From 2220944a15bf0abd96caddf89a6287f0b1ca6e91 Mon Sep 17 00:00:00 2001 From: Erich Blume Date: Sun, 8 Mar 2026 08:33:13 -0700 Subject: [PATCH] =?UTF-8?q?C2(jobsync):=20impl=20=E2=80=94=20ArgoCD=20app,?= =?UTF-8?q?=20k8s=20manifests,=20Caddy=20route?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit ArgoCD Application targeting ringtail k3s cluster. Manifests: Deployment, Service, Tailscale Ingress, PVC (local-path), ExternalSecret (1Password auth_secret + encryption_key). Caddy route: jobsync.ops.eblu.me -> jobsync.tail8d86e.ts.net. Ollama integration via OLLAMA_BASE_URL env var in deployment. Co-Authored-By: Claude Opus 4.6 --- ansible/roles/caddy/defaults/main.yml | 3 + argocd/apps/jobsync.yaml | 18 +++++ argocd/manifests/jobsync/deployment.yaml | 73 +++++++++++++++++++ argocd/manifests/jobsync/external-secret.yaml | 23 ++++++ .../manifests/jobsync/ingress-tailscale.yaml | 26 +++++++ argocd/manifests/jobsync/kustomization.yaml | 15 ++++ argocd/manifests/jobsync/pvc.yaml | 13 ++++ argocd/manifests/jobsync/service.yaml | 13 ++++ 8 files changed, 184 insertions(+) create mode 100644 argocd/apps/jobsync.yaml create mode 100644 argocd/manifests/jobsync/deployment.yaml create mode 100644 argocd/manifests/jobsync/external-secret.yaml create mode 100644 argocd/manifests/jobsync/ingress-tailscale.yaml create mode 100644 argocd/manifests/jobsync/kustomization.yaml create mode 100644 argocd/manifests/jobsync/pvc.yaml create mode 100644 argocd/manifests/jobsync/service.yaml diff --git a/ansible/roles/caddy/defaults/main.yml b/ansible/roles/caddy/defaults/main.yml index 464d331..931e2a0 100644 --- a/ansible/roles/caddy/defaults/main.yml +++ b/ansible/roles/caddy/defaults/main.yml 
@@ -85,6 +85,9 @@ caddy_services: - name: ntfy host: "ntfy.{{ caddy_domain }}" backend: "https://ntfy.tail8d86e.ts.net" + - name: jobsync + host: "jobsync.{{ caddy_domain }}" + backend: "https://jobsync.tail8d86e.ts.net" - name: ollama host: "ollama.{{ caddy_domain }}" backend: "https://ollama.tail8d86e.ts.net" diff --git a/argocd/apps/jobsync.yaml b/argocd/apps/jobsync.yaml new file mode 100644 index 0000000..11d8beb --- /dev/null +++ b/argocd/apps/jobsync.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: jobsync + namespace: argocd +spec: + project: default + source: + repoURL: ssh://forgejo@forge.ops.eblu.me:2222/eblume/blumeops.git + targetRevision: main + path: argocd/manifests/jobsync + destination: + server: https://ringtail.tail8d86e.ts.net:6443 + namespace: jobsync + syncPolicy: + syncOptions: + - CreateNamespace=true diff --git a/argocd/manifests/jobsync/deployment.yaml b/argocd/manifests/jobsync/deployment.yaml new file mode 100644 index 0000000..833a9b8 --- /dev/null +++ b/argocd/manifests/jobsync/deployment.yaml 
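Review bot: `project: default` in argocd/apps/jobsync.yaml places this Application in Argo CD's built-in default project, which, unless it has been restricted in this install, allows any source repository and any destination cluster and namespace. A dedicated AppProject limited to this repository and to the `jobsync` namespace on the ringtail cluster would bound what a bad commit under `argocd/manifests/jobsync` can deploy. The change in this file would be `project: jobsync` (name constructed for illustration), alongside the AppProject definition itself. `targetRevision: main` also means that whatever lands on that branch is what gets synced, so branch protection on the forge is part of this app's trust boundary.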
@@ -0,0 +1,73 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: jobsync
+ namespace: jobsync
+spec:
+ replicas: 1
+ strategy:
+ type: Recreate
+ selector:
+ matchLabels:
+ app: jobsync
+ template:
+ metadata:
+ labels:
+ app: jobsync
+ spec:
+ containers:
+ - name: jobsync
+ image: blumeops/jobsync:kustomized
+ ports:
+ - containerPort: 3000
+ name: http
+ env:
+ - name: DATABASE_URL
+ value: "file:/data/dev.db"
+ - name: NEXTAUTH_URL
+ value: "https://jobsync.ops.eblu.me"
+ - name: AUTH_TRUST_HOST
+ value: "true"
+ - name: NEXT_TELEMETRY_DISABLED
+ value: "1"
+ - name: TZ
+ value: "America/Los_Angeles"
+ - name: OLLAMA_BASE_URL
+ value: "http://ollama.ollama.svc.cluster.local:11434"
+ - name: AUTH_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: jobsync-secrets
+ key: auth_secret
+ - name: ENCRYPTION_KEY
+ valueFrom:
+ secretKeyRef:
+ name: jobsync-secrets
+ key: encryption_key
+ volumeMounts:
+ - name: data
+ mountPath: /data
+ resources:
+ requests:
+ memory: "256Mi"
+ cpu: "100m"
+ limits:
+ memory: "512Mi"
+ cpu: "500m"
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 3000
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 3000
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: jobsync-data
diff --git a/argocd/manifests/jobsync/external-secret.yaml b/argocd/manifests/jobsync/external-secret.yaml
new file mode 100644
index 0000000..e4ef3a2
--- /dev/null
+++ b/argocd/manifests/jobsync/external-secret.yaml
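Review bot: The `jobsync` container in deployment.yaml has no `securityContext`, so it runs with the runtime's defaults: the image's own user (possibly root), the default capability set, and privilege escalation allowed. This pod holds `AUTH_SECRET` and `ENCRYPTION_KEY` and serves a web UI, so I would add the container-level settings below and set `automountServiceAccountToken: false` on the pod spec, since nothing visible here needs the Kubernetes API. `runAsNonRoot: true` assumes the Nix-built image declares a non-root numeric user and that `/data` on the local-path volume is writable by it; both need confirming before merge. Separately, `AUTH_TRUST_HOST: "true"` is only safe while every path to port 3000 goes through a proxy that sets the host header, which deserves a comment next to that variable.

```yaml
        - name: jobsync
          image: blumeops/jobsync:kustomized
          securityContext:
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          # … unchanged: ports, env, volumeMounts, resources, probes …
```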
@@ -0,0 +1,23 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+ name: jobsync-secrets
+ namespace: jobsync
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: onepassword-blumeops
+ target:
+ name: jobsync-secrets
+ creationPolicy: Owner
+ data:
+ - secretKey: auth_secret
+ remoteRef:
+ key: JobSync
+ property: auth_secret
+ - secretKey: encryption_key
+ remoteRef:
+ key: JobSync
+ property: encryption_key
diff --git a/argocd/manifests/jobsync/ingress-tailscale.yaml b/argocd/manifests/jobsync/ingress-tailscale.yaml
new file mode 100644
index 0000000..a8e24c8
--- /dev/null
+++ b/argocd/manifests/jobsync/ingress-tailscale.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: jobsync-tailscale
+ namespace: jobsync
+ annotations:
+ tailscale.com/proxy-class: "default"
+ tailscale.com/proxy-group: "ingress"
+ gethomepage.dev/enabled: "true"
+ gethomepage.dev/name: "JobSync"
+ gethomepage.dev/group: "Apps"
+ gethomepage.dev/icon: "mdi-briefcase-search"
+ gethomepage.dev/description: "Job application tracker"
+ gethomepage.dev/href: "https://jobsync.ops.eblu.me"
+ gethomepage.dev/pod-selector: "app=jobsync"
+spec:
+ ingressClassName: tailscale
+ defaultBackend:
+ service:
+ name: jobsync
+ port:
+ number: 3000
+ tls:
+ - hosts:
+ - jobsync
diff --git a/argocd/manifests/jobsync/kustomization.yaml b/argocd/manifests/jobsync/kustomization.yaml
new file mode 100644
index 0000000..00b26af
--- /dev/null
+++ b/argocd/manifests/jobsync/kustomization.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: jobsync
+resources:
+ - pvc.yaml
+ - external-secret.yaml
+ - deployment.yaml
+ - service.yaml
+ - ingress-tailscale.yaml
+
+images:
+ - name: blumeops/jobsync
+ newName: registry.ops.eblu.me/blumeops/jobsync
+ newTag: "v1.1.4-b1616bc-nix"
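Review bot: The two keys in external-secret.yaml are consumed by the Deployment as environment variables, so the `refreshInterval: 1h` sync updates the `jobsync-secrets` Secret while a running pod keeps the old values until it restarts. I would record that above `refreshInterval`, e.g. `# Consumed as env vars; a rotated value reaches the app only after the pod restarts.` Because the store is a `ClusterSecretStore`, it is also worth confirming that `onepassword-blumeops` is scoped so that this namespace can read only the `JobSync` item; that configuration is outside this diff.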
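Review bot: The `images` entry in kustomization.yaml pins `registry.ops.eblu.me/blumeops/jobsync` by tag only, and a tag can be re-pushed to point at different content. Adding the digest to the same entry ties the deployment to one immutable build: `digest: sha256:<digest of the built image>` (placeholder, to be filled from the registry). The rendered image reference then carries the digest, so Argo CD deploys exactly the image that was reviewed even if the tag is later overwritten.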
diff --git a/argocd/manifests/jobsync/pvc.yaml b/argocd/manifests/jobsync/pvc.yaml
new file mode 100644
index 0000000..01ab796
--- /dev/null
+++ b/argocd/manifests/jobsync/pvc.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: jobsync-data
+ namespace: jobsync
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: local-path
+ resources:
+ requests:
+ storage: 5Gi
diff --git a/argocd/manifests/jobsync/service.yaml b/argocd/manifests/jobsync/service.yaml
new file mode 100644
index 0000000..dc2d73a
--- /dev/null
+++ b/argocd/manifests/jobsync/service.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: jobsync
+ namespace: jobsync
+spec:
+ selector:
+ app: jobsync
+ ports:
+ - name: http
+ port: 3000
+ targetPort: 3000
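Review bot: Nothing in this manifest set restricts who can reach the `jobsync` Service in service.yaml on port 3000, so unless the cluster applies a default-deny policy elsewhere, any pod on the cluster can talk to the app directly without passing through the Tailscale ingress or Caddy. A NetworkPolicy in the `jobsync` namespace that admits ingress to `app: jobsync` only from the Tailscale proxy pods, added to `resources` in kustomization.yaml, would close that path. Egress could be limited the same way to DNS, the Ollama service the Deployment is configured with, and whatever external endpoints the app genuinely needs.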