diff --git a/playbook.yml b/playbook.yml
index 4fb396e..64c0cae 100644
--- a/playbook.yml
+++ b/playbook.yml
@@ -6,6 +6,7 @@
   hosts: raspberry_pis
   vars_files:
     - vault.yml
+    - versions.yml
   roles:
     # These roles are disabled after they have being applied once for performance reasons, it should be safe to enable them again.
     # Notice that this role changes some settings on reruns (on the "Change various sysctl-settings" task), doesn't seem problematic though.
diff --git a/roles/actual/tasks/main.yml b/roles/actual/tasks/main.yml
index c8f446b..e185ecb 100644
--- a/roles/actual/tasks/main.yml
+++ b/roles/actual/tasks/main.yml
@@ -7,7 +7,7 @@
   become: true
   community.docker.docker_container:
     name: actual-server
-    image: "docker.io/actualbudget/actual-server:{{ actual_version }}"
+    image: "docker.io/actualbudget/actual-server:{{ versions.actual }}"
     ports:
       - "127.0.0.1:5006:5006/tcp"
     mounts:
diff --git a/roles/actual/vars/main/defaults.yml b/roles/actual/vars/main/defaults.yml
deleted file mode 100644
index 74aa20d..0000000
--- a/roles/actual/vars/main/defaults.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-actual_version: 24.12.0
diff --git a/roles/changedetection/templates/docker-compose.yaml.j2 b/roles/changedetection/templates/docker-compose.yaml.j2
index 1faa0b2..66a9bca 100644
--- a/roles/changedetection/templates/docker-compose.yaml.j2
+++ b/roles/changedetection/templates/docker-compose.yaml.j2
@@ -1,7 +1,7 @@
 ---
 services:
   changedetection-server:
-    image: "docker.io/dgtlmoon/changedetection.io:{{ changedetection_version }}"
+    image: "docker.io/dgtlmoon/changedetection.io:{{ versions.changedetection.self }}"
     hostname: changedetection
     restart: always
     ports:
@@ -12,7 +12,7 @@ services:
       - PLAYWRIGHT_DRIVER_URL=ws://browserless-chrome:3000
   # See configuration from: https://www.youtube.com/watch?v=o_iG4Wunh98
   browserless-chrome:
-    image: "browserless/chrome:{{ browserless_chrome_version }}"
+    image: "browserless/chrome:{{ versions.changedetection.headless_chrome }}"
     hostname: browserless-chrome
     restart: always
     environment:
diff --git a/roles/changedetection/vars/main/defaults.yml b/roles/changedetection/vars/main/defaults.yml
deleted file mode 100644
index a19afb6..0000000
--- a/roles/changedetection/vars/main/defaults.yml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-changedetection_version: 0.47.06
-# This isn't preferable, i'd rather pin a version. However
-# it's quite hard to find a suitable candidate (https://hub.docker.com/r/browserless/chrome/tags)
-# for arm64.
-browserless_chrome_version: latest
diff --git a/roles/cloudflared/tasks/main.yml b/roles/cloudflared/tasks/main.yml
index 1a6766a..e5f8bac 100644
--- a/roles/cloudflared/tasks/main.yml
+++ b/roles/cloudflared/tasks/main.yml
@@ -2,7 +2,7 @@
 - name: Install Cloudflared
   become: true
   ansible.builtin.apt:
-    deb: https://github.com/cloudflare/cloudflared/releases/latest/download/cloudflared-linux-arm64.deb
+    deb: "https://github.com/cloudflare/cloudflared/releases/download/{{ versions.cloudflared }}/cloudflared-linux-arm64.deb"
 - name: Install the Cloudflared tunnel as a systemd service
   become: true
   ansible.builtin.command:
diff --git a/roles/immich/templates/.env.j2 b/roles/immich/templates/.env.j2
index 25947df..63ab248 100644
--- a/roles/immich/templates/.env.j2
+++ b/roles/immich/templates/.env.j2
@@ -9,7 +9,7 @@ DB_DATA_LOCATION={{ immich_database_location }}
 TZ=Europe/Amsterdam
 
 # The Immich version to use. You can pin this to a specific version like "v1.71.0"
-IMMICH_VERSION={{ immich_version }}
+IMMICH_VERSION={{ versions.immich }}
 
 # Connection secret for postgres. You should change it to a random password
 # Please use only the characters `A-Za-z0-9`, without special characters or spaces
diff --git a/roles/immich/vars/main/defaults.yml b/roles/immich/vars/main/defaults.yml
index 8815fb7..a69ad07 100644
--- a/roles/immich/vars/main/defaults.yml
+++ b/roles/immich/vars/main/defaults.yml
@@ -1,4 +1,3 @@
 ---
-immich_version: v1.123.0
 immich_upload_location: '/bulk/immich_uploads'
 immich_database_location: '/bulk/immich_database'
diff --git a/roles/monitoring/tasks/main.yml b/roles/monitoring/tasks/main.yml
index e460c23..6e36e8f 100644
--- a/roles/monitoring/tasks/main.yml
+++ b/roles/monitoring/tasks/main.yml
@@ -29,7 +29,7 @@
   become: true
   community.docker.docker_container:
     name: grafana-server
-    image: "docker.io/grafana/grafana:{{ grafana_version }}"
