I’d definitely go with Renovate + ArgoCD, or any other GitOps-based tooling.

Ansible. Basically if I need to upgrade something for the first time, I write or extend an Ansible script an run those periodically.

Renovate couple with FluxCD if you’re in k8s land, or noco-cd if you’re on docker. GitOps is the way.

Proxmox helper scripts - at least the ones i use - come with a tag updateable. Those tagged have a command update that runs everything necessary on containers, VMs whatever.

Makes life simple, mostly.

The only manual interaction I’ve had was upgrading some VMs Debian from 12 to 13.

Since all my services are dockerized I just pull new images sporadically. But I think I should invest some time into finding automatic update reminders, especially when I have to hear about critical security updates from some random person on mastodon.

Snapshots and for i in $hosts;do ssh -tt "sudo apt update -y && sudo apt upgrade -y";done

For docker/k8s: argocd, helm, etc.

# nix flake update
# nixos-rebuild switch

Proxmox community scripts has some nice update tools

I use dockhand right now, but I used to just use compose pull

A dedicated Forgejo instance f.example.com.

For a small set of trusted “base” images (e.g. docker.io/alpine and docker.io/debian): A Forgejo Action on separate small runner, scheduled on cron to sync images to f.example.com/dockerio/ using skopeo copy.

Then all other runners have their docker/podman configuration changed to use that internal forgejo container registry instead of docker.io.

Other images are built from source in the Forgejo Actions CI. Not everything needs to be (or even should) be fully automated right off. You can keep some workflows manual while starting out and then increase automation as you tighten up your setup and get more confident in it. Follow the usual best practices around security and keep permissions scoped, giving them out only as needed.

Git repos are mirrored as Forgejo repo mirrors, forked if relevant, then built with Forgejo Actions and published to f.example.com/whatever/. Rarely but sometimes is it worth spending time on reusing existing Github Workflows from upstreams. More often I find it easier to just reuse my own workflows.

This way, runners can be kept fully offline and built by only accessing internal resources:

• apt/apk repo mirror or proxy
• synced base container images
• synced git sources

Same idea for npm or pypi packages etc.

Set up renovate¹ and iterate on its configuration to reduce insanity. Look in forgejo and codeberg infra repos for examples of how to automate rebasing of forked repo onto mirrors.

I would previously achieve the same thing by wiring together more targeted services and that’s still viable but Forgejo makes it easy if you want it all in one box. Just add TLS.

¹: Or anyone have anything better that’s straightforward to integrate? I’m not a huge fan of all the npm modules it pulls in or its github-centric perspective. Giving the same treatment to renovate itself here was a little bit more effort and digging than I think should really be necessary.

Arcane docker server checks for updates, notifies me when they’re available

for security relevant stuff I just get notifications of new github releases

Unattended upgrades 11 months out of the year.

Very attended apt upgrades 2 weeks out of the year.

1. Avoid anything with bad supply chains that fail iso27002
2. Yum via cron
3. Huh. That’s all of it.

Everything I run, I deploy and manage with ansible.

When I’m building out the role/playbook for a new service, I make sure to build in any special upgrade tasks it might have and tag them. When it’s time to run infrastructure-wide updates, I can run my single upgrade playbook and pull in the upgrade tasks for everything everywhere - new packages, container images, git releases, and all the service restart steps to load them.

It’s more work at the beginning to set the role/playbook up properly, but it makes maintaining everything so much nicer (which I think is vital to keep it all fun and manageable).

Renovate + GitOps. Check out https://github.com/onedr0p/cluster-template

If you don’t like Kubernetes, you can get a similar setup with doco-CD. Only limitation is that dococd can’t update itself, but you can use SOPS and Renovate all the same for the other services.