infra/stacks
Viktor Barzin e5f6d16b2e enrolled-patch stacks: ignore image drift from Keel auto-update
For Deployments enrolled in Keel with policy=patch, the image tag is
updated by Keel as new patches release upstream. Without
ignore_changes on the image field, terragrunt apply would fight Keel
in an endless loop (TF reverts → Keel re-rolls → repeat — same shape
as the calico/tigera-operator fight from earlier).

Adding KEEL_IGNORE_IMAGE marker to the lifecycle of these stacks.
Image string in TF becomes the initial seed; Keel rolls it forward.

Stacks: actualbudget, broker-sync, changedetection, city-guesser,
coturn, dashy, dawarich, diun, ebook2audiobook, ebooks, echo,
excalidraw, foolery, forgejo, freedify.

CI-driven self-hosted stacks (fire-planner, job-hunter, payslip-ingest,
recruiter-responder, claude-agent-service, claude-memory) keep TF
ownership of image and policy=never — their image_tag is set by CI
via terragrunt.hcl inputs, not by Keel. Adding image to ignore_changes
on those would break the CI deploy flow.

Caveat: only container[0].image is added. Multi-container Deployments
(immich, beads, etc.) will need additional container[N].image lines
for any container Keel rolls. Those stacks are not currently enrolled.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-22 14:16:51 +00:00
_template ingress_factory: replace protected bool with auth enum + audit pass across 100 stacks 2026-05-22 14:16:42 +00:00
actualbudget recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
affine recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
authentik infra: document auth = "app|none" tier on every legacy ingress 2026-05-22 14:16:44 +00:00
beads-server infra: document auth = "app|none" tier on every legacy ingress 2026-05-22 14:16:44 +00:00
blog recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
broker-sync recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
calico calico: unenroll from Keel — tigera-operator owns DaemonSet spec 2026-05-22 14:16:50 +00:00
changedetection enrolled-patch stacks: ignore image drift from Keel auto-update 2026-05-22 14:16:51 +00:00
chrome-service recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
city-guesser enrolled-patch stacks: ignore image drift from Keel auto-update 2026-05-22 14:16:51 +00:00
claude-agent-service recruiter-triage: AI culture & tooling section + warm-engage AI ask 2026-05-22 14:16:50 +00:00
claude-memory recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
cloudflared cloudflare: disable AI bot edge-block so x402 can issue payment offers 2026-05-22 14:16:42 +00:00
cnpg [infra] Suppress Goldilocks vpa-update-mode label drift on all namespaces [ci skip] 2026-04-18 21:15:27 +00:00
coturn enrolled-patch stacks: ignore image drift from Keel auto-update 2026-05-22 14:16:51 +00:00
crowdsec ingress_factory: replace protected bool with auth enum + audit pass across 100 stacks 2026-05-22 14:16:42 +00:00
cyberchef recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
dashy enrolled-patch stacks: ignore image drift from Keel auto-update 2026-05-22 14:16:51 +00:00
dawarich enrolled-patch stacks: ignore image drift from Keel auto-update 2026-05-22 14:16:51 +00:00
dbaas kured + cnpg: drain-safe defaults ahead of Monday reboot wave 2026-05-22 14:16:48 +00:00
descheduler recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
diun enrolled-patch stacks: ignore image drift from Keel auto-update 2026-05-22 14:16:51 +00:00
ebook2audiobook enrolled-patch stacks: ignore image drift from Keel auto-update 2026-05-22 14:16:51 +00:00
ebooks enrolled-patch stacks: ignore image drift from Keel auto-update 2026-05-22 14:16:51 +00:00
echo enrolled-patch stacks: ignore image drift from Keel auto-update 2026-05-22 14:16:51 +00:00
excalidraw enrolled-patch stacks: ignore image drift from Keel auto-update 2026-05-22 14:16:51 +00:00
external-secrets recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
f1-stream recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
fire-planner Phase 1a: enroll 4 self-hosted services in Keel auto-update 2026-05-22 14:16:48 +00:00
foolery recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
forgejo enrolled-patch stacks: ignore image drift from Keel auto-update 2026-05-22 14:16:51 +00:00
freedify recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
freshrss recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
frigate recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
grampsweb recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
hackmd recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
headscale infra: document auth = "app|none" tier on every legacy ingress 2026-05-22 14:16:44 +00:00
health recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
hermes-agent recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
homepage recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
immich infra: document auth = "app|none" tier on every legacy ingress 2026-05-22 14:16:44 +00:00
infra [forgejo] Phases 3+4+5: cutover, decommission, docs sweep 2026-05-07 23:29:34 +00:00
infra-maintenance [infra] Sweep dns_config ignore_changes across all pod-owning resources [ci skip] 2026-04-18 21:19:48 +00:00
insta2spotify recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
instagram-poster payslip-ingest, instagram-poster: suspend two chronic-failure cronjobs 2026-05-22 14:16:45 +00:00
isponsorblocktv recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
job-hunter Phase 1a: enroll 4 self-hosted services in Keel auto-update 2026-05-22 14:16:48 +00:00
jsoncrack recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
k8s-dashboard recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
k8s-portal infra: document auth = "app|none" tier on every legacy ingress 2026-05-22 14:16:44 +00:00
k8s-version-upgrade recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
keel keel: enable Slack notifications on every upgrade 2026-05-22 14:16:50 +00:00
kms recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
kured recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
kyverno keel: default policy → patch (semver-bounded opt-out auto-update) 2026-05-22 14:16:50 +00:00
linkwarden recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
llama-cpp recruiter-responder: deploy stack + llama-cpp qwen3-8b + openclaw plugin mount 2026-05-22 14:16:46 +00:00
local-path recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
mailserver fix: pvc-autoresizer + TF drift safety — bulk add ignore_changes 2026-05-22 14:16:43 +00:00
matrix recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
meshcentral recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
metallb [infra] Suppress Goldilocks vpa-update-mode label drift on all namespaces [ci skip] 2026-04-18 21:15:27 +00:00
metrics-server [infra] Suppress Goldilocks vpa-update-mode label drift on all namespaces [ci skip] 2026-04-18 21:15:27 +00:00
monitoring aiostreams: 1h stream cache + canary stream-count probe + 3 alerts 2026-05-22 14:16:46 +00:00
n8n recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
navidrome recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
netbox recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
networking-toolbox recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
nextcloud recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
nfs-csi [infra] TrueNAS decommission — remove active references from Terraform + configs 2026-04-19 16:57:05 +00:00
nodelocal-dns [dns] NodeLocal DNSCache — deploy DaemonSet to all nodes (WS C) 2026-04-19 15:46:41 +00:00
novelapp infra/ingress_factory: add auth = "app" mode for self-authed backends 2026-05-22 14:16:44 +00:00
ntfy recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
nvidia infra: document auth = "app|none" tier on every legacy ingress 2026-05-22 14:16:44 +00:00
onlyoffice recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
openclaw recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
osm_routing recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
owntracks recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
paperless-ngx recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
payslip-ingest Phase 1a: enroll 4 self-hosted services in Keel auto-update 2026-05-22 14:16:48 +00:00
phpipam recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
platform [infra] Add Cloudflare provider to all stack lock files and generated providers 2026-04-16 16:31:36 +00:00
plotting-book fix: pvc-autoresizer + TF drift safety — bulk add ignore_changes 2026-05-22 14:16:43 +00:00
poison-fountain recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
postiz infra: document auth = "app|none" tier on every legacy ingress 2026-05-22 14:16:44 +00:00
priority-pass recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
privatebin recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
proxmox-csi proxmox-csi: opt SCs into pvc-autoresizer (resize.topolvm.io/enabled=true) 2026-05-22 14:16:41 +00:00
pvc-autoresizer [infra] Suppress Goldilocks vpa-update-mode label drift on all namespaces [ci skip] 2026-04-18 21:15:27 +00:00
rbac [infra] Migrate Terraform state from local SOPS to PostgreSQL backend 2026-04-16 19:33:12 +00:00
real-estate-crawler recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
recruiter-responder recruiter-triage: AI culture & tooling section + warm-engage AI ask 2026-05-22 14:16:50 +00:00
redis fix: pvc-autoresizer threshold should be 10%, not 80% 2026-05-22 14:16:43 +00:00
reloader recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
resume recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
reverse-proxy chore: remove decommissioned registry.viktorbarzin.me ingress 2026-05-10 11:12:37 +00:00
rybbit recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
sealed-secrets [infra] Suppress Goldilocks vpa-update-mode label drift on all namespaces [ci skip] 2026-04-18 21:15:27 +00:00
send recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
servarr recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
shadowsocks recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
speedtest recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
status-page [infra] Establish KYVERNO_LIFECYCLE_V1 drift-suppression convention [ci skip] 2026-04-18 14:15:51 +00:00
stirling-pdf recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
tandoor recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
technitium fix: pvc-autoresizer + TF drift safety — bulk add ignore_changes 2026-05-22 14:16:43 +00:00
terminal recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
tor-proxy recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
trading-bot ingress_factory: replace protected bool with auth enum + audit pass across 100 stacks 2026-05-22 14:16:42 +00:00
traefik ingress_factory: replace protected bool with auth enum + audit pass across 100 stacks 2026-05-22 14:16:42 +00:00
travel_blog recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
tuya-bridge recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
uptime-kuma fix: pvc-autoresizer + TF drift safety — bulk add ignore_changes 2026-05-22 14:16:43 +00:00
url recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
vault recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
vaultwarden infra: document auth = "app|none" tier on every legacy ingress 2026-05-22 14:16:44 +00:00
vpa ingress_factory: replace protected bool with auth enum + audit pass across 100 stacks 2026-05-22 14:16:42 +00:00
wealthfolio recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
webhook_handler recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
whisper recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
wireguard [infra] Suppress Goldilocks vpa-update-mode label drift on all namespaces [ci skip] 2026-04-18 21:15:27 +00:00
woodpecker recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00
xray infra: document auth = "app|none" tier on every legacy ingress 2026-05-22 14:16:44 +00:00
ytdlp recruiter-responder: bump image_tag to 189ef901 2026-05-22 14:16:49 +00:00