Localize authentik-redis container #309

Merged
eblume merged 3 commits from localize-redis into main 2026-03-24 13:27:37 -07:00
Owner

Summary

  • Replace upstream docker.io/library/redis:7-alpine (Redis 7.4.8) with a nix-built container using Redis 8.2.3 from nixpkgs
  • Introduce attached service pattern: parent field in service-versions.yaml, <parent>-<component> naming convention, and assert pkgs.redis.version == version in default.nix to prevent silent version drift on flake.lock updates
  • Document the pattern in review-services so future attached services slot in cleanly
  • Backfill parent: grafana on existing grafana-sidecar entry

Version drift protection

  1. flake.lock update bumps nixpkgs redis → assert in default.nix breaks nix-build
  2. Developer updates version in default.nix → prek's container-version-check demands matching service-versions.yaml update
  3. Both must agree before commit succeeds

Test plan

  • Build container from branch on ringtail (mise run container-build-and-release authentik-redis)
  • Update kustomization newTag to branch-built image tag
  • Sync authentik ArgoCD app from branch (argocd app set authentik --revision localize-redis && argocd app sync authentik)
  • Verify Authentik login, session persistence, and task queue still work
  • After merge: C0 follow-up to update newTag to the main-built image tag

🤖 Generated with Claude Code

Replace upstream docker.io/library/redis:7-alpine with a nix-built
container using Redis 8.2.3 from nixpkgs. Introduces the attached
service pattern: parent field in service-versions.yaml, naming
convention (<parent>-<component>), and version assertion in default.nix
to prevent silent version drift on flake.lock updates.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The tag field in buildLayeredImage is optional and only affects the
local docker-archive output. The CI workflow tags with immutable
SHA-based tags via skopeo, so "latest" is misleading noise.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

The detect job was checking out main instead of the dispatched ref,
so it couldn't find build files that only exist on feature branches.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
eblume merged commit fd0bebb0fc into main 2026-03-24 13:27:37 -07:00
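
The three-way agreement listed under "Version drift protection" can be modelled as one check. This is an added example, not code from the PR or the repository: the layout of `default.nix` and `service-versions.yaml`, the `version` key, and the function names are assumptions, and the sample inputs are constructed.

```python
import re

# Constructed inputs: both file layouts are assumptions, not the repo's files.
DEFAULT_NIX = '''
let version = "8.2.3"; in
assert pkgs.redis.version == version;
pkgs.dockerTools.buildLayeredImage { name = "authentik-redis"; }
'''
SERVICE_VERSIONS = '''
services:
  - name: authentik-redis
    parent: authentik
    version: "8.2.3"
'''

def pinned_version(nix_text):
    """Version string bound by `version = "..."` (the `==` in the assert is skipped)."""
    m = re.search(r'\bversion\s*=\s*"([^"]+)"\s*;', nix_text)
    return m.group(1) if m else None

def parse_entries(yaml_text):
    """Parse the assumed flat list of `key: value` mappings (not general YAML)."""
    entries, cur = [], None
    for line in yaml_text.splitlines():
        m = re.match(r'\s*(-\s+)?([\w-]+):\s*"?([^"#]*?)"?\s*$', line)
        if not m or not m.group(3):
            continue
        if m.group(1):  # a leading "- " starts a new service entry
            cur = {}
            entries.append(cur)
        if cur is not None:
            cur[m.group(2)] = m.group(3)
    return entries

def check(service, nixpkgs_version, nix_text, yaml_text):
    """Return drift problems; an empty list means all three sources agree."""
    problems, pinned = [], pinned_version(nix_text)
    if pinned != nixpkgs_version:  # step 1: what the Nix assert enforces
        problems.append(f"assert: nixpkgs {nixpkgs_version} != default.nix {pinned}")
    entry = next((e for e in parse_entries(yaml_text) if e.get("name") == service), None)
    if entry is None:
        return problems + [f"hook: {service} not in service-versions.yaml"]
    if entry.get("version") != pinned:  # step 2: what the pre-commit hook enforces
        problems.append(f"hook: service-versions.yaml {entry.get('version')} != default.nix {pinned}")
    parent = entry.get("parent")
    if parent and not service.startswith(parent + "-"):  # <parent>-<component>
        problems.append(f"naming: {service} does not start with {parent}-")
    return problems
```
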
Reference
eblume/blumeops!309