From 243a8629017d3cd3fc54d13a851f97e5492e985e Mon Sep 17 00:00:00 2001 
From: Forgejo Actions Date: Tue, 24 Mar 2026 19:51:17 -0700 Subject: [PATCH] Update docs release to v1.15.0 - Built changelog from towncrier fragments [skip ci] --- CHANGELOG.md | 31 +++++++++++++++++++ argocd/manifests/docs/deployment.yaml | 2 +- docs/changelog.d/+alerts-dashboard.feature.md | 1 - .../+argocd-config-doc-review.doc.md | 1 - .../+authentik-worker-concurrency.bugfix.md | 1 - .../changelog.d/+doc-review-march-2026.doc.md | 1 - .../changelog.d/+fix-apps-outofsync.bugfix.md | 1 - docs/changelog.d/+frigate-0.17.1.infra.md | 1 - docs/changelog.d/+prowler-iac-scan.feature.md | 1 - .../+prowler-image-scan.feature.md | 1 - docs/changelog.d/+seccomp-profiles.infra.md | 1 - .../changelog.d/decommission-jobsync.infra.md | 1 - docs/changelog.d/deploy-prowler.feature.md | 1 - docs/changelog.d/localize-redis.infra.md | 1 - .../unify-container-workflows.infra.md | 1 - .../update-tooling-deps-2026-03.infra.md | 1 - .../changelog.d/upgrade-ntfy-v2.19.2.infra.md | 1 - ...upgrade-tailscale-operator-1.96.3.infra.md | 1 - 18 files changed, 32 insertions(+), 17 deletions(-) delete mode 100644 docs/changelog.d/+alerts-dashboard.feature.md delete mode 100644 docs/changelog.d/+argocd-config-doc-review.doc.md delete mode 100644 docs/changelog.d/+authentik-worker-concurrency.bugfix.md delete mode 100644 docs/changelog.d/+doc-review-march-2026.doc.md delete mode 100644 docs/changelog.d/+fix-apps-outofsync.bugfix.md delete mode 100644 docs/changelog.d/+frigate-0.17.1.infra.md delete mode 100644 docs/changelog.d/+prowler-iac-scan.feature.md delete mode 100644 docs/changelog.d/+prowler-image-scan.feature.md delete mode 100644 docs/changelog.d/+seccomp-profiles.infra.md delete mode 100644 docs/changelog.d/decommission-jobsync.infra.md delete mode 100644 docs/changelog.d/deploy-prowler.feature.md delete mode 100644 docs/changelog.d/localize-redis.infra.md delete mode 100644 docs/changelog.d/unify-container-workflows.infra.md delete mode 100644 
docs/changelog.d/update-tooling-deps-2026-03.infra.md delete mode 100644 docs/changelog.d/upgrade-ntfy-v2.19.2.infra.md delete mode 100644 docs/changelog.d/upgrade-tailscale-operator-1.96.3.infra.md
diff --git a/CHANGELOG.md b/CHANGELOG.md
index fe58f8c..ced38b3 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -12,6 +12,37 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/). +## [v1.15.0] - 2026-03-24 + +### Features + +- Deploy Prowler CIS scanner as a weekly CronJob on minikube-indri, with reports written to sifaka NFS share. +- Add Grafana "Alerts" dashboard showing currently firing alerts and recent state changes. +- Add IaC scanning via Prowler IaC provider (Saturday 2am, Dockerfiles and K8s manifests). +- Add container image vulnerability scanning via Prowler image provider (Saturday 3am, all blumeops/* images). + +### Bug Fixes + +- Fix authentik worker OOMKill by setting AUTHENTIK_WORKER_CONCURRENCY=2 (was defaulting to 16 based on CPU count). +- Remove `group: ""` from tailscale-operator ignoreDifferences — ArgoCD normalizes away the empty string, causing permanent OutOfSync on the apps app. + +### Infrastructure + +- Decommission JobSync service — removed ArgoCD app, k8s manifests, container build, Caddy proxy, Homepage entry, docs, and forge mirror. Replaced by datasette-based job tracking (coming soon). +- Localize authentik-redis container: replace upstream `redis:7-alpine` with nix-built image from nixpkgs (Redis 8.2.3). Introduces attached service pattern with `parent` field in service-versions.yaml and version assertion in default.nix to prevent silent version drift. +- Unified Dockerfile and Nix container build workflows into a single workflow that auto-classifies containers by build type and routes to the correct runner (k8s for Dockerfile, nix-container-builder for Nix). Removed nettest container (outgrown). Nix builds now require an explicit `version = "..."` declaration — no implicit nixpkgs fallback. +- Monthly tooling dependency update: bump prek hooks (trufflehog 3.94.0, ruff 0.15.7, shfmt 3.13.0), Fly.io images (nginx 1.29.6, Alloy 1.14.1), actions/checkout v4.3.1→v6.0.2, tighten mise task Python lower bounds (rich 14, typer 0.24, httpx 0.28.1, pyyaml 6.0.2), and bump ansible-lint/ansible-core floors. 
