• v1.12.1 7a1875936c

    eblume released this 2026-03-02 18:17:06 -08:00 | 30 commits to main since this release

    BlumeOps release v1.12.1

    What's Changed

    Features

    • Mikado branch invariant hook now rejects impl commits that modify Mikado card files (docs with requires:, status:, or branch: mikado/ frontmatter).

    Infrastructure

    • Switch git hooks from pre-commit to prek, a faster Rust-native drop-in replacement. Adds built-in checks for case conflicts, private key detection, and executable shebangs. Configuration migrated from .pre-commit-config.yaml to prek.toml.

    Documentation

    • Review build-authentik-from-source Mikado chain: fix go-server-derivation path errors, remove stale DRF fork content from mirror doc, add last-reviewed to all cards.

    Documentation

    Download docs-v1.12.1.tar.gz and configure the quartz container with:

    DOCS_RELEASE_URL=https://forge.ops.eblu.me/eblume/blumeops/releases/download/v1.12.1/docs-v1.12.1.tar.gz
    
  • v1.12.0 2a2811d7a5

    eblume released this 2026-03-01 17:24:08 -08:00 | 38 commits to main since this release

    BlumeOps release v1.12.0

    What's Changed

    Bug Fixes

    • Fix authentik 2026.2.0 startup crash caused by Django migration ordering bug (FieldError: Cannot resolve keyword 'group_id'). Patch ensures authentik_core/0056 runs before authentik_rbac/0010.

    Infrastructure

    • Upgrade authentik from 2025.10.1 to 2026.2.0, building core services from source via custom Nix derivations rather than using nixpkgs directly (nixpkgs still provides satellite dependencies like Python, Go, and system libraries). Four components (API client generation, Python backend, web UI, Go server) assembled into a single container image with full supply chain control via forge mirrors.
    • Sync Frigate zone coordinates from live API to manifest (driveway_entrance, driveway)
    • Pin blumeops-pg to PostgreSQL 18.3 (from floating :18 tag at 18.1)

    Documentation

    • Review and update authentik-api-client-generation doc: remove stale patch note, fix test-build.nix section, add last-reviewed date.
    • Review all three forgejo-runner Mikado chain docs: stamp last-reviewed, add cross-links, fix configmap.yamlconfig.yaml reference.
    • Review build-grafana-container docs; fix stale grafana.md reference card (Helm → Kustomize).

    Documentation

    Download docs-v1.12.0.tar.gz and configure the quartz container with:

    DOCS_RELEASE_URL=https://forge.ops.eblu.me/eblume/blumeops/releases/download/v1.12.0/docs-v1.12.0.tar.gz
    
  • v1.11.5 be3cdad1cb

    eblume released this 2026-02-26 07:56:02 -08:00 | 61 commits to main since this release

    BlumeOps release v1.11.5

    What's Changed

    Features

    • Add authenticated GitHub mirror sync with PAT rotation tooling (mirror-update-pats, mirror-create auth support, how-to doc).
    • Add Transmission Grafana dashboard with metrics exporter sidecar for monitoring upload/download speeds, transfer volumes, and per-torrent breakdowns.

    Bug Fixes

    • Fix Frigate dashboard "Detection Events Rate" panel showing no data — corrected metric name to frigate_camera_events_total and label to camera.
    • Filter car and bird detections from Frigate driveway zone to stop repeated alerts on parked cars at night

    Infrastructure

    • Port CloudNative-PG operator from Helm chart to direct upstream release manifest via forge mirror.
    • Add multi-cluster Kubernetes observability: deploy kube-state-metrics and Alloy on ringtail (k3s), add cluster label to all metrics/logs, replace single-cluster dashboards with multi-cluster Kubernetes dashboard and dedicated Ringtail dashboard with GPU monitoring.
    • Add explicit ExternalSecret defaults for SSA sync parity with ArgoCD v3.3
    • Upgrade ArgoCD from v3.2.6 to v3.3.2 with Server-Side Apply enabled

    AI Assistance

    • Bake default bat options into ai-docs mise task so agents no longer need verbose flags at session start.
    • docs-review task now prints the file path instead of the file content, so the LLM reads it directly.

