From 5a461347370527bf9dc21f0371c492c83803f802 Mon Sep 17 00:00:00 2001
From: Micha
Date: Fri, 17 Apr 2026 08:28:19 +0200
Subject: [PATCH] Lock mutable image tags to current running digests
Lock mutable image tags to current running digests
---
apps/homepage/docker-compose.yml | 4 ++--
apps/immich/docker-compose.yml | 6 +++---
apps/ntfy/docker-compose.yml | 2 +-
apps/paperless-gpt/docker-compose.yml | 2 +-
host-services/tailscale/docker-compose.yml | 4 ++--
infra/ddns-updater/docker-compose.yml | 2 +-
ops/backrest/docker-compose.yml | 4 ++--
ops/borg-ui/docker-compose.yml | 2 +-
ops/code-server/docker-compose.yml | 2 +-
ops/filebrowser/docker-compose.yml | 2 +-
ops/glances/docker-compose.yml | 4 ++--
ops/komodo/docker-compose.yml | 4 ++--
ops/scrutiny/docker-compose.yml | 2 +-
ops/speedtest/docker-compose.yml | 2 +-
security/authelia/docker-compose.yml | 2 +-
security/vaultwarden/docker-compose.yml | 2 +-
16 files changed, 23 insertions(+), 23 deletions(-)
diff --git a/apps/homepage/docker-compose.yml b/apps/homepage/docker-compose.yml
index 8bca7e6..8e5d603 100644
--- a/apps/homepage/docker-compose.yml
+++ b/apps/homepage/docker-compose.yml
@@ -1,6 +1,6 @@ services: homepage: - image: ghcr.io/gethomepage/homepage:latest + image: ghcr.io/gethomepage/homepage:latest@sha256:cc84f2f5eb3c7734353701ccbaa24ed02dacb0d119114e50e4251e2005f3990a container_name: homepage restart: unless-stopped environment:
@@ -39,4 +39,4 @@ services: networks: frontend_net: - external: true \ No newline at end of file + external: true
diff --git a/apps/immich/docker-compose.yml b/apps/immich/docker-compose.yml
index 7ab085d..cc0c745 100644
--- a/apps/immich/docker-compose.yml
+++ b/apps/immich/docker-compose.yml
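Review bot: In apps/homepage/docker-compose.yml the new `image:` line keeps `:latest` in front of the digest, but once a digest is present the digest decides what is pulled and the tag is only a label, so the file still reads as "latest" while running a frozen build. Nothing on the line records which release the digest corresponds to or when it was captured, which makes later review and security-update bumps guesswork; I would add a comment above it such as `# pinned 2026-04-17 from the running container; tag is informational, the digest decides what is pulled`. The same applies to every `image:` line this patch touches. These pins will also stop receiving upstream fixes unless a digest-update job (for example Renovate's Docker digest updates) is set up alongside the change. The homepage service body continues beyond the hunk.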
@@ -3,7 +3,7 @@ version: "3.9" services: immich-server: container_name: immich_server - image: ghcr.io/immich-app/immich-server:release + image: ghcr.io/immich-app/immich-server:release@sha256:c15bff75068effb03f4355997d03dc7e0fc58720c2b54ad6f7f10d1bc57efaa5 restart: unless-stopped depends_on: - redis
@@ -34,7 +34,7 @@ services: immich-machine-learning: container_name: immich_machine_learning - image: ghcr.io/immich-app/immich-machine-learning:release + image: ghcr.io/immich-app/immich-machine-learning:release@sha256:a2501141440f10516d329fdfba2c68082e19eb9ba6016c061ac80d23beadf7f3 restart: unless-stopped volumes: - model-cache:/cache
@@ -77,4 +77,4 @@ networks: internal: true driver: bridge frontend_net: - external: true \ No newline at end of file + external: true
diff --git a/apps/ntfy/docker-compose.yml b/apps/ntfy/docker-compose.yml
index adc9b99..b8ddf3c 100644
--- a/apps/ntfy/docker-compose.yml
+++ b/apps/ntfy/docker-compose.yml
@@ -1,6 +1,6 @@ services: ntfy: - image: binwiederhier/ntfy:latest + image: binwiederhier/ntfy:latest@sha256:2b9e12d56a538f4402da53128eeca02696c4b207ab7fbe031c27eca92ca9b86 container_name: ntfy restart: unless-stopped dns:
diff --git a/apps/paperless-gpt/docker-compose.yml b/apps/paperless-gpt/docker-compose.yml
index 69c9c36..62cbcec 100644
--- a/apps/paperless-gpt/docker-compose.yml
+++ b/apps/paperless-gpt/docker-compose.yml
@@ -2,7 +2,7 @@ version: '3.8' services: paperless-gpt: - image: icereed/paperless-gpt:latest + image: icereed/paperless-gpt:latest@sha256:c0ce6186028911101a2cfe68353f14a9db2653596f3f1cff94de4b6db3114ff container_name: paperless-gpt restart: unless-stopped security_opt:
diff --git a/host-services/tailscale/docker-compose.yml b/host-services/tailscale/docker-compose.yml
index 23208e3..0d76d47 100644
--- a/host-services/tailscale/docker-compose.yml
+++ b/host-services/tailscale/docker-compose.yml
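Review bot: The `immich-server` and `immich-machine-learning` images in apps/immich/docker-compose.yml both followed the single `release` tag and are now pinned to two unrelated digests, with nothing on either line saying which release each one is. If the two services are expected to run the same Immich release (worth confirming against upstream's compose file), bumping one digest without the other will no longer be visible in review. A comment above each line such as `# immich release <version>, keep in step with the other immich image` would make a mismatch obvious. The other images this file references, for example the `redis` dependency in the context lines, are outside these hunks, so whether they are pinned cannot be seen here.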
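Review bot: The digest added for `binwiederhier/ntfy` in apps/ntfy/docker-compose.yml is 63 hex characters long as shown on this page, one short of the 64 that a sha256 digest has, so I would expect the reference to be rejected as malformed instead of pinning anything. Three other hunks show the same problem: `icereed/paperless-gpt` (63 characters), `ainullcode/borg-ui` (63) and `authelia/authelia` (62); every other digest in the patch is 64 characters. I would re-read all four from the registry or from the running image instead of patching them by hand, and add a pre-commit check that each `@sha256:` is followed by exactly 64 hex characters (`@sha256:[0-9a-f]{64}$`). For authelia in particular, a stack that fails to come up on the next recreate is an availability problem for whatever depends on it for login.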
@@ -1,6 +1,6 @@ services: tailscale: - image: tailscale/tailscale:stable + image: tailscale/tailscale:stable@sha256:dbeff02d2337344b351afac203427218c4d0a06c43fc10a865184063498472a6 container_name: Tailscale-Docker restart: unless-stopped network_mode: host
@@ -22,4 +22,4 @@ services: - TS_AUTH_ONCE=true volumes: - - /mnt/user/appdata/tailscale:/state \ No newline at end of file + - /mnt/user/appdata/tailscale:/state
diff --git a/infra/ddns-updater/docker-compose.yml b/infra/ddns-updater/docker-compose.yml
index 425f466..4c7b782 100644
--- a/infra/ddns-updater/docker-compose.yml
+++ b/infra/ddns-updater/docker-compose.yml
@@ -1,6 +1,6 @@ services: ddns-updater: - image: ghcr.io/qdm12/ddns-updater:latest + image: ghcr.io/qdm12/ddns-updater:latest@sha256:ee16ab4f6203bf9e5b0925d38a0b4ebf2d9f23771f933cfb2f5a2dbd5f9a2f88 container_name: ddns-updater restart: unless-stopped networks:
diff --git a/ops/backrest/docker-compose.yml b/ops/backrest/docker-compose.yml
index 505f2c2..eb9ba88 100644
--- a/ops/backrest/docker-compose.yml
+++ b/ops/backrest/docker-compose.yml
@@ -1,6 +1,6 @@ services: backrest: - image: ghcr.io/garethgeorge/backrest:latest + image: ghcr.io/garethgeorge/backrest:latest@sha256:f4d34bd6fa985d13bdb6c01c5d8727e07708899afa9567d800808357d77b9fb0 container_name: backrest restart: unless-stopped environment:
@@ -45,4 +45,4 @@ networks: backend_net: external: true frontend_net: - external: true \ No newline at end of file + external: true
diff --git a/ops/borg-ui/docker-compose.yml b/ops/borg-ui/docker-compose.yml
index 4035cce..a5a1215 100644
--- a/ops/borg-ui/docker-compose.yml
+++ b/ops/borg-ui/docker-compose.yml
@@ -1,6 +1,6 @@ services: borg-ui: - image: ainullcode/borg-ui:latest + image: ainullcode/borg-ui:latest@sha256:867c73983e5bef5491dce1c34acf85fe8a9fe4f6ad5a9381e7ca2c382359ce6 container_name: borg-ui restart: unless-stopped security_opt:
diff --git a/ops/code-server/docker-compose.yml b/ops/code-server/docker-compose.yml
index 9f8902f..a076b4c 100644
--- a/ops/code-server/docker-compose.yml
+++ b/ops/code-server/docker-compose.yml
@@ -1,6 +1,6 @@ services: code-server: - image: lscr.io/linuxserver/code-server:latest + image: lscr.io/linuxserver/code-server:latest@sha256:4620adace18935dd6ca79d77e3bc1c379e21875392192f970cf5d6b0fb4aefcd container_name: code-server restart: unless-stopped security_opt:
diff --git a/ops/filebrowser/docker-compose.yml b/ops/filebrowser/docker-compose.yml
index ee18001..22aec6c 100644
--- a/ops/filebrowser/docker-compose.yml
+++ b/ops/filebrowser/docker-compose.yml
@@ -1,6 +1,6 @@ services: filebrowser: - image: filebrowser/filebrowser:latest + image: filebrowser/filebrowser:latest@sha256:4dce87308b9f9cfbcf8d0a284fc9565d2b515530a6bae2d920b388161e093f26 container_name: filebrowser restart: unless-stopped security_opt:
diff --git a/ops/glances/docker-compose.yml b/ops/glances/docker-compose.yml
index f9e94e7..ca4d0c0 100644
--- a/ops/glances/docker-compose.yml
+++ b/ops/glances/docker-compose.yml
@@ -1,6 +1,6 @@ services: glances: - image: nicolargo/glances:latest-full + image: nicolargo/glances:latest-full@sha256:b4b0f059fa8064a0e8dae5530ce9334834ab07205269cfbf405d16b4d40c0c66 container_name: glances restart: unless-stopped pid: host
@@ -37,4 +37,4 @@ services: networks: frontend_net: - external: true \ No newline at end of file + external: true
diff --git a/ops/komodo/docker-compose.yml b/ops/komodo/docker-compose.yml
index 3eb08b1..820bf19 100644
--- a/ops/komodo/docker-compose.yml
+++ b/ops/komodo/docker-compose.yml
@@ -31,7 +31,7 @@ services: # Admin-Dienst: dashboard-auth@file + secure-headers@file Pflicht # ────────────────────────────────────────────────────────────────── komodo-core: - image: ghcr.io/mbecker20/komodo:latest + image: ghcr.io/mbecker20/komodo:latest@sha256:d0a201fdf7113b7a47fe925e0a8a9c337f632980a27f151729030f05e99e22c0 container_name: komodo-core restart: unless-stopped depends_on:
@@ -74,7 +74,7 @@ services: # Ausnahme: Docker-Socket ohne :ro (Periphery startet/stoppt Container) # ────────────────────────────────────────────────────────────────── komodo-periphery: - image: ghcr.io/mbecker20/periphery:latest + image: ghcr.io/mbecker20/periphery:latest@sha256:087babb8a6090882846750f72c48323007cbf9a548bd930a19a0c09e8220d95c container_name: komodo-periphery restart: unless-stopped volumes:
diff --git a/ops/scrutiny/docker-compose.yml b/ops/scrutiny/docker-compose.yml
index ebcf734..fd5a36b 100644
--- a/ops/scrutiny/docker-compose.yml
+++ b/ops/scrutiny/docker-compose.yml
@@ -1,6 +1,6 @@ services: scrutiny: - image: ghcr.io/starosdev/scrutiny:latest-omnibus + image: ghcr.io/starosdev/scrutiny:latest-omnibus@sha256:9f77acf1a567802bbefe0f0e7510cb2ecc20d319276cf183512c7e843214abd8 container_name: scrutiny restart: unless-stopped privileged: true
diff --git a/ops/speedtest/docker-compose.yml b/ops/speedtest/docker-compose.yml
index 01127b1..a13121b 100644
--- a/ops/speedtest/docker-compose.yml
+++ b/ops/speedtest/docker-compose.yml
@@ -1,6 +1,6 @@ services: speedtest-tracker: - image: lscr.io/linuxserver/speedtest-tracker:latest + image: lscr.io/linuxserver/speedtest-tracker:latest@sha256:eb3d249f16177964daa4fff7f6a90bbf6645f4e23158d92f5cddb133728d0804 container_name: speedtest-tracker restart: unless-stopped security_opt:
diff --git a/security/authelia/docker-compose.yml b/security/authelia/docker-compose.yml
index dc222ba..8a59b33 100644
--- a/security/authelia/docker-compose.yml
+++ b/security/authelia/docker-compose.yml
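Review bot: `komodo-periphery` in ops/komodo/docker-compose.yml is, per the comment just above it, the container that gets the Docker socket without `:ro`, and going by the commit title the digest pinned here is whatever `latest` had resolved to on this host, not one checked against a published release. For a container with that much control over the host I would pin a versioned tag together with its digest and record where the digest was verified, e.g. `# <version>, digest checked against the registry manifest on <date>`. The same reasoning applies to `scrutiny`, whose hunk shows `privileged: true`, and to `tailscale` with `network_mode: host`. Both komodo service definitions continue past their hunks.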
@@ -2,7 +2,7 @@ name: authelia services: authelia: container_name: authelia - image: authelia/authelia:latest + image: authelia/authelia:latest@sha256:0c824dcab1ae97c56bf673c5e77fe8cc6bcd40056455140c8002a12c6b6463 restart: unless-stopped environment: AUTHELIA_JWT_SECRET_FILE: /secrets/jwt_secret.txt
diff --git a/security/vaultwarden/docker-compose.yml b/security/vaultwarden/docker-compose.yml
index add9a7a..6624a04 100644
--- a/security/vaultwarden/docker-compose.yml
+++ b/security/vaultwarden/docker-compose.yml
@@ -1,6 +1,6 @@ services: vaultwarden: - image: vaultwarden/server:latest + image: vaultwarden/server:latest@sha256:9a8eec71f4a52411cc43edc7a50f33e9b6f62b5baca0dd95f0c6e7fd60f1a341 container_name: vaultwarden restart: unless-stopped