P5: Migrate devpi to Kubernetes (#34)

## Summary
- Migrate devpi PyPI caching proxy from indri LaunchAgent to Kubernetes
- Custom container image with devpi-server + devpi-web + auto-init
- StatefulSet with 50Gi PVC, Tailscale Ingress at pypi.tail8d86e.ts.net
- Remove devpi from ansible playbooks and update CLAUDE.md with k8s workflow

## Key Changes
- Add CRI-O registry mirror config for registry.tail8d86e.ts.net
- Change ArgoCD apps to manual sync (was auto-sync causing issues)
- 2Gi memory limit for Whoosh indexer (reclaimed after startup)

## Deployment and Testing
- [x] devpi pod healthy in k8s
- [x] pip install through proxy works
- [x] mcquack 1.0.0 uploaded and installable
- [x] Old devpi stopped on indri

## Post-Merge
Reset ArgoCD to main:
```
argocd app set apps --revision main && argocd app sync apps
argocd app set devpi --revision main && argocd app sync devpi
```

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Reviewed-on: https://forge.tail8d86e.ts.net/eblume/blumeops/pulls/34

ansible/playbooks/indri.yml

@@ -42,10 +42,7 @@
       tags: borgmatic_metrics
     - role: forgejo
       tags: forgejo
-    - role: devpi
-      tags: devpi
-    - role: devpi_metrics
-      tags: devpi_metrics
+    # NOTE: devpi and devpi_metrics roles removed - now hosted in k8s (see argocd/apps/devpi.yaml)
     - role: zot
       tags: zot
     - role: zot_metrics

ansible/roles/alloy/defaults/main.yml

@@ -43,12 +43,7 @@ alloy_brew_logs:
   # NOTE: postgresql and miniflux removed - now hosted in k8s
 
 alloy_mcquack_logs:
-  - path: /Users/erichblume/Library/Logs/mcquack.devpi.out.log
-    service: devpi
-    stream: stdout
-  - path: /Users/erichblume/Library/Logs/mcquack.devpi.err.log
-    service: devpi
-    stream: stderr
+  # NOTE: devpi logs removed - now hosted in k8s
   - path: /Users/erichblume/Library/Logs/mcquack.kiwix-serve.out.log
     service: kiwix
     stream: stdout

ansible/roles/borgmatic/defaults/main.yml

@@ -11,13 +11,13 @@ borgmatic_schedule_hour: 2
 borgmatic_schedule_minute: 0
 
 # Source directories to back up
+# NOTE: devpi removed - now hosted in k8s (PVC handles persistence)
 borgmatic_source_directories:
   - /Users/erichblume/code/personal/zk
   - /opt/homebrew/var/forgejo
   - /Users/erichblume/.config/borgmatic
   - /Users/erichblume/Documents
   - /Users/erichblume/Pictures
-  - /Users/erichblume/devpi
   - /opt/homebrew/var/loki
 
 # Backup repository
@@ -28,9 +28,7 @@ borgmatic_repositories:
     append_only: true
 
 # Exclude patterns
-borgmatic_exclude_patterns:
-  # Exclude mirrored PyPI cache (only backup private packages)
-  - /Users/erichblume/devpi/+files/root/pypi
+borgmatic_exclude_patterns: []
 
 # Encryption passcommand (reads borg passphrase)
 borgmatic_encryption_passcommand: cat /Users/erichblume/.borg/config.yaml

ansible/roles/minikube/files/zot-mirror.conf

@@ -2,6 +2,22 @@
 # Uses host.containers.internal which is stable across restarts
 # Applied by ansible minikube role
 
+# Direct access to Zot for private images (blumeops/*)
+[[registry]]
+prefix = "host.containers.internal:5050"
+location = "host.containers.internal:5050"
+insecure = true
+
+# Tailscale hostname for Zot - redirects to local access
+# Allows manifests to use registry.tail8d86e.ts.net which is cleaner
+[[registry]]
+prefix = "registry.tail8d86e.ts.net"
+location = "registry.tail8d86e.ts.net"
+
+[[registry.mirror]]
+location = "host.containers.internal:5050"
+insecure = true
+
 [[registry]]
 prefix = "docker.io"
 location = "docker.io"

ansible/roles/tailscale_serve/defaults/main.yml

@@ -3,7 +3,7 @@
 # Each service maps a Tailscale service name to local endpoints
 
 tailscale_serve_services:
-  # NOTE: svc:grafana, svc:pg, svc:feed removed - now hosted in k8s
+  # NOTE: svc:grafana, svc:pg, svc:feed, svc:pypi removed - now hosted in k8s
 
   - name: svc:forge
     https:
@@ -18,11 +18,6 @@ tailscale_serve_services:
       port: 443
       upstream: http://localhost:5501
 
-  - name: svc:pypi
-    https:
-      port: 443
-      upstream: http://127.0.0.1:3141
-
   - name: svc:registry
     https:
       port: 443