Rezha Julio

The Lazy Sysadmin's Guide to Docker Maintenance


Manually running docker compose pull and docker compose up -d every time an update drops is exhausting. We have better things to do.

But ignoring updates isn’t an option either. Security patches matter. New features are nice.

So I built a lazy stack: Watchtower + Telegram notifications. My homelab updates itself at 4 AM and tells me what happened when I wake up.

The tool: Watchtower

Watchtower automates Docker container base image updates. It checks for new images, pulls them, and gracefully restarts your containers with the exact same options you used to deploy them.

The configuration

I use docker-compose. Clean, reproducible, easy to back up.

services:
  watchtower:
    image: containrrr/watchtower
    container_name: watchtower
    restart: unless-stopped
    volumes:
      # Watchtower manages containers through the Docker socket;
      # this mount gives it full control of the Docker daemon.
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/localtime:/etc/localtime:ro
    environment:
      # Use a recent API version to avoid "client version too old" errors on Arch/Modern Docker
      - DOCKER_API_VERSION=1.45
      # Clean up old images after update to save disk space
      - WATCHTOWER_CLEANUP=true
      # Schedule it! (Cron format: Seconds Minutes Hours Day Month Weekday)
      # This runs at 04:00 AM every day.
      - WATCHTOWER_SCHEDULE=0 0 4 * * *
      # Silence the startup banner in logs
      - WATCHTOWER_NO_STARTUP_MESSAGE=true
      # NOTIFICATIONS (The fun part)
      - WATCHTOWER_NOTIFICATIONS=shoutrrr
      - WATCHTOWER_NOTIFICATION_URL=telegram://YOUR_BOT_TOKEN@telegram?channels=YOUR_CHAT_ID

Breaking down the config

  1. Scheduling (WATCHTOWER_SCHEDULE): I set it to 0 0 4 * * *. Why 4 AM? I’m asleep, and if something breaks, I won’t notice until morning anyway. Internet traffic is also low.

  2. Cleanup (WATCHTOWER_CLEANUP): Removes the old image after pulling the new one. No more docker system prune panic when your disk hits 100%.

  3. API Version (DOCKER_API_VERSION): If you’re on a bleeding-edge distro like Arch, Watchtower might complain that its client is too old. Setting the version (e.g., 1.45) fixes this.

Setting up notifications

Updates are great, but silent updates are scary. I want to know what happened.

Watchtower supports Shoutrrr, which connects to basically everything (Discord, Telegram, Slack, Email, Gotify, etc.).

For Telegram:

  1. Create a bot with @BotFather to get a token.
  2. Get your Chat ID (use @userinfobot or similar).
  3. Format the URL: telegram://TOKEN@telegram?channels=CHAT_ID.

Now every morning I wake up to a message like:

Found new image for container my-app… Updated!

This setup takes 5 minutes and saves hours of manual work over a year.

For mission-critical databases, pin your versions. But for typical homelab services (Plex, *arr apps, simple web servers), it works fine.
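
The pinning advice above, as an added compose example that is not part of the original post: a database pinned to an exact tag and excluded from Watchtower with its `com.centurylinklabs.watchtower.enable` label, next to a service that keeps auto-updating. The service names `db` and `web`, the image tags, and the `.env` variable names are assumptions for illustration.

```yaml
# Added example; "db", "web", the tags and the .env variable names are illustrative.
services:
  watchtower:
    image: containrrr/watchtower
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - WATCHTOWER_CLEANUP=true
      - WATCHTOWER_SCHEDULE=0 0 4 * * *
      - WATCHTOWER_NOTIFICATIONS=shoutrrr
      # Token and chat ID are interpolated from .env (assumed variable names),
      # so the compose file can be backed up or committed without the secret.
      - WATCHTOWER_NOTIFICATION_URL=telegram://${TELEGRAM_BOT_TOKEN}@telegram?channels=${TELEGRAM_CHAT_ID}

  db:
    # Pinned to an exact release instead of "latest".
    image: postgres:16.4
    restart: unless-stopped
    labels:
      # A pinned tag can still be re-pushed upstream. This label makes
      # Watchtower skip the container entirely, so it only changes when
      # you edit the tag and redeploy by hand.
      - com.centurylinklabs.watchtower.enable=false
    environment:
      # Compose aborts with this message if the variable is missing.
      - POSTGRES_PASSWORD=${POSTGRES_PASSWORD:?required}
    volumes:
      - db-data:/var/lib/postgresql/data

  web:
    # No label: Watchtower updates this one on the 04:00 schedule.
    image: nginx:stable
    restart: unless-stopped

volumes:
  db-data:
```

To flip the default so that only explicitly labelled containers are updated, set `WATCHTOWER_LABEL_ENABLE=true` on the Watchtower service and give each opted-in container the same label with the value `true`.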

