Update docs release to v1.15.5

- Built changelog from towncrier fragments

[skip ci]

CHANGELOG.md

@@ -12,6 +12,51 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 
 <!-- towncrier release notes start -->
 
+## [v1.15.5] - 2026-04-14
+
+### Features
+
+- Deploy Paperless-ngx document management system at paperless.ops.eblu.me with OCR, Authentik SSO, and NFS storage on sifaka.
+- Add `ty` (Astral) Python typechecker to prek hooks, configured for Dagger SDK and container.py modules. Add `type: mise` to service-versions.yaml for tracking development tool versions (dagger, ansible-core, prek, pulumi, ty) through the standard service review process.
+- Upgrade grafana-sidecar from 1.28.0 to 2.6.0, adding health probes and porting build to native Dagger container.py.
+- Upgrade Navidrome to v0.61.1 — major artwork overhaul with per-disc cover art, rebuilt search engine (SQLite FTS5), server-managed transcoding, and WebP performance fix.
+- Add `mise run review-compliance-reports` task for weekly compliance report review with muted/unmuted distinction and week-over-week delta
+
+### Bug Fixes
+
+- Add paperless database to borgmatic backup configuration. Previously the only service DB not included in nightly pg_dump backups.
+- Fix Fly.io proxy rate limiting to key on real client IP instead of Fly's internal proxy IP, so crawlers no longer consume the shared rate limit bucket for all clients.
+- Fix UnPoller (UniFi) Grafana dashboards failing to load due to UID exceeding Grafana 12's 40-character limit.
+- Fix blumeops-tasks swallowing wiki-link brackets in task descriptions (rich markup escaping)
+- Fix dagger flake-update pipeline: replace nonexistent `--exclude` flag with dynamic input discovery
+- Fix services-check to display all firing alerts for a given alert name, not just the first one.
+- Pin Fly.io proxy Tailscale to v1.94.1 — the `:stable` tag pulled v1.96.5 which has a MagicDNS regression (SERVFAIL on tailnet names), breaking all public routing through forge.eblu.me, docs.eblu.me, and cv.eblu.me.
+- Rewrite `mise run runner-logs` CLI: list runs by run number (not task ID), drill into jobs per run, fetch logs via Forgejo web API instead of SSH+filesystem. Fixes broken log retrieval caused by incorrect hex path calculation and stale data directory. Added `--repo` to query any forge repo (e.g. sporks) and `--limit`/`-n` to control listing size (0 for all).
+- Route Dagger build telemetry to Tempo, fixing OTEL metrics exporter warnings.
+- Switch paperless redis sidecar from amd64-only nix-built `authentik-redis` image to upstream `valkey:8.1-alpine` (multi-arch). The nix image was previously running under QEMU emulation on arm64 minikube.
+
+### Infrastructure
+
+- Build forgejo-runner container locally via native Dagger pipeline instead of pulling from upstream.
+- Build kube-state-metrics container locally (Dockerfile + nix) from forge mirror, replacing upstream registry.k8s.io image on both indri and ringtail.
+- Upgrade miniflux from 2.2.17 to 2.2.19 and migrate from Dockerfile to native Dagger container.py build (second container after navidrome). Refactor `alpine_runtime()` with `create_user` parameter to support Alpine's built-in nobody user. Pin all mise.toml tool versions to explicit versions instead of "latest".
+- Migrate Dagger module from .dagger/ to repo root (src/blumeops/) and replace docker_build() with native Dagger pipelines for container builds. Navidrome is the first container migrated, with full build error visibility.
+- Migrate teslamate container build from legacy Dockerfile to native Dagger container.py.
+- Add seccomp RuntimeDefault profiles to alloy-k8s and immich pods, resolving 4 unmuted Prowler findings
+- Full DR recovery from power loss and minikube cluster rebuild. Validated bootstrap procedure, identified circular dependencies (forge.eblu.me, Zot/Authentik OIDC), Tailscale device name collision issues, and documented recovery steps for restart-indri.
+- Set Frigate preview quality to CRF 8 (from default 1) to reduce preview file sizes and improve review timeline loading over NFS.
+- Track Fly.io proxy component versions (Tailscale, nginx, Alloy) in service-versions.yaml with new `fly` service type.
+- Upgrade ArgoCD from v3.3.2 to v3.3.6 (bug-fix patches), SHA-pin install manifest
+- Upgrade authentik 2026.2.0 → 2026.2.2 (bug-fix patch release)
+- Upgrade ollama from 0.17.5 to 0.20.4 (adds Gemma 4 support, benchmark tooling, Apple Silicon perf improvements)
+
+### Documentation
+
+- Delete outdated install-dagger-on-nix-runner card; add service-versions reference card; clean up zot.md and review-services.md links.
+- Enhanced the adding-a-service tutorial with kustomization setup, corrected Tailscale ingress format, updated ArgoCD repoURL, and added a step for creating service reference cards.
+- Review gandi.md: add missing forge.eblu.me CNAME, fix program description, stamp review date.
+
+
 ## [v1.15.4] - 2026-04-06
 
 ### Infrastructure

argocd/manifests/docs/deployment.yaml

@@ -30,7 +30,7 @@ spec:
               name: http
           env:
             - name: DOCS_RELEASE_URL
-              value: "https://forge.eblu.me/eblume/blumeops/releases/download/v1.15.4/docs-v1.15.4.tar.gz"
+              value: "https://forge.eblu.me/eblume/blumeops/releases/download/v1.15.5/docs-v1.15.5.tar.gz"
           resources:
             requests:
               memory: "64Mi"

docs/changelog.d/+argocd-v3.3.6.infra.md

@@ -1 +0,0 @@
-Upgrade ArgoCD from v3.3.2 to v3.3.6 (bug-fix patches), SHA-pin install manifest

docs/changelog.d/+authentik-2026.2.2.infra.md

@@ -1 +0,0 @@
-Upgrade authentik 2026.2.0 → 2026.2.2 (bug-fix patch release)

docs/changelog.d/+dagger-otel-metrics-fix.bugfix.md

@@ -1 +0,0 @@
-Route Dagger build telemetry to Tempo, fixing OTEL metrics exporter warnings.

docs/changelog.d/+dr-paperless-backup.bugfix.md

@@ -1 +0,0 @@
-Add paperless database to borgmatic backup configuration. Previously the only service DB not included in nightly pg_dump backups.

docs/changelog.d/+dr-paperless-redis.bugfix.md

@@ -1 +0,0 @@
-Switch paperless redis sidecar from amd64-only nix-built `authentik-redis` image to upstream `valkey:8.1-alpine` (multi-arch). The nix image was previously running under QEMU emulation on arm64 minikube.

docs/changelog.d/+dr-recovery-2026-04.infra.md

@@ -1 +0,0 @@
-Full DR recovery from power loss and minikube cluster rebuild. Validated bootstrap procedure, identified circular dependencies (forge.eblu.me, Zot/Authentik OIDC), Tailscale device name collision issues, and documented recovery steps for restart-indri.

docs/changelog.d/+enhance-adding-a-service-tutorial.doc.md

@@ -1 +0,0 @@
-Enhanced the adding-a-service tutorial with kustomization setup, corrected Tailscale ingress format, updated ArgoCD repoURL, and added a step for creating service reference cards.

docs/changelog.d/+fix-blumeops-tasks-brackets.bugfix.md

@@ -1 +0,0 @@
-Fix blumeops-tasks swallowing wiki-link brackets in task descriptions (rich markup escaping)

docs/changelog.d/+fix-flake-update-pipeline.bugfix.md

@@ -1 +0,0 @@
-Fix dagger flake-update pipeline: replace nonexistent `--exclude` flag with dynamic input discovery

docs/changelog.d/+fix-flyio-rate-limit-key.bugfix.md

@@ -1 +0,0 @@
-Fix Fly.io proxy rate limiting to key on real client IP instead of Fly's internal proxy IP, so crawlers no longer consume the shared rate limit bucket for all clients.

docs/changelog.d/+fix-unpoller-dashboard-uids.bugfix.md

@@ -1 +0,0 @@
-Fix UnPoller (UniFi) Grafana dashboards failing to load due to UID exceeding Grafana 12's 40-character limit.

docs/changelog.d/+frigate-preview-quality.infra.md

@@ -1 +0,0 @@
-Set Frigate preview quality to CRF 8 (from default 1) to reduce preview file sizes and improve review timeline loading over NFS.

docs/changelog.d/+ollama-0.20.4.infra.md

@@ -1 +0,0 @@
-Upgrade ollama from 0.17.5 to 0.20.4 (adds Gemma 4 support, benchmark tooling, Apple Silicon perf improvements)

docs/changelog.d/+pin-tailscale-fly.bugfix.md

@@ -1 +0,0 @@
-Pin Fly.io proxy Tailscale to v1.94.1 — the `:stable` tag pulled v1.96.5 which has a MagicDNS regression (SERVFAIL on tailnet names), breaking all public routing through forge.eblu.me, docs.eblu.me, and cv.eblu.me.

