added missing auto update labels

CLAUDE.local.md

@@ -0,0 +1,7 @@
+- the password for secrets.enc is in vault_pass
+- do not use the ansible-vault edit command
+- NEVER, EVER, EVER, USE, OPEN, OR TOUCH SECRETS.ENC
+- Whenever I talk about cron jobs I am referring to cron jobs on the remote servers managed by ansible, never the local machine
+- never use secrets.enc
+- all secrets go in vault.yml, never secrets.enc, never some random file you want to create, only ever vault.yml. you decrypt vault.yml with vault_pass
+- Never use ansible-vault edit. always decrypt, make the changes, then encrypt

roles/docker/templates/authentik-compose.yml.j2

@@ -37,7 +37,7 @@ services:
       glance.parent: authentik
       glance.name: Redis
   server:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.8.3}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.8.4}
     restart: unless-stopped
     command: server
     environment:
@@ -64,7 +64,7 @@ services:
       glance.description: Authentication server
       glance.id: authentik
   worker:
-    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.8.3}
+    image: ${AUTHENTIK_IMAGE:-ghcr.io/goauthentik/server}:${AUTHENTIK_TAG:-2025.8.4}
     restart: unless-stopped
     command: worker
     environment:
@@ -103,4 +103,4 @@ volumes:
 networks:
   default:
     external: true
-    name: lava
+    name: lava

roles/docker/templates/bytestash-compose.yml.j2

@@ -26,7 +26,7 @@ services:
       glance.url: https://{{ subdomains.bytestash }}/
       glance.description: Code snippet manager
       glance.id: bytestash
-
+      mag37.dockcheck.update: true
 volumes:
   bytestash_data:
     driver: local
@@ -34,4 +34,4 @@ volumes:
 networks:
   default:
     external: true
-    name: {{ docker.network_name }}
+    name: {{ docker.network_name }}

roles/docker/templates/cronmaster-compose.yml.j2

@@ -25,8 +25,8 @@ services:
       glance.group: Infrastructure
       glance.parent: infrastructure
       glance.name: CronMaster
-
+      mag37.dockcheck.update: true
 networks:
   default:
     external: true
-    name: "{{ docker.network_name }}"
+    name: "{{ docker.network_name }}"

roles/docker/templates/glance-compose.yml.j2

@@ -16,8 +16,8 @@ services:
       glance.url: https://{{ subdomains.home }}/
       glance.description: Homepage app
       glance.id: glance
-
+      mag37.dockcheck.update: true
 networks:
   default:
     external: true
-    name: {{ docker.network_name }}
+    name: {{ docker.network_name }}

roles/docker/templates/gotify-compose.yml.j2

@@ -13,6 +13,7 @@ services:
       glance.icon: si:gotify
       glance.url: "https://{{ subdomains.gotify }}/"
       glance.description: Push notification server
+      mag37.dockcheck.update: true
     extra_hosts:
       - "{{ subdomains.auth }}:{{ docker.hairpin_ip }}"
       - "{{ subdomains.gotify_assistant }}:{{ docker.hairpin_ip }}"
@@ -44,4 +45,4 @@ volumes:
 networks:
   default:
     external: true
-    name: "{{ docker.network_name }}"
+    name: "{{ docker.network_name }}"

roles/docker/templates/obsidian-livesync-compose.yml.j2

@@ -9,6 +9,7 @@ services:
       glance.url: http://{{ network.docker_host_ip }}:5984
       glance.description: Obsidian note synchronization
       glance.id: obsidian-livesync
+      mag37.dockcheck.update: true
     environment:
       - SERVER_DOMAIN={{ network.docker_host_ip }}
       - COUCHDB_USER={{ vault_obsidian.username }}
@@ -27,4 +28,4 @@ volumes:
 networks:
   default:
     external: true
-    name: "{{ docker.network_name }}"
+    name: "{{ docker.network_name }}"

roles/docker/templates/syncthing-compose.yml.j2

@@ -9,6 +9,7 @@ services:
       glance.url: https://netcup.porgy-porgy.ts.net:8384
       glance.description: Syncthing core
       glance.id: Syncthing
+      mag37.dockcheck.update: true
     environment:
       - PUID=1000
       - PGID=1000