Update all services to latest stable versions #47

Merged: beevelop merged 2 commits into main from beevelop-update-all-services-latest on Jun 24, 2026

@beevelop (Owner) commented Jun 24, 2026

Summary

Brings every service in the repo up to its latest stable image version, applies the config migrations required by major upgrades, and syncs all related files (compose defaults, services/sentry/.env, service READMEs, docs/DEPENDENCIES.md, and services/gitlab/.env.example).

Every target tag was verified to exist in its registry (Docker Hub / quay.io / ghcr.io) before pinning, and all 34 compose files pass DCLint (0 errors) and the service-coverage check.

Major bumps & migrations (require attention)

| Service | Change | Migration applied |
| --- | --- | --- |
| GitLab | 18.9.2 → 19.1.0 | DB image sameersbn/postgresql:15 → kkimurak/sameersbn-postgresql:17 (GitLab 19 requires PG17); DB_EXTENSION pg_trgm,btree_gist; added required ActiveRecord encryption secrets (3 new vars, documented in .env.example + README) |
| Confluence | 9.4.1 → 10.2.13 (UBI9/JDK21) | Major upgrade — Java 21 only; incompatible Server/DC plugins must be re-validated |
| Crowd | 7.1.5 → 7.2.1 | |
| Jira | 11.3.3 → 11.3.7 | |
| Keycloak | 26.5.5 → 26.6.3 | Replaced removed KC_PROXY: edge with KC_PROXY_HEADERS: xforwarded (works with existing KC_HTTP_ENABLED) |
| Directus | 11.16.1 → 12.0.2 | Healthcheck /server/health → /server/ping (health is now auth-gated); added IP_TRUST_PROXY=true (default flipped) and ACCEPT_TERMS=true |
| n8n | 2.12.3 → 2.28.1 | Enabled N8N_RUNNERS_ENABLED=true (task runners) |
| Graylog | 6.2 → 6.3 | Added explicit GRAYLOG_ELASTICSEARCH_HOSTS (fixes default 127.0.0.1 lookup) |
| Weblate | 5.16 → 2026.6 | CalVer; Postgres backend unaffected by the 5.17 MySQL removal |
| Zabbix | 7.2 → 7.4 | 7.4 supports the pinned MariaDB 12.2 (previous 7.2 + 12.2 pairing was unsupported) |
| SonarQube | 26.3 → 26.6 | |
| Metabase | v0.59.3.2 → v0.62.3.2 | App DB stays Postgres 15 (≥14 required) |
| Sentry stack | → 26.6.0 | App images + seaweedfs 4.17_large_disk + postgres 14.23-bookworm, aligned to official self-hosted 26.6.0 (.env is authoritative) |
| MySQL (mysql/directus/monica) | 8.0 → 8.4 LTS | 8.0 is EOL; no default-authentication-plugin flags in use, so 8.4 is safe |

Minor / patch bumps

Vaultwarden 1.36.0, cloudflared 2026.6.1, dependency-track 4.14.2, nexus 3.93.1-alpine, registry 3.1.1, rundeck 5.20.1, tusd v2.10.0, traefik + traefik-tunnel v3.7, duckling 0.2.0.2-r4, elasticsearch (graylog) 7.17.29.

Left unchanged (intentional)

Internal/floating tags that are already current or have no newer stable: beevelop/* (claude-code, shields/varnish), huginn (latest), openvpn (latest, unmaintained), minio, phpmyadmin 5.2.3, statping v0.90.78, cabot 0.11.16 (+ its rabbitmq 3.13 / pg17), monica 5.0.0-beta.5-apache. Redash stays 26.3.0 (latest stable; newer is preview only).

Validation

  • ✅ DCLint (dclint services -r -c .dclintrc.yaml): 0 errors (1 pre-existing port-order warning in traefik, non-blocking)
  • ./.github/scripts/check-service-coverage.sh: PASSED (34/34)
  • ✅ All new image tags confirmed present in their registries
  • ⏳ Full test-services boot matrix runs in CI (no Docker daemon available locally)

Operators upgrading existing GitLab / Confluence deployments must follow upstream's multi-step major-version upgrade paths and the new GitLab encryption-secret requirements — fresh deployments work out of the box.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

Summary by CodeRabbit

  • Chores
    • Updated documentation and default service images across many apps to newer versions, including GitLab, Keycloak, Traefik, SonarQube, Metabase, Graylog, Zabbix, Directus, MySQL, and others.
    • Refreshed several setup guides and example environment files to match the latest supported releases.
    • Added new GitLab setup variables for encryption settings and updated related defaults.
    • Adjusted a few service settings for better compatibility, including Graylog’s database endpoint and Directus/Keycloak proxy-related configuration.

Bump every service's images to the latest stable releases, apply the
config migrations required by major upgrades, and sync all READMEs,
docs and .env files to match.

Notable major bumps & migrations:
- GitLab 18.9.2 -> 19.1.0: switch DB to kkimurak/sameersbn-postgresql:17
  (PG17 required), DB_EXTENSION pg_trgm,btree_gist, add required
  ActiveRecord encryption secrets.
- Confluence 9.4.1 -> 10.2.13, Crowd 7.1.5 -> 7.2.1, Jira 11.3.3 -> 11.3.7
  (Java 21 / UBI9).
- Keycloak 26.5.5 -> 26.6.3: replace removed KC_PROXY with KC_PROXY_HEADERS.
- Directus 11.16.1 -> 12.0.2: /server/ping healthcheck, IP_TRUST_PROXY,
  ACCEPT_TERMS.
- n8n 2.12.3 -> 2.28.1: enable task runners.
- Graylog 6.2 -> 6.3: explicit GRAYLOG_ELASTICSEARCH_HOSTS.
- Weblate 5.16 -> 2026.6, Zabbix 7.2 -> 7.4 (MariaDB 12.2 compatible),
  SonarQube 26.3 -> 26.6, Metabase v0.59 -> v0.62, Sentry stack -> 26.6.0.
- MySQL 8.0 (EOL) -> 8.4 LTS for mysql/directus/monica.

Minor bumps: Vaultwarden 1.36.0, cloudflared 2026.6.1, dependency-track
4.14.2, nexus 3.93.1, registry 3.1.1, rundeck 5.20.1, tusd v2.10.0,
traefik v3.7, duckling 0.2.0.2-r4.

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>

coderabbitai Bot commented Jun 24, 2026

Warning

Review limit reached

@beevelop, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 42 minutes and 41 seconds. Learn how PR review limits work.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 9ce31e1f-7414-4166-a529-f4db09c138df

📥 Commits

Reviewing files that changed from the base of the PR and between 6688c52 and 51adc22.

📒 Files selected for processing (9)
  • docs/OCI_NAMING.md
  • services/directus/docker-compose.yml
  • services/graylog/README.md
  • services/graylog/docker-compose.yml
  • services/keycloak/README.md
  • services/keycloak/docker-compose.yml
  • services/n8n/docker-compose.yml
  • services/zabbix/README.md
  • services/zabbix/docker-compose.yml

Walkthrough

Container image default tags are bumped across 25+ services (Bitwarden, Cloudflared, Confluence, Crowd, Dependency-Track, Directus, Duckling, Graylog, Jira, Keycloak, Metabase, Monica, MySQL, n8n, Nexus, Redash, Registry, Rundeck, Sentry, SonarQube, Traefik, TUS, Weblate, Zabbix). GitLab is upgraded to 19.1.0 with three new ActiveRecord encryption variables. Directus, Keycloak, Graylog, and n8n also receive non-trivial configuration additions alongside their version bumps. Documentation and docs/DEPENDENCIES.md are updated in sync.

Changes

Service Version Bumps and Configuration Updates

| Layer | File(s) | Summary |
| --- | --- | --- |
| GitLab upgrade to v19 with ActiveRecord encryption | services/gitlab/docker-compose.yml, services/gitlab/.env.example, services/gitlab/README.md | PostgreSQL switched to kkimurak/sameersbn-postgresql:17 with btree_gist extension added; GitLab bumped to 19.1.0; three GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_* variables added to compose, env example, and README documentation. |
| Non-trivial config changes: Directus, Keycloak, Graylog, n8n | services/directus/docker-compose.yml, services/directus/README.md, services/keycloak/docker-compose.yml, services/keycloak/README.md, services/graylog/docker-compose.yml, services/graylog/README.md, services/n8n/docker-compose.yml, services/n8n/README.md | Directus 12.0.2 adds IP_TRUST_PROXY/ACCEPT_TERMS env vars and changes healthcheck to /server/ping; MySQL backing store bumped to 8.4. Keycloak 26.6.3 replaces KC_PROXY: edge with KC_PROXY_HEADERS: xforwarded. Graylog 6.3 adds explicit GRAYLOG_ELASTICSEARCH_HOSTS. n8n 2.28.1 adds N8N_RUNNERS_ENABLED: "true". |
| Straightforward version tag bumps | services/bitwarden/..., services/cloudflared/..., services/confluence/..., services/crowd/..., services/dependency-track/..., services/duckling/..., services/jira/..., services/metabase/..., services/monica/..., services/mysql/..., services/nexus/..., services/redash/..., services/registry/..., services/rundeck/..., services/sentry/..., services/sonarqube/..., services/traefik*/..., services/tus/..., services/weblate/..., services/zabbix/... | Default image tags updated in docker-compose.yml files with corresponding README and env file documentation kept in sync for all listed services. |
| Central dependency docs sync | docs/DEPENDENCIES.md | Backing-store tables updated to reflect new PostgreSQL, MySQL/MariaDB (8.0 → 8.4), MariaDB (Zabbix), and Elasticsearch patch versions used across services. |

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

Possibly related PRs

  • beevelop/BeeCompose#12: Directly related — the Sentry stack structure (.env pins and docker-compose.yml service image references) introduced there is the same structure being updated in this PR.

Poem

🐇 Hop, hop, hooray, new versions today!
From Jira to Graylog, we've bumped them all,
GitLab gets secrets in a JSON array,
Keycloak's old proxy gave way to xforwarded this fall.
The rabbit has tagged each image with care,
Fresh containers are ready to run everywhere! 🎉

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
| Check name | Status | Explanation |
| --- | --- | --- |
| Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled. |
| Title check | ✅ Passed | The title accurately summarizes the PR’s broad goal of upgrading service images and related configs to newer stable versions. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 9

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@services/directus/docker-compose.yml`:
- Around line 21-22: The newly added Directus flags in the docker-compose
configuration are hardcoded literals instead of using compose-style environment
substitution. Update the Directus service entries for IP_TRUST_PROXY and
ACCEPT_TERMS to use ${VAR} defaults consistent with the existing docker-compose
policy, keeping the change localized to the service block in docker-compose.yml.

In `@services/gitlab/docker-compose.yml`:
- Line 4: The docker-compose image default variable name for the PostgreSQL
service is inconsistent with the required compose convention. Update the image
reference in the compose definition to use the service-version naming pattern
with POSTGRES_VERSION, and make sure any matching docs or env examples refer to
the same symbol so the contract stays consistent across stacks.
- Around line 60-62: Replace the predictable fallback defaults for the
ActiveRecord encryption settings in the docker-compose configuration with
required environment variable checks so startup fails when they are missing.
Update the three GITLAB_SECRETS_ACTIVE_RECORD_ENCRYPTION_* entries to use
required-variable syntax instead of default strings, keeping the change scoped
to the secrets block in docker-compose.yml.

In `@services/graylog/docker-compose.yml`:
- Line 48: The Graylog docker-compose service is hardcoding
GRAYLOG_ELASTICSEARCH_HOSTS instead of using the required environment
substitution style. Update the relevant docker-compose service definition to use
a defaulted ${VAR} expression for GRAYLOG_ELASTICSEARCH_HOSTS, keeping the value
configurable and consistent with the rest of the compose file.

In `@services/graylog/README.md`:
- Around line 83-84: The Elasticsearch image reference in the Graylog README is
inconsistent with the compose source registry, which can cause confusion when
pulling the image. Update the documentation entry for graylog-elasticsearch to
match the image used by the compose setup, and verify the README table stays
aligned with the source used by the Graylog compose configuration.

In `@services/keycloak/docker-compose.yml`:
- Line 15: The KC_PROXY_HEADERS value is hardcoded in the docker-compose service
config, so make it override-friendly by switching the Keycloak service’s
KC_PROXY_HEADERS entry to environment variable substitution using a ${VAR}
default. Update the docker-compose.yml setting for KC_PROXY_HEADERS to follow
the same pattern used by other configurable values in this file.

In `@services/n8n/docker-compose.yml`:
- Line 23: The N8N_RUNNERS_ENABLED setting in the docker-compose service is
hardcoded, so update the service environment block to use environment variable
substitution with a default value instead. Replace the literal value in the
docker-compose.yml entry for N8N_RUNNERS_ENABLED with a ${VAR} style reference
so it can be overridden consistently alongside the other compose variables.

In `@services/traefik-tunnel/README.md`:
- Line 84: The Traefik tunnel README has been updated to default TRAEFIK_VERSION
to v3.7, but the OCI naming documentation still advertises v3.6, so the docs are
out of sync. Update the TRAEFIK_VERSION entry in docs/OCI_NAMING.md to match the
new default and keep the versioning contract consistent across both docs, using
the same naming key to locate the table.

In `@services/zabbix/docker-compose.yml`:
- Line 29: The Zabbix service images are using a mutable `-latest` fallback,
which can change between pulls; update the image references in the
docker-compose service definitions to use explicit immutable patch tags instead
of `7.4-alpine-latest`. Apply the same change to both Zabbix image entries in
the compose file so deployments are reproducible, and keep the existing variable
pattern only if it resolves to a concrete pinned version.

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: c5907598-d2fa-4eb9-a9a7-6de415d6f9d9

📥 Commits

Reviewing files that changed from the base of the PR and between 47925eb and 6688c52.

📒 Files selected for processing (48)
  • docs/DEPENDENCIES.md
  • services/bitwarden/docker-compose.yml
  • services/cloudflared/README.md
  • services/cloudflared/docker-compose.yml
  • services/confluence/docker-compose.yml
  • services/crowd/docker-compose.yml
  • services/dependency-track/docker-compose.yml
  • services/directus/README.md
  • services/directus/docker-compose.yml
  • services/duckling/docker-compose.yml
  • services/gitlab/.env.example
  • services/gitlab/README.md
  • services/gitlab/docker-compose.yml
  • services/graylog/README.md
  • services/graylog/docker-compose.yml
  • services/jira/README.md
  • services/jira/docker-compose.yml
  • services/keycloak/README.md
  • services/keycloak/docker-compose.yml
  • services/metabase/README.md
  • services/metabase/docker-compose.yml
  • services/monica/README.md
  • services/monica/docker-compose.yml
  • services/mysql/README.md
  • services/mysql/docker-compose.yml
  • services/n8n/README.md
  • services/n8n/docker-compose.yml
  • services/nexus/README.md
  • services/nexus/docker-compose.yml
  • services/redash/README.md
  • services/registry/README.md
  • services/registry/docker-compose.yml
  • services/rundeck/README.md
  • services/rundeck/docker-compose.yml
  • services/sentry/.env
  • services/sentry/docker-compose.yml
  • services/sonarqube/README.md
  • services/sonarqube/docker-compose.yml
  • services/traefik-tunnel/README.md
  • services/traefik-tunnel/docker-compose.yml
  • services/traefik/README.md
  • services/traefik/docker-compose.yml
  • services/tus/README.md
  • services/tus/docker-compose.yml
  • services/weblate/README.md
  • services/weblate/docker-compose.yml
  • services/zabbix/README.md
  • services/zabbix/docker-compose.yml

- Directus/Graylog/Keycloak/n8n: parameterize newly added env vars with
  ${VAR:-default} substitution (IP_TRUST_PROXY, ACCEPT_TERMS,
  GRAYLOG_ELASTICSEARCH_HOSTS, KC_PROXY_HEADERS, N8N_RUNNERS_ENABLED)
- Zabbix: pin immutable tag 7.4.11-alpine instead of mutable 7.4-alpine-latest
  (server + web), sync README
- Graylog: align README Elasticsearch image with compose registry
  (docker.elastic.co/elasticsearch/elasticsearch:7.17.29)
- Keycloak: fix stale README troubleshooting note (KC_PROXY=edge ->
  KC_PROXY_HEADERS=xforwarded)
- docs/OCI_NAMING.md: bump Traefik example to v3.7

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@beevelop beevelop merged commit 6dbeeb6 into main Jun 24, 2026
94 checks passed
@beevelop beevelop deleted the beevelop-update-all-services-latest branch June 24, 2026 13:31
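
Two of the review findings in this thread (predictable fallback defaults for encryption secrets, and a mutable `-latest` image tag) can be checked mechanically before merge. The lint below is an added example, not code from this PR or the repository; the sample compose file and every service, image and variable name in it are constructed placeholders, and only the tags `7.4-alpine-latest` and `7.4.11-alpine` come from the thread.

```python
import re

# Constructed compose file. Service, image and variable names are placeholders;
# the tags 7.4-alpine-latest and 7.4.11-alpine are the ones named in the PR.
SAMPLE_COMPOSE = """\
services:
  app:
    image: example/app:${APP_VERSION:-1.2.3}
    environment:
      APP_ENCRYPTION_PRIMARY_KEY: ${APP_ENCRYPTION_PRIMARY_KEY:-changeme-primary}
      APP_ENCRYPTION_SALT: ${APP_ENCRYPTION_SALT:?set APP_ENCRYPTION_SALT in .env}
      APP_PROXY_HEADERS: ${APP_PROXY_HEADERS:-xforwarded}
  monitor:
    image: example/monitor:${MONITOR_VERSION:-7.4-alpine-latest}
  monitor-web:
    image: example/monitor-web:${MONITOR_VERSION:-7.4.11-alpine}
  tunnel:
    image: example/tunnel
"""

# Matches ${VAR}, ${VAR:-default}, ${VAR-default}, ${VAR:?error}, ${VAR?error}
INTERP = re.compile(r"\$\{(?P<name>[A-Za-z_]\w*)(?::?(?P<op>[-?])(?P<arg>[^}]*))?\}")
ENTRY = re.compile(r"^-?\s*([A-Za-z_][\w.-]*)\s*[:=]\s*(.*)$")
SENSITIVE = re.compile(r"SECRET|PASSWORD|TOKEN|SALT|KEY", re.IGNORECASE)


def resolve_with_defaults(value):
    """Expand interpolations to what is used when no variable is set."""
    def expand(m):
        if m.group("op") == "-":
            return m.group("arg")
        # ${VAR:?...} aborts startup instead of substituting; mark it as such.
        return "<required>" if m.group("op") == "?" else ""
    return INTERP.sub(expand, value)


def audit(compose_text):
    """Return (line, rule, detail) for secret fallbacks and mutable image tags."""
    findings = []
    for lineno, raw in enumerate(compose_text.splitlines(), 1):
        m = ENTRY.match(raw.split(" #")[0].strip())
        if not m:
            continue
        key, value = m.group(1), m.group(2).strip().strip("\"'")
        if key == "image":
            ref = resolve_with_defaults(value)
            if "@sha256:" in ref:
                continue  # pinned by digest
            tag = ref.rsplit("/", 1)[-1].partition(":")[2]
            if not tag or tag == "latest" or tag.endswith("-latest"):
                findings.append((lineno, "mutable-tag", ref))
        elif SENSITIVE.search(key):
            for ref in INTERP.finditer(value):
                # A non-empty fallback means the stack boots with a known secret.
                if ref.group("op") == "-" and ref.group("arg"):
                    findings.append((lineno, "secret-default", ref.group("name")))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_COMPOSE):
        print(finding)
```

The name pattern in `SENSITIVE` is a heuristic; a variable that holds a secret under a different name needs to be added to it.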