docs/changelog.d/+review-compliance-reports-task.feature.md

@@ -1 +0,0 @@
-Add `mise run review-compliance-reports` task for weekly compliance report review with muted/unmuted distinction and week-over-week delta

docs/changelog.d/+review-gandi-doc.doc.md

@@ -1 +0,0 @@
-Review gandi.md: add missing forge.eblu.me CNAME, fix program description, stamp review date.

docs/changelog.d/+runner-logs-rewrite.bugfix.md

@@ -1 +0,0 @@
-Rewrite `mise run runner-logs` CLI: list runs by run number (not task ID), drill into jobs per run, fetch logs via Forgejo web API instead of SSH+filesystem. Fixes broken log retrieval caused by incorrect hex path calculation and stale data directory. Added `--repo` to query any forge repo (e.g. sporks) and `--limit`/`-n` to control listing size (0 for all).

docs/changelog.d/+seccomp-alloy-immich.infra.md

@@ -1 +0,0 @@
-Add seccomp RuntimeDefault profiles to alloy-k8s and immich pods, resolving 4 unmuted Prowler findings

docs/changelog.d/+service-versions-ref-card.doc.md

@@ -1 +0,0 @@
-Delete outdated install-dagger-on-nix-runner card; add service-versions reference card; clean up zot.md and review-services.md links.

docs/changelog.d/+services-check-show-all-alerts.bugfix.md

@@ -1 +0,0 @@
-Fix services-check to display all firing alerts for a given alert name, not just the first one.

docs/changelog.d/+track-fly-versions.infra.md

@@ -1 +0,0 @@
-Track Fly.io proxy component versions (Tailscale, nginx, Alloy) in service-versions.yaml with new `fly` service type.

docs/changelog.d/deploy-paperless.feature.md

@@ -1 +0,0 @@
-Deploy Paperless-ngx document management system at paperless.ops.eblu.me with OCR, Authentik SSO, and NFS storage on sifaka.

docs/changelog.d/grafana-sidecar-2.6.0.feature.md

@@ -1 +0,0 @@
-Upgrade grafana-sidecar from 1.28.0 to 2.6.0, adding health probes and porting build to native Dagger container.py.

docs/changelog.d/local-forgejo-runner.infra.md

@@ -1 +0,0 @@
-Build forgejo-runner container locally via native Dagger pipeline instead of pulling from upstream.

docs/changelog.d/localize-kube-state-metrics.infra.md

@@ -1 +0,0 @@
-Build kube-state-metrics container locally (Dockerfile + nix) from forge mirror, replacing upstream registry.k8s.io image on both indri and ringtail.

docs/changelog.d/miniflux-upgrade-and-ty.feature.md

@@ -1 +0,0 @@
-Add `ty` (Astral) Python typechecker to prek hooks, configured for Dagger SDK and container.py modules. Add `type: mise` to service-versions.yaml for tracking development tool versions (dagger, ansible-core, prek, pulumi, ty) through the standard service review process.

docs/changelog.d/miniflux-upgrade-and-ty.infra.md

@@ -1 +0,0 @@
-Upgrade miniflux from 2.2.17 to 2.2.19 and migrate from Dockerfile to native Dagger container.py build (second container after navidrome). Refactor `alpine_runtime()` with `create_user` parameter to support Alpine's built-in nobody user. Pin all mise.toml tool versions to explicit versions instead of "latest".

docs/changelog.d/native-dagger-containers.infra.md

@@ -1 +0,0 @@
-Migrate Dagger module from .dagger/ to repo root (src/blumeops/) and replace docker_build() with native Dagger pipelines for container builds. Navidrome is the first container migrated, with full build error visibility.

docs/changelog.d/teslamate-dagger-migration.infra.md

@@ -1 +0,0 @@
-Migrate teslamate container build from legacy Dockerfile to native Dagger container.py.

docs/changelog.d/upgrade-navidrome-v0.61.1.feature.md

@@ -1 +0,0 @@
-Upgrade Navidrome to v0.61.1 — major artwork overhaul with per-disc cover art, rebuilt search engine (SQLite FTS5), server-managed transcoding, and WebP performance fix.