Fleet Version Audit + Update Plan, 2026-04-27

Audit run from UDev across all 9 fleet hosts. Goal: identify what's behind, what's at risk, and a sequenced update plan.


TL;DR: Status by Severity

Severity | Item
🔴 Critical | None, nothing actively broken or end-of-life
🟠 Update available | HA Core 2026.3.4 → 2026.4.4 (1 minor behind); HA Matter addon 8.3.0 → 8.4.0
🟠 Heavy apt backlog (total / security) | n8n CT (177 / 71 sec), immich CT (166 / 67 sec), Finn host (138 / 29 sec), UDev (138 / 0 sec)
🟡 Long uptime | Finn 6w+, AdGuard 6w+, n8n 6w+, immich 5w+; packages applied but not booted into
🟡 Tooling drift | rclone on UDev is v1.60.1-DEV (current ~v1.69+), very outdated
🟡 Memory stale | WiebCraft is actually Minecraft 1.21.11; MEMORY.md says 1.21.4
🟢 Healthy | Plex, Immich, Frigate, n8n, Minecraft, media-server containers all running healthy on recent versions

Heads-up: while running this audit, docker exec frigate env printed FRIGATE_RTSP_PASSWORD and FRIGATE_MQTT_PASSWORD in cleartext to stdout. They're not in this report, but the values landed in the live session transcript. Consider rotating if that transcript will leave your machine.


Per-Host Inventory

Finn: Proxmox host (192.168.86.67)

Component | Current | Latest | Notes
Debian | 13 (trixie) | 13 |
Kernel | 6.17.2-1-pve | new pve kernels ship via apt | Long-running 6w+
Proxmox VE | 9.1.1 | 9.1.x current major | Check for minor patches via apt
Apt updates | 138 total / 29 security | |
Reboot required | ❌ | | no flag, but a kernel package may be queued

UDev, this VM (CT 103, 192.168.86.50)

Component | Current | Latest | Notes
Ubuntu | 24.04.1 LTS | 24.04.x | Apt has minor LTS patches queued
Kernel | 6.8.0-110-generic | | OK
Docker | 29.2.1 | 29.x current | OK
Claude CLI | 2.1.119 | | Auto-updating
Node | v20.20.0 | v20 LTS / v22 LTS | OK on 20
Python | 3.12.3 | 3.12.x | OK
rclone | v1.60.1-DEV | v1.69.x | 🟠 9 minor versions behind; the Drive mount and all asset workflows depend on it
uv | not installed | | Optional, useful for forge venvs
Apt updates | 138 / 0 sec | | All non-security, but should still be flushed

plex: CT 101 (192.168.86.73)

Component | Current | Notes
Ubuntu | 24.04.4 LTS | ✅ already on point release
Plex Media Server | 1.43.0.10492-121068a07 | Recent; check plex.tv/release for newer 1.43.x
Docker | 29.1.3 | Slightly behind other hosts (29.2/29.3)
Tautulli | :latest (healthy 13d) | Will pull on restart
Apt updates | 53 / 31 sec | 🟠

media-server: CT 102 (192.168.86.74)

Component | Current | Notes
Debian | 13 |
Docker | 29.2.1, Compose v5.1.0 |
Tailscale | 1.94.2 | Recent
Containers (14, all :latest) | gluetun, flaresolverr, qbittorrent, prowlarr, radarr, sonarr, overseerr, audiobookshelf, calibre-web-automated, shelfarr, justinkrystal-{landing,hub-api,cloudflared}, portainer | All up 5d
Apt updates | 41 / 1 sec | 🟢 lowest sec count in fleet

adguard: CT 105 (192.168.86.75)

Component | Current | Notes
Debian | 12 (bookworm) | 🟡 one major behind everyone else (Debian 13 trixie); Bookworm still in standard support
AdGuardHome | binary running since 2026-03-12; version probe failed via SSH | 🟡 Worth a manual AdGuardHome --version check, compared against the latest at github.com/AdguardTeam/AdGuardHome/releases
Apt updates | 21 / 8 sec |

n8n: CT 106 (192.168.86.82)

Component | Current | Notes
Ubuntu | 24.04 |
Docker | 29.3.0, Compose v5.1.0 |
n8n | 2.11.4 (image pulled 2026-04-14) | n8n cuts releases ~weekly; may be 1-2 minors behind
Apt updates | 177 / 71 sec | 🟠 highest in fleet

frigate: CT 108 (192.168.86.84)

Component | Current | Notes
Debian | 13 |
Docker | 29.3.1, Compose v5.1.1 |
Frigate | 0.17.1-416a9b7 | Recent stable; check ghcr.io tags for newer 0.17.x
Apt updates | 48 / 6 sec | 🟡

immich: CT 107 (192.168.86.83)

Component | Current | Notes
Ubuntu | 24.04 |
Docker | 29.3.0, Compose v5.1.0 |
Immich (server) | v2.5.6 (:release tag) | Immich ships biweekly; likely 1 minor behind
postgres (pgvecto-rs) | pg14-v0.2.0 | Pinned by Immich; only bump when the Immich docs say so
redis | 6.2-alpine | Pinned by Immich
immich-machine-learning | :release | Auto on :release tag
Apt updates | 166 / 67 sec | 🟠

homeassistant: VM 100 (192.168.86.70)

Component | Current | Latest | Notes
HAOS | 17.2 (boot slot B) | 17.2 | ✅ Slot A still on 17.1 (rollback target)
HA Supervisor | 2026.04.0 | 2026.04.0 |
HA Core | 2026.3.4 | 2026.4.4 | 🟠 1 minor behind; biggest single update on the fleet
Supervisor agent | 1.8.1 | |
Matter Server addon | 8.3.0 | 8.4.0 | 🟠 update_available: true
Govee2MQTT addon | 2026.03.25-ab9deb66 | same |

minecraft: CT 110 (192.168.86.23)

Component | Current | Notes
Debian | 13 |
Image | itzg/minecraft-server:latest | Auto-pulls Paper builds on restart
Paper / MC version | 1.21.11-130-c5a2736 (Paper for MC 1.21.11) | Auto-updated from 1.21.4 already
Side containers | geyser + viaproxy on eclipse-temurin:21-jre |
Apt updates | 44 / 9 sec | 🟡
Memory drift | MEMORY.md says "Paper 1.21.4" | 📝 fix

Update Plan: Sequenced

I'd run this in 4 waves, low-blast-radius first, weekend-only stuff last.

Wave 1: Free wins, zero downtime (do now, ~15 min)

  1. HA Core 2026.3.4 → 2026.4.4: ha core update (HA UI is fine too). Restart is automatic, ~2 min HA blip.
  2. HA Matter addon 8.3.0 → 8.4.0: same UI, one click.
  3. Fix MEMORY.md WiebCraft entry: Paper 1.21.4 → Paper 1.21.11 (auto-updated via itzg/minecraft-server).
  4. Update rclone on UDev to current stable: curl https://rclone.org/install.sh | sudo bash, careful: this affects the live /mnt/workspace/Google-Drive mount. Plan a remount window. Confirm /mount-check passes before+after.

Wave 2: Apt patch all hosts (sequential, ~5 min/host, ~45 min total)

For each host, run apt update && apt full-upgrade -y && [ -f /var/run/reboot-required ] && reboot. Order chosen to avoid cascading dependency surprises:

  1. adguard (smallest backlog): DNS for the LAN; if it reboots quickly, no pain. Verify with dig @192.168.86.75 google.com.
  2. media-server (lowest sec count of the heavy hosts); confirm qBittorrent etc. resume cleanly.
  3. plex, 31 sec patches; confirm Plex transcoder still active after.
  4. frigate, 6 sec patches; verify camera streams reconnect (http://192.168.86.84:5000).
  5. minecraft, kick players first (/say update incoming).
  6. n8n, 71 sec patches; biggest backlog. Watch that the n8n container survives apt: it's docker-isolated so it should be fine, but plan a restart window. Check that active workflows pause/resume.
  7. immich, 67 sec patches; same docker-isolation argument. Photo uploads can pause briefly.
  8. UDev (this box), last because rebooting kills the active Claude session. Schedule for an evening when nothing's mid-flight. Auto-reboot after upgrade.
  9. Finn (Proxmox host), 29 sec patches. Reboot is high-blast (kills every CT/VM at once). Schedule deliberately. Use pveupdate && pveupgrade rather than raw apt to keep PVE repos consistent.
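The Wave 2 step for one host, as an added example that is not a script from this plan: it makes two rules above explicit in code, reboot only when the reboot-required flag appears after the upgrade, and never reboot the Proxmox host automatically. It assumes root ssh to each CT/VM by the hostnames in WAVE2_ORDER (assumed names; the IPs in the checks are the ones the plan lists) and uses the post-patch checks the plan names for adguard and frigate.

```shell
#!/usr/bin/env bash
# Added example (not the plan's own script). Hostnames below are assumed to
# resolve to the CTs/VMs in the inventory; root ssh to each is assumed.

APT_CMD='apt-get update && DEBIAN_FRONTEND=noninteractive apt-get full-upgrade -y'
PVE_CMD='pveupdate && pveupgrade'      # the plan prefers these on Finn over raw apt
MANUAL_REBOOT_HOSTS='finn'             # reboot needs a chosen window, never automatic

# reboot_flag_set [ROOT] -> true if ROOT/var/run/reboot-required exists. ROOT is
# optional so the check can be exercised against a staging tree instead of /.
reboot_flag_set() { [ -f "${1:-}/var/run/reboot-required" ]; }

# reboot_policy HOST -> "manual" for hosts in MANUAL_REBOOT_HOSTS, else "auto"
reboot_policy() {
  case " $MANUAL_REBOOT_HOSTS " in
    *" $1 "*) printf 'manual' ;;
    *)        printf 'auto' ;;
  esac
}

# patch_host HOST [pve] -> run the upgrade over ssh, then apply the reboot policy
patch_host() {
  local host="$1" cmd="$APT_CMD"
  [ "${2:-}" = pve ] && cmd="$PVE_CMD"
  ssh "root@$host" "$cmd" || { echo "$host: upgrade failed" >&2; return 1; }
  if ! ssh "root@$host" 'test -f /var/run/reboot-required'; then
    echo "$host: patched, no reboot flag"; return 0
  fi
  case "$(reboot_policy "$host")" in
    auto)   echo "$host: reboot flag set, rebooting"
            ssh "root@$host" reboot || true ;;     # ssh drops as the host goes down
    manual) echo "$host: reboot flag set, REBOOT PENDING (pick a window)" ;;
  esac
}

# verify_host HOST -> the post-patch check the plan names for that host, retried
# for up to a minute so a host that just rebooted has time to come back.
verify_host() {
  local i
  for i in 1 2 3 4 5 6; do
    case "$1" in
      adguard) dig +short @192.168.86.75 google.com | grep -q . && return 0 ;;
      frigate) curl -fsS -o /dev/null http://192.168.86.84:5000 && return 0 ;;
      *)       return 0 ;;                          # no automated check in the plan
    esac
    sleep 10
  done
  echo "$1: post-patch check failed" >&2
  return 1
}

# Plan order: smallest blast radius first, Finn last with the PVE wrappers.
WAVE2_ORDER='adguard media-server plex frigate minecraft n8n immich udev finn'

if [ "${RUN_WAVE2:-0}" = 1 ]; then                # opt-in, so sourcing this file does nothing
  for h in $WAVE2_ORDER; do
    extra=''; [ "$h" = finn ] && extra=pve
    patch_host "$h" $extra && verify_host "$h" || { echo "stopping at $h" >&2; exit 1; }
  done
fi
```

Run with RUN_WAVE2=1 to execute the sequence; the loop stops at the first host whose upgrade or post-patch check fails, so a broken DNS server is noticed before the rest of the fleet is touched.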

Wave 3: Container image bumps (~30 min, runs in parallel)

For each host running docker compose, the pattern is:

cd /opt/<service>
docker compose pull
docker compose up -d
docker image prune -f

Order:
  • media-server stack (/opt/<each>/), 14 services. Most are arr-stack and all on :latest already, so just pull && up -d per stack. Watch Sonarr/Radarr DB migrations.
  • frigate: the :stable tag will pick up the next Frigate stable. Verify recordings continue and camera detection re-binds.
  • n8n: :latest tag. After pull, validate critical workflows. n8n minor bumps occasionally need a DB migration (automatic, but log it).
  • immich: :release tag. Immich is the biggest risk for breaking changes; read release notes before pull. The ML container also bumps.
  • plex (Tautulli only; Plex itself is a .deb): docker compose pull tautulli && docker compose up -d tautulli.

Wave 4: Native package bumps (judgment calls)

  • Plex Media Server, installed via .deb. If the Plex apt repo (https://downloads.plex.tv/repo/deb) is already configured, apt update picks up new builds; if not, set it up first. Library refresh after.
  • AdGuardHome, self-update with AdGuardHome --update if running outside docker (it was installed via the official install script). Confirm DNS still works post-update.
  • Proxmox VE, apt full-upgrade on Finn picks up any 9.1.x → 9.1.y patches. Major-version bumps (10.x) are not on the table yet.

Standing recommendations (worth automating)

  1. Pin :latest to specific tags for media-server arr-stack, n8n, immich, tautulli. Right now any restart pulls whatever's newest, which is fine until it isn't. Pin → bump deliberately on a cadence.
  2. Quarterly fleet reboot window: uptimes of 5-7 weeks mean kernel patches sit unused. One scheduled night per quarter (/ssh-status → reboot in priority order) keeps things fresh.
  3. Add a monitor at scripts/monitors/version-drift.sh that runs this audit weekly and writes to logs/monitor-versions.log, alert if any service is >2 minor versions behind.
  4. Rotate Frigate RTSP + MQTT passwords (exposed in stdout during this run; benign in your tmux scrollback but principle of least surprise).
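A minimal version-drift check of the kind recommendation 3 proposes, as an added example (this is not the project's scripts/monitors/version-drift.sh, which does not exist yet): it compares current against latest per service, classifies the drift, and exits non-zero when anything is more than the threshold behind. The fleet table is constructed from this report's own before/after figures; the per-service collectors that would fill the current and latest columns in a real run (ssh, docker inspect, release APIs) are assumed and not included.

```shell
#!/usr/bin/env bash
# Added example (not the project's script). Versions are compared as dotted
# numeric strings; "current"/"latest" collection per service is left to the caller.

LOG_FILE="${LOG_FILE:-logs/monitor-versions.log}"   # log path from the recommendation
MAX_MINOR_DRIFT="${MAX_MINOR_DRIFT:-2}"             # ">2 minor versions behind" => alert

# version_field VERSION N -> Nth dotted numeric field (1 = major, 2 = minor), 0 if
# absent; tolerates a leading "v" and build suffixes such as -DEV or -130-c5a2736.
version_field() {
  local v="${1#v}" f
  v="${v%%-*}.0.0"                                  # pad so short versions like "13" work
  f=$(printf '%s' "$v" | cut -d. -f"$2" | sed 's/^0*\([0-9]\)/\1/')   # "03" -> "3"
  printf '%s' "${f:-0}"
}

# drift CURRENT LATEST -> "major:N", "minor:N" (N versions behind) or "current"
drift() {
  local cmaj cmin lmaj lmin
  cmaj=$(version_field "$1" 1); cmin=$(version_field "$1" 2)
  lmaj=$(version_field "$2" 1); lmin=$(version_field "$2" 2)
  if [ "$cmaj" -lt "$lmaj" ]; then
    printf 'major:%d' $((lmaj - cmaj))
  elif [ "$cmaj" -eq "$lmaj" ] && [ "$cmin" -lt "$lmin" ]; then
    printf 'minor:%d' $((lmin - cmin))
  else
    printf 'current'
  fi
}

# status CURRENT LATEST -> ALERT when a major behind or more than MAX_MINOR_DRIFT
# minors behind, else OK
status() {
  local d
  d=$(drift "$1" "$2")
  case "$d" in
    current) printf 'OK' ;;
    major:*) printf 'ALERT' ;;
    minor:*) if [ "${d#minor:}" -gt "$MAX_MINOR_DRIFT" ]; then printf 'ALERT'; else printf 'OK'; fi ;;
  esac
}

# check_fleet reads "host service current latest" lines on stdin, prints one
# log line per service, and returns 1 if any service is in ALERT state.
check_fleet() {
  local rc=0 host svc cur lat st
  while read -r host svc cur lat; do
    [ -z "$host" ] && continue
    st=$(status "$cur" "$lat")
    [ "$st" = ALERT ] && rc=1
    printf '%s host=%s service=%s current=%s latest=%s drift=%s %s\n' \
      "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$host" "$svc" "$cur" "$lat" "$(drift "$cur" "$lat")" "$st"
  done
  return "$rc"
}

# Constructed sample: the "before" versions from this audit against what the
# execution log later installed, plus the Debian major gap on the adguard CT.
FLEET_SAMPLE='
homeassistant ha-core 2026.3.4 2026.4.4
homeassistant matter-addon 8.3.0 8.4.0
UDev rclone v1.60.1-DEV v1.73.5
n8n n8n 2.11.4 2.17.8
immich immich v2.5.6 v2.7.5
adguard debian 12 13
'

# Demo run to stdout; a weekly cron job would append the same lines to "$LOG_FILE"
# and alert on the non-zero exit.
printf '%s\n' "$FLEET_SAMPLE" | check_fleet || echo "drift: ALERT state present (exit 1)"
```

On the sample data HA Core (1 minor behind) and the Matter addon stay OK, while n8n (6 minors), rclone (13 minors) and the adguard CT (a whole Debian major) trip the alert, which matches the severity the audit assigned by hand.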

What I did NOT update tonight

I gathered; I did not patch. Nothing has changed yet; every action above needs your sign-off on the timing window. Recommend starting with Wave 1 (HA Core + Matter addon + MEMORY.md fix) since it's a 5-minute job with zero blast radius.


Execution Log, 2026-04-27 (run a few hours after the audit)

Justin gave the go-ahead. Ran Waves 1-4 (staging only on Finn). Below is the completion record.

Done

Wave 1

  • HA Core: 2026.3.4 → 2026.4.4
  • HA Matter Server addon: 8.3.0 → 8.4.0
  • rclone on UDev: v1.60.1-DEV → v1.73.5 ✓ (existing mount kept running on old in-memory binary; new commands use new binary)
  • MEMORY.md WiebCraft entry corrected: 1.21.4 → 1.21.11 ✓

Wave 2, apt patches

All 8 hosts patched (UDev + 7 LXCs). Reboots required and executed:
  • n8n (dbus update): rebooted, but Docker failed to start. Root cause: a stale lxc.apparmor.profile: unconfined line in /etc/pve/lxc/106.conf (immich CT 107 didn't have it and worked fine). Removed the line, pct reboot 106, all green. Backup of the original config at finn:/tmp/106.conf.bak.<ts>.
  • immich (dbus update): rebooted clean, all 4 containers came back healthy.
  • All 6 other hosts: clean apt, no reboot flag.

Wave 3, container image bumps

  • n8n: 2.11.4 → 2.17.8 (image pulled, container recreated, http=200)
  • Immich: 2.5.6 → 2.7.5 (4 containers recreated, all healthy)
  • AdGuard Home: v0.107.74 (refreshed; runs as Docker container adguard-home in /opt/adguard-home/, not host-installed, corrects earlier mental model)
  • Frigate: :stable re-pulled, no recreation needed (already current)
  • Tautulli: image up-to-date (last build 2026-03-28)
  • media-server arr-stack (/opt/stacks/media, 10 containers): hit name-conflict failures because compose project name is media-server (set via name: in compose) but our docker compose down from /opt/stacks/media defaulted to project media. Fixed by passing -p media-server. One race condition with prowlarr depending on gluetun's network namespace, restarted prowlarr separately. All 10 fresh.
  • justinkrystal stack (/mnt/storage/appdata/justinkrystal-media, 3 containers): nginx:alpine + cloudflared:latest recreated.

Wave 4, native bumps

  • Plex Media Server: skipped, already on 1.43.0.10492; the configured apt repo only offers 1.42.2 (older). Plex was likely installed from Plex Pass channel manually.
  • AdGuardHome: handled in Wave 3 above (it's containerized).
  • Proxmox VE on Finn: ✅ STAGED (no reboot). Required Acquire::ForceIPv4=true because Finn's IPv6 egress is broken (every connection to deb.debian.org / download.proxmox.com / security.debian.org failed via IPv6). PVE 9.1.1 → 9.1.9. New kernel 6.17.13-4-pve installed; currently still booted on 6.17.2-1-pve.

Pending (require user-chosen window)

  • Finn reboot: to switch from kernel 6.17.2-1-pve → 6.17.13-4-pve. Drops every CT/VM ~3-5 min.
  • UDev reboot: nothing critical, just stale tmux/bash sessions running pre-upgrade libc. Will kill current Claude session.

Discoveries / Side-flags

  1. Finn IPv6 broken: curl -6 http://deb.debian.org/ fails immediately; IPv4 is fine. Worth investigating: misconfigured IPv6 default route or upstream advertising a bad route. Workaround applied (force IPv4 in the apt run).
  2. Stale n8n CT apparmor profile line, set sometime earlier, became fatal with Docker 29.x. Removed. Same line is not on immich CT 107.
  3. AdGuard mental model, runs as Docker container, not host binary. Compose at /opt/adguard-home/, plus separate docker-compose.tunnel.yml for the Cloudflare tunnel sidecar. MEMORY.md doesn't have this, worth a follow-up note.
  4. Cleartext credentials seen during audit/run (in tmux scrollback only, not committed):
     • FRIGATE_RTSP_PASSWORD + FRIGATE_MQTT_PASSWORD (printed by docker exec frigate env)
     • WireGuard WIREGUARD_PRIVATE_KEY (in /opt/stacks/media/docker-compose.yml directly, not in .env!)
     • CLOUDFLARED_TUNNEL_TOKEN (in /opt/adguard-home/.env)
     The WireGuard key in the compose file is the most concerning; it should be moved to an env file outside any backup/git path.
  5. media-server compose project name quirk: the compose has name: media-server (or sets it via env), but the directory is /opt/stacks/media. Future docker compose commands from that dir need -p media-server or they'll target the wrong project. Worth either renaming the dir or documenting.
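Two checks for the compose stacks that the last two side-flags call for, as an added example that is not part of this execution log. compose_project_name resolves the name docker compose would use when no -p is given (the COMPOSE_PROJECT_NAME variable from the environment or the stack's .env, then the top-level name: key, then the directory basename), so a wrapper can always pass -p explicitly and never create a second "media" project beside "media-server". inline_secrets lists environment keys that look like secrets but carry a literal value in the compose file instead of a ${VAR} reference into .env, which is exactly how the WireGuard key was found. The sample compose file is constructed here; its image names are placeholders, and bump_stack assumes a docker-compose.yml or compose.yml in the stack directory.

```shell
#!/usr/bin/env bash
# Added example (not the log's own code). The compose file written by
# make_sample_compose is constructed; image names in it are placeholders.

# compose_project_name FILE -> the project name docker compose would use for FILE
compose_project_name() {
  local file="$1" dir name
  dir=$(cd "$(dirname "$file")" && pwd)
  if [ -n "${COMPOSE_PROJECT_NAME:-}" ]; then      # 1. environment variable
    printf '%s' "$COMPOSE_PROJECT_NAME"; return
  fi
  if [ -f "$dir/.env" ]; then                       # 2. same variable from .env
    name=$(grep '^COMPOSE_PROJECT_NAME=' "$dir/.env" | head -n1 | cut -d= -f2- | tr -d "\"'")
    if [ -n "$name" ]; then printf '%s' "$name"; return; fi
  fi
  name=$(awk '/^name:/ { sub(/^name:[[:space:]]*/, ""); print $1; exit }' "$file" | tr -d "\"'")
  if [ -n "$name" ]; then printf '%s' "$name"; return; fi   # 3. top-level name:
  basename "$dir"                                   # 4. directory basename (default)
}

# inline_secrets FILE -> one line per environment key that looks like a secret
# (PASSWORD, SECRET, TOKEN, PRIVATE_KEY, API_KEY) and has a literal value
inline_secrets() {
  awk -v sq="'" '
    /^[[:space:]]*-?[[:space:]]*[A-Z0-9_]*(PASSWORD|SECRET|TOKEN|PRIVATE_KEY|API_KEY)[A-Z0-9_]*[=:]/ {
      line = $0
      sub(/^[[:space:]]*-?[[:space:]]*/, "", line)        # drop indent and list dash
      split(line, kv, "[=:][[:space:]]*")                  # KEY=VALUE or KEY: VALUE
      val = kv[2]
      gsub("[\"" sq "]", "", val)                          # strip surrounding quotes
      if (val != "" && val !~ /^\$[{]?[A-Za-z_]/) print kv[1]   # literal, not ${VAR}
    }' "$1"
}

# bump_stack DIR [SERVICE...] -> the Wave 3 pull/up/prune pattern with the
# project name pinned via -p; refuses to run while the file carries literal secrets
bump_stack() {
  local dir="$1" file project; shift
  file="$dir/docker-compose.yml"; [ -f "$file" ] || file="$dir/compose.yml"
  project=$(compose_project_name "$file")
  if [ -n "$(inline_secrets "$file")" ]; then
    echo "$file: literal secrets in compose file, move them to .env first" >&2; return 1
  fi
  docker compose -p "$project" -f "$file" pull "$@" &&
  docker compose -p "$project" -f "$file" up -d "$@" &&
  docker image prune -f
}

# make_sample_compose -> writes a constructed stack shaped like /opt/stacks/media
# into a temp dir named "media" and prints the compose file path
make_sample_compose() {
  local dir
  dir=$(mktemp -d)/media
  mkdir -p "$dir"
  cat > "$dir/docker-compose.yml" <<'EOF'
name: media-server
services:
  gluetun:
    image: example/gluetun            # placeholder image name
    environment:
      - VPN_TYPE=wireguard
      - WIREGUARD_PRIVATE_KEY=CONSTRUCTED_NOT_A_REAL_KEY=
      - WIREGUARD_ADDRESSES=${WIREGUARD_ADDRESSES}
  prowlarr:
    image: example/prowlarr           # placeholder image name
    network_mode: "service:gluetun"
    environment:
      API_TOKEN: "${PROWLARR_API_TOKEN}"
EOF
  printf '%s' "$dir/docker-compose.yml"
}
```

On the sample the resolver returns media-server from the name: key even though the directory is media, and inline_secrets reports only WIREGUARD_PRIVATE_KEY: the API_TOKEN entry is a ${VAR} reference and is left alone. Running inline_secrets over every compose file under /opt and /mnt/storage/appdata is a cheap way to confirm the move to .env actually happened.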

Versions snapshot (post-update)

Host | Service | Before | After
homeassistant | HA Core | 2026.3.4 | 2026.4.4
homeassistant | Matter addon | 8.3.0 | 8.4.0
UDev | rclone | 1.60.1-DEV | 1.73.5
n8n | n8n | 2.11.4 | 2.17.8
immich | Immich | 2.5.6 | 2.7.5
adguard | AdGuardHome | (unknown, long uptime) | 0.107.74
Finn | Proxmox VE | 9.1.1 | 9.1.9 (staged; reboot pending)
Finn | kernel | 6.17.2-1-pve | 6.17.13-4-pve (staged; reboot pending)