Why Watchtower Is Perfect for Homelab Docker

Running Watchtower in a Docker homelab is one of the most popular setups in the self-hosting community. Here's why:

  • Security patches arrive automatically — open-source projects like Vaultwarden, Nextcloud, and Home Assistant push security fixes frequently. Without automation, homelabbers run outdated (vulnerable) software for weeks.
  • No SSH sessions required — set up Watchtower once and forget it. Updates happen on schedule while you sleep.
  • Disk stays clean — with WATCHTOWER_CLEANUP=true, old images are removed automatically after each update.
  • Notifications keep you informed — Watchtower sends a Slack or Telegram message every time it updates a container, so you know exactly what changed and when.

Base Watchtower Configuration for Homelab

This is the recommended starting point for any self-hosted Docker homelab with Watchtower:

services:
  watchtower:
    image: containrrr/watchtower
    container_name: watchtower
    restart: unless-stopped
    volumes:
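      # The Docker socket gives Watchtower full control of the Docker daemon (root-equivalent on the host)
      - /var/run/docker.sock:/var/run/docker.sock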
      - /etc/localtime:/etc/localtime:ro
    environment:
      # Update at 3 AM every night (6-field cron expression, seconds first)
      - WATCHTOWER_SCHEDULE=0 0 3 * * *
      - TZ=America/New_York

      # Clean up old images automatically
      - WATCHTOWER_CLEANUP=true

      # Update containers one at a time (safer for multi-container stacks)
      - WATCHTOWER_ROLLING_RESTART=true

      # Notify via Telegram when anything updates
      - WATCHTOWER_NOTIFICATION_URL=telegram://BOT_TOKEN@telegram?channels=CHAT_ID

Auto-Update n8n with Watchtower

n8n is a workflow automation platform with a very active release cycle: new versions ship weekly. Watchtower keeps the n8n container current automatically:

services:
  n8n:
    image: n8nio/n8n
    container_name: n8n
    restart: unless-stopped
    ports:
      - "5678:5678"
    volumes:
      - n8n_data:/home/node/.n8n
    environment:
      - N8N_BASIC_AUTH_ACTIVE=true
      - N8N_BASIC_AUTH_USER=admin
      - N8N_BASIC_AUTH_PASSWORD=yourpassword
    labels:
      - "com.centurylinklabs.watchtower.enable=true"

  watchtower:
    image: containrrr/watchtower
    container_name: watchtower
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - WATCHTOWER_SCHEDULE=0 0 4 * * *
      - WATCHTOWER_CLEANUP=true
      - WATCHTOWER_LABEL_ENABLE=true   # Only update labeled containers

volumes:
  n8n_data:

Ollama Docker Compose Auto-Update with Watchtower

Ollama (the local LLM runner) is updated frequently with new model support and performance improvements. A Docker Compose setup that auto-updates Ollama with Watchtower:

services:
  ollama:
    image: ollama/ollama
    container_name: ollama
    restart: unless-stopped
    ports:
      - "11434:11434"
    volumes:
      - ollama_data:/root/.ollama
    deploy:
      resources:
        reservations:
          devices:
            - driver: nvidia
              count: 1
              capabilities: [gpu]
    labels:
      - "com.centurylinklabs.watchtower.enable=true"

  open-webui:
    image: ghcr.io/open-webui/open-webui:main
    container_name: open-webui
    restart: unless-stopped
    ports:
      - "3000:8080"
    volumes:
      - open_webui_data:/app/backend/data
    environment:
      - OLLAMA_BASE_URL=http://ollama:11434
    labels:
      - "com.centurylinklabs.watchtower.enable=true"

  watchtower:
    image: containrrr/watchtower
    restart: unless-stopped
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      - WATCHTOWER_CLEANUP=true
      - WATCHTOWER_LABEL_ENABLE=true
      - WATCHTOWER_SCHEDULE=0 0 5 * * *
      - WATCHTOWER_TIMEOUT=60s   # Ollama needs more time to stop gracefully

volumes:
  ollama_data:
  open_webui_data:

Watchtower on macOS Docker Desktop

Watchtower on macOS with Docker Desktop works the same as on Linux; no special configuration is required. Docker Desktop creates a standard /var/run/docker.sock compatibility socket:

# macOS: exact same command as Linux
docker run -d \
  --name watchtower \
  --restart unless-stopped \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -e WATCHTOWER_CLEANUP=true \
  -e WATCHTOWER_POLL_INTERVAL=86400 \
  containrrr/watchtower

# If you get a socket permission error on macOS:
# Docker Desktop → Settings → Advanced → Enable "Allow the default Docker socket to be used"

Note: On macOS, Docker containers run inside a Linux VM managed by Docker Desktop. Watchtower monitors containers within this VM. When macOS restarts or Docker Desktop is quit, all containers (including Watchtower) stop. They restart automatically when Docker Desktop relaunches if you use --restart unless-stopped.

Container-Specific Recommendations

Not all self-hosted containers should be auto-updated equally. Here's a guide for popular self-hosted apps:

| Application | Image | Auto-Update Safe? | Notes |
|---|---|---|---|
| Vaultwarden | vaultwarden/server | ✓ Yes | Security patches are critical — always keep updated |
| n8n | n8nio/n8n | ✓ Yes | Back up workflow data before major version jumps |
| Ollama | ollama/ollama | ✓ Yes | Use WATCHTOWER_TIMEOUT=60s for graceful stop |
| Home Assistant | homeassistant/home-assistant | ⚠ Caution | Major versions may break integrations — review release notes |
| Nextcloud | nextcloud | ⚠ Caution | Major versions require manual upgrade wizard — don't auto-update |
| Jellyfin | jellyfin/jellyfin | ✓ Yes | Safe to auto-update, media library is unaffected |
| Plex | linuxserver/plex | ✓ Yes | Regular updates with new codec support |
| PostgreSQL | postgres | ✗ Manual only | Major version upgrades require data migration |
| MySQL/MariaDB | mysql / mariadb | ✗ Manual only | Same as PostgreSQL — data migration required for major versions |
| Immich | ghcr.io/immich-app/immich-server | ⚠ Caution | Check migration notes on each release |

Excluding Critical Containers

# Exclude databases and critical services from Watchtower
services:
  postgres:
    image: postgres:16
    labels:
      - "com.centurylinklabs.watchtower.enable=false"   # Never auto-update

  nextcloud:
    image: nextcloud:latest
    labels:
      - "com.centurylinklabs.watchtower.enable=false"   # Manual major version updates

  vaultwarden:
    image: vaultwarden/server:latest
    labels:
      - "com.centurylinklabs.watchtower.enable=true"    # Always auto-update for security

  n8n:
    image: n8nio/n8n
    labels:
      - "com.centurylinklabs.watchtower.enable=true"    # Safe to auto-update
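
The check below is an added example, not part of the original guide or the Watchtower project: it reads docker inspect output and flags containers whose update mode contradicts the table above, both in Watchtower's default mode and with WATCHTOWER_LABEL_ENABLE=true. The sample JSON is constructed, the set and function names are hypothetical, and label parsing is simplified to the strings true and false.

```python
import json

ENABLE_LABEL = "com.centurylinklabs.watchtower.enable"
MANUAL_ONLY = {"postgres", "mysql", "mariadb"}   # "Manual only" rows in the guide's table
SECURITY_CRITICAL = {"vaultwarden/server"}       # "always keep updated" row

# Constructed sample, trimmed to the `docker inspect` fields this check reads.
SAMPLE = json.loads("""[
 {"Name": "/postgres",    "Config": {"Image": "postgres:16", "Labels": {}}},
 {"Name": "/vaultwarden", "Config": {"Image": "vaultwarden/server:latest", "Labels": null}},
 {"Name": "/n8n",         "Config": {"Image": "n8nio/n8n",
     "Labels": {"com.centurylinklabs.watchtower.enable": "true"}}},
 {"Name": "/nextcloud",   "Config": {"Image": "nextcloud:latest",
     "Labels": {"com.centurylinklabs.watchtower.enable": "false"}}}
]""")


def repo(image):
    """Drop the digest and tag: 'postgres:16' -> 'postgres'. Registry prefixes are kept."""
    image = image.split("@", 1)[0]
    head, sep, tail = image.rpartition("/")
    return head + sep + tail.split(":", 1)[0]


def watched(container, label_enable):
    """Would Watchtower update this container? (simplified: only 'true'/'false' count)"""
    value = (container["Config"].get("Labels") or {}).get(ENABLE_LABEL, "").lower()
    if label_enable:            # WATCHTOWER_LABEL_ENABLE=true: opt-in only
        return value == "true"
    return value != "false"     # default mode: everything except explicit opt-outs


def audit(containers, label_enable):
    """Return (container, problem) pairs where the update mode contradicts the guide."""
    findings = []
    for c in containers:
        name, image = c["Name"].lstrip("/"), repo(c["Config"]["Image"])
        auto = watched(c, label_enable)
        if image in MANUAL_ONLY and auto:
            findings.append((name, "manual-only image would be auto-updated"))
        if image in SECURITY_CRITICAL and not auto:
            findings.append((name, "security-critical image is not auto-updated"))
    return findings


if __name__ == "__main__":
    for mode in (False, True):
        print(f"WATCHTOWER_LABEL_ENABLE={str(mode).lower()}:", audit(SAMPLE, mode))
```

To run it against a real host, replace SAMPLE with json.load over the saved output of docker inspect $(docker ps -q).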

Frequently Asked Questions

Can Watchtower auto-update n8n on Docker?

Yes. n8n runs as a standard Docker container with the n8nio/n8n image on Docker Hub. Watchtower detects new n8n releases and updates automatically. Add com.centurylinklabs.watchtower.enable=true to your n8n container and set WATCHTOWER_CLEANUP=true to manage disk space. Back up your n8n workflow data volume before major version updates.

Does Watchtower work on macOS Docker Desktop?

Yes. Docker Desktop for Mac creates a standard /var/run/docker.sock compatibility path. Mount it the same way as Linux: -v /var/run/docker.sock:/var/run/docker.sock. No macOS-specific configuration is needed. If you get a socket permission error, enable "Allow the default Docker socket to be used" in Docker Desktop settings.

How do I auto-update Ollama with Watchtower?

Add Watchtower to your Ollama Docker Compose file. Set WATCHTOWER_CLEANUP=true and WATCHTOWER_TIMEOUT=60s (Ollama needs more time to stop gracefully). Label the Ollama container with com.centurylinklabs.watchtower.enable=true. Watchtower will detect new ollama/ollama releases on Docker Hub and update automatically.

Which self-hosted apps should I exclude from Watchtower?

Databases (PostgreSQL, MySQL, MariaDB) must be excluded — major version upgrades require manual data migration. Nextcloud and Immich should also be excluded for the same reason. Add com.centurylinklabs.watchtower.enable=false to these containers. Everything else — Vaultwarden, Jellyfin, n8n, Ollama, Plex — is generally safe for auto-updates.

Jamie Lee
Homelab Engineer · Self-hosting advocate
Jamie runs a 40+ container homelab with Watchtower managing automatic updates for every application. The per-container update recommendations in this guide are drawn from two years of homelab operation, including several incidents with database auto-updates that informed the exclusion recommendations.