# Service Version Tracking
#
# Tracks when each BlumeOps service was last reviewed for version freshness.
# Used by `mise run service-review` to surface stale services.
#
# Fields:
#   name            - kebab-case service identifier
#   type            - argocd | ansible | nixos | fly | mise
#   last-reviewed   - date (YYYY-MM-DD) or null
#   current-version - deployed version string or null
#   upstream-source - URL to upstream releases/changelog
#   notes           - optional context

services:
  - name: prometheus
    type: argocd
    last-reviewed: 2026-03-18
    current-version: "v3.10.0"
    upstream-source: https://github.com/prometheus/prometheus/releases

  - name: loki
    type: argocd
    last-reviewed: 2026-03-20
    current-version: "3.6.7"
    upstream-source: https://github.com/grafana/loki/releases

  - name: kube-state-metrics
    type: argocd
    last-reviewed: 2026-03-22
    current-version: "v2.18.0"
    upstream-source: https://github.com/kubernetes/kube-state-metrics/releases


  - name: ntfy
    type: argocd
    last-reviewed: 2026-03-23
    current-version: "v2.19.2"
    upstream-source: https://github.com/binwiederhier/ntfy/releases

  - name: homepage
    type: argocd
    last-reviewed: 2026-03-26
    current-version: "v1.11.0"
    upstream-source: https://github.com/gethomepage/homepage/releases
    notes: Custom container, kustomize manifests

  - name: nvidia-device-plugin
    type: argocd
    last-reviewed: 2026-03-27
    current-version: "v0.19.0"
    upstream-source: https://github.com/NVIDIA/k8s-device-plugin/releases
    notes: DaemonSet + RuntimeClass on ringtail for GPU workloads

  - name: frigate
    type: argocd
    last-reviewed: 2026-03-24
    current-version: "0.17.1"
    upstream-source: https://github.com/blakeblackshear/frigate/releases

  - name: frigate-notify
    type: argocd
    last-reviewed: 2026-03-28
    current-version: "v0.5.4"
    upstream-source: https://github.com/0x2142/frigate-notify/releases

  - name: tempo
    type: argocd
    last-reviewed: 2026-04-02
    current-version: "2.10.3"
    upstream-source: https://github.com/grafana/tempo/releases
    notes: Home-built container from forge mirror

  - name: alloy-tracing-ringtail
    type: argocd
    last-reviewed: 2026-03-13
    current-version: "v1.14.0"
    upstream-source: https://github.com/grafana/alloy/releases
    notes: Privileged DaemonSet with Beyla eBPF for HTTP tracing on ringtail

  - name: alloy-ringtail
    type: argocd
    last-reviewed: 2026-03-13
    current-version: "v1.14.0"
    upstream-source: https://github.com/grafana/alloy/releases
    notes: DaemonSet on ringtail for host metrics and pod logs

  - name: alloy-k8s
    type: argocd
    last-reviewed: 2026-03-13
    current-version: "v1.14.0"
    upstream-source: https://github.com/grafana/alloy/releases

  - name: tailscale-operator
    type: argocd
    last-reviewed: 2026-03-22
    current-version: "v1.94.2"
    upstream-source: https://github.com/tailscale/tailscale/releases

  - name: grafana
    type: argocd
    last-reviewed: 2026-04-02
    current-version: "12.4.2"
    upstream-source: https://github.com/grafana/grafana/releases
    notes: Home-built container from Alpine; upgraded from Helm to Kustomize

  - name: grafana-sidecar
    type: argocd
    parent: grafana
    last-reviewed: "2026-03-03"
    current-version: "1.28.0"
    upstream-source: https://github.com/kiwigrid/k8s-sidecar/releases
    notes: Dashboard ConfigMap watcher sidecar in grafana deployment

  - name: cloudnative-pg
    type: argocd
    last-reviewed: 2026-03-28
    current-version: "v1.28.1"
    upstream-source: https://github.com/cloudnative-pg/cloudnative-pg/releases
    notes: Deployed via Helm chart (chart v0.27.1 from forge mirror)

  - name: immich
    type: argocd
    last-reviewed: 2026-04-04
    current-version: "v2.6.3"
    upstream-source: https://github.com/immich-app/immich/releases
    notes: Kustomize manifests with upstream images

  - name: external-secrets
    type: argocd
    last-reviewed: 2026-03-25
    current-version: "v2.2.0"
    upstream-source: https://github.com/external-secrets/external-secrets/releases
    notes: Static kustomize manifests rendered from upstream Helm chart

  - name: 1password-connect
    type: argocd
    last-reviewed: 2026-04-06
    current-version: "1.8.2"
    upstream-source: https://hub.docker.com/r/1password/connect-api/tags
    notes: Kustomize manifests rendered from connect-helm-charts v2.4.1

  - name: argocd
    type: argocd
    last-reviewed: 2026-04-07
    current-version: "v3.3.6"
    upstream-source: https://github.com/argoproj/argo-cd/releases
    notes: Kustomize-based install with ServerSideApply

