I’d definitely go with Renovate + ArgoCD, or any other GitOps-based tooling.

Ansible. Basically if I need to upgrade something for the first time, I write or extend an Ansible script an run those periodically.

Renovate couple with FluxCD if you’re in k8s land, or noco-cd if you’re on docker. GitOps is the way.

Proxmox helper scripts - at least the ones i use - come with a tag updateable. Those tagged have a command update that runs everything necessary on containers, VMs whatever.

Makes life simple, mostly.

The only manual interaction I’ve had was upgrading some VMs Debian from 12 to 13.

Everything I run, I deploy and manage with ansible.

When I’m building out the role/playbook for a new service, I make sure to build in any special upgrade tasks it might have and tag them. When it’s time to run infrastructure-wide updates, I can run my single upgrade playbook and pull in the upgrade tasks for everything everywhere - new packages, container images, git releases, and all the service restart steps to load them.

It’s more work at the beginning to set the role/playbook up properly, but it makes maintaining everything so much nicer (which I think is vital to keep it all fun and manageable).

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

5 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.

[Thread #233 for this comm, first seen 12th Apr 2026, 05:50] [FAQ] [Full list] [Contact] [Source code]

Renovate + GitOps. Check out https://github.com/onedr0p/cluster-template

If you don’t like Kubernetes, you can get a similar setup with doco-CD. Only limitation is that dococd can’t update itself, but you can use SOPS and Renovate all the same for the other services.

I run most of my services in containers with Podman Quadlets. One of them is Forgejo on which I have repos for all my quadlet (systemd) files and use renovate to update the image tags. Renovate creates PRs and can also show you release notes for the image it wants you to update to.

I currently check the PRs manually as well as pulling the latest git commits on my server. But this could also be further automated to one’s liking.

• use APT repositories when possible -> then unattended-upgrades
• For OCI images that do not provide tagged releases (looking at you searxng…), podman auto-update
• for everything else, subscribe to releases RSS feed, read release notes when they come out, check for breaking changes and possibly interesting stuff, update version in ansible playbook, deploy ansible playbook

Since all my services are dockerized I just pull new images sporadically. But I think I should invest some time into finding automatic update reminders, especially when I have to hear about critical security updates from some random person on mastodon.

Snapshots and for i in $hosts;do ssh -tt "sudo apt update -y && sudo apt upgrade -y";done

For docker/k8s: argocd, helm, etc.

Wow, that sounds like a nightmare. Here’s my workflow:

nix flake update
nixos-rebuild switch

That gives me an atomic, rollbackable update of every service running on the machine.

One of the reasons I switched to YunoHost (the other being backups).

All my services run in podman containers managed by systemd (using quadlets). They usually point to the :latest tag and I’ve configured the units to pull on start when there is a new version in my repository. Since I’m using opensuse microos, my server (and thus all services) restart regularly.

For the units that are configured differently, I update the versions in their respective ansible playbooks and redeploy (though I guess I could optimize this a bit, I’ve only scratched the surface of ansible).

Podman automatically updates my containers for me.