Compare commits
3 commits
main
...
localize-r
| Author | SHA1 | Date | |
|---|---|---|---|
| 8876422d1f | |||
| 353a141181 | |||
| a1a97966cc |
9 changed files with 67 additions and 7 deletions
|
|
@ -30,6 +30,7 @@ jobs:
|
|||
- name: Checkout
|
||||
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
|
||||
with:
|
||||
ref: ${{ inputs.ref || github.sha }}
|
||||
fetch-depth: 2
|
||||
|
||||
- name: Detect and classify changed containers
|
||||
|
|
|
|||
|
|
@ -15,4 +15,5 @@ images:
|
|||
- name: registry.ops.eblu.me/blumeops/authentik
|
||||
newTag: v2026.2.0-2d4098e-nix
|
||||
- name: docker.io/library/redis
|
||||
newName: registry.ops.eblu.me/blumeops/authentik-redis
|
||||
newTag: 7-alpine
|
||||
|
|
|
|||
|
|
@ -116,8 +116,6 @@ in
|
|||
|
||||
pkgs.dockerTools.buildLayeredImage {
|
||||
name = "blumeops/alloy";
|
||||
tag = "latest";
|
||||
|
||||
contents = [
|
||||
alloy
|
||||
pkgs.cacert
|
||||
|
|
|
|||
29
containers/authentik-redis/default.nix
Normal file
29
containers/authentik-redis/default.nix
Normal file
|
|
@ -0,0 +1,29 @@
|
|||
# Nix-built Redis for Authentik
|
||||
# Attached service: cache/broker (sessions, Celery task queue, caching)
|
||||
# Uses Redis from nixpkgs, packaged with dockerTools.buildLayeredImage
|
||||
#
|
||||
# The version assertion ensures nix-build fails if a flake.lock update
|
||||
# changes the Redis version — forcing an explicit version acknowledgment
|
||||
# here and in service-versions.yaml (enforced by container-version-check).
|
||||
{ pkgs ? import <nixpkgs> { } }:
|
||||
|
||||
let
|
||||
version = "8.2.3";
|
||||
in
|
||||
|
||||
assert pkgs.redis.version == version;
|
||||
|
||||
pkgs.dockerTools.buildLayeredImage {
|
||||
name = "blumeops/authentik-redis";
|
||||
contents = [
|
||||
pkgs.redis
|
||||
];
|
||||
|
||||
config = {
|
||||
Entrypoint = [ "${pkgs.redis}/bin/redis-server" ];
|
||||
Cmd = [ "--protected-mode" "no" ];
|
||||
ExposedPorts = {
|
||||
"6379/tcp" = { };
|
||||
};
|
||||
};
|
||||
}
|
||||
|
|
@ -41,8 +41,6 @@ in
|
|||
|
||||
pkgs.dockerTools.buildLayeredImage {
|
||||
name = "blumeops/authentik";
|
||||
tag = "latest";
|
||||
|
||||
contents = [
|
||||
ak
|
||||
authentik-django
|
||||
|
|
|
|||
|
|
@ -67,8 +67,6 @@ in
|
|||
|
||||
pkgs.dockerTools.buildLayeredImage {
|
||||
name = "blumeops/ntfy";
|
||||
tag = "latest";
|
||||
|
||||
contents = [
|
||||
ntfy
|
||||
pkgs.cacert
|
||||
|
|
|
|||
1
docs/changelog.d/localize-redis.infra.md
Normal file
1
docs/changelog.d/localize-redis.infra.md
Normal file
|
|
@ -0,0 +1 @@
|
|||
Localize authentik-redis container: replace upstream `redis:7-alpine` with nix-built image from nixpkgs (Redis 8.2.3). Introduces attached service pattern with `parent` field in service-versions.yaml and version assertion in default.nix to prevent silent version drift.
|
||||
|
|
@ -1,6 +1,6 @@
|
|||
---
|
||||
title: Review Services
|
||||
modified: 2026-02-19
|
||||
modified: 2026-03-24
|
||||
last-reviewed: 2026-03-07
|
||||
tags:
|
||||
- how-to
|
||||
|
|
@ -59,6 +59,29 @@ mise run service-review --type hybrid
|
|||
2. Review the Nix derivation or flake input for version pins
|
||||
3. If upgrading, update and deploy via `mise run provision-ringtail`
|
||||
|
||||
## Attached Services
|
||||
|
||||
Some services have auxiliary dependencies that run as separate containers — caches, sidecars, init helpers. These are tracked as **attached services** with a naming convention and an optional `parent` field:
|
||||
|
||||
```yaml
|
||||
- name: authentik-redis
|
||||
type: argocd
|
||||
parent: authentik
|
||||
current-version: "8.2.3"
|
||||
upstream-source: https://github.com/redis/redis/releases
|
||||
notes: >-
|
||||
Attached service: Redis cache/broker for Authentik.
|
||||
```
|
||||
|
||||
**Conventions:**
|
||||
|
||||
- **Naming:** `<parent>-<component>` (e.g., `authentik-redis`, `grafana-sidecar`)
|
||||
- **`parent` field:** points to the parent service entry. Currently informational — the review task doesn't use it yet, but it enables future grouping/dependency-aware reviews.
|
||||
- **`notes` field:** always starts with "Attached service:" to make the relationship clear at a glance.
|
||||
- **Version tracking:** attached services that use nixpkgs packages should include a version assertion in `default.nix` (`assert pkgs.<pkg>.version == version;`) so that `flake.lock` updates that change the package version break the build and force explicit acknowledgment.
|
||||
|
||||
Existing attached services: `grafana-sidecar`, `authentik-redis`.
|
||||
|
||||
## Version Tracking Convention
|
||||
|
||||
The `current-version` field in `service-versions.yaml` tracks the **upstream application version**, not the container image tag. For services with custom-built containers, the container image tag (e.g., `v1.0.0`) is decoupled from the contained app version (e.g., `v1.10.1`). This allows container rebuilds (base image updates, build fixes) without implying an upstream version change.
|
||||
|
|
|
|||
|
|
@ -104,6 +104,7 @@ services:
|
|||
|
||||
- name: grafana-sidecar
|
||||
type: argocd
|
||||
parent: grafana
|
||||
last-reviewed: "2026-03-03"
|
||||
current-version: "1.28.0"
|
||||
upstream-source: https://github.com/kiwigrid/k8s-sidecar/releases
|
||||
|
|
@ -157,6 +158,16 @@ services:
|
|||
current-version: "2026.2.0"
|
||||
upstream-source: https://github.com/goauthentik/authentik/releases
|
||||
|
||||
- name: authentik-redis
|
||||
type: argocd
|
||||
parent: authentik
|
||||
last-reviewed: "2026-03-24"
|
||||
current-version: "8.2.3"
|
||||
upstream-source: https://github.com/redis/redis/releases
|
||||
notes: >-
|
||||
Attached service: Redis cache/broker for Authentik (sessions, Celery task
|
||||
queue, caching). Nix-built container from nixpkgs with version assertion.
|
||||
|
||||
- name: ollama
|
||||
type: argocd
|
||||
last-reviewed: "2026-03-02"
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue