Wrap nixpkgs paperless-ngx in dockerTools.buildLayeredImage, replacing the s6-overlay Dockerfile build. The package bundles the full OCR/imaging closure (tesseract, qpdf, jbig2enc, unpaper, pngquant, ocrmypdf, pikepdf) and nltk data, so the image stays lean. Unlike the s6 image, this runs as four containers on ringtail sharing one image (web/worker/beat/consumer); the web wrapper mirrors the NixOS module's granian + PYTHONPATH invocation. Self-pins nixos-unstable (stable lags at 2.19.6) for paperless-ngx 2.20.15 -- a same-minor forward patch bump from the v2.20.13 Dockerfile build. Build verified on ringtail (nix-build, exit 0, version assert passes). Also fixes pre-existing shower version drift (service-versions 1.1.2 -> 1.1.3 to match its default.nix) so container-version-check passes; the paperless service-versions edit widens that check to all containers.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
478 lines
16 KiB
YAML
# Service / Tooling / Application Version Tracking
#
# Tracks when each BlumeOps service was last reviewed for version freshness.
# Used by `mise run service-review` to surface stale services.
#
# Fields:
#   name             - kebab-case service identifier
#   type             - argocd | ansible | nixos | fly | mise
#   last-reviewed    - date (YYYY-MM-DD) or null
#   current-version  - deployed version string or null
#   upstream-source  - URL to upstream releases/changelog
#   notes            - optional context

services:
  - name: prometheus
    type: argocd
    last-reviewed: 2026-03-18
    current-version: "v3.10.0"
    upstream-source: https://github.com/prometheus/prometheus/releases

  - name: loki
    type: argocd
    last-reviewed: 2026-03-20
    current-version: "3.6.7"
    upstream-source: https://github.com/grafana/loki/releases

  - name: kube-state-metrics
    type: argocd
    last-reviewed: 2026-03-22
    current-version: "v2.18.0"
    upstream-source: https://github.com/kubernetes/kube-state-metrics/releases

  - name: ntfy
    type: argocd
    last-reviewed: 2026-03-23
    current-version: "v2.19.2"
    upstream-source: https://github.com/binwiederhier/ntfy/releases

  - name: homepage
    type: argocd
    last-reviewed: 2026-03-26
    current-version: "v1.11.0"
    upstream-source: https://github.com/gethomepage/homepage/releases
    notes: Custom container, kustomize manifests

  - name: shower
    type: argocd
    last-reviewed: 2026-05-15
    current-version: "1.1.3"
    upstream-source: https://forge.eblu.me/eblume/adelaide-baby-shower-app
    notes: |
      Django app for Adelaide / Heidi / Addie's baby shower. Wheel
      published to Forgejo Packages PyPI; runs on ringtail k3s. Public
      at shower.eblu.me (fly proxy), tailnet admin at shower.ops.eblu.me.

  - name: nvidia-device-plugin
    type: argocd
    last-reviewed: 2026-03-27
    current-version: "v0.19.0"
    upstream-source: https://github.com/NVIDIA/k8s-device-plugin/releases
    notes: DaemonSet + RuntimeClass on ringtail for GPU workloads

  - name: frigate
    type: argocd
    last-reviewed: 2026-03-24
    current-version: "0.17.1"
    upstream-source: https://github.com/blakeblackshear/frigate/releases

  - name: frigate-notify
    type: argocd
    last-reviewed: 2026-03-28
    current-version: "v0.5.4"
    upstream-source: https://github.com/0x2142/frigate-notify/releases

  - name: tempo
    type: argocd
    last-reviewed: 2026-04-02
    current-version: "2.10.3"
    upstream-source: https://github.com/grafana/tempo/releases
    notes: Home-built container from forge mirror

  - name: alloy-tracing-ringtail
    type: argocd
    last-reviewed: 2026-04-30
    current-version: "v1.16.0"
    upstream-source: https://github.com/grafana/alloy/releases
    notes: Privileged DaemonSet with Beyla eBPF for HTTP tracing on ringtail

  - name: alloy-ringtail
    type: argocd
    last-reviewed: 2026-04-30
    current-version: "v1.16.0"
    upstream-source: https://github.com/grafana/alloy/releases
    notes: DaemonSet on ringtail for host metrics and pod logs

  - name: alloy-k8s
    type: argocd
    last-reviewed: 2026-04-30
    current-version: "v1.16.0"
    upstream-source: https://github.com/grafana/alloy/releases

  - name: tailscale-operator
    type: argocd
    last-reviewed: 2026-03-22
    current-version: "v1.94.2"
    upstream-source: https://github.com/tailscale/tailscale/releases

  - name: tailscale
    type: container
    last-reviewed: 2026-05-10
    current-version: "1.94.2"
    upstream-source: https://github.com/tailscale/tailscale/releases
    notes: |
      Locally mirrored tailscale image used by ringtail's tailscale-operator
      ProxyClass. Built via containers/tailscale/default.nix.