  - name: blumeops-pg
    type: argocd
    last-reviewed: 2026-03-28
    current-version: "18.3"
    upstream-source: https://github.com/cloudnative-pg/cloudnative-pg/releases
    notes: CloudNativePG Cluster resource; pinned to PG minor version

  - name: authentik
    type: argocd
    last-reviewed: "2026-04-08"
    current-version: "2026.2.2"
    upstream-source: https://github.com/goauthentik/authentik/releases

  - name: authentik-redis
    type: argocd
    parent: authentik
    last-reviewed: "2026-03-24"
    current-version: "8.2.3"
    upstream-source: https://github.com/redis/redis/releases
    notes: >-
      Attached service: Redis cache/broker for Authentik (sessions, Celery task
      queue, caching). Nix-built container from nixpkgs with version assertion.

  - name: ollama
    type: argocd
    last-reviewed: "2026-04-09"
    current-version: "0.20.4"
    upstream-source: https://github.com/ollama/ollama/releases
    notes: LLM inference server on ringtail (GPU); upstream container image

  - name: navidrome
    type: argocd
    last-reviewed: 2026-04-11
    current-version: "v0.61.1"
    upstream-source: https://github.com/navidrome/navidrome/releases

  - name: miniflux
    type: argocd
    last-reviewed: 2026-04-12
    current-version: "2.2.19"
    upstream-source: https://github.com/miniflux/v2/releases

  - name: teslamate
    type: argocd
    last-reviewed: 2026-03-03
    current-version: "v3.0.0"
    upstream-source: https://github.com/teslamate-org/teslamate/releases

  - name: transmission
    type: argocd
    last-reviewed: 2026-03-04
    current-version: "4.1.1-r1"
    upstream-source: https://github.com/transmission/transmission/releases

  - name: transmission-exporter
    type: argocd
    last-reviewed: 2026-03-05
    current-version: "1.0.1"
    upstream-source: null
    notes: Homegrown Python exporter, no upstream

  - name: kiwix
    type: argocd
    last-reviewed: 2026-03-05
    current-version: "3.8.2"
    upstream-source: https://github.com/kiwix/kiwix-tools/releases

  - name: devpi
    type: argocd
    last-reviewed: 2026-03-06
    current-version: "6.19.1"
    upstream-source: https://github.com/devpi/devpi/releases

  - name: cv
    type: argocd
    last-reviewed: 2026-03-07
    current-version: "1.0.3"
    upstream-source: https://forge.eblu.me/eblume/cv
    notes: Personal static site; review build deps (WeasyPrint, Jinja2) in source repo

  - name: docs
    type: argocd
    last-reviewed: 2026-03-07
    current-version: "1.28.2"
    upstream-source: https://github.com/jackyzha0/quartz/releases
    notes: Quartz static site generator; container version tracks nginx base

  - name: forgejo-runner
    type: argocd
    last-reviewed: 2026-03-30
    current-version: "12.7.3"
    upstream-source: https://code.forgejo.org/forgejo/runner/releases
    notes: >-
      Runner daemon version (code.forgejo.org/forgejo/runner). Job execution
      image is tracked separately as runner-job-image.

  - name: runner-job-image
    type: argocd
    last-reviewed: 2026-03-06
    current-version: "0.20.1"
    upstream-source: https://github.com/dagger/dagger/releases
    notes: >-
      Forgejo Actions job execution image. CONTAINER_APP_VERSION tracks the
      Dagger CLI version, the primary build tool in the image.

  - name: nix-container-builder
    type: nixos
    last-reviewed: 2026-04-01
    current-version: "12.7.2"
    upstream-source: https://code.forgejo.org/forgejo/runner/releases
    notes: >-
      Forgejo runner on ringtail; pinned via nixpkgs-services overlay in flake.nix.
      Update nixpkgs-services rev during service reviews, not via nix flake update.

  - name: snowflake-proxy
    type: nixos
    last-reviewed: 2026-04-01
    current-version: "2.11.0"
    upstream-source: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/releases
    notes: >-
      Tor Snowflake proxy on ringtail; pinned via nixpkgs-services overlay in flake.nix.
      Anti-censorship bridge, not an exit node.

  - name: k3s
    type: nixos
    last-reviewed: 2026-04-01
    current-version: "1.34.5+k3s1"
    upstream-source: https://github.com/k3s-io/k3s/releases
    notes: >-
      Single-node k3s cluster on ringtail; pinned via nixpkgs-services overlay in flake.nix.
      Update nixpkgs-services rev during service reviews.

  - name: minikube
    type: ansible
    last-reviewed: 2026-04-01
    current-version: "1.38.0"
    upstream-source: https://github.com/kubernetes/minikube/releases
    notes: >-
      Single-node minikube on indri; installed via homebrew (not version-pinned).
      Homebrew may silently upgrade on brew update/upgrade.

