C0: wave-1 decommission follow-ups (argocd admin RBAC, teslamate probe)

- argocd: grant local break-glass admin the admin role (g, admin, role:admin);
  previously only the Authentik admins group had access, locking out admin
  once its token expired (policy.default is unset).
- alloy-k8s: repoint the teslamate blackbox probe from the deleted minikube
  service to https://tesla.ops.eblu.me/ (Caddy over Tailscale), like immich.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

argocd/manifests/alloy-k8s/config.alloy

@@ -191,8 +191,9 @@ prometheus.exporter.blackbox "services" {
   }
 
   target {
+    // Migrated to ringtail (wave-1); probe through Caddy over Tailscale.
     name    = "teslamate"
-    address = "http://teslamate.teslamate.svc.cluster.local:4000/"
+    address = "https://tesla.ops.eblu.me/"
     module  = "http_2xx"
   }
 

argocd/manifests/argocd/argocd-rbac-cm-patch.yaml

@@ -2,6 +2,9 @@
 #
 # - workflow-bot: minimal CI/CD permissions (sync, get)
 # - admins: Authentik admins group mapped to ArgoCD admin role
+# - admin: local break-glass account — keeps ArgoCD admin rights for when
+#   Authentik SSO is unavailable (without this it has no permissions, since
+#   policy.default is unset)
 #
 apiVersion: v1
 kind: ConfigMap
@@ -14,3 +17,4 @@ data:
     p, role:workflow-bot, applications, get, *, allow
     g, workflow-bot, role:workflow-bot
     g, admins, role:admin
+    g, admin, role:admin

docs/changelog.d/+wave1-decommission-followups.infra.md

@@ -0,0 +1,8 @@
+Fix three follow-ups from the wave-1 decommission: grant the local
+break-glass `admin` account ArgoCD admin rights (`g, admin, role:admin` —
+previously only the Authentik `admins` group had access, so admin was
+locked out whenever its token expired), and repoint the alloy blackbox
+probe for teslamate from the deleted minikube service to
+`https://tesla.ops.eblu.me/` (through Caddy over Tailscale). The orphaned
+paperless/teslamate roles + ExternalSecrets left on the minikube
+blumeops-pg are also cleaned up.