+- Upgrade ntfy v2.17.0 → v2.19.2 (adds experimental PostgreSQL support, read replicas, web push fixes) +- Revert Tailscale operator to v1.94.2 (v1.96.3 images not yet published); keep Fly proxy `tailscale wait` improvement +- Add RuntimeDefault seccomp profiles to all managed deployments, statefulsets, and cronjobs. +- Upgrade Frigate from 0.17.0-rc2 to 0.17.1 (security fixes, bugfixes). Add motion retention tier (365 days), reduce continuous retention from 180 to 30 days. + +### Documentation + +- Review and fix ArgoCD config tutorial: correct sync policy example, fix typo, add missing cross-references and frontmatter. +- Review and update 12 reference docs: fix stale image references to point at kustomization manifests instead of hardcoded tags, correct Prometheus scrape target, expand external-secrets stub, add cross-references between backup/disaster-recovery docs, and remove misleading `.ts.net` URLs from Quick Reference tables. + + ## [v1.14.3] - 2026-03-22 ### Features
diff --git a/argocd/manifests/docs/deployment.yaml b/argocd/manifests/docs/deployment.yaml
index 5b54ee6..c1203dd 100644
--- a/argocd/manifests/docs/deployment.yaml
+++ b/argocd/manifests/docs/deployment.yaml
@@ -30,7 +30,7 @@ spec:
 name: http
 env:
 - name: DOCS_RELEASE_URL
- value: "https://forge.eblu.me/eblume/blumeops/releases/download/v1.14.3/docs-v1.14.3.tar.gz"
+ value: "https://forge.eblu.me/eblume/blumeops/releases/download/v1.15.0/docs-v1.15.0.tar.gz"
 resources:
 requests:
 memory: "64Mi"
diff --git a/docs/changelog.d/+alerts-dashboard.feature.md b/docs/changelog.d/+alerts-dashboard.feature.md
deleted file mode 100644
index d69802f..0000000
--- a/docs/changelog.d/+alerts-dashboard.feature.md
+++ /dev/null
@@ -1 +0,0 @@
-Add Grafana "Alerts" dashboard showing currently firing alerts and recent state changes.
diff --git a/docs/changelog.d/+argocd-config-doc-review.doc.md b/docs/changelog.d/+argocd-config-doc-review.doc.md
deleted file mode 100644
index 00c0283..0000000
--- a/docs/changelog.d/+argocd-config-doc-review.doc.md
+++ /dev/null
@@ -1 +0,0 @@
-Review and fix ArgoCD config tutorial: correct sync policy example, fix typo, add missing cross-references and frontmatter.
diff --git a/docs/changelog.d/+authentik-worker-concurrency.bugfix.md b/docs/changelog.d/+authentik-worker-concurrency.bugfix.md
deleted file mode 100644
index f438361..0000000
--- a/docs/changelog.d/+authentik-worker-concurrency.bugfix.md
+++ /dev/null
@@ -1 +0,0 @@
-Fix authentik worker OOMKill by setting AUTHENTIK_WORKER_CONCURRENCY=2 (was defaulting to 16 based on CPU count).
diff --git a/docs/changelog.d/+doc-review-march-2026.doc.md b/docs/changelog.d/+doc-review-march-2026.doc.md
deleted file mode 100644
index 40cbc7f..0000000
--- a/docs/changelog.d/+doc-review-march-2026.doc.md
+++ /dev/null
@@ -1 +0,0 @@
-Review and update 12 reference docs: fix stale image references to point at kustomization manifests instead of hardcoded tags, correct Prometheus scrape target, expand external-secrets stub, add cross-references between backup/disaster-recovery docs, and remove misleading `.ts.net` URLs from Quick Reference tables.
diff --git a/docs/changelog.d/+fix-apps-outofsync.bugfix.md b/docs/changelog.d/+fix-apps-outofsync.bugfix.md
deleted file mode 100644
index 00faf4f..0000000
--- a/docs/changelog.d/+fix-apps-outofsync.bugfix.md
+++ /dev/null
@@ -1 +0,0 @@
-Remove `group: ""` from tailscale-operator ignoreDifferences — ArgoCD normalizes away the empty string, causing permanent OutOfSync on the apps app.
diff --git a/docs/changelog.d/+frigate-0.17.1.infra.md b/docs/changelog.d/+frigate-0.17.1.infra.md
deleted file mode 100644
index 8d2025b..0000000
--- a/docs/changelog.d/+frigate-0.17.1.infra.md
+++ /dev/null
@@ -1 +0,0 @@
-Upgrade Frigate from 0.17.0-rc2 to 0.17.1 (security fixes, bugfixes). Add motion retention tier (365 days), reduce continuous retention from 180 to 30 days.
