Deployable Service Images for
WordPress · Pingora · Rust Operators · Cluster Agents

solera curates the runtime side of the ecosystem — what lamina is to build, solera is to run.

View Repository →Image Catalog Delta Model Deploying Images

Axioms

Images

Spiral Tensions

ARM64-only Build

Foundations · .ontology/core.ncl

Three Axioms

The complement of lamina's catalog-not-runtime: lamina = build, solera = run.

A1 · upstream-first

Upstream First

Every image extends an official upstream. solera only adds the justified delta.

A2 · runtime-not-buildtime

Runtime Not Buildtime

solera images are k8s-consumed runtime services, not build-stage donors.

A3 · delta-only

Delta Only

Each image adds exactly what the upstream lacks. Zero-delta layers are inadmissible.

4 Images · 2 Classes

Image Catalog

Two classes: upstream-extension and from-source (missing-platform builds).

Image	Upstream / base	Delta	Capabilities	Platform
wordpress-fpm	`wordpress:6.9.4-php8.3-fpm`	gmp + wordpress-media.ini (uploads/memory/time tuned for media).	`php-fpm` · `wordpress` · `media-optimized`	`linux/amd64` · `linux/arm64`
aralez	`rust:1.88-slim-bookworm` → `debian:bookworm-slim`	ARM64-only build of upstream sadoyan/aralez. LTO disabled to fit BuildKit runner memory.	`reverse-proxy` · `tls-termination` · `pingora-0.8`	`linux/arm64`
fip-controller	`rust:1.88-slim-bookworm` → `debian:bookworm-slim`	In-tree FIP controller binary, lean runtime.	`floating-ip` · `k8s-operator`	`linux/arm64` · `linux/amd64`
fip-alias-agent	`debian:bookworm-slim`	iproute2 only. DaemonSet companion to fip-controller (bind FIP aliases per node).	`cluster-agent` · `floating-ip-bind`	`linux/arm64` · `linux/amd64`

Why-this-image-exists

Delta Model

Three columns gate admission: what upstream provides, what we add, what we refuse to add.

Upstream provides

Inherited · Maintained by upstream

Base-layer responsibilities. Patches and capabilities tracked from upstream's release cadence.

wordpress-fpm: gd+avif+webp+freetype, imagick, bcmath, exif, intl, mysqli, zip, opcache.
aralez: cargo + rustup (build) → debian:slim libssl3 (runtime).
fip-alias-agent: full debian:slim base (CVE patching, libc).

solera adds

The justified delta

Minimum diff that turns an upstream into an ecosystem-ready service.

wordpress-fpm: gmp extension + wordpress-media.ini tuning.
aralez: linux/arm64 compile + LTO-off profile override.
fip-controller: in-tree controller binary, lean runtime.
fip-alias-agent: iproute2 only — minimal companion DaemonSet.

solera refuses

Out of scope · Inadmissible

Held out to preserve operator override and prevent application-state leakage.

Plugins, themes, content (operator's ConfigMap/PVC, not the image).
cargo-chef pre-cooked deps (that's lamina's job).
Application-logic settings (session, error reporting — operator ConfigMap).

Spiral Tensions · core.ncl

Two Tensions

A Spiral tension is a polarity to navigate, not a problem to solve.

T1 · upstream-lag-vs-control

Upstream Lag vs Control

Auto CVE patching vs the risk of upstream breaking changes.

SynthesisPin explicitly, bump on security releases, smoke-test the delta.

T2 · baked-defaults-vs-runtime-config

Baked Defaults vs Runtime Config

Operator tunability vs baked-in operational defaults.

SynthesisBake capability-bound limits; leave logic settings to the operator.

Deployment · k8s manifest snippets

Deploying Images

Pinned tags only. Bump deliberately. Never :latest in cluster manifests.

# Build & push the full catalog
just build-all
just push-all

# Single-image build via lian-build (the same orchestrator lamina uses)
just build wordpress-fpm

# Deployment snippet — wordpress-fpm
image: reg.librecloud.online/solera/wordpress-fpm:6.9.4-php8.3
env:
  - name: WORDPRESS_DB_HOST
    value: mariadb.svc.cluster.local:3306

# DaemonSet snippet — fip-alias-agent
image: reg.librecloud.online/solera/fip-alias-agent:0.1.0
securityContext:
  capabilities:
    add: ["NET_ADMIN"]
hostNetwork: true