C2(jobsync): plan — Mikado cards for JobSync deployment

Cards:
- deploy-jobsync (goal): Deploy JobSync to ringtail k3s via ArgoCD
- build-jobsync-container: Nix container build (buildLayeredImage)
- mirror-jobsync: Mirror upstream to forge
- integrate-jobsync-ollama: Wire up existing Ollama for AI features

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

docs/how-to/how-to.md

@@ -88,6 +88,13 @@ tags:
 
 - [[upgrade-dagger]]
 
+## JobSync
+
+- [[deploy-jobsync]]
+- [[build-jobsync-container]]
+- [[mirror-jobsync]]
+- [[integrate-jobsync-ollama]]
+
 ## Forgejo Runner
 
 - [[upgrade-k8s-runner]]

docs/how-to/jobsync/build-jobsync-container.md

@@ -0,0 +1,41 @@
+---
+title: Build JobSync Container
+modified: 2026-03-07
+status: active
+requires:
+  - mirror-jobsync
+tags:
+  - how-to
+  - jobsync
+---
+
+# Build JobSync Container
+
+Build a nix container image for JobSync using `dockerTools.buildLayeredImage`, following the ntfy pattern.
+
+## Context
+
+JobSync is a Next.js standalone app with Prisma (SQLite). The nix build needs to:
+
+1. Fetch source from `forge.ops.eblu.me/mirrors/jobsync` (v1.1.4)
+2. `buildNpmPackage` — install deps, run `prisma generate`, run `next build`
+3. Package the standalone output with `nodejs` runtime into a layered image
+4. Include an entrypoint that runs `prisma migrate deploy` before `node server.js`
+
+## Key Details
+
+- **Runtime dependency:** `nodejs_20` must be in the image (unlike Go apps that compile to static binaries)
+- **Prisma native engine:** `prisma generate` produces a platform-specific query engine binary; the nix build targets `linux-x86_64` for ringtail
+- **`npmDepsHash`:** Will need to be computed on first build (set to empty, let it fail, grab the hash)
+- **Standalone output:** Next.js `output: "standalone"` produces a self-contained `server.js` with minimal `node_modules`
+
+## Files
+
+- `containers/jobsync/default.nix` — nix derivation
+- `containers/jobsync/entrypoint.sh` — startup script (migrations + server)
+
+## Related
+
+- [[mirror-jobsync]]
+- [[deploy-jobsync]]
+- [[build-container-image]]

docs/how-to/jobsync/deploy-jobsync.md

@@ -0,0 +1,49 @@
+---
+title: Deploy JobSync
+modified: 2026-03-07
+status: active
+branch: mikado/jobsync
+requires:
+  - build-jobsync-container
+  - integrate-jobsync-ollama
+tags:
+  - how-to
+  - jobsync
+---
+
+# Deploy JobSync
+
+Deploy [JobSync](https://github.com/Gsync/jobsync) — a self-hosted job application tracker — to ringtail's k3s cluster via ArgoCD.
+
+## Context
+
+JobSync is a Next.js app with SQLite storage that provides job application tracking, resume management, and AI-powered resume review/job matching. It runs as a single container with persistent storage at `/data` (SQLite DB + uploaded files).
+
+## What This Card Covers
+
+With the container built and Ollama integration configured, this card wires up the deployment:
+
+- ArgoCD Application targeting `ringtail.tail8d86e.ts.net:6443`
+- k8s manifests: Deployment, Service, Tailscale Ingress, PVC, ExternalSecret
+- PVC using k3s local-path for `/data` (SQLite + resume uploads)
+- ExternalSecret for `ENCRYPTION_KEY` and `AUTH_SECRET` from 1Password
+- Caddy route: `jobsync.ops.eblu.me` → Tailscale ingress
+- Service documentation
+
+## Environment Variables
+
+| Variable | Source | Purpose |
+|----------|--------|---------|
+| `DATABASE_URL` | Hardcoded | `file:/data/dev.db` |
+| `AUTH_SECRET` | ExternalSecret | NextAuth session signing |
+| `ENCRYPTION_KEY` | ExternalSecret | AES-256-GCM for stored API keys |
+| `NEXTAUTH_URL` | Hardcoded | `https://jobsync.ops.eblu.me` |
+| `AUTH_TRUST_HOST` | Hardcoded | `true` |
+| `TZ` | Hardcoded | `America/Los_Angeles` |
+| `OLLAMA_BASE_URL` | Hardcoded | `http://ollama.ollama.svc.cluster.local:11434` |
+
+## Related
+
+- [[build-jobsync-container]]
+- [[integrate-jobsync-ollama]]
+- [[deploy-k8s-service]]

docs/how-to/jobsync/integrate-jobsync-ollama.md

@@ -0,0 +1,45 @@
+---
+title: Integrate JobSync with Ollama
+modified: 2026-03-07
+status: active
+tags:
+  - how-to
+  - jobsync
+---
+
+# Integrate JobSync with Ollama
+
+Configure JobSync to use the existing Ollama deployment on ringtail for AI features (resume review, job matching).
+
+## Context
+
+Ollama already runs on ringtail's k3s cluster at `ollama.ollama.svc.cluster.local:11434` with several models available (qwen2.5:14b, deepseek-r1:14b, phi4:14b, gemma3:12b, qwen3.5:9b).
+
+JobSync supports Ollama natively via `OLLAMA_BASE_URL`. Since both services run on the same k3s cluster, this is a cluster-internal connection with no auth required.
+
+## Configuration
+
+Set in the JobSync deployment manifest:
+
+```yaml
+env:
+  - name: OLLAMA_BASE_URL
+    value: "http://ollama.ollama.svc.cluster.local:11434"
+```
+
+## Verification
+
+After deployment:
+
+1. Open JobSync settings
+2. Select Ollama as the AI provider
+3. Verify model list populates from the Ollama instance
+4. Test resume review with one of the available models
+
+## Model Recommendations
+
+For resume review and job matching, `qwen2.5:14b` or `gemma3:12b` are good choices — capable enough for structured text analysis without being overly slow on the RTX 4080.
+
+## Related
+
+- [[deploy-jobsync]]

docs/how-to/jobsync/mirror-jobsync.md

@@ -0,0 +1,27 @@
+---
+title: Mirror JobSync
+modified: 2026-03-07
+status: active
+tags:
+  - how-to
+  - jobsync
+---
+
+# Mirror JobSync
+
+Mirror the upstream [JobSync](https://github.com/Gsync/jobsync) repository to `forge.ops.eblu.me/mirrors/jobsync` for supply chain control.
+
+## Context
+
+JobSync is not in nixpkgs. Building a nix container requires fetching source from a controlled mirror on forge, following the same pattern as [[mirror-authentik-build-deps]] and the ntfy mirror.
+
+## Steps
+
+1. Create the mirror: `mise run mirror-create jobsync https://github.com/Gsync/jobsync.git`
+2. Verify the mirror syncs: check `forge.ops.eblu.me/mirrors/jobsync`
+3. Note the tag for v1.1.4 (current upstream release)
+
+## Related
+
+- [[build-jobsync-container]]
+- [[manage-forgejo-mirrors]]