13
How Do you keep your services updated? (piefed.jeena.net)
submitted 1 month ago by jeena@piefed.jeena.net to c/selfhosted@lemmy.world
24 comments fedilink hide all child comments

Back in the day it was nice, apt get update && apt get upgrade and you were done.

But today every tool/service has it's own way to being installed and updated:

  • docker:latest
  • docker:v1.2.3
  • custom script
  • git checkout v1.2.3
  • same but with custom migration commands afterwards
  • custom commands change from release to release
  • expect to do update as a specific user
  • update nginx config
  • update own default config and service has dependencies on the config changes
  • expect new versions of tools
  • etc.

I selfhost around 20 services like PieFed, Mastodon, PeerTube, Paperless-ngx, Immich, open-webui, Grafana, etc. And all of them have some dependencies which need to be updated too.

And nowadays you can't really keep running on an older version especially when it's internet facing.

So anyway, what are your strategies how to keep sanity while keeping all your self hosted services up to date?

top 24 comments
sorted by: hot top controversial new old
[-] mlfh@lm.mlfh.org 4 points 1 month ago

Everything I run, I deploy and manage with ansible.

When I'm building out the role/playbook for a new service, I make sure to build in any special upgrade tasks it might have and tag them. When it's time to run infrastructure-wide updates, I can run my single upgrade playbook and pull in the upgrade tasks for everything everywhere - new packages, container images, git releases, and all the service restart steps to load them.

It's more work at the beginning to set the role/playbook up properly, but it makes maintaining everything so much nicer (which I think is vital to keep it all fun and manageable).

[-] non_burglar@lemmy.world 2 points 1 month ago

+1 for ansible.There's a module for almost everything out there.

[-] jeena@piefed.jeena.net 0 points 1 month ago

Yeah, For some reason I didn't think of ansible even though I use it at work regularly. Thanks for pointing it out!

[-] Cyber@feddit.uk 1 points 1 month ago

Just a word of caution...

I try to upgrade 1 (of a similar group) manually first to check it'a not foobarred after the update, then crack on with the rest. Testing a restore is 1 thing, but restoring the whole system...?

[-] fhoekstra@feddit.nl 3 points 1 month ago* (last edited 1 month ago)

Renovate + GitOps. Check out https://github.com/onedr0p/cluster-template

If you don't like Kubernetes, you can get a similar setup with doco-CD. Only limitation is that dococd can't update itself, but you can use SOPS and Renovate all the same for the other services.

[-] vegetaaaaaaa@lemmy.world 2 points 1 month ago* (last edited 1 month ago)
  • use APT repositories when possible -> then unattended-upgrades
  • For OCI images that do not provide tagged releases (looking at you searxng...), podman auto-update
  • for everything else, subscribe to releases RSS feed, read release notes when they come out, check for breaking changes and possibly interesting stuff, update version in ansible playbook, deploy ansible playbook
[-] ThunderComplex@lemmy.today 2 points 1 month ago

Since all my services are dockerized I just pull new images sporadically. But I think I should invest some time into finding automatic update reminders, especially when I have to hear about critical security updates from some random person on mastodon.

[-] beeb@lemmy.zip 3 points 1 month ago

I switched to dockhand and it handles that nicely, including scanning for vulnerabilities in new images.

[-] ThunderComplex@lemmy.today 1 points 1 month ago

Thanks I’ll check it out

[-] totoro@slrpnk.net 2 points 1 month ago

Wow, that sounds like a nightmare. Here's my workflow:

nix flake update
nixos-rebuild switch

That gives me an atomic, rollbackable update of every service running on the machine.

[-] ryan_@piefed.social 1 points 1 month ago* (last edited 1 month ago)

It’s just a hobby so i know I have room for improvement, but the bigger my environment gets the more difficult it is to keep everything completely up to date, like you said. Given that, my main priorities are:

  • have as few internet facing services as possible
  • use a reverse proxy
  • separate external and internal servers with a dmz
  • use fail2ban or crowsec on servers that have ports forwarded
  • firewall geoblocking
  • BACKUPS, local and remote

Now that being said, I’ve started to use ansible playbooks for deploying OS updates. I have a playbook that uses default options when doing an apt upgrade and it also works for the docker engine user prompt.

About 75% of my services are native installs in LXCs and I try to always install by including the app repo so that apt can update it and the other 25% are in docker. I used to use watchtower but that’s no longer maintained, so I do container updates manually as needed.

It’s not perfect, but it’s just for fun so 🤷

[-] AxiomPraxis@sh.itjust.works 1 points 1 month ago

Kubernetes + helm charts

[-] Decronym@lemmy.decronym.xyz 1 points 1 month ago* (last edited 1 month ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
Git Popular version control system, primarily for code
HTTP Hypertext Transfer Protocol, the Web
LXC Linux Containers
SSL Secure Sockets Layer, for transparent encryption
TLS Transport Layer Security, supersedes SSL
k8s Kubernetes container management package
nginx Popular HTTP server

[Thread #233 for this comm, first seen 12th Apr 2026, 05:50] [FAQ] [Full list] [Contact] [Source code]

[-] richardwonka@slrpnk.net 1 points 1 month ago

Proxmox helper scripts - at least the ones i use - come with a tag updateable. Those tagged have a command update that runs everything necessary on containers, VMs whatever.

Makes life simple, mostly.

The only manual interaction I’ve had was upgrading some VMs Debian from 12 to 13.

[-] arcine@jlai.lu 0 points 1 month ago 
# nix flake update
# nixos-rebuild switch
[-] tuhriel@discuss.tchncs.de 2 points 1 month ago

That's the theory...I usually have to first replace some packages that have been removed / renamed then homemanager is acting up because some stuff now is called differently. And every time it just shows me the one error that failed...

[-] Overspark@piefed.social 0 points 1 month ago

Podman automatically updates my containers for me.

[-] jeena@piefed.jeena.net 0 points 1 month ago* (last edited 1 month ago)

Because you point to :latest and everything is dockerized and on one machine? How does it know when it's time to upgrade?

[-] Overspark@piefed.social 0 points 1 month ago

Yeah only for :latest containers, that's true. It automatically runs a daily service to check whether there are newer images available. You can turn it off per container if you don't want it.

One of the nice things about it is that I have containers running under several different users (for security reasons) so that saves me a lot of effort switching to all these users all the time.

[-] melroy@kbin.melroy.org 0 points 1 month ago

It's a bad practice to use latest tag

[-] prenatal_confusion@feddit.org 2 points 1 month ago* (last edited 1 month ago)

Depends on what you want to do. For production with sensitive data, yes it is. For my ytdl and jellyfin? Perfectly fine.

[-] Overspark@piefed.social 2 points 1 month ago

Depends. There are a few things I update by hand, but as long as you have proper backups it's generally safer to run the latest versions of things automatically if you don't mind the possibility of breakage (which is very rare in my experience). This is in the context of self-hosting of course, not a business environment.

[-] quick_snail@feddit.nl 0 points 1 month ago* (last edited 1 month ago)

Unattended upgrades 11 months out of the year.

Very attended apt upgrades 2 weeks out of the year.

[-] corsicanguppy@lemmy.ca 0 points 1 month ago
  1. Avoid anything with bad supply chains that fail iso27002
  2. Yum via cron
  3. Huh. That's all of it.
this post was submitted on 12 Apr 2026
13 points (100.0% liked)

Selfhosted

59001 readers
18 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz