Pin Docker image versions and fix config drift

- Pin all :latest tags to specific versions for reproducibility: jellyfin→10.11.6, gitea→1.24, portainer→2.39.0, qbittorrent→5.1.4 - Fix nextcloud config drift: repo had :29, live was running :32 - Fix qbittorrent: remove user: directive (breaks s6-overlay init) - Fix portainer: remove healthcheck (distroless image has no shell)
2026-02-28 00:28:17 +01:00
parent 059daa77aa
commit ea1c71f0f0
5 changed files with 7 additions and 13 deletions
--- a/config/docker/gitea/docker-compose.yml
+++ b/config/docker/gitea/docker-compose.yml
@@ -14,7 +14,7 @@ networks:

 services:
  server:
-    image: gitea/gitea:latest
+    image: gitea/gitea:1.24
    container_name: gitea
    environment:
      - USER_UID=1000
--- a/config/docker/jellyfin/docker-compose.yml
+++ b/config/docker/jellyfin/docker-compose.yml
@@ -11,7 +11,7 @@

 services:
  jellyfin:
-    image: jellyfin/jellyfin:latest
+    image: jellyfin/jellyfin:10.11.6
    container_name: jellyfin
    restart: unless-stopped

--- a/config/docker/nextcloud/docker-compose.yml
+++ b/config/docker/nextcloud/docker-compose.yml
@@ -31,7 +31,7 @@ services:
      - nextcloud

  nextcloud-app:
-    image: nextcloud:29
+    image: nextcloud:32
    restart: unless-stopped
    container_name: nextcloud-app
    ports:
--- a/config/docker/portainer/docker-compose.yml
+++ b/config/docker/portainer/docker-compose.yml
@@ -9,7 +9,7 @@

 services:
  portainer:
-    image: portainer/portainer-ce:latest
+    image: portainer/portainer-ce:2.39.0
    container_name: portainer
    restart: unless-stopped

@@ -38,13 +38,7 @@ services:
          cpus: '0.1'
          memory: 128M

-    # Health check
-    healthcheck:
-      test: ["CMD", "wget", "--no-verbose", "--tries=1", "--spider", "http://localhost:9000/api/status"]
-      interval: 30s
-      timeout: 10s
-      retries: 3
-      start_period: 30s
+    # No healthcheck — Portainer is distroless (no shell available)

 volumes:
  portainer_data:
--- a/config/docker/qbittorrent/docker-compose.yml
+++ b/config/docker/qbittorrent/docker-compose.yml
@@ -11,7 +11,7 @@

 services:
  qbittorrent:
-    image: linuxserver/qbittorrent:latest
+    image: linuxserver/qbittorrent:5.1.4
    container_name: qbittorrent
    restart: unless-stopped

@@ -23,7 +23,7 @@ services:
      - WEBUI_PORT=8080

    # Security hardening
-    user: "1000:1000"
+    # NOTE: No user: directive — linuxserver uses s6-overlay (starts as root, drops to PUID/PGID)
    read_only: false  # qBittorrent needs write access for downloads
    tmpfs:
      - /tmp:noexec,nosuid,size=100m