diff --git a/.github/workflows/renovate-rebase.yaml b/.github/workflows/renovate-rebase.yaml
new file mode 100644
index 00000000..3e0dc4b3
--- /dev/null
+++ b/.github/workflows/renovate-rebase.yaml
@@ -0,0 +1,14 @@
+---
+# yoinked from onedr0p and modified
+# info in comments is accurate as of 2023-11-25
+name: "Renovate (Manual Rebase Re-run)"
+
+on:
+ push:
+ branches: ["renovate/**"]
+
+jobs:
+ renovate:
+ name: Renovate
+ uses: ./.github/workflows/renovate.yaml
+ secrets: inherit
\ No newline at end of file
diff --git a/.github/workflows/renovate.yaml b/.github/workflows/renovate.yaml
index 35710e6e..b88b1816 100644
--- a/.github/workflows/renovate.yaml
+++ b/.github/workflows/renovate.yaml
@@ -4,6 +4,7 @@ name: "Renovate"
 on:
+ workflow_call:
 workflow_dispatch:
 inputs:
 dryRun:
@@ -35,7 +36,6 @@ env:
 RENOVATE_AUTODISCOVER_FILTER: "${{ github.repository }}" # this is to prevent forks from running Renovate against upstream repo
 RENOVATE_USERNAME: "${{ secrets.BOT_USERNAME }}[bot]"
 RENOVATE_GIT_AUTHOR: "${{ secrets.BOT_USERNAME }} <${{ secrets.BOT_API_ID }}+${{ secrets.BOT_USERNAME }}[bot]@users.noreply.github.com>" # get $BOT_API_ID from `curl -s 'https://api.github.com/users/$(BOT_USERNAME)%5Bbot%5D' | yq .id`
- RENOVATE_REBASE_WHEN: "behind-base-branch"
 
 jobs:
 renovate:
diff --git a/.renovate/groups.json5 b/.renovate/groups.json5
index 976761f8..e319eaa1 100644
--- a/.renovate/groups.json5
+++ b/.renovate/groups.json5
@@ -2,11 +2,17 @@
 "$schema": "https://docs.renovatebot.com/renovate-schema.json",
 "packageRules": [
 // NOTE: Renovate processes rules from top to bottom, so the rules below take precedence over rules above it
+ {
+ "description": "Default options",
+ "rebaseWhen": "conflicted",
+ "automerge": false
+ },
 {
 "description": "Auto merge Github Actions",
 "matchManagers": ["github-actions"],
 "automerge": true,
 "automergeType": "pr",
+ "rebaseWhen": "behind-base-branch",
 "ignoreTests": true,
 "matchUpdateTypes": ["minor", "patch", "digest"]
 },
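Review bot: The `push` trigger on `renovate/**` fires on every push to those branches, including the pushes Renovate itself makes when it creates or rebases a branch, so each run that pushes will queue another full Renovate run with inherited secrets; whether that actually happens depends on the credential Renovate pushes with (pushes made with GITHUB_TOKEN do not trigger workflows, app or PAT tokens do), which is not visible in this diff. A `concurrency:` group keyed on the branch would at least stop overlapping runs of the same branch. The line `# info in comments is accurate as of 2023-11-25` refers to explanatory comments this file does not contain; either drop it or replace it with what the workflow is for, e.g. `# Re-runs Renovate whenever a renovate/* branch is pushed (manual rebase / retry).`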
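Review bot: `workflow_call:` is added with no `inputs:` block, while the `workflow_dispatch:` trigger directly below it declares `dryRun`; when this workflow is invoked from the new rebase workflow the `inputs` context carries no `dryRun`, so any `${{ inputs.dryRun }}` reference further down the file (outside this hunk) will evaluate to an empty string instead of whatever the dispatch input supplies. Declare the same inputs with defaults under `workflow_call:`, or default the expression where it is consumed, e.g. `${{ inputs.dryRun || 'false' }}`. Removing `RENOVATE_REBASE_WHEN` from `env:` in the second hunk is consistent with `rebaseWhen` now being set per rule in .renovate/groups.json5; a short comment at that spot pointing to the config file would save the next reader the search.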
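Review bot: The new `Default options` rule has no `match*` selector and relies on Renovate applying a selector-less packageRule to every dependency; recent Renovate releases validate that each packageRule contains at least one selector, so confirm this against the version in use and, if it is rejected, move `"rebaseWhen": "conflicted"` and `"automerge": false` to the top-level config, where both are ordinary global options. Every automerge rule then re-sets `"rebaseWhen": "behind-base-branch"` (here and in the later hunks of this file); a comment on the default rule such as `// automerged PRs opt back in to behind-base-branch rebasing in their own rules` would make that pairing explicit.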
@@ -24,6 +30,7 @@
 // "matchDatasources": ["docker"],
 "automerge": true,
 "automergeType": "pr",
+ "rebaseWhen": "behind-base-branch",
 "matchFileNames": ["kube/deploy/apps/**"],
 "matchUpdateTypes": ["minor", "patch", "digest"],
 "matchCurrentVersion": "!/^0\\./", // avoid breaking changes in 0.x SemVer releases
@@ -41,56 +48,57 @@
 "groupName": "Cilium",
 "matchPackagePatterns": ["cilium"],
 "versioning": "semver",
+ "customChangelogUrl": "https://github.com/cilium/cilium",
 "separateMinorPatch": true,
 "pinDigests": false,
 "group": {
 "commitMessageTopic": "{{{groupName}}} group"
 }
 },
- // FluxCD
 {
 "description": "Flux Group",
 "groupName": "Flux",
 "matchPackagePatterns": ["fluxcd"],
 "matchDatasources": ["docker", "github-tags"],
 "versioning": "semver",
+ "separateMinorPatch": true,
+ "customChangelogUrl": "https://github.com/fluxcd/flux2",
 "group": {
 "commitMessageTopic": "{{{groupName}}} group"
- },
- "separateMinorPatch": true
+ }
 },
- // automerge patch Flux versions
 {
- "description": "Flux Group",
+ "description": "Flux Group (Automerge Patch)",
 "groupName": "Flux",
 "matchPackagePatterns": ["fluxcd"],
 "matchDatasources": ["docker", "github-tags"],
 "versioning": "semver",
- "group": {
- "commitMessageTopic": "{{{groupName}}} group"
- },
 "separateMinorPatch": true,
 "matchUpdateTypes": ["patch"],
 "automerge": true,
- "automergeType": "pr"
+ "automergeType": "pr",
+ "rebaseWhen": "behind-base-branch",
+ "group": {
+ "commitMessageTopic": "{{{groupName}}} group"
+ }
 },
- // authentik
 {
 "description": "authentik Group",
 "groupName": "authentik",
 "matchPackagePatterns": ["authentik"],
 "labels": ["authentik"],
+ "customChangelogUrl": "https://github.com/goauthentik/authentik",
 "automerge": false,
- "group": {
- "commitMessageTopic": "{{{groupName}}} group"
- },
 "separateMultipleMajor": true,
 "separateMinorPatch": true,
 // TODO: Helm chart uses separate key for digests, which Renovate seems to not recognize? maybe patching the image would be better?
- "pinDigests": false
+ "pinDigests": false,
+ "group": {
+ "commitMessageTopic": "{{{groupName}}} group"
+ }
 },
- // manually approve app-template major releases
 {
+ "description": "Manually approve app-template major releases",
 "matchPackagePatterns": ["app-template"],
 "matchDatasources": ["helm"],
 "matchUpdateTypes": ["major"],
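Review bot: `customChangelogUrl` is introduced in three rules here; depending on the Renovate version this repository runs, that option may already have been renamed to `changelogUrl` (Renovate migrates the old name and logs a config-migration warning), so check the run log after this lands rather than assuming the changelog links appear. The `Flux Group (Automerge Patch)` rule now shares every selector and the `groupName` with the `Flux Group` rule above it and differs only in `matchUpdateTypes`, automerge and rebase settings, which works only because later rules win; a comment above it such as `// narrows the Flux Group rule above to patch releases (later rules take precedence)` would record that dependency on ordering.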
@@ -111,6 +119,7 @@
 "dependencyDashboardApproval": false,
 "automerge": true,
 "automergeType": "pr",
+ "rebaseWhen": "behind-base-branch",
 "separateMajorMinor": true,
 "separateMultipleMajor": true,
 "separateMinorPatch": true,
@@ -118,8 +127,8 @@
 "commitMessagePrefix": "fix(app-template/patch): ",
 "labels": ["app-template", "patch"]
 },
- // don't automerge app-template minor releases
 {
+ "description": "Don't automerge app-template minor releases",
 "matchPackagePatterns": ["app-template"],
 "matchDatasources": ["helm"],
 "matchUpdateTypes": ["minor"],
@@ -132,15 +141,21 @@
 "commitMessagePrefix": "feat(app-template/minor): ",
 "labels": ["app-template", "major"]
 },
- // Miniflux enforce distroless images
 {
+ "description": "Miniflux enforce distroless images",
+ "matchPackagePatterns": ["miniflux"],
 "matchDatasources": ["docker"],
- "versionCompatibility": "^(?[^-]+)(?-.*)?$",
 "versioning": "semver",
- "matchPackagePatterns": ["miniflux"]
+ "versionCompatibility": "^(?[^-]+)(?-.*)?$"
 },
- // configure more granular control for apps in ./kube/deploy/core
 {
+ "description": "SearXNG versioning",
+ "matchPackagePatterns": ["searxng"],
+ "matchDatasources": ["docker"],
+ "versioning": "regex:^(?\\d+)\\.(?\\d+)\\.(?\\d+)?$"
+ },
+ {
+ "description": "Configure more granular control for apps in ./kube/deploy/core",
 "matchFileNames": ["kube/deploy/core/**"],
 "automerge": false, // enforce no automerge
 "separateMultipleMajor": true,
@@ -152,7 +167,7 @@
 "matchPackagePatterns": ["jjgadgets/k8s-crd-extractor"],
 "matchUpdateTypes": ["major", "minor", "patch", "digest"],
 "automerge": true,
- "automergeType": "branch",
+ "automergeType": "branch"
 }
 ]
 }
diff --git a/kube/deploy/core/_networking/cilium/app/hr.yaml b/kube/deploy/core/_networking/cilium/app/hr.yaml
index 9b62a9d8..71b7ee59 100644
--- a/kube/deploy/core/_networking/cilium/app/hr.yaml
+++ b/kube/deploy/core/_networking/cilium/app/hr.yaml
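Review bot: In the `SearXNG versioning` regex only the patch digits are optional, not the dot that precedes them, so a two-component tag such as `1.2` does not match while `1.2.` would; wrap the separator into the optional group: `"versioning": "regex:^(?<major>\\d+)\\.(?<minor>\\d+)(?:\\.(?<patch>\\d+))?$"`. As rendered here the named-group names are missing from both that regex and the Miniflux `versionCompatibility` pattern (`(?[^-]+)`), which looks like the page extraction dropping angle-bracketed text rather than the committed content, but verify that the file actually carries the `major`/`minor`/`patch` and `version`/`compatibility` names Renovate's regex versioning and `versionCompatibility` require, because a bare `(?` is not a valid regex and the rule would silently fail to version anything.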
@@ -26,9 +26,9 @@ spec:
 valuesKey: "${CLUSTER_NAME:=biohazard}.yaml"
 optional: false
 values:
- image: # for Renovate changelog
- repository: "quay.io/cilium/cilium"
- tag: "v1.15.1"
+ # image: # for Renovate changelog
+ # repository: "quay.io/cilium/cilium"
+ # tag: "v1.15.1"
 ## NOTE: Cilium Agent API rate limit configuration
 ### upon reboot/untaint/uncordon, burst(s) of pod creations causes Cilium to 429 rate limit pods from getting their network configuration
 ### current config stolen from https://github.com/cilium/cilium/issues/24361#issuecomment-1564825275
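Review bot: Commenting out the `image` block leaves a dead `tag: "v1.15.1"` pin in the HelmRelease values that Renovate no longer updates and that will drift from the chart version it keeps bumping. If the block existed only to give Renovate a changelog link and that role is now taken by `customChangelogUrl` in .renovate/groups.json5 (which this commit's other hunks suggest), delete it outright or say so in place, e.g. `# image pin removed: changelog link now comes from customChangelogUrl in .renovate/groups.json5`. With the values gone, nothing in this file pins the agent image any more; the image that runs is whatever the chart at the current version defaults to, which is worth stating next to the chart version so the next reader does not go looking for the pin.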