  - name: grafana
    type: argocd
    last-reviewed: 2026-04-02
    current-version: "12.4.2"
    upstream-source: https://github.com/grafana/grafana/releases
    notes: Home-built container from Alpine; upgraded from Helm to Kustomize

  - name: grafana-sidecar
    type: argocd
    parent: grafana
    last-reviewed: "2026-04-13"
    current-version: "2.6.0"
    upstream-source: https://github.com/kiwigrid/k8s-sidecar/releases
    notes: Dashboard ConfigMap watcher sidecar in grafana deployment

  - name: cloudnative-pg
    type: argocd
    last-reviewed: 2026-03-28
    current-version: "v1.28.1"
    upstream-source: https://github.com/cloudnative-pg/cloudnative-pg/releases
    notes: Deployed via Helm chart (chart v0.27.1 from forge mirror)

  - name: immich
    type: argocd
    last-reviewed: 2026-04-04
    current-version: "v2.6.3"
    upstream-source: https://github.com/immich-app/immich/releases
    notes: Kustomize manifests with upstream images

  - name: valkey
    type: argocd
    last-reviewed: 2026-05-28
    current-version: "8.1.7"
    upstream-source: https://github.com/valkey-io/valkey/releases
    notes: >-
      Dual-build valkey image: container.py builds Alpine 3.22 + apk valkey
      (arm64, indri) for paperless; default.nix builds via nixpkgs (amd64,
      ringtail) for immich-ringtail. Both track upstream valkey 8.1.x; Alpine
      3.22 currently ships 8.1.7-r0 and nixpkgs valkey is 8.1.7. Alpine 3.23
      jumps to 9.0. Distinct from authentik-redis (nix-built Redis
      8.x) which has its own entry.

  - name: external-secrets
    type: argocd
    last-reviewed: 2026-03-25
    current-version: "v2.2.0"
    upstream-source: https://github.com/external-secrets/external-secrets/releases
    notes: Static kustomize manifests rendered from upstream Helm chart

  - name: 1password-connect
    type: argocd
    last-reviewed: 2026-04-06
    current-version: "1.8.2"
    upstream-source: https://hub.docker.com/r/1password/connect-api/tags
    notes: Kustomize manifests rendered from connect-helm-charts v2.4.1

  - name: argocd
    type: argocd
    last-reviewed: 2026-04-07
    current-version: "v3.3.6"
    upstream-source: https://github.com/argoproj/argo-cd/releases
    notes: Kustomize-based install with ServerSideApply

  - name: blumeops-pg
    type: argocd
    last-reviewed: 2026-03-28
    current-version: "18.3"
    upstream-source: https://github.com/cloudnative-pg/cloudnative-pg/releases
    notes: CloudNativePG Cluster resource; pinned to PG minor version

  - name: authentik
    type: argocd
    last-reviewed: "2026-04-08"
    current-version: "2026.2.2"
    upstream-source: https://github.com/goauthentik/authentik/releases

  - name: authentik-redis
    type: argocd
    parent: authentik
    last-reviewed: "2026-03-24"
    current-version: "8.2.3"
    upstream-source: https://github.com/redis/redis/releases
    notes: >-
      Attached service: Redis cache/broker for Authentik (sessions, Celery task
      queue, caching). Nix-built container from nixpkgs with version assertion.

  - name: ollama
    type: argocd
    last-reviewed: "2026-04-09"
    current-version: "0.20.4"
    upstream-source: https://github.com/ollama/ollama/releases
    notes: LLM inference server on ringtail (GPU); upstream container image

  - name: navidrome
    type: argocd
    last-reviewed: 2026-04-11
    current-version: "v0.61.1"
    upstream-source: https://github.com/navidrome/navidrome/releases

  - name: miniflux
    type: argocd
    last-reviewed: 2026-04-12
    current-version: "2.2.19"
    upstream-source: https://github.com/miniflux/v2/releases

  - name: teslamate
    type: argocd
    last-reviewed: 2026-04-14
    current-version: "v3.0.0"
    upstream-source: https://github.com/teslamate-org/teslamate/releases

  - name: transmission
    type: argocd
    last-reviewed: 2026-04-15
    current-version: "4.1.1-r1"
    upstream-source: https://github.com/transmission/transmission/releases