+    image: "docker.io/grafana/grafana:{{ versions.monitoring.grafana }}"
     ports:
       - "127.0.0.1:3000:3000/tcp"
     mounts:
diff --git a/roles/monitoring/vars/main/defaults.yml b/roles/monitoring/vars/main/defaults.yml
index 2801ba6..82ebe4d 100644
--- a/roles/monitoring/vars/main/defaults.yml
+++ b/roles/monitoring/vars/main/defaults.yml
@@ -1,6 +1,5 @@
 ---
 # Prometheus
-prometheus_version: "2.54.1"
 prometheus_targets:
   prometheus:
     - targets:
@@ -37,14 +36,12 @@ prometheus_alertmanager_config:
       - targets:
           - raspberry-pi-1.kleinendorst.info:9093
 # Node exporter
-node_exporter_version: "1.8.2"
 node_exporter_enabled_collectors:
   - systemd
   - {"textfile": {"directory": "{{ node_exporter_textfile_dir }}"}}
   - processes
 node_exporter_web_listen_address: 127.0.0.1:9100
 # Alertmanager
-alertmanager_version: "0.27.0"
 alertmanager_web_listen_address: 127.0.0.1:9093
 # Telegram configuration inspired by this source:
 # https://www.stranatesta.eu/tech/how-to-configure-prometheus-alertmanager-to-send-alerts-to-telegram/#configure-alertmanager
@@ -58,5 +55,4 @@ alertmanager_receivers:
 alertmanager_route:
   receiver: telegram
 # Grafana
-grafana_version: "11.2.0"
 grafana_username: grafana
diff --git a/roles/postgres/templates/docker-compose.yaml.j2 b/roles/postgres/templates/docker-compose.yaml.j2
index c93b95f..be6a638 100644
--- a/roles/postgres/templates/docker-compose.yaml.j2
+++ b/roles/postgres/templates/docker-compose.yaml.j2
@@ -1,7 +1,7 @@
 ---
 services:
   postgres:
-    image: docker.io/postgres:{{ postgres_version }}
+    image: docker.io/postgres:{{ versions.postgres.self }}
     ports:
       - "0.0.0.0:5432:5432"
     restart: always
@@ -19,7 +19,7 @@ services:
     environment:
       POSTGRES_PASSWORD: "{{ postgres_password }}"
   postgres-prometheus-exporter:
-    image: quay.io/prometheuscommunity/postgres-exporter:{{ postgres_prometheus_exporter_version }}
+    image: quay.io/prometheuscommunity/postgres-exporter:{{ versions.postgres.prometheus_exporter }}
     ports:
       - "0.0.0.0:9187:9187"
     environment:
diff --git a/roles/postgres/vars/main/defaults.yml b/roles/postgres/vars/main/defaults.yml
index be623b9..ccc3973 100644
--- a/roles/postgres/vars/main/defaults.yml
+++ b/roles/postgres/vars/main/defaults.yml
@@ -1,4 +1,2 @@
 ---
 postgres_unix_username: postgres
-postgres_version: 17-alpine
-postgres_prometheus_exporter_version: v0.15.0
diff --git a/roles/wedding/tasks/main.yml b/roles/wedding/tasks/main.yml
index 7fc36fb..d981282 100644
--- a/roles/wedding/tasks/main.yml
+++ b/roles/wedding/tasks/main.yml
@@ -9,7 +9,7 @@
   become: true
   community.docker.docker_container:
     name: wedding-server
-    image: "ghcr.io/kleinendorst/wedding:{{ wedding_version }}"
+    image: "ghcr.io/kleinendorst/wedding:{{ versions.wedding }}"
     ports:
       - "127.0.0.1:3001:3000/tcp"
     env:
diff --git a/roles/wedding/vars/main/defaults.yml b/roles/wedding/vars/main/defaults.yml
deleted file mode 100644
index 62d61e8..0000000
--- a/roles/wedding/vars/main/defaults.yml
+++ /dev/null
@@ -1,2 +0,0 @@
----
-wedding_version: 0.0.17
diff --git a/versions.yml b/versions.yml
new file mode 100644
index 0000000..d95705d
--- /dev/null
+++ b/versions.yml
@@ -0,0 +1,31 @@
+---
+versions:
+  # Changelog: https://actualbudget.org/docs/releases/
+  actual: 24.12.0
+  changedetection:
+    # Changelog: https://changedetection.io/CHANGELOG.txt
+    self: 0.48.05
+    # ⬇️ This isn't preferable, i'd rather pin a version. However
+    # it's quite hard to find a suitable candidate (https://hub.docker.com/r/browserless/chrome/tags)
+    # for arm64.
+    headless_chrome: latest
+  # Changelog: https://github.com/immich-app/immich/discussions/8930
+  immich: v1.123.0
+  monitoring:
+    # Changelog: https://github.com/prometheus/prometheus/blob/main/CHANGELOG.md
+    # Note that version 3.0.0 was just released, upgrading is probably necessary.
+    prometheus: 2.55.1
+    # Changelog: https://github.com/prometheus/node_exporter/blob/master/CHANGELOG.md
+    node_exporter: 1.8.2
+    # Changelog: https://github.com/prometheus/alertmanager/blob/main/CHANGELOG.md
+    alertmanager: 0.27.0
+    # Changelog: https://github.com/grafana/grafana/blob/main/CHANGELOG.md
+    grafana: 11.4.0
+  postgres:
+    # Docker version: https://hub.docker.com/_/postgres
+    self: 17.2-alpine
+    # Releases: https://github.com/prometheus-community/postgres_exporter/releases
+    prometheus_exporter: v0.16.0
+  # Releases: https://github.com/Kleinendorst/wedding/pkgs/container/wedding
+  wedding: 0.0.17
+  cloudflared: 2024.12.2