
+              - labelSelector:
+                  matchExpressions:
+                    - key: app.kubernetes.io/instance
+                      operator: In
+                      values:
+                        - tdarr
+                topologyKey: kubernetes.io/hostname
         nodeSelector:
           intel.feature.node.kubernetes.io/gpu: "true"
       containers:
@@ -144,13 +163,6 @@ tdarr:
           main:
             - path: /tcache
               readOnly: false
-    node-cache:
-      type: emptyDir
-      advancedMounts:
-        node:
-          main:
-            - path: /tcache
-              readOnly: false
     media:
       existingClaim: tdarr-nfs-storage
       advancedMounts:
@@ -166,7 +178,7 @@ tdarr-exporter:
   image:
     name: homeylab/tdarr-exporter
     # renovate: datasource=docker depName=homeylab/tdarr-exporter
-    tag: 1.4.2
+    tag: 1.4.3
   metrics:
     serviceMonitor:
       enabled: true

hosts/ps10rp/homepage/compose.yaml

@@ -32,7 +32,7 @@ services:
             - /var/run/docker.sock:/var/run/docker.sock:ro
 
     homepage:
-        image: ghcr.io/gethomepage/homepage:v1.12.0@sha256:5bb66eac5d48f021fd60414add03aa123d1feb85770550ddb1d99a5b8851c6c2
+        image: ghcr.io/gethomepage/homepage:v1.12.1@sha256:9627769818fbfb14147d3e633e57cef9c27c0c5f07585f5a1d6c3d3425b3b33c
         container_name: homepage
         labels:
             traefik.enable: true

renovate.json

@@ -3,10 +3,7 @@
   "extends": [
     "config:recommended",
     "mergeConfidence:all-badges",
-    ":rebaseStalePrs",
+    ":rebaseStalePrs"
-    "group:recommended",
-    "group:monorepos",
-    "group:kubernetesMonorepo"
   ],
   "timezone": "America/Chicago",
   "labels": [],
@@ -19,18 +16,28 @@
   ],
   "customManagers": [
     {
-      "description": "Generic Renovate tag matcher for Helm",
+      "description": "Renovate tag matcher for Helm chart appVersion",
       "customType": "regex",
       "managerFilePatterns": [
-        "(^|/)Chart\\.yaml$",
+        "/(^|/)Chart\\.yaml$/"
-        "(^|/)values\\.yaml$",
-        "(^|/)templates/.*\\.yaml$"
       ],
       "matchStrings": [
-        "#\\s*renovate:\\s*datasource=(?<datasource>[^\\s]+)\\s+depName=(?<depName>[^\\s]+)(?:\\s+versioning=(?<versioning>[^\\s]+))?\\s*[a-zA-Z0-9_-]+:\\s*[\"']?(?<currentValue>[^\"'\\s]+(?:@sha256:[a-f0-9]+)?)[\"']?"
+        "#\\s*renovate:\\s*datasource=(?<datasource>\\S+)\\s+depName=(?<depName>\\S+)(?:\\s+versioning=(?<versioning>\\S+))?\\s+appVersion:\\s*[\"']?(?<currentValue>[^\\s\"']+)[\"']?"
       ],
       "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver-coerced{{/if}}"
     },
+    {
+      "description": "Renovate tag matcher for Helm values and templates",
+      "customType": "regex",
+      "managerFilePatterns": [
+        "/(^|/)values\\.yaml$/",
+        "/(^|/)templates/.*\\.yaml$/"
+      ],
+      "matchStrings": [
+        "#\\s*renovate:\\s*datasource=(?<datasource>\\S+)\\s+depName=(?<depName>\\S+)(?:\\s+versioning=(?<versioning>\\S+))?\\s+tag:\\s*[\"']?(?<currentValue>[^@\\s\"']+)(?:@(?<currentDigest>sha256:[a-f0-9]+))?[\"']?"
+      ],
+      "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}docker{{/if}}"
+    },
     {
       "description": "Update Helm CLI version in GitHub Actions",
       "customType": "regex",
@@ -67,39 +74,48 @@
       "enabled": false
     },
     {
-      "description": "Universal dynamic labeling by datasource",
+      "description": "Label Helm updates",
-      "matchPackageNames": [
+      "matchDatasources": [
-        "*"
+        "helm"
       ],
       "addLabels": [
-        "{{{datasource}}}"
+        "helm"
+      ]
+    },
+    {
+      "description": "Label Docker updates",
+      "matchDatasources": [
+        "docker"
+      ],
+      "addLabels": [
+        "docker"
       ]
     },
     {
       "description": "Versioning for LinuxServer images",
       "versioning": "regex:^v?(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)-ls(?<revision>\\d+)$",
       "matchPackageNames": [
-        "/^linuxserver\\//",
+        "/^linuxserver//",
-        "/^ghcr\\.io/linuxserver\\//",
+        "/^ghcr\\.io/linuxserver//",
-        "/^lscr\\.io/linuxserver\\//"
+        "/^lscr\\.io/linuxserver//"
       ]
     },
     {
       "description": "Group packages together by stripping all registry/namespace prefixes",
-      "matchManagers": [
+      "groupName": "{{#if packageName}}{{{replace '^.*/([^/]+)$' '$1' packageName}}}{{else}}{{{replace '^.*/([^/]+)$' '$1' depName}}}{{/if}}",
+      "groupSlug": "unified-{{{groupName}}}",
+      "matchPackageNames": [
         "*"
-      ],
+      ]
-      "groupName": "{{#if packageName}}{{{replace '^.*?/(.*)$' '$1' packageName}}}{{else}}{{{replace '^.*?/(.*)$' '$1' depName}}}{{/if}}",
-      "groupSlug": "unified-{{{groupName}}}"
     },
     {
-      "description": "Group for specific apps",
+      "description": "Group for specific apps, these have different package and repo names",
+      "groupName": "{{{replace '^.*(argo-cd|bazarr|cilium|code-server|dawarich|element-web|home-assistant|immich|komodo|postiz|rook-ceph|roundcube|rybbit|tdarr|traefik).*$' '$1' depName}}}",
+      "groupSlug": "unified-{{{groupName}}}",
       "matchPackageNames": [
-        "/(^|/)(argo-cd|bazarr|cilium|code-server|dawarich|element-web|home-assistant|immich|komodo|rook-ceph|tdarr|traefik)/",
+        "/(^|/)(argo-cd|bazarr|cilium|code-server|dawarich|element-web|home-assistant|immich|komodo|postiz|rook-ceph|roundcube|rybbit|tdarr|traefik)/",
-        "/^rook(-ceph|\\/rook|\\/ceph)/"
+        "/^rook(-ceph|/rook|/ceph)/"
-      ],
+      ]
-      "groupName": "{{{replace '^.*(argo-cd|bazarr|cilium|code-server|dawarich|element-web|home-assistant|immich|komodo|rook-ceph|tdarr|traefik).*$' '$1' depName}}}",
-      "groupSlug": "unified-{{{groupName}}}"
     },
     {
       "description": "Automerge helm chart lock files",
@@ -147,9 +163,6 @@
         "patch",
         "pinDigest"
       ],
-      "matchDatasources": [
-        "*"
-      ],
       "addLabels": [
         "{{{datasource}}}",
         "automerge"