  - name: transmission-exporter
    type: argocd
    last-reviewed: 2026-04-15
    current-version: "1.0.1"
    upstream-source: null
    notes: Homegrown Python exporter, no upstream

  - name: kiwix
    type: argocd
    last-reviewed: 2026-04-17
    current-version: "3.8.2"
    upstream-source: https://github.com/kiwix/kiwix-tools/releases

  - name: devpi
    type: ansible
    last-reviewed: 2026-04-29
    current-version: "6.19.3"
    upstream-source: https://github.com/devpi/devpi/releases
    notes: Installed via uv into a venv on indri; version pinned in ansible/roles/devpi/defaults/main.yml

  - name: cv
    type: ansible
    last-reviewed: 2026-04-29
    current-version: "1.0.3"
    upstream-source: https://forge.eblu.me/eblume/cv
    notes: >-
      Static tarball downloaded by ansible/roles/cv into ~/blumeops/cv/content on indri;
      served directly by Caddy (kind=static). Migrated from minikube 2026-04-29.
      Review build deps (WeasyPrint, Jinja2) in source repo on upstream review.

  - name: docs
    type: ansible
    last-reviewed: 2026-04-29
    current-version: "v1.16.0"
    upstream-source: https://forge.eblu.me/eblume/blumeops/releases
    notes: >-
      Quartz-built tarball downloaded by ansible/roles/docs into ~/blumeops/docs/content
      on indri; served directly by Caddy (kind=static, try_html). current-version
      tracks the blumeops docs release tag.

  - name: forgejo-runner
    type: argocd
    last-reviewed: 2026-04-20
    current-version: "12.8.2"
    upstream-source: https://code.forgejo.org/forgejo/runner/releases
    notes: >-
      Runner daemon version (code.forgejo.org/forgejo/runner). Job execution
      image is tracked separately as runner-job-image.

  - name: runner-job-image
    type: argocd
    last-reviewed: 2026-04-21
    current-version: "0.20.6"
    upstream-source: https://github.com/dagger/dagger/releases
    notes: >-
      Forgejo Actions job execution image. CONTAINER_APP_VERSION tracks the
      Dagger CLI version, the primary build tool in the image.

  - name: nix-container-builder
    type: nixos
    last-reviewed: 2026-04-01
    current-version: "12.7.2"
    upstream-source: https://code.forgejo.org/forgejo/runner/releases
    notes: >-
      Forgejo runner on ringtail; pinned via nixpkgs-services overlay in flake.nix.
      Update nixpkgs-services rev during service reviews, not via nix flake update.

  - name: snowflake-proxy
    type: nixos
    last-reviewed: 2026-04-01
    current-version: "2.11.0"
    upstream-source: https://gitlab.torproject.org/tpo/anti-censorship/pluggable-transports/snowflake/-/releases
    notes: >-
      Tor Snowflake proxy on ringtail; pinned via nixpkgs-services overlay in flake.nix.
      Anti-censorship bridge, not an exit node.

  - name: k3s
    type: nixos
    last-reviewed: 2026-04-01
    current-version: "1.34.5+k3s1"
    upstream-source: https://github.com/k3s-io/k3s/releases
    notes: >-
      Single-node k3s cluster on ringtail; pinned via nixpkgs-services overlay in flake.nix.
      Update nixpkgs-services rev during service reviews.

  - name: minikube
    type: ansible
    last-reviewed: 2026-04-01
    current-version: "1.38.0"
    upstream-source: https://github.com/kubernetes/minikube/releases
    notes: >-
      Single-node minikube on indri; installed via homebrew (not version-pinned).
      Homebrew may silently upgrade on brew update/upgrade.

  - name: mealie
    type: argocd
    last-reviewed: 2026-05-11
    current-version: "v3.12.0"
    upstream-source: https://github.com/mealie-recipes/mealie/releases
    notes: >-
      Recipe manager; built from source via forge mirror.
      Upstream is at v3.17.0 as of 2026-05-11 (5 minor versions ahead).
      Container/manifest still pinned to v3.12.0 — upgrade deferred to a
      separate task (build new image, review changelog for breaking changes).

  - name: paperless
    type: argocd
    last-reviewed: "2026-06-03"
    current-version: "v2.20.15"
    upstream-source: https://github.com/paperless-ngx/paperless-ngx/releases
    notes: >-
      Document management. Container ported from Dockerfile to Nix
      (containers/paperless/default.nix wraps nixpkgs paperless-ngx from a
      pinned nixos-unstable). Runs as web/worker/beat/consumer containers on
      ringtail (multi-process; no s6). Bumped v2.20.13 -> v2.20.15 (the
      unstable package version, same-minor patch) as part of the port.