diff --git a/docs/changelog.d/+prowler-iac-scan.feature.md b/docs/changelog.d/+prowler-iac-scan.feature.md
deleted file mode 100644
index b422efa..0000000
--- a/docs/changelog.d/+prowler-iac-scan.feature.md
+++ /dev/null
@@ -1 +0,0 @@
-Add IaC scanning via Prowler IaC provider (Saturday 2am, Dockerfiles and K8s manifests).
diff --git a/docs/changelog.d/+prowler-image-scan.feature.md b/docs/changelog.d/+prowler-image-scan.feature.md
deleted file mode 100644
index e109074..0000000
--- a/docs/changelog.d/+prowler-image-scan.feature.md
+++ /dev/null
@@ -1 +0,0 @@
-Add container image vulnerability scanning via Prowler image provider (Saturday 3am, all blumeops/* images).
diff --git a/docs/changelog.d/+seccomp-profiles.infra.md b/docs/changelog.d/+seccomp-profiles.infra.md
deleted file mode 100644
index c0ee00d..0000000
--- a/docs/changelog.d/+seccomp-profiles.infra.md
+++ /dev/null
@@ -1 +0,0 @@
-Add RuntimeDefault seccomp profiles to all managed deployments, statefulsets, and cronjobs.
diff --git a/docs/changelog.d/decommission-jobsync.infra.md b/docs/changelog.d/decommission-jobsync.infra.md
deleted file mode 100644
index c0e81ee..0000000
--- a/docs/changelog.d/decommission-jobsync.infra.md
+++ /dev/null
@@ -1 +0,0 @@
-Decommission JobSync service — removed ArgoCD app, k8s manifests, container build, Caddy proxy, Homepage entry, docs, and forge mirror. Replaced by datasette-based job tracking (coming soon).
diff --git a/docs/changelog.d/deploy-prowler.feature.md b/docs/changelog.d/deploy-prowler.feature.md
deleted file mode 100644
index 64236c7..0000000
--- a/docs/changelog.d/deploy-prowler.feature.md
+++ /dev/null
@@ -1 +0,0 @@
-Deploy Prowler CIS scanner as a weekly CronJob on minikube-indri, with reports written to sifaka NFS share.
diff --git a/docs/changelog.d/localize-redis.infra.md b/docs/changelog.d/localize-redis.infra.md
deleted file mode 100644
index 2d6b382..0000000
--- a/docs/changelog.d/localize-redis.infra.md
+++ /dev/null
@@ -1 +0,0 @@
-Localize authentik-redis container: replace upstream `redis:7-alpine` with nix-built image from nixpkgs (Redis 8.2.3). Introduces attached service pattern with `parent` field in service-versions.yaml and version assertion in default.nix to prevent silent version drift.
diff --git a/docs/changelog.d/unify-container-workflows.infra.md b/docs/changelog.d/unify-container-workflows.infra.md
deleted file mode 100644
index 2225297..0000000
--- a/docs/changelog.d/unify-container-workflows.infra.md
+++ /dev/null
@@ -1 +0,0 @@
-Unified Dockerfile and Nix container build workflows into a single workflow that auto-classifies containers by build type and routes to the correct runner (k8s for Dockerfile, nix-container-builder for Nix). Removed nettest container (outgrown). Nix builds now require an explicit `version = "..."` declaration — no implicit nixpkgs fallback.
diff --git a/docs/changelog.d/update-tooling-deps-2026-03.infra.md b/docs/changelog.d/update-tooling-deps-2026-03.infra.md
deleted file mode 100644
index b0f162f..0000000
--- a/docs/changelog.d/update-tooling-deps-2026-03.infra.md
+++ /dev/null
@@ -1 +0,0 @@
-Monthly tooling dependency update: bump prek hooks (trufflehog 3.94.0, ruff 0.15.7, shfmt 3.13.0), Fly.io images (nginx 1.29.6, Alloy 1.14.1), actions/checkout v4.3.1→v6.0.2, tighten mise task Python lower bounds (rich 14, typer 0.24, httpx 0.28.1, pyyaml 6.0.2), and bump ansible-lint/ansible-core floors.
diff --git a/docs/changelog.d/upgrade-ntfy-v2.19.2.infra.md b/docs/changelog.d/upgrade-ntfy-v2.19.2.infra.md
deleted file mode 100644
index 4eccbfe..0000000
--- a/docs/changelog.d/upgrade-ntfy-v2.19.2.infra.md
+++ /dev/null
@@ -1 +0,0 @@
-Upgrade ntfy v2.17.0 → v2.19.2 (adds experimental PostgreSQL support, read replicas, web push fixes)
diff --git a/docs/changelog.d/upgrade-tailscale-operator-1.96.3.infra.md b/docs/changelog.d/upgrade-tailscale-operator-1.96.3.infra.md
deleted file mode 100644
index a0f50db..0000000
--- a/docs/changelog.d/upgrade-tailscale-operator-1.96.3.infra.md
+++ /dev/null
@@ -1 +0,0 @@
-Revert Tailscale operator to v1.94.2 (v1.96.3 images not yet published); keep Fly proxy `tailscale wait` improvement