C1: switch to strategic merge patch for proxyclass image rewrite

Kustomize's images: directive only rewrites image fields on built-in k8s
kinds (Pod, Deployment, etc.), not on custom resources like ProxyClass.
The first attempt left the rendered ProxyClass pointing at upstream
docker.io. Replaces it with a strategic merge patch over
spec.statefulSet.pod.tailscale{Container,InitContainer}.image.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

argocd/manifests/tailscale-operator-ringtail/kustomization.yaml

@@ -8,3 +8,17 @@ resources:
   - ../tailscale-operator-base
   - proxygroup-ingress.yaml
   - external-secret.yaml
+
+# Rewrite the proxyclass image to our local nix-built mirror.
+# Scoped to ringtail only; indri's tailscale-operator/kustomization.yaml still
+# pulls from upstream docker.io. A strategic merge patch is used instead of
+# kustomize's `images:` directive because that directive only rewrites images
+# in standard k8s container fields, not custom-resource fields like
+# ProxyClass.spec.statefulSet.pod.tailscaleContainer.image.
+patches:
+  - path: proxyclass-image.yaml
+    target:
+      group: tailscale.com
+      version: v1alpha1
+      kind: ProxyClass
+      name: default

argocd/manifests/tailscale-operator-ringtail/proxyclass-image.yaml

@@ -0,0 +1,11 @@
+apiVersion: tailscale.com/v1alpha1
+kind: ProxyClass
+metadata:
+  name: default
+spec:
+  statefulSet:
+    pod:
+      tailscaleContainer:
+        image: registry.ops.eblu.me/blumeops/tailscale:v1.94.2-67af7a8-nix
+      tailscaleInitContainer:
+        image: registry.ops.eblu.me/blumeops/tailscale:v1.94.2-67af7a8-nix

containers/tailscale/default.nix

@@ -0,0 +1,77 @@
+# Nix-built tailscale container for ringtail's tailscale-operator ProxyClass
+# Builds v1.94.2 from forge mirror; mirrors upstream Dockerfile contents.
+# Built with dockerTools.buildLayeredImage on the ringtail nix-container-builder.
+{ pkgs ? import <nixpkgs> { } }:
+
+let
+  version = "1.94.2";
+
+  src = pkgs.fetchgit {
+    url = "https://forge.ops.eblu.me/mirrors/tailscale.git";
+    rev = "v${version}";
+    hash = "sha256-qjWVB8xWVgIVUgrf27F6hwiFIE+4ERXWeHv26ugg/x4=";
+  };
+
+  tailscale = pkgs.buildGoModule {
+    inherit src version;
+    pname = "tailscale";
+    vendorHash = "sha256-WeMTOkERj4hvdg4yPaZ1gRgKnhRIBXX55kUVbX/k/xM=";
+
+    subPackages = [
+      "cmd/tailscale"
+      "cmd/tailscaled"
+      "cmd/containerboot"
+    ];
+
+    ldflags = [
+      "-s"
+      "-w"
+      "-X tailscale.com/version.longStamp=${version}"
+      "-X tailscale.com/version.shortStamp=${version}"
+    ];
+
+    doCheck = false;
+
+    meta = with pkgs.lib; {
+      description = "The easiest, most secure way to use WireGuard";
+      homepage = "https://tailscale.com";
+      license = licenses.bsd3;
+    };
+  };
+in
+
+pkgs.dockerTools.buildLayeredImage {
+  name = "blumeops/tailscale";
+  tag = "v${version}";
+
+  contents = [
+    tailscale
+    pkgs.cacert
+    pkgs.iptables
+    pkgs.iproute2
+    pkgs.tzdata
+    pkgs.busybox
+  ];
+
+  # Match upstream Dockerfile: symlink iptables-legacy over iptables.
+  # Synology NAS and similar hosts don't support nftables.
+  # Also recreate the /tailscale/run.sh compat symlink.
+  extraCommands = ''
+    rm -f usr/sbin/iptables usr/sbin/ip6tables
+    ln -s ${pkgs.iptables}/bin/iptables-legacy usr/sbin/iptables || true
+    ln -s ${pkgs.iptables}/bin/ip6tables-legacy usr/sbin/ip6tables || true
+    mkdir -p tailscale
+    ln -s /bin/containerboot tailscale/run.sh
+    mkdir -p tmp
+    chmod 1777 tmp
+  '';
+
+  config = {
+    Entrypoint = [ "/bin/containerboot" ];
+    Env = [
+      "SSL_CERT_FILE=${pkgs.cacert}/etc/ssl/certs/ca-bundle.crt"
+      "TZDIR=${pkgs.tzdata}/share/zoneinfo"
+      "PATH=/bin:/usr/bin:/usr/sbin"
+    ];
+  };
+}

docs/changelog.d/mirror-tailscale-container.infra.md

@@ -0,0 +1 @@
+Add local nix container build for `tailscale` (`containers/tailscale/default.nix`) so ringtail's tailscale-operator ProxyClass proxy pods pull from the forge mirror instead of `docker.io/tailscale/tailscale`. Pinned at v1.94.2 to match `service-versions.yaml`. Indri's tailscale-operator continues to use upstream during the k8s-to-ringtail migration.