  - name: unpoller
    type: argocd
    last-reviewed: 2026-05-28
    current-version: "v3.2.0"
    upstream-source: https://github.com/unpoller/unpoller/releases
    notes: UniFi metrics exporter for Prometheus

  - name: prowler
    type: argocd
    last-reviewed: 2026-04-14
    current-version: "5.23.0"
    upstream-source: https://github.com/prowler-cloud/prowler/releases
    notes: CIS Kubernetes Benchmark scanner; weekly CronJob on minikube-indri

  - name: kingfisher
    type: argocd
    last-reviewed: 2026-03-29
    current-version: "165768b"
    upstream-source: https://github.com/mongodb/kingfisher/releases
    notes: Secret scanner; sporked from upstream with --clone-url-base patch. Version is upstream main SHA.

  - name: forgejo
    type: ansible
    last-reviewed: 2026-03-28
    current-version: "14.0.3"
    upstream-source: https://codeberg.org/forgejo/forgejo/releases
    notes: Built from source on indri (~/code/3rd/forgejo)

  - name: alloy
    type: ansible
    last-reviewed: 2026-04-30
    current-version: "v1.16.0"
    upstream-source: https://github.com/grafana/alloy/releases
    notes: Built from source on indri

  - name: zot
    type: ansible
    last-reviewed: 2026-05-04
    current-version: "v2.1.16"
    upstream-source: https://github.com/project-zot/zot/releases
    notes: Built from source on indri

  - name: caddy
    type: ansible
    last-reviewed: 2026-05-06
    current-version: "v2.11.2"
    upstream-source: https://github.com/caddyserver/caddy/releases
    notes: Built from source with Gandi DNS and Layer 4 plugins

  - name: borgmatic
    type: ansible
    last-reviewed: 2026-04-15
    current-version: "2.1.4"
    upstream-source: https://github.com/borgmatic-collective/borgmatic/releases
    notes: Installed via mise (pipx); version pinned in ansible/roles/borgmatic/defaults/main.yml and mise.toml

  - name: jellyfin
    type: ansible
    last-reviewed: 2026-03-17
    current-version: "10.11.6"
    upstream-source: https://github.com/jellyfin/jellyfin/releases

  - name: automounter
    type: ansible
    last-reviewed: 2026-03-17
    current-version: "1.11.0"
    upstream-source: https://www.pixeleyes.co.nz/automounter/
    notes: Mac App Store app, no Ansible role. Updates via App Store.

  - name: flyio-tailscale
    type: fly
    last-reviewed: "2026-04-10"
    current-version: "v1.94.1"
    upstream-source: https://github.com/tailscale/tailscale/releases
    notes: >-
      Pinned after v1.96.5 broke MagicDNS in containers. Test DNS resolution
      inside Fly container before upgrading. COPY --from in fly/Dockerfile.

  - name: flyio-nginx
    type: fly
    last-reviewed: "2026-04-10"
    current-version: "1.29.6-alpine"
    upstream-source: https://hub.docker.com/_/nginx
    notes: Base image for Fly proxy (fly/Dockerfile)

  - name: flyio-alloy
    type: fly
    parent: flyio-nginx
    last-reviewed: "2026-04-10"
    current-version: "v1.14.1"
    upstream-source: https://github.com/grafana/alloy/releases
    notes: COPY --from in fly/Dockerfile for log shipping and metrics

  - name: dagger
    type: mise
    last-reviewed: 2026-04-21
    current-version: "0.20.6"
    upstream-source: https://github.com/dagger/dagger/releases
    notes: Dagger CI/CD engine; pinned in mise.toml

  - name: ansible-core
    type: mise
    last-reviewed: 2026-04-12
    current-version: "2.20.1"
    upstream-source: https://github.com/ansible/ansible/releases
    notes: Installed via pipx/uvx with botocore and boto3

  - name: prek
    type: mise
    last-reviewed: 2026-04-12
    current-version: "0.3.4"
    upstream-source: https://github.com/j178/prek/releases
    notes: Pre-commit hook runner (Rust reimplementation)

  - name: pulumi-cli
    type: mise
    last-reviewed: 2026-04-12
    current-version: "3.215.0"
    upstream-source: https://github.com/pulumi/pulumi/releases
    notes: IaC CLI for tailscale and gandi stacks

  - name: ty
    type: mise
    last-reviewed: 2026-04-12
    current-version: "0.0.29"
    upstream-source: https://github.com/astral-sh/ty/releases
    notes: Astral Python typechecker (beta); prek hook