argocd/manifests/immich-ringtail/kustomization.yaml

@@ -21,8 +21,9 @@ images:
   - name: ghcr.io/immich-app/immich-machine-learning
     # CUDA variant of the same release — ringtail has an RTX 4080
     newTag: v2.6.3-cuda
-  # Using upstream multi-arch valkey image directly; the
-  # registry.ops.eblu.me/blumeops/valkey mirror is arm64-only (built
-  # on indri) and would crashloop on ringtail.
+  # amd64 valkey built via nix on the ringtail nix-container-builder
+  # (see containers/valkey/default.nix). The Alpine container.py build
+  # is arm64-only and serves paperless on indri.
   - name: docker.io/valkey/valkey
-    newTag: "8.1.6"
+    newName: registry.ops.eblu.me/blumeops/valkey
+    newTag: v8.1.7-02859c5-nix

argocd/manifests/paperless/kustomization.yaml

@@ -16,4 +16,4 @@ images:
     newTag: v2.20.13-07f52e9
   - name: docker.io/library/redis
     newName: registry.ops.eblu.me/blumeops/valkey
-    newTag: v8.1.6-r0-fabca04
+    newTag: v8.1.7-02859c5

containers/valkey/container.py

@@ -1,8 +1,8 @@
-"""Valkey — native Dagger build.
+"""Valkey — native Dagger build (arm64, indri).
 
 Alpine 3.22 base with the `valkey` apk package (8.1.x — Redis-compatible).
-Mirrors `docker.io/valkey/valkey:8.1-alpine`, used by paperless and immich
-as a cache/queue sidecar.
+Used by paperless (sidecar) on indri. immich on ringtail uses the
+nix-built amd64 variant from `default.nix` in this directory.
 """
 
 import dagger
@@ -10,9 +10,10 @@ from dagger import dag
 
 from blumeops.containers import oci_labels
 
-# Alpine 3.22 ships valkey 8.1.6-r0. Alpine 3.23 jumps to 9.0 — hold on 3.22
-# to keep this a 1:1 swap for the upstream `valkey:8.1-alpine` image.
-VERSION = "8.1.6-r0"
+# Alpine 3.22 currently ships valkey 8.1.7-r0. Alpine 3.23 jumps to 9.0 —
+# hold on 3.22 to keep this aligned with the 8.1 line.
+VERSION = "8.1.7"
+ALPINE_PIN = "8.1.7-r0"
 
 ALPINE_BASE = "alpine:3.22"
 
@@ -21,7 +22,7 @@ async def build(src: dagger.Directory) -> dagger.Container:
     ctr = (
         dag.container()
         .from_(ALPINE_BASE)
-        .with_exec(["apk", "add", "--no-cache", f"valkey={VERSION}"])
+        .with_exec(["apk", "add", "--no-cache", f"valkey={ALPINE_PIN}"])
         .with_exec(["mkdir", "-p", "/data"])
         .with_exec(["chown", "valkey:valkey", "/data"])
         .with_workdir("/data")

containers/valkey/default.nix

@@ -0,0 +1,30 @@
+# Nix-built Valkey for ringtail (amd64)
+# Companion to container.py (Alpine 3.22, arm64 on indri).
+# Used by immich-ringtail which needs an amd64 image; paperless on indri
+# continues to use the Alpine container.py build.
+#
+# The version assertion ensures nix-build fails if a flake.lock update
+# changes the Valkey version — forcing an explicit version acknowledgment
+# here and in service-versions.yaml (enforced by container-version-check).
+{ pkgs ? import <nixpkgs> { } }:
+
+let
+  version = "8.1.7";
+in
+
+assert pkgs.valkey.version == version;
+
+pkgs.dockerTools.buildLayeredImage {
+  name = "blumeops/valkey";
+  contents = [
+    pkgs.valkey
+  ];
+
+  config = {
+    Entrypoint = [ "${pkgs.valkey}/bin/valkey-server" ];
+    Cmd = [ "--bind" "0.0.0.0" "--protected-mode" "no" "--dir" "/data" ];
+    ExposedPorts = {
+      "6379/tcp" = { };
+    };
+  };
+}

docs/changelog.d/valkey-nix.infra.md

@@ -0,0 +1 @@
+Add nix-built amd64 valkey for ringtail (`containers/valkey/default.nix`) so immich-ringtail can stop pulling the upstream multi-arch `docker.io/valkey/valkey` image. Existing `container.py` continues to build Alpine arm64 for paperless on indri. Both bump to valkey 8.1.7 (Alpine 3.22 8.1.7-r0 / nixpkgs 8.1.7).

service-versions.yaml

@@ -146,14 +146,15 @@ services:
 
   - name: valkey
     type: argocd
-    last-reviewed: 2026-05-01
-    current-version: "8.1.6-r0"
-    upstream-source: https://pkgs.alpinelinux.org/package/v3.22/community/aarch64/valkey
+    last-reviewed: 2026-05-28
+    current-version: "8.1.7"
+    upstream-source: https://github.com/valkey-io/valkey/releases
     notes: >-
-      Shared Alpine-built valkey image, used as a sidecar/cache by paperless
-      (sidecar) and immich (separate Deployment). Mirrors the upstream
-      docker.io/valkey/valkey:8.1-alpine. Pinned to Alpine 3.22 for valkey 8.1.x;
-      Alpine 3.23 jumps to 9.0. Distinct from authentik-redis (nix-built Redis
+      Dual-build valkey image: container.py builds Alpine 3.22 + apk valkey
+      (arm64, indri) for paperless; default.nix builds via nixpkgs (amd64,
+      ringtail) for immich-ringtail. Both track upstream valkey 8.1.x; Alpine
+      3.22 currently ships 8.1.7-r0 and nixpkgs valkey is 8.1.7. Alpine 3.23
+      jumps to 9.0. Distinct from authentik-redis (nix-built Redis
       8.x) which has its own entry.
 
   - name: external-secrets