Matt Cupp edited this page 2026-05-29 17:35:45 -04:00

Renovate

Automated dependency updater for Docker image tags. Scans all docker-compose.yml files in the homelab-docker repo and opens PRs in Forgejo when newer image tags are available. All PRs require manual review — nothing auto-merges.

How It Runs

Renovate is a one-shot container (restart: "no"). It does not run as a daemon. A cron job on Nexus launches it at the top of every hour:

0 * * * * cd /home/matt/repos/homelab-docker/renovate && docker compose run --rm renovate

The cron entry runs as the matt user. To view or edit it:

ssh matt@192.168.1.226 'crontab -l'
ssh matt@192.168.1.226 'crontab -e'

Configuration Files

File | Location | Purpose
config.js | /mnt/server/containers/renovate/config.js on Nexus | Real config — Forgejo endpoint, API token, PR rules. Not in git.
renovate.json | Repo root of homelab-docker | Schema pointer only — contains no actual settings. See note below.
docker-compose.yml | renovate/docker-compose.yml in homelab-docker repo | Container definition used by cron
Log | /mnt/server/containers/renovate/renovate.log on Nexus | Output from every run

renovate.json is a placeholder. The file in the homelab-docker repo root contains only {"$schema": "https://docs.renovatebot.com/renovate-schema.json"}. It exists to satisfy schema validation tooling. All real Renovate settings live in config.js on Nexus (server-side only — it contains an unencrypted Forgejo API token and must not be committed to git).

Docker Compose

services:
  renovate:
    image: renovate/renovate:43.186.1
    container_name: renovate
    restart: "no"
    environment:
      - RENOVATE_GITHUB_COM_TOKEN=no-github
    volumes:
      - /mnt/server/containers/renovate/config.js:/usr/src/app/config.js:ro
      - /mnt/server/containers/renovate/data:/tmp/renovate

RENOVATE_GITHUB_COM_TOKEN=no-github suppresses the GitHub token requirement. This homelab uses Forgejo and does not need GitHub release notes.

PR Behavior

Setting | Value
automerge | false — all updates require human review
prConcurrentLimit | 5 — max 5 open PRs at once
Major version bumps | Auto-labeled needs-manual-review

Treat these PRs with extra caution before merging:

  • Bookstack, Tandoor, Home Assistant — stateful data; take a manual snapshot before merging
  • Postgres / MariaDB major versions — may require manual migration steps
  • Any PR labeled needs-manual-review

What Renovate Tracks

  • All pinned image tags in docker-compose.yml files under the homelab-docker repo
  • Docker Hub images and GHCR images
  • Its own image tag (renovate/renovate)

What Renovate Does Not Track

Service | Reason
dispatcharr | ghcr.io/dispatcharr/dispatcharr only publishes latest — no semver tags. Renovate cannot open PRs for it. Check the GHCR page or GitHub releases manually.

Komodo Relationship

Renovate is intentionally not managed by Komodo. If it were included in the Komodo deploy procedure, every push to main would trigger a Renovate scan — which is redundant and would race with the cron schedule. Renovate is cron-only.

Troubleshooting

Check the log:

ssh matt@192.168.1.226 'tail -f /mnt/server/containers/renovate/renovate.log'

Manually trigger a run:

ssh matt@192.168.1.226 'cd /home/matt/repos/homelab-docker/renovate && docker compose run --rm renovate'

No PRs after a run: Renovate may have found everything up to date. Check the log for "no updates found". Also verify:

  • Image tags in compose files are pinned to explicit versions (not :latest)
  • renovate-bot has Write collaborator access on the homelab-docker repo in Forgejo
  • The homelab-docker repo has the renovate topic set in Forgejo
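
One way to run the first check across the whole repo, as an added example that is not part of the original page or of Renovate itself: the function names are hypothetical, and the script assumes single-line image: entries in files named docker-compose.yml. It reports every image reference that is tagged latest or has no tag at all (which Docker resolves to latest), and treats digest pins and registry ports correctly.

```shell
#!/bin/sh
# Added example (not from the original page): list compose image references
# that are not pinned to an explicit version.
# Usage after sourcing this file:
#   find_unpinned_images /home/matt/repos/homelab-docker

# classify_image REF -> prints "pinned", "latest" or "untagged"
classify_image() {
  # A digest pin (name@sha256:...) is explicit regardless of any tag.
  case "$1" in *@sha256:*) echo pinned; return 0 ;; esac
  # Only the final path component can carry a tag; a colon earlier in the
  # reference is a registry port (constructed sample: registry.example:5000/app).
  last="${1##*/}"
  case "$last" in
    *:latest) echo latest ;;
    *:*)      echo pinned ;;
    *)        echo untagged ;;   # no tag: Docker pulls :latest
  esac
}

# find_unpinned_images [DIR] -> one "status<TAB>file<TAB>image" line per finding
find_unpinned_images() {
  root="${1:-.}"
  find "$root" -type f -name 'docker-compose.yml' | sort |
  while IFS= read -r file; do
    # Commented-out lines start with '#', so they never match this pattern.
    grep -E '^[[:space:]]*image:' "$file" |
    while IFS= read -r line; do
      ref="${line#*image:}"      # drop the key
      ref="${ref%%#*}"           # drop a trailing comment
      ref="$(printf '%s' "$ref" | tr -d "\"' \t\r")"   # drop quotes/whitespace
      if [ -n "$ref" ]; then
        status="$(classify_image "$ref")"
        if [ "$status" != pinned ]; then
          printf '%s\t%s\t%s\n' "$status" "$file" "$ref"
        fi
      fi
    done
  done
}
```

Empty output means every image reference found is pinned to a tag or digest.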

Auth fails to Forgejo: Verify the token in /mnt/server/containers/renovate/config.js matches the renovate-bot user's active token in Forgejo (Settings → Applications).