    Documentation

    Download docs-v1.11.5.tar.gz and configure the quartz container with:

    DOCS_RELEASE_URL=https://forge.ops.eblu.me/eblume/blumeops/releases/download/v1.11.5/docs-v1.11.5.tar.gz
    
  • v1.11.4 e273f399ea

    eblume released this 2026-02-25 07:04:22 -08:00 | 74 commits to main since this release

    BlumeOps release v1.11.4

    What's Changed

    Features

    • Add mirror-create mise task for creating upstream mirrors in the mirrors/ Forgejo org

    Bug Fixes

    • Fix Grafana OAuth role mapping: INI parser was stripping quotes from role_attribute_path = 'Admin', causing all Authentik users to get Viewer role instead of Admin. Now uses group-based mapping from the admins Authentik group.
    • Fix TeslaMate dashboards showing "No Data": Grafana 12.x's grafana-postgresql-datasource plugin requires the database name in jsonData, not just the top-level database field.

    Infrastructure

    • Move image tags to kustomize images: transformer across 22 services and replace hand-written ConfigMaps with configMapGenerator: in 12 services, enabling content-hash-based automatic rollouts on config changes.
    • Migrate upstream mirror repos from eblume/ to mirrors/ Forgejo organization
    • Port Prometheus to local container build (3-stage: Node UI, Go binaries, Alpine runtime) for supply chain control via Zot registry.
    • Fix ArgoCD app definitions and credential template to use mirrors/ org after forge mirror migration; bump immich v2.5.2 → v2.5.6.
    • Document AirPlay cross-VLAN firewall rules for Samsung Frame TV (established/related, AirPlay ports, dynamic reverse) and fix rule ordering in segment-home-network plan.
    • Update image tags for all 6 mirror-migrated containers (homepage, navidrome, ntfy, miniflux, prometheus, teslamate)
    • Switch prometheus, teslamate, and miniflux container builds to forge mirrors; create miniflux mirror

    Documentation

    • Document squash-merge container tag provenance issue and post-merge workflow for updating manifests to main-SHA tags.
    • Add mise-tasks reference card with categorized task inventory; include in ai-docs context
    • Review 3 how-to docs: stamp provision-authentik-database and use-pypi-proxy, fix wrong policy path and misleading --yes in update-tailscale-acls

    Documentation

    Download docs-v1.11.4.tar.gz and configure the quartz container with:

    DOCS_RELEASE_URL=https://forge.ops.eblu.me/eblume/blumeops/releases/download/v1.11.4/docs-v1.11.4.tar.gz
    
  • v1.11.3 9b4951bf94

    eblume released this 2026-02-23 21:04:33 -08:00 | 95 commits to main since this release

    BlumeOps release v1.11.3

    What's Changed

    Features

    • Upgrade Grafana from 11.4.0 to 12.3.3 with home-built container image and Kustomize manifests, replacing the Helm chart deployment.

    Bug Fixes

    • Fix Dagger pipelines hanging when called from mise tasks in interactive terminals. Added --progress=plain to all dagger call invocations to prevent SIGTTOU from stopping the process when mise's child process group is not the terminal foreground group.
    • Fix Grafana TeslaMate dashboards not appearing in a folder — enabled foldersFromFilesStructure so the sidecar's grafana_folder annotation is respected.
    • Container build workflows now check out the dispatch ref when building from feature branches, fixing "No Dockerfile — skipping" errors for containers not yet on main.

    Infrastructure

    • Fix Frigate Prometheus scrape target to route via Caddy (nvr.ops.eblu.me) after migration to ringtail, and rebuild Grafana dashboard with updated Frigate 0.17 metrics (GPU usage, temperature, skipped FPS, detection events).
    • Update tooling dependencies: pre-commit hooks (trufflehog, ruff, shellcheck, prettier, actionlint), Fly.io Dockerfile (pin nginx 1.28.2-alpine, alloy v1.13.1), and normalize mise task Python lower bounds.
    • Rename containers/forgejo-runner to containers/runner-job-image to distinguish the CI job execution image from the Forgejo runner daemon, fixing a version-check false positive.

    Documentation

    • Review deploy-authentik card: rewrite as reproducible process guide, remove stale version info and future work section, mark plan as completed.
    • Formalize C0/C1/C2 change classification: C0 allows direct-to-main commits, C1 adds docs-first workflow with branch deployment, C2 introduces the Mikado Branch Invariant for strict commit ordering on multi-phase changes. Add C2 conventions: C2(<chain>): plan/impl/close/finalize commit messages, mikado/<chain-stem> branch naming, and branch: frontmatter on goal cards. New tooling: docs-mikado --resume for cold-start session pickup and mikado-branch-invariant-check pre-commit hook.
    • Replace Grafana Helm upgrade plan with C2 Mikado chain for upgrading to 12.x with kustomize and home-built containers.

    AI Assistance

    • Improved Mikado C2 process: end-of-cycle session prompts, rigorous reset discipline with documented git patterns, and --resume now shows PR number and stash hints.

