Recurring maintenance batch (2026-05-27) (#360)

Bundle of recurring overdue tasks:

- Ringtail flake update
- Security & compliance report review
- Tooling deps bump (prek, fly, mise, forgejo workflows)
- Top stale doc review
- Top stale service review (if trivial)

Larger items (service version bumps requiring upgrades, non-local container migration) split out as separate PRs.

Reviewed-on: #360

docs/changelog.d/recurring-maintenance-2026-05-27.doc.md

@@ -0,0 +1 @@
+Reviewed [[indri]] reference card: added `devpi`, `cv`, and `docs` to the native-services list; widened the k8s note to reflect the growing set of apps now on ringtail and the planned indri-minikube decommission; added CPU/RAM specs.

docs/changelog.d/recurring-maintenance-2026-05-27.infra.md

@@ -0,0 +1,4 @@
+Recurring maintenance batch:
+
+- Ringtail flake inputs refreshed (`disko`, `home-manager`, `nixpkgs`).
+- Tooling deps bumped: prek hooks (trufflehog v3.95.3, kingfisher v1.101.0, ruff v0.15.14, `ansible-core` 2.21.0); fly proxy base images (nginx 1.30.1-alpine, alloy v1.16.1); `typer==0.26.2` in mise tasks.

docs/reference/infrastructure/indri.md

@@ -1,6 +1,7 @@
 ---
 title: Indri
-modified: 2026-02-19
+modified: 2026-05-27
+last-reviewed: 2026-05-27
 tags:
   - infrastructure
   - host
@@ -15,6 +16,7 @@ Primary BlumeOps server. Mac Mini M1 (2020).
 | Property | Value |
 |----------|-------|
 | **Model** | Mac mini M1, 2020 (Macmini9,1) |
+| **CPU / RAM** | 8 cores / 16 GB |
 | **Storage** | 2TB internal SSD |
 | **macOS** | 15.7.3 (Sequoia) |
 | **Tailscale hostname** | `indri.tail8d86e.ts.net` |
@@ -30,9 +32,12 @@ Primary BlumeOps server. Mac Mini M1 (2020).
 - [[borgmatic]] - Backup system
 - [[alloy|Alloy]] - Metrics/logs collector
 - [[caddy]] - Reverse proxy for `*.ops.eblu.me`
+- [[devpi]] - PyPI mirror (LaunchAgent)
+- [[cv]] - Static CV site, served by Caddy
+- [[docs]] - Quartz-built docs site, served by Caddy
 
 **Kubernetes (via minikube):**
-- [[apps|Most k8s applications]] (Frigate, ntfy migrated to [[ringtail]] k3s)
+- [[apps|Most k8s applications]]. A growing set of apps (Authentik, Frigate, ntfy, Immich, Homepage, Shower, Kingfisher, alloy-ringtail) now run on [[ringtail]]'s k3s instead. Long-term plan is to decommission indri's minikube entirely.
 
 **GUI Applications (manual start required):**
 - Docker Desktop - Container runtime for minikube

fly/Dockerfile

@@ -1,5 +1,5 @@
-# nginx 1.30.0-alpine
+# nginx 1.30.1-alpine
-FROM nginx@sha256:0272e4604ed93c1792f03695a033a6e8546840f86e0de20a884bb17d2c924883
+FROM nginx@sha256:c819f83c54b0361f5557601bf5eb4943d09360e7a7fdf426afc466570f45874d
 
 # Copy tailscale binaries from official image (v1.94.2)
 COPY --from=docker.io/tailscale/tailscale@sha256:95e528798bebe75f39b10e74e7051cf51188ee615934f232ba7ad06a3390ffa1 \
@@ -13,8 +13,8 @@ RUN mkdir -p /var/run/tailscale /var/lib/tailscale \
     && apk add --no-cache fail2ban \
     && rm -f /etc/fail2ban/jail.d/alpine-ssh.conf
 
-# Copy Alloy binary from official image (v1.16.0, Ubuntu-based, needs libc6-compat)
+# Copy Alloy binary from official image (v1.16.1, Ubuntu-based, needs libc6-compat)
-COPY --from=docker.io/grafana/alloy@sha256:6e00cf7c5a692ff5f24844529416ed017d76fce922f8199004e73d5eca46b6b8 \
+COPY --from=docker.io/grafana/alloy@sha256:51aeb9d829239345070619dad3edd6873186f913c84f45b365b74574fcb38ec0 \
     /bin/alloy /usr/local/bin/alloy
 
