Upgrade third-party container images across the Nomad cluster #150

Description

@afreidah

Most of the third-party images we run are behind upstream. A few are security/EOL, and a couple of projects are dead and need migrating off. Tracking the whole sweep here. Self-hosted registry.munchbox.cc images are out of scope. Deploying one at a time.

Security / EOL (first)

  • haproxy 3.1-alpine -> 3.2-alpine (3.1 is EOL, no more patches)
  • traefik v3.6.11 -> v3.7.1 (CVE-2026-44774)
  • vaultwarden 1.35.2 -> 1.36.0 (SSO/SSRF/user-enum fixes)
  • curlimages/curl 8.18.0 -> 8.20.0 (aptly job; 8.19 had CVEs)
  • minio latest -> pinned RELEASE (stale ~9mo + priv-esc CVE)

Retired upstreams (migrate, not just bump)

  • readarr 0.4.19-nightly -> retired by Servarr; plan removal/migration
  • ersatztv v26.3.0 -> archived; move to legacy line or replace
  • minio -> upstream archived, community source-only; plan exit

Major-version jumps (review breaking changes)

  • grafana 12.4.1 -> 13.0.1
  • tempo 2.10.2 -> 3.0.0
  • forgejo 14.0.3 -> 15.0.2 (14.0.5 is the minimal patch)
  • forgejo-runner: gitea/act_runner 0.2.11 -> 1.0.x, or switch to the native Forgejo runner

Routine minor/patch

  • alertmanager v0.29.0 -> v0.32.0
  • alloy v1.13.2 -> v1.16.2
  • loki 3.6.7 -> 3.7.2
  • prometheus v3.10.0 -> v3.12.0
  • coredns 1.13.2 -> 1.14.3
  • oauth2-proxy v7.14.2 -> v7.15.2
  • temporal-server 1.29.1 -> 1.31.0
  • temporal-ui 2.44.1 -> 2.50.0
  • trivy 0.68.2 -> 0.71.0
  • postgres-exporter v0.18.1 -> v0.19.1
  • pve-exporter 3.5.0 -> 3.9.0
  • redis_exporter v1.80.1 -> v1.84.0
  • gluetun v3.41.0 -> v3.41.1
  • flaresolverr v3.4.6 -> v3.5.0
  • cloudflared 2026.1.2 -> 2026.5.2
  • jellyfin 10.11.6 -> 10.11.10
  • sonarr 4.0.16 -> 4.0.17
  • radarr 6.0.4 -> 6.1.1
  • prowlarr 2.3.0 -> 2.3.5
  • joxit/docker-registry-ui -> 2.6.0
  • alpine 3.23 -> 3.23.4 (and 3.21 usages)
  • busybox 1.37.0 -> 1.38.0

Pin rolling tags

  • nginx-s3-gateway latest-njs-oss -> datestamped tag
  • redis 8-alpine / registry 3 -> optional explicit pin
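As an added example (not code from this issue or from the repository it belongs to), the following script does the triage the "Pin rolling tags" and "Security / EOL" sections call for: it parses image references of the kind a Nomad job spec carries and sorts them into digest-pinned, fully pinned, floating (major- or minor-only) and rolling tags, so the unpinned ones can be found before the sweep rather than after. The image references in `SAMPLE_IMAGES` are constructed for illustration and the tag classification rules (`ROLLING_WORDS`, `SEMVER_RE`) are this example's own assumptions, not the project's policy.

```python
import re

# Constructed sample: image references in the shape a Nomad task's
# config.image field would hold. Not taken from the repository's job files.
SAMPLE_IMAGES = [
    "haproxy:3.1-alpine",
    "traefik:v3.6.11",
    "minio/minio:latest",
    "nginxinc/nginx-s3-gateway:latest-njs-oss",
    "redis:8-alpine",
    "registry:3",
    "alpine:3.23",
    "curlimages/curl:8.18.0",
    "ghcr.io/example/app@sha256:" + "ab" * 32,  # digest-pinned (placeholder digest)
    "busybox",  # no tag at all: implicit :latest
]

# Tag components that mean "whatever upstream pushed most recently" (assumption).
ROLLING_WORDS = {"latest", "edge", "nightly", "stable", "main", "master"}

# Optional leading "v", then major[.minor[.patch]], then an optional
# variant suffix such as "-alpine" or "-njs-oss".
SEMVER_RE = re.compile(r"^v?(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:[-.+][0-9A-Za-z.-]+)?$")


def parse_image(ref):
    """Split an image reference into (name, tag, digest).

    The tag separator is the last ':' that comes after the last '/', so a
    registry port such as "registry.example:5000/app" is not read as a tag.
    """
    digest = None
    if "@" in ref:
        ref, digest = ref.split("@", 1)
    name, tag = ref, None
    last_slash = ref.rfind("/")
    colon = ref.rfind(":")
    if colon > last_slash:
        name, tag = ref[:colon], ref[colon + 1:]
    return name, tag, digest


def classify(ref):
    """Return one of: digest, pinned, floating-patch, floating-minor, rolling, unknown."""
    _name, tag, digest = parse_image(ref)
    if digest:
        return "digest"  # immutable: the only reference that cannot silently change
    if tag is None:
        return "rolling"  # no tag means :latest
    if any(part.lower() in ROLLING_WORDS for part in tag.split("-")):
        return "rolling"
    m = SEMVER_RE.match(tag)
    if not m:
        return "unknown"  # date stamps, hashes, etc.: inspect by hand
    _major, minor, patch = m.group(1), m.group(2), m.group(3)
    if patch is not None:
        return "pinned"
    # "3.1-alpine" floats across 3.1.x; "8-alpine" or "3" float across 8.x / 3.x.
    return "floating-patch" if minor is not None else "floating-minor"


def report(refs):
    """Group references by category so the sweep can prioritise unpinned images."""
    grouped = {}
    for ref in refs:
        grouped.setdefault(classify(ref), []).append(ref)
    return grouped


if __name__ == "__main__":
    for category, refs in sorted(report(SAMPLE_IMAGES).items()):
        print(f"{category}:")
        for ref in refs:
            print(f"  {ref}")
```

Run it over the `image` values collected from the job specs (for example with `nomad job inspect` piped through `jq`) and everything in the `rolling` and `floating-minor` groups is a candidate for the explicit pin the issue asks for; `floating-patch` tags such as `3.1-alpine` are the ones that keep receiving patches only while that minor line is supported, which is exactly the haproxy 3.1 EOL case above.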