    Documentation

    Download docs-v1.11.3.tar.gz and configure the quartz container with:

    DOCS_RELEASE_URL=https://forge.ops.eblu.me/eblume/blumeops/releases/download/v1.11.3/docs-v1.11.3.tar.gz
    
  • v1.11.2 e655f4556e

    eblume released this 2026-02-22 17:52:04 -08:00 | 112 commits to main since this release

    BlumeOps release v1.11.2

    What's Changed

    Features

    • Add branch-cleanup mise task and scheduled Forgejo workflow to delete merged branches locally and on the Forgejo remote. Detects squash-merged PRs via the Forgejo API. The workflow runs approximately every 10 days with a configurable age cutoff (default 30 days).
    • Add Forgejo repository health metrics collector and Grafana dashboard with CI/CD, release, and language tracking across all repos.
    • Switch Frigate object detection from YOLO-NAS-S (320x320) to YOLOv9-c (640x640) with CUDA Graphs support, and add frigate-export-model Dagger pipeline + mise task for reproducible model exports.

    Infrastructure

    • Simplify service-versions.yaml type taxonomy to argocd | ansible | nixos; add nix-container-builder entry; backfill forgejo and forgejo-runner versions
    • Prepare forgejo-runner v12 upgrade: review config compatibility, add workflow schema validation via Dagger, wire pre-commit hook
    • Upgrade k8s forgejo-runner daemon from v6.3.1 to v12.7.0

    Documentation

    • Add Mikado chain for upgrading k8s forgejo-runner from v6.3.1 to v12.x

    Documentation

    Download docs-v1.11.2.tar.gz and configure the quartz container with:

    DOCS_RELEASE_URL=https://forge.ops.eblu.me/eblume/blumeops/releases/download/v1.11.2/docs-v1.11.2.tar.gz
    
  • v1.11.1 e41c28ed90

    eblume released this 2026-02-22 10:21:19 -08:00 | 120 commits to main since this release

    BlumeOps release v1.11.1

    What's Changed

    Infrastructure

    • Use Zot registry logo instead of Docker logo on homepage dashboard

    Documentation

    Download docs-v1.11.1.tar.gz and configure the quartz container with:

    DOCS_RELEASE_URL=https://forge.ops.eblu.me/eblume/blumeops/releases/download/v1.11.1/docs-v1.11.1.tar.gz
    
  • v1.11.0 c427f04ec4

    eblume released this 2026-02-22 09:16:00 -08:00 | 123 commits to main since this release

    BlumeOps release v1.11.0

    What's Changed

    Features

    • Add agent change process (C0/C1/C2) documentation and docs-mikado tool for Mikado method dependency chain resolution. Rename zk-docs task to ai-docs.
    • Deploy Authentik identity provider on ringtail k3s cluster, replacing Dex as the SSO provider. Includes Nix-built container, CNPG database, Redis, and Caddy routing at authentik.ops.eblu.me.
    • Integrate Forgejo with Authentik OIDC for single sign-on with group-based admin propagation. Enforce TOTP MFA on Authentik authentication flow.
    • Add Authentik SSO to Jellyfin with admin group mapping
    • Container builds now trigger automatically on merge to main (path-based) and use commit-SHA-based image tags (vX.Y.Z-<sha>) for full traceability. The container-tag-and-release task is replaced by container-build-and-release which dispatches workflows via the Forgejo API. Added pre-commit hook to keep container versions in sync with service-versions.yaml.
    • Register Zot as an OIDC client in Authentik via blueprint, with artifact-workloads group, zot-ci service account, and OIDC credentials template for Ansible deployment.
    • Enable OIDC + API key authentication on zot registry with three-tier access control (anonymous read, CI create, admin full). Wire both CI push paths (Dagger and Nix/skopeo) with registry credentials via Forgejo Actions secrets. Allow anonymous Prometheus metrics scraping via accessControl.metrics.users.

    Bug Fixes

    • Fix frigate-notify notification pipeline: switch to webapi polling, enable dedup, drop events without snapshots, use hi-res snapshots

    Infrastructure

    • Add Mikado prereq for commit-based container tagging scheme to harden-zot-registry chain
    • Convert deploy-authentik plan to C2 Mikado chain entry point.
    • Add flake-update Dagger pipeline for updating ringtail NixOS flake inputs.
    • Upgrade frigate-notify from v0.3.5 to v0.5.4

    Documentation

    • Add deployment plan for Authentik identity provider to replace Dex

    Documentation

    Download docs-v1.11.0.tar.gz and configure the quartz container with:

    DOCS_RELEASE_URL=https://forge.ops.eblu.me/eblume/blumeops/releases/download/v1.11.0/docs-v1.11.0.tar.gz
    
