C2(jobsync): impl — deploy-jobsync manifests and routing

ArgoCD app, k8s manifests (deployment, service, PVC, ExternalSecret,
Tailscale ingress), and Caddy route for jobsync.ops.eblu.me.

1Password item "JobSync" created with auth_secret and encryption_key.
Container build v1.1.4 in progress.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

ansible/roles/caddy/defaults/main.yml

@@ -88,6 +88,9 @@ caddy_services:
   - name: ollama
     host: "ollama.{{ caddy_domain }}"
     backend: "https://ollama.tail8d86e.ts.net"
+  - name: jobsync
+    host: "jobsync.{{ caddy_domain }}"
+    backend: "https://jobsync.tail8d86e.ts.net"
   - name: sifaka
     host: "nas.{{ caddy_domain }}"
     backend: "http://sifaka:5000"

argocd/apps/jobsync.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: jobsync
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git
+    targetRevision: main
+    path: argocd/manifests/jobsync
+  destination:
+    server: https://ringtail.tail8d86e.ts.net:6443
+    namespace: jobsync
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true

argocd/manifests/jobsync/deployment.yaml

@@ -0,0 +1,71 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: jobsync
+  namespace: jobsync
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: jobsync
+  template:
+    metadata:
+      labels:
+        app: jobsync
+    spec:
+      containers:
+        - name: jobsync
+          image: registry.ops.eblu.me/blumeops/jobsync:kustomized
+          ports:
+            - containerPort: 3000
+              name: http
+          env:
+            - name: DATABASE_URL
+              value: "file:/data/dev.db"
+            - name: NEXTAUTH_URL
+              value: "https://jobsync.ops.eblu.me"
+            - name: AUTH_TRUST_HOST
+              value: "true"
+            - name: TZ
+              value: "America/Los_Angeles"
+            - name: OLLAMA_BASE_URL
+              value: "http://ollama.ollama.svc.cluster.local:11434"
+            - name: AUTH_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: jobsync-secrets
+                  key: auth_secret
+            - name: ENCRYPTION_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: jobsync-secrets
+                  key: encryption_key
+          volumeMounts:
+            - name: data
+              mountPath: /data
+          resources:
+            requests:
+              memory: "256Mi"
+              cpu: "200m"
+            limits:
+              memory: "1Gi"
+              cpu: "1000m"
+          livenessProbe:
+            httpGet:
+              path: /
+              port: 3000
+            initialDelaySeconds: 30
+            periodSeconds: 30
+          readinessProbe:
+            httpGet:
+              path: /
+              port: 3000
+            initialDelaySeconds: 10
+            periodSeconds: 10
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: jobsync-data

argocd/manifests/jobsync/external-secret.yaml

@@ -0,0 +1,23 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: jobsync-secrets
+  namespace: jobsync
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-blumeops
+  target:
+    name: jobsync-secrets
+    creationPolicy: Owner
+  data:
+    - secretKey: auth_secret
+      remoteRef:
+        key: JobSync
+        property: auth_secret
+    - secretKey: encryption_key
+      remoteRef:
+        key: JobSync
+        property: encryption_key

argocd/manifests/jobsync/ingress-tailscale.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: jobsync-tailscale
+  namespace: jobsync
+  annotations:
+    tailscale.com/proxy-class: "default"
+    tailscale.com/proxy-group: "ingress"
+    gethomepage.dev/enabled: "true"
+    gethomepage.dev/name: "JobSync"
+    gethomepage.dev/group: "Productivity"
+    gethomepage.dev/icon: "mdi-briefcase-search"
+    gethomepage.dev/description: "Job application tracker"
+    gethomepage.dev/href: "https://jobsync.ops.eblu.me"
+    gethomepage.dev/pod-selector: "app=jobsync"
+spec:
+  ingressClassName: tailscale
+  defaultBackend:
+    service:
+      name: jobsync
+      port:
+        number: 3000
+  tls:
+    - hosts:
+        - jobsync

argocd/manifests/jobsync/kustomization.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: jobsync
+resources:
+  - pv-hostpath.yaml
+  - pvc.yaml
+  - external-secret.yaml
+  - deployment.yaml
+  - service.yaml
+  - ingress-tailscale.yaml
+
+images:
+  - name: registry.ops.eblu.me/blumeops/jobsync
+    newTag: "v1.1.4"

argocd/manifests/jobsync/pv-hostpath.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: jobsync-data-pv
+spec:
+  capacity:
+    storage: 10Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: ""
+  hostPath:
+    path: /mnt/storage1/jobsync
+    type: DirectoryOrCreate

argocd/manifests/jobsync/pvc.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: jobsync-data
+  namespace: jobsync
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: ""
+  volumeName: jobsync-data-pv
+  resources:
+    requests:
+      storage: 10Gi

argocd/manifests/jobsync/service.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: jobsync
+  namespace: jobsync
+spec:
+  selector:
+    app: jobsync
+  ports:
+    - name: http
+      port: 3000
+      targetPort: 3000