Immich is fully migrated off minikube-indri onto k3s-ringtail. All
six prerequisite cards plus the goal card converted to historical
documentation by removing status/branch/requires Mikado frontmatter.
Changelog fragment added at docs/changelog.d/migrate-immich-to-ringtail.infra.md.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Sequence executed:
1. Quiesced source: immich-server + immich-machine-learning on
minikube scaled to 0 (done in immich-pg-data-migration).
2. Deleted minikube immich-tailscale Ingress; waited for "photos"
Tailscale device to deregister.
3. (Promote of ringtail pg was done in immich-pg-data-migration.)
4. Renamed ringtail ingress tls.hosts photos-ringtail -> photos.
5. Caddy was already pointing photos.ops.eblu.me ->
photos.tail8d86e.ts.net so no Ansible change needed.
6. Smoke test: photos.ops.eblu.me/api/server/ping -> 200,
/api/server/version -> {"major":2,"minor":6,"patch":3}.
7. Borgmatic continuity: added a ringtail immich-pg-tailscale
Service (same FQDN as before, immich-pg.tail8d86e.ts.net).
Verified borgmatic role can SELECT count(*) FROM asset over the
tailnet (returned 12681, matches source).

Decommission:
- Deleted argocd Application "immich" with --cascade (clears
Deployments, Services, etc. on minikube).
- Pruned blumeops-pg Application against the branch which removed
the Cluster immich-pg, its ExternalSecret, and the old
immich-pg-tailscale Service from minikube.
- Deleted leftover Released PVs on minikube.
- Deleted the empty immich namespace on minikube.

Did not verify minikube host memory drop directly (tailscale-ssh
re-auth was prompting at the time). Caller should confirm via
"docker stats minikube" once SSH is re-authenticated.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

1. Registering new ArgoCD apps from a feature branch: the app-of-apps
"apps" Application is self-managing (re-reads apps.yaml on every
sync, which pins targetRevision: main). So setting its revision to
a branch doesn't stick across syncs, and new app definitions on a
branch are invisible to the cluster via the normal flow. The goal
card now documents the kubectl-apply + per-new-app `argocd app set
--revision <branch>` workaround.
2. Tailscale device-name collision on cutover. The minikube immich
ingress claims tailnet hostname "photos" (tls.hosts: [photos]).
The ringtail ingress can't claim the same name while minikube's is
alive (Tailscale enforces uniqueness). Staging uses
tls.hosts: [photos-ringtail], with the rename to "photos" baked
into immich-cutover-and-decommission step 2 + step 5.

Card dependency graph unchanged; no new cards.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Goal: move immich (server, ML, valkey, postgres) off minikube-indri
onto k3s-ringtail. Immich is the largest single tenant on minikube
(~1.5 GiB resident) and minikube is memory-saturated.

Prerequisite cards:
- cnpg-on-ringtail
- immich-pg-on-ringtail (requires cnpg-on-ringtail)
- immich-pg-data-migration (requires immich-pg-on-ringtail)
- sifaka-nfs-from-ringtail
- immich-app-on-ringtail (requires immich-pg-on-ringtail, sifaka-nfs-from-ringtail)
- immich-cutover-and-decommission (requires immich-pg-data-migration, immich-app-on-ringtail)

Data loss is a critical failure; downtime is acceptable. The cutover
plan favors a CNPG externalCluster basebackup (Option A) with pg_dump
as the documented fallback (Option B).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>