diff --git a/docs/how-to/jobsync/deploy-jobsync.md b/docs/how-to/jobsync/deploy-jobsync.md index f2d9d05..c3596c9 100644 --- a/docs/how-to/jobsync/deploy-jobsync.md +++ b/docs/how-to/jobsync/deploy-jobsync.md @@ -1,7 +1,6 @@ --- title: Deploy JobSync -modified: 2026-03-07 -status: active +modified: 2026-03-08 branch: mikado/jobsync requires: - build-jobsync-container @@ -28,7 +27,6 @@ With the container built and Ollama integration configured, this card wires up t - PVC using k3s local-path for `/data` (SQLite + resume uploads) - ExternalSecret for `ENCRYPTION_KEY` and `AUTH_SECRET` from 1Password - Caddy route: `jobsync.ops.eblu.me` → Tailscale ingress -- Service documentation ## Environment Variables @@ -42,11 +40,13 @@ With the container built and Ollama integration configured, this card wires up t | `TZ` | Hardcoded | `America/Los_Angeles` | | `OLLAMA_BASE_URL` | Hardcoded | `http://ollama.ollama.svc.cluster.local:11434` | -## Deployment Notes (learned from first attempt) +## Deployment Notes - **`service-versions.yaml`:** Add a `jobsync` entry before committing container changes — the `container-version-check` pre-commit hook rejects commits touching `containers//` without a matching entry. - **Image tag format:** `container-build-and-release` produces tags like `v1.1.4--nix`, not bare `v1.1.4`. Set `newTag` in `kustomization.yaml` to the full tag from `mise run container-list`. - **1Password item:** "JobSync" in blumeops vault, with `auth_secret` and `encryption_key` fields (already created). +- **Nix container FHS:** Nix containers lack `/usr/bin/env` — add `ln -s ${pkgs.coreutils}/bin/env usr/bin/env` in `extraCommands`. Also `mkdir -p tmp` for `/tmp`. +- **Runtime migrations:** Use `npx -y prisma@ migrate deploy` — nix sandbox blocks network at build time but runtime has full network access. ## Related
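Review bot: in the front-matter hunk (`@@ -1,7 +1,6 @@`), `status: active` is deleted with no replacement value, and nothing in the patch explains why. If anything indexes or filters these cards by `status`, set the new state explicitly instead of dropping the key, or say in the commit message that a missing `status` is intended.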
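Review bot: in the Deployment Notes hunk (`@@ -42,11 +40,13 @@`), the added Runtime migrations line reads `npx -y prisma@ migrate deploy` with nothing after the `@`, so the note never says which Prisma version to run. Because `-y` skips the install prompt and the same line relies on the runtime having full network access, this step downloads and executes a registry package every time the container starts. State the exact version to pin (the one matching the app's Prisma client) so the migration is reproducible and does not depend on whatever the registry serves at that moment. On the added Nix container FHS line, `ln -s ${pkgs.coreutils}/bin/env usr/bin/env` assumes `usr/bin` already exists in the image root. If it does not, add `mkdir -p usr/bin` alongside the `mkdir -p tmp`, and say which mode `/tmp` needs if the process runs as a non-root user.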