  - name: mealie
    type: argocd
    last-reviewed: 2026-03-16
    current-version: "v3.12.0"
    upstream-source: https://github.com/mealie-recipes/mealie/releases
    notes: Recipe manager; built from source via forge mirror

  - name: paperless
    type: argocd
    last-reviewed: "2026-04-08"
    current-version: "v2.20.13"
    upstream-source: https://github.com/paperless-ngx/paperless-ngx/releases
    notes: Document management; built from source via forge mirror

  - name: unpoller
    type: argocd
    last-reviewed: 2026-03-16
    current-version: "v2.34.0"
    upstream-source: https://github.com/unpoller/unpoller/releases
    notes: UniFi metrics exporter for Prometheus

  - name: prowler
    type: argocd
    last-reviewed: 2026-03-24
    current-version: "5.22.0"
    upstream-source: https://github.com/prowler-cloud/prowler/releases
    notes: CIS Kubernetes Benchmark scanner; weekly CronJob on minikube-indri

  - name: kingfisher
    type: argocd
    last-reviewed: 2026-03-29
    current-version: "165768b"
    upstream-source: https://github.com/mongodb/kingfisher/releases
    notes: Secret scanner; sporked from upstream with --clone-url-base patch. Version is upstream main SHA.

  - name: forgejo
    type: ansible
    last-reviewed: 2026-03-28
    current-version: "14.0.3"
    upstream-source: https://codeberg.org/forgejo/forgejo/releases
    notes: Built from source on indri (~/code/3rd/forgejo)

  - name: alloy
    type: ansible
    last-reviewed: 2026-03-13
    current-version: "v1.14.0"
    upstream-source: https://github.com/grafana/alloy/releases
    notes: Built from source on indri

  - name: zot
    type: ansible
    last-reviewed: 2026-03-14
    current-version: "v2.1.15"
    upstream-source: https://github.com/project-zot/zot/releases
    notes: Built from source on indri

  - name: caddy
    type: ansible
    last-reviewed: 2026-03-15
    current-version: "v2.11.2"
    upstream-source: https://github.com/caddyserver/caddy/releases
    notes: Built from source with Gandi DNS and Layer 4 plugins

  - name: borgmatic
    type: ansible
    last-reviewed: 2026-03-16
    current-version: "2.1.3"
    upstream-source: https://github.com/borgmatic-collective/borgmatic/releases
    notes: Installed via mise (pipx), not managed by Ansible role

  - name: jellyfin
    type: ansible
    last-reviewed: 2026-03-17
    current-version: "10.11.6"
    upstream-source: https://github.com/jellyfin/jellyfin/releases

  - name: automounter
    type: ansible
    last-reviewed: 2026-03-17
    current-version: "1.11.0"
    upstream-source: https://www.pixeleyes.co.nz/automounter/
    notes: Mac App Store app, no Ansible role. Updates via App Store.

  - name: flyio-tailscale
    type: fly
    last-reviewed: "2026-04-10"
    current-version: "v1.94.1"
    upstream-source: https://github.com/tailscale/tailscale/releases
    notes: >-
      Pinned after v1.96.5 broke MagicDNS in containers. Test DNS resolution
      inside Fly container before upgrading. COPY --from in fly/Dockerfile.

  - name: flyio-nginx
    type: fly
    last-reviewed: "2026-04-10"
    current-version: "1.29.6-alpine"
    upstream-source: https://hub.docker.com/_/nginx
    notes: Base image for Fly proxy (fly/Dockerfile)

  - name: flyio-alloy
    type: fly
    parent: flyio-nginx
    last-reviewed: "2026-04-10"
    current-version: "v1.14.1"
    upstream-source: https://github.com/grafana/alloy/releases
    notes: COPY --from in fly/Dockerfile for log shipping and metrics

  # --- Mise-managed development tools ---

  - name: dagger
    type: mise
    last-reviewed: 2026-04-12
    current-version: "0.20.1"
    upstream-source: https://github.com/dagger/dagger/releases
    notes: Dagger CI/CD engine; pinned in mise.toml

  - name: ansible-core
    type: mise
    last-reviewed: 2026-04-12
    current-version: "2.20.1"
    upstream-source: https://github.com/ansible/ansible/releases
    notes: Installed via pipx/uvx with botocore and boto3

  - name: prek
    type: mise
    last-reviewed: 2026-04-12
    current-version: "0.3.4"
    upstream-source: https://github.com/j178/prek/releases
    notes: Pre-commit hook runner (Rust reimplementation)

  - name: pulumi-cli
    type: mise
    last-reviewed: 2026-04-12
    current-version: "3.215.0"
    upstream-source: https://github.com/pulumi/pulumi/releases
    notes: IaC CLI for tailscale and gandi stacks

  - name: ty
    type: mise
    last-reviewed: 2026-04-12
    current-version: "0.0.29"
    upstream-source: https://github.com/astral-sh/ty/releases
    notes: Astral Python typechecker (beta); prek hook