 RUN mkdir -p /var/log/nginx /etc/alloy /tmp/alloy-data

mise-tasks/branch-cleanup

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.25.0"]
+# dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.26.2"]
 # ///
 #MISE description="Delete branches that have been merged into main (local and remote)"
 #MISE alias="bc"

mise-tasks/container-build-and-release

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["typer==0.25.0", "httpx==0.28.1"]
+# dependencies = ["typer==0.26.2", "httpx==0.28.1"]
 # ///
 #MISE description="Trigger container build workflows via Forgejo API"
 #USAGE arg "<container>" help="Container name (directory under containers/)"

mise-tasks/container-list

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.25.0"]
+# dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.26.2"]
 # ///
 #MISE description="List available containers and their recent tags"
 #USAGE arg "[name]" help="Optional container name to filter output"

mise-tasks/container-version-check

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["pyyaml==6.0.3", "rich==15.0.0", "typer==0.25.0"]
+# dependencies = ["pyyaml==6.0.3", "rich==15.0.0", "typer==0.26.2"]
 # ///
 #MISE description="Validate container version consistency across container.py, Dockerfiles, nix derivations, and service-versions.yaml"
 #USAGE flag "--all-files" help="Check all containers, not just changed ones"

mise-tasks/dns-acme-cleanup

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.25.0"]
+# dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.26.2"]
 # ///
 #MISE description="Delete orphaned ACME challenge TXT records in eblu.me"
 #USAGE flag "--dry-run" help="List orphans without deleting"

mise-tasks/docs-mikado

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["httpx==0.28.1", "pyyaml==6.0.3", "rich==15.0.0", "typer==0.25.0"]
+# dependencies = ["httpx==0.28.1", "pyyaml==6.0.3", "rich==15.0.0", "typer==0.26.2"]
 # ///
 #MISE description="View active Mikado dependency chains for C2 changes"
 #USAGE arg "[card]" help="Card stem to show chain for"

mise-tasks/docs-preview

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["pyyaml==6.0.3", "rich==15.0.0", "typer==0.25.0"]
+# dependencies = ["pyyaml==6.0.3", "rich==15.0.0", "typer==0.26.2"]
 # ///
 #MISE description="Build docs with Dagger and serve locally, opening to a specific card"
 #USAGE arg "<card>" help="Card path relative to docs/, e.g. how-to/knowledgebase/review-documentation"

mise-tasks/docs-review

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["pyyaml==6.0.3", "rich==15.0.0", "typer==0.25.0"]
+# dependencies = ["pyyaml==6.0.3", "rich==15.0.0", "typer==0.26.2"]
 # ///
 #MISE description="Review the most stale documentation card by last-reviewed date"
 #USAGE flag "--limit <limit>" default="15" help="Number of docs to show in the table"

mise-tasks/docs-review-stale

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["rich==15.0.0", "typer==0.25.0"]
+# dependencies = ["rich==15.0.0", "typer==0.26.2"]
 # ///
 #MISE description="Report docs by git-last-modified date, highlighting stale ones"
 #USAGE flag "--threshold <threshold>" default="180" help="Days before a doc is considered stale"

mise-tasks/mikado-branch-invariant-check

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["rich==15.0.0", "typer==0.25.0"]
+# dependencies = ["rich==15.0.0", "typer==0.26.2"]
 # ///
 #MISE description="Validate Mikado Branch Invariant on mikado/* branches"
 #USAGE arg "[commit_msg_file]" help="Commit message file (passed by commit-msg hook)"

mise-tasks/op-backup

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["rich==15.0.0", "typer==0.25.0"]
+# dependencies = ["rich==15.0.0", "typer==0.26.2"]
 # ///
 #MISE description="Encrypt a 1Password .1pux export and send to indri for borgmatic"
 #USAGE arg "[export_path]" help="Path to .1pux export file (prompted if omitted)"

mise-tasks/pr-comments

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.25.0"]
+# dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.26.2"]
 # ///
 #MISE description="List unresolved comments on a PR"
 #USAGE arg "<pr_number>" help="Pull request number"

mise-tasks/prune-ringtail-generations

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["rich==15.0.0", "typer==0.25.0"]
+# dependencies = ["rich==15.0.0", "typer==0.26.2"]
 # ///
 #MISE description="Prune old NixOS generations on ringtail, preserving rollback safety"
 #MISE alias="prg"

mise-tasks/review-compliance-reports

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["rich==15.0.0", "typer==0.25.0", "pyyaml==6.0.3"]
+# dependencies = ["rich==15.0.0", "typer==0.26.2", "pyyaml==6.0.3"]
 # ///
 #MISE description="Summarize the latest Prowler and Kingfisher compliance reports from sifaka"
 #USAGE flag "--full" help="Show all unmuted failures, not just new ones"

mise-tasks/runner-logs

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.25.0"]
+# dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.26.2"]
 # ///
 #MISE description="List recent Forgejo Actions runs or fetch logs for a specific job"
 #USAGE arg "[run_number]" help="Run number to show jobs for (omit to list recent runs)"

