Deploy Mealie recipe manager (#299)

## Summary

- Deploy Mealie (self-hosted recipe manager) on minikube-indri via ArgoCD
- Build container from source via forge mirror (`mirrors/mealie`) — multi-stage Dockerfile with Node.js frontend + Python/uv backend
- Add Caddy proxy entry for `meals.ops.eblu.me`
- Part of a larger meal planning pipeline: Mealie stores categorized recipes, a planner script selects balanced meals, and Ollama generates unified cooking timelines

## Status

- [x] Mirror mealie repo on forge
- [x] Dockerfile (from-source build)
- [x] ArgoCD app + k8s manifests
- [x] Caddy proxy entry
- [x] Service docs, routing table, app registry
- [ ] Local Dagger build test
- [ ] Container build + push to registry
- [ ] Update kustomization.yaml with real image tag
- [ ] Deploy and verify
- [ ] Provision Caddy

## Test plan

- Build container locally via `dagger call build --src=. --container-name=mealie`
- Trigger CI build via `mise run container-build-and-release mealie`
- Deploy from branch: `argocd app set mealie --revision deploy-mealie && argocd app sync mealie`
- Verify Mealie UI at `https://meals.ops.eblu.me`
- Verify API docs at `https://meals.ops.eblu.me/docs`

Reviewed-on: #299

ansible/roles/borgmatic/defaults/main.yml

@@ -16,6 +16,7 @@ borgmatic_source_directories:
   - /opt/homebrew/var/forgejo
   - /Users/erichblume/.config/borgmatic
   - /Users/erichblume/Documents
+  - /Users/erichblume/.local/share/borgmatic/k8s-dumps
 
 # Backup repositories
 borgmatic_repositories:
@@ -31,6 +32,19 @@ borgmatic_repositories:
 # BorgBase SSH key (fetched from 1Password in playbook pre_tasks)
 borgmatic_borgbase_ssh_key_path: /Users/erichblume/.ssh/borgbase_ed25519
 
+# Directory for pre-backup database dumps from k8s pods
+borgmatic_k8s_dump_dir: /Users/erichblume/.local/share/borgmatic/k8s-dumps
+
+# K8s SQLite databases to dump before backup via kubectl exec
+# Each entry runs: kubectl exec <pod-selector> -- sqlite3 <path> ".backup /tmp/backup.db"
+# then copies the dump to borgmatic_k8s_dump_dir/<name>.db
+borgmatic_k8s_sqlite_dumps:
+  - name: mealie
+    namespace: mealie
+    label_selector: app=mealie
+    db_path: /app/data/mealie.db
+    context: minikube-indri
+
 # Exclude patterns
 borgmatic_exclude_patterns: []
 

ansible/roles/borgmatic/tasks/main.yml

@@ -33,6 +33,13 @@
     key: "u3ugi1x1.repo.borgbase.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGU0mISTyHBw9tBs6SuhSq8tvNM8m9eifQxM+88TowPO"
     state: present
 
+- name: Ensure k8s dump directory exists
+  ansible.builtin.file:
+    path: "{{ borgmatic_k8s_dump_dir }}"
+    state: directory
+    mode: '0700'
+  when: borgmatic_k8s_sqlite_dumps | length > 0
+
 - name: Deploy borgmatic configuration
   ansible.builtin.template:
     src: config.yaml.j2

ansible/roles/borgmatic/templates/config.yaml.j2

@@ -31,6 +31,16 @@ exclude_patterns:
 
 encryption_passcommand: {{ borgmatic_encryption_passcommand }}
 
+{% if borgmatic_k8s_sqlite_dumps %}
+# Pre-backup: dump SQLite databases from k8s pods
+# Uses sqlite3 .backup for a safe, consistent copy (no corruption from concurrent writes)
+before_backup:
+    - mkdir -p {{ borgmatic_k8s_dump_dir }}
+{% for db in borgmatic_k8s_sqlite_dumps %}
+    - /opt/homebrew/bin/kubectl --context={{ db.context }} exec -n {{ db.namespace }} deploy/{{ db.name }} -- python3 -c "import sqlite3; sqlite3.connect('{{ db.db_path }}').backup(sqlite3.connect('/tmp/{{ db.name }}-backup.db'))" && /opt/homebrew/bin/kubectl --context={{ db.context }} cp {{ db.namespace }}/$(/opt/homebrew/bin/kubectl --context={{ db.context }} get pod -n {{ db.namespace }} -l {{ db.label_selector }} -o jsonpath='{.items[0].metadata.name}'):/tmp/{{ db.name }}-backup.db {{ borgmatic_k8s_dump_dir }}/{{ db.name }}.db
+{% endfor %}
+{% endif %}
+
 ssh_command: ssh -o IdentitiesOnly=yes -i {{ borgmatic_borgbase_ssh_key_path }}
 
 # Retention policy