  • v1.10.0 d21798b1f3

    eblume released this 2026-02-19 20:45:42 -08:00 | 157 commits to main since this release

    BlumeOps release v1.10.0

    What's Changed

    Features

    • Deploy Dex OIDC identity provider on ringtail with Grafana as first SSO client.
    • Added Nix container build for nettest, validating the full nix-container-builder pipeline on ringtail. One git tag now triggers both Dockerfile and Nix workflows — each skips if its build file is absent. Rewrote container-tag-and-release as a typer CLI with --dry-run support. Added container policy.json and registries.conf to ringtail for skopeo.
    • Add NixOS configuration for ringtail (gaming/compute workstation with RTX 4080). Includes declarative disk partitioning via disko, NVIDIA drivers, sway/Wayland desktop, Steam, Tailscale, and Ansible-driven provisioning.
    • Add screen lock, idle timeout, and sleep prevention to ringtail: swaylock locks after 15min, display powers off after 60min, machine never suspends.
    • Systemd Forgejo Actions runner on ringtail (nix-container-builder label) for building containers with nix build and pushing via skopeo. K3s cluster retained for future workloads. 1Password Connect + External Secrets Operator available for k8s secret management.

    Bug Fixes

    • Cap detect FPS to 2 and sync motion masks/zones from live config
    • Fix zk-docs task to use new path for troubleshooting doc after how-to reorg.
    • Inhibit swayidle lock screen when a fullscreen window is active on ringtail, preventing screen lock during gamepad-only gaming sessions.
    • Make 1Password secret tasks in ringtail playbook idempotent by checking kubectl apply output instead of always reporting changed.

    Infrastructure

    • Port Frigate NVR to ringtail k3s with RTX 4080 GPU acceleration (TensorRT/ONNX), replacing the ZMQ-based Apple Silicon detector on indri.
    • Replace Homepage Helm chart (jameswynn/homepage v2.1.0, pinned at app v1.2.0) with plain kustomize manifests and a custom Dockerfile built from upstream v1.10.1. Gives full version control and matches the pattern used by other blumeops services.
    • Port ntfy to a locally built container image from forge mirror source.
    • Port Mosquitto (MQTT) and ntfy to ringtail k3s; retire Apple Silicon Detector from indri.
    • Ringtail post-install: NixOS config (sway with Catppuccin Macchiato theme, fish, 1Password, Steam, LibreWolf, Bluetooth audio, chezmoi, dev tools, nix-ld), Dagger flake-lock pipeline, improved provision-ringtail workflow, services-check integration, and reference documentation.
    • Add ringtail DeviceTags to Pulumi and allow homelab-to-homelab Tailscale SSH for cross-host ansible/management.
    • Update Frigate zone masks from live config and expand alert notifications to cover both Driveway and Driveway_entrance zones.
    • Add Apple Silicon ZMQ detector for Frigate — inference moves from in-pod ONNX CPU to CoreML on indri via ZMQ, using YOLOv9-m model
    • Deploy Tailscale operator on ringtail k3s cluster
    • Upgrade ntfy from v2.11.0 to v2.17.0 and add ntfy and frigate reference docs.
    • Update External Secrets Operator Helm chart from 1.3.1 to 2.0.0 (operator v1.3.2)
    • Upgrade Frigate NVR from 0.16.4 to 0.17.0-rc2 (prerequisite for Apple Silicon ZMQ detector)

    Documentation

    • Add Dex OIDC documentation: reference card, federated login explanation, services-check integration, and updated plan.
    • Update services-check and documentation to reflect Frigate, Mosquitto, and ntfy migration from indri minikube to ringtail k3s (PRs #216, #217).
    • Review and fix update-documentation how-to: add missing cache purge step, clean up fragment types table.

    Documentation

    Download docs-v1.10.0.tar.gz and configure the quartz container with:

    DOCS_RELEASE_URL=https://forge.ops.eblu.me/eblume/blumeops/releases/download/v1.10.0/docs-v1.10.0.tar.gz
    
  • v1.9.4 27d8f3cf1f

    eblume released this 2026-02-17 07:30:38 -08:00 | 195 commits to main since this release

    BlumeOps release v1.9.4

    What's Changed

    Documentation

    • Reorganize how-to guides into deployment/, configuration/, and operations/ subdirectories; review and update gandi-operations doc; fix missing cv.eblu.me CNAME in gandi reference card.

    Documentation

    Download docs-v1.9.4.tar.gz and configure the quartz container with:

    DOCS_RELEASE_URL=https://forge.ops.eblu.me/eblume/blumeops/releases/download/v1.9.4/docs-v1.9.4.tar.gz
    