mise-tasks/service-review

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["pyyaml==6.0.3", "rich==15.0.0", "typer==0.25.0"]
+# dependencies = ["pyyaml==6.0.3", "rich==15.0.0", "typer==0.26.2"]
 # ///
 #MISE description="Review the most stale service for version freshness"
 #USAGE flag "--limit <limit>" default="15" help="Number of services to show in the table"

mise-tasks/spork-create

@@ -1,7 +1,7 @@
 #!/usr/bin/env -S uv run --script
 # /// script
 # requires-python = ">=3.12"
-# dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.25.0"]
+# dependencies = ["httpx==0.28.1", "rich==15.0.0", "typer==0.26.2"]
 # ///
 #MISE description="Create a spork (floating-branch soft-fork) of a mirrored upstream project"
 #USAGE arg "<repo_name>" help="Repository name in the mirrors/ org on forge (e.g. kingfisher)"

nixos/ringtail/flake.lock

@@ -7,11 +7,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1777713215,
+        "lastModified": 1779699611,
-        "narHash": "sha256-8GzXDOXckDWwST8TY5DbwYFjdvQLlP7K9CLSVx6iTTo=",
+        "narHash": "sha256-EcCaSTKnmg2o4wLKaN1aqQFomwyhO7ik0bX9COdyCas=",
         "owner": "nix-community",
         "repo": "disko",
-        "rev": "63b4e7e6cf75307c1d26ac3762b886b5b0247267",
+        "rev": "5ba0c9555c28685e57fa54c7a25e42c7efdbfc8d",
         "type": "github"
       },
       "original": {
@@ -27,11 +27,11 @@
         ]
       },
       "locked": {
-        "lastModified": 1778401693,
+        "lastModified": 1779506708,
-        "narHash": "sha256-OVHdCqXXUF5UdGkH+FF2ZL06OLZjj2kvP2dIUmzVWoo=",
+        "narHash": "sha256-QOD/CNm196nCJRheux/URi4/HE66fthdOMqCJoPP1Y0=",
         "owner": "nix-community",
         "repo": "home-manager",
-        "rev": "389b83002efc26f1145e89a6a8e6edc5a6435948",
+        "rev": "3ee51fbdac8c8bdfe1e7e1fcaba6520a563f394f",
         "type": "github"
       },
       "original": {
@@ -43,11 +43,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1778430510,
+        "lastModified": 1779467186,
-        "narHash": "sha256-Ti+ZBvW6yrWWAg2szExVTwCd4qOJ3KlVr1tFHfyfi8Q=",
+        "narHash": "sha256-nOesoDCiXcUftqbRBMz9tt4blI5PvljMWbm3kuCA+0s=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "8fd9daa3db09ced9700431c5b7ad0e8ba199b575",
+        "rev": "b77b3de8775677f84492abe84635f87b0e153f0f",
         "type": "github"
       },
       "original": {

prek.toml

@@ -28,7 +28,7 @@ hooks = [{ id = "check-yaml", args = ["--unsafe"] }]
 # Secret detection (running both tools in parallel to compare coverage)
 [[repos]]
 repo = "https://github.com/trufflesecurity/trufflehog"
-rev = "17456f8c7d042d8c82c9a8ca9e937231f9f42e26" # v3.95.2
+rev = "37b77001d0174ebec2fcca2bd83ff83a6d45a3ab" # v3.95.3
 hooks = [
   { id = "trufflehog", entry = "trufflehog git file://. --since-commit HEAD --no-verification --fail", stages = [
     "pre-commit",
@@ -38,7 +38,7 @@ hooks = [
 
 [[repos]]
 repo = "https://github.com/mongodb/kingfisher"
-rev = "9ddec4ab8b53653d4941e6b3fd4ff602ce91d81b" # v1.97.0
+rev = "6f560103cc6ea082ef4b80a9098e3f3111afb8bc" # v1.101.0
 hooks = [
   { id = "kingfisher", args = [
     "scan",
@@ -69,12 +69,12 @@ name = "ansible-lint"
 entry = "env ANSIBLE_ROLES_PATH=ansible/roles ansible-lint"
 language = "python"
 files = "^ansible/"
-additional_dependencies = ["ansible-lint==26.4.0", "ansible-core==2.20.5"]
+additional_dependencies = ["ansible-lint==26.4.0", "ansible-core==2.21.0"]
 
 # Python - ruff for linting and formatting
 [[repos]]
 repo = "https://github.com/astral-sh/ruff-pre-commit"
-rev = "6fec9b7edb08fd9989088709d864a7826dc74e80"                    # v0.15.12
+rev = "0c7b6c989466a93942def1f84baf36ddfcd60c83"                    # v0.15.14
 hooks = [{ id = "ruff", args = ["--fix"] }, { id = "ruff-format" }]
 
 # Python - ty type checker