C2(jobsync): close — deploy-jobsync

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Erich Blume 2026-03-08 10:57:02 -07:00
commit 9d1e7eff12


@ -1,7 +1,6 @@
---
title: Deploy JobSync
modified: 2026-03-07
status: active
modified: 2026-03-08
branch: mikado/jobsync
requires:
- build-jobsync-container
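Review bot: `status: active` is dropped from the front matter with no replacement value, so the card's closed state is expressed only by the key being absent. If anything filters cards on `status`, an explicit closed value would be easier to query than a missing field. `branch: mikado/jobsync` is kept; confirm that is still intended once the branch is merged.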
@ -28,7 +27,6 @@ With the container built and Ollama integration configured, this card wires up t
- PVC using k3s local-path for `/data` (SQLite + resume uploads)
- ExternalSecret for `ENCRYPTION_KEY` and `AUTH_SECRET` from 1Password
- Caddy route: `jobsync.ops.eblu.me` → Tailscale ingress
- Service documentation
## Environment Variables
@ -42,11 +40,13 @@ With the container built and Ollama integration configured, this card wires up t
| `TZ` | Hardcoded | `America/Los_Angeles` |
| `OLLAMA_BASE_URL` | Hardcoded | `http://ollama.ollama.svc.cluster.local:11434` |
## Deployment Notes (learned from first attempt)
## Deployment Notes
- **`service-versions.yaml`:** Add a `jobsync` entry before committing container changes — the `container-version-check` pre-commit hook rejects commits touching `containers/<name>/` without a matching entry.
- **Image tag format:** `container-build-and-release` produces tags like `v1.1.4-<sha>-nix`, not bare `v1.1.4`. Set `newTag` in `kustomization.yaml` to the full tag from `mise run container-list`.
- **1Password item:** "JobSync" in blumeops vault, with `auth_secret` and `encryption_key` fields (already created).
- **Nix container FHS:** Nix containers lack `/usr/bin/env` — add `ln -s ${pkgs.coreutils}/bin/env usr/bin/env` in `extraCommands`. Also `mkdir -p tmp` for `/tmp`.
- **Runtime migrations:** Use `npx -y prisma@<version> migrate deploy` — nix sandbox blocks network at build time but runtime has full network access.
## Related
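Review bot: The runtime-migrations note has the container run `npx -y prisma@<version> migrate deploy`, which fetches the Prisma CLI from the npm registry at runtime and auto-accepts the install, so a deploy depends on registry egress and on whatever the registry serves for that version. The note should state that `<version>` must be an exact pin matching the Prisma client shipped in the image, and say where that pin lives so it is bumped together with the container. In the Nix FHS note, `ln -s ... usr/bin/env` assumes `usr/bin` already exists inside `extraCommands`; if it does not, a `mkdir -p usr/bin` belongs next to the `mkdir -p tmp`.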