this post was submitted on 12 Apr 2026
112 points (97.5% liked)

Selfhosted

60093 readers
958 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam.

  3. Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.

  4. Don't duplicate the full text of your blog or git here. Just post the link for folks to click.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require your active participation in selfhosting or related communities, or the post will be removed. No more than 10% of your posts or comments may be self-promotional, or your post will be removed. F/LOSS Exception: If your post is about a project that is completely open source & can be self-hosted in full without payment, and your account is at least 7 days old, your post is exempt from this rule as long as you continue to engage in comments.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
ayyy@sh.itjust.works
curbstickle@anarchist.nexus
curbstickle_lw@lemmy.world
112
How Do you keep your services updated? (piefed.jeena.net)
submitted 2 months ago by jeena@piefed.jeena.net to c/selfhosted@lemmy.world
67 comments fedilink hide all child comments
 

Back in the day it was nice, apt get update && apt get upgrade and you were done.

But today every tool/service has it's own way to being installed and updated:

  • docker:latest
  • docker:v1.2.3
  • custom script
  • git checkout v1.2.3
  • same but with custom migration commands afterwards
  • custom commands change from release to release
  • expect to do update as a specific user
  • update nginx config
  • update own default config and service has dependencies on the config changes
  • expect new versions of tools
  • etc.

I selfhost around 20 services like PieFed, Mastodon, PeerTube, Paperless-ngx, Immich, open-webui, Grafana, etc. And all of them have some dependencies which need to be updated too.

And nowadays you can't really keep running on an older version especially when it's internet facing.

So anyway, what are your strategies how to keep sanity while keeping all your self hosted services up to date?

(page 2) 18 comments
sorted by: hot top controversial new old
[–] lorentz@feddit.it 1 points 2 months ago

I have a shell script that handles all the quircks. I run it every few weeks. It does a btrfs snapshot so I can go back in case something is wrong, and after it updates Docker and Podman to the latest label.

For services not containized I have some automation to fetch the last version from internet (for example some home assistant addons that are just js files).

For the updates that are more difficult to script (or just not worth because they are very infrequent) I have a script that compares the running version with what published on their website and warns me I have a manual update.

Since most of the projecs I host have a gitub page it is relatively simple to write reusable code to do this stuff.

In general I don't trust automatic updates, there are seldom issues but they can be annoying to fix. So I just prefer to updates by hand whenever I have a few minutes free and I know I have direct access to the server in case the connection drops.

[–] seedlord_com@lemmy.zip 1 points 2 months ago

I'd definitely go with Renovate + ArgoCD, or any other GitOps-based tooling.

[–] quick_snail@feddit.nl 1 points 2 months ago* (last edited 2 months ago)

Unattended upgrades 11 months out of the year.

Very attended apt upgrades 2 weeks out of the year.

[–] uenticx@lemmy.world 1 points 2 months ago* (last edited 2 months ago)

Snapshots and for i in $hosts;do ssh -tt "sudo apt update -y && sudo apt upgrade -y";done

For docker/k8s: argocd, helm, etc.

[–] kossa@feddit.org 1 points 2 months ago

Ansible. Basically if I need to upgrade something for the first time, I write or extend an Ansible script an run those periodically.

[–] p4rzivalrp2@piefed.social 1 points 2 months ago

I use dockhand right now, but I used to just use compose pull

[–] richardwonka@slrpnk.net 1 points 2 months ago

Proxmox helper scripts - at least the ones i use - come with a tag updateable. Those tagged have a command update that runs everything necessary on containers, VMs whatever.

Makes life simple, mostly.

The only manual interaction I’ve had was upgrading some VMs Debian from 12 to 13.

[–] 1984@lemmy.today 1 points 2 months ago* (last edited 2 months ago) (1 children)

I just run watchtower in docker. It will watch all your other docker images and update them to latest version automatically if you want.

It works fine but with time, I stopped thinking i need to be on latest version all the time. It really isnt very important.

Just a few of my services are open on the internet, mainly caddy and wireguard.

load more comments (1 replies)
[–] ken@discuss.tchncs.de 1 points 2 months ago* (last edited 2 months ago)

A dedicated Forgejo instance f.example.com.

For a small set of trusted "base" images (e.g. docker.io/alpine and docker.io/debian): A Forgejo Action on separate small runner, scheduled on cron to sync images to f.example.com/dockerio/ using skopeo copy.

Then all other runners have their docker/podman configuration changed to use that internal forgejo container registry instead of docker.io.

Other images are built from source in the Forgejo Actions CI. Not everything needs to be (or even should) be fully automated right off. You can keep some workflows manual while starting out and then increase automation as you tighten up your setup and get more confident in it. Follow the usual best practices around security and keep permissions scoped, giving them out only as needed.

Git repos are mirrored as Forgejo repo mirrors, forked if relevant, then built with Forgejo Actions and published to f.example.com/whatever/. Rarely but sometimes is it worth spending time on reusing existing Github Workflows from upstreams. More often I find it easier to just reuse my own workflows.

This way, runners can be kept fully offline and built by only accessing internal resources:

  • apt/apk repo mirror or proxy
  • synced base container images
  • synced git sources

Same idea for npm or pypi packages etc.

Set up renovate^1^ and iterate on its configuration to reduce insanity. Look in forgejo and codeberg infra repos for examples of how to automate rebasing of forked repo onto mirrors.

I would previously achieve the same thing by wiring together more targeted services and that's still viable but Forgejo makes it easy if you want it all in one box. Just add TLS.

^1^: Or anyone have anything better that's straightforward to integrate? I'm not a huge fan of all the npm modules it pulls in or its github-centric perspective. Giving the same treatment to renovate itself here was a little bit more effort and digging than I think should really be necessary.

[–] eodur@piefed.social 1 points 2 months ago

Renovate couple with FluxCD if you're in k8s land, or noco-cd if you're on docker. GitOps is the way.

[–] corsicanguppy@lemmy.ca 0 points 2 months ago
  1. Avoid anything with bad supply chains that fail iso27002
  2. Yum via cron
  3. Huh. That's all of it.
load more comments
view more: ‹ prev next ›