From 9f8d627ce8619204cb3acbcc37c57af9a54db5e8 Mon Sep 17 00:00:00 2001
From: Erich Blume <blume.erich@gmail.com>
Date: Wed, 13 May 2026 12:42:59 -0700
Subject: [PATCH] C2(migrate-immich-to-ringtail): impl add ringtail-side NFS
 PV/PVC for immich library

Mirrors argocd/manifests/immich/pv-nfs.yaml + pvc.yaml. PV renamed
to immich-library-nfs-pv-ringtail to avoid confusion with the
minikube side (PVs are cluster-scoped; both can coexist).

Initial kustomization.yaml in argocd/manifests/immich-ringtail/
holds just the storage bits today; deployments/services/ingress
will be added in immich-app-on-ringtail.

Verified: PVC binds to PV on k3s-ringtail; mount test from a
busybox pod read existing photo library dirs, wrote and deleted a
test file. DNS resolves sifaka to 192.168.1.203 so NFS traffic
stays on the LAN, off the tailnet.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
---
 .../immich-ringtail/kustomization.yaml        | 10 +++++++
 argocd/manifests/immich-ringtail/pv-nfs.yaml  | 29 +++++++++++++++++++
 argocd/manifests/immich-ringtail/pvc.yaml     | 15 ++++++++++
 3 files changed, 54 insertions(+)
 create mode 100644 argocd/manifests/immich-ringtail/kustomization.yaml
 create mode 100644 argocd/manifests/immich-ringtail/pv-nfs.yaml
 create mode 100644 argocd/manifests/immich-ringtail/pvc.yaml

diff --git a/argocd/manifests/immich-ringtail/kustomization.yaml b/argocd/manifests/immich-ringtail/kustomization.yaml
new file mode 100644
index 0000000..583757b
--- /dev/null
+++ b/argocd/manifests/immich-ringtail/kustomization.yaml
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: immich
+
+# Storage scaffolding for the ringtail-side Immich deployment.
+# The Deployments/Services/Ingress land in immich-app-on-ringtail.
+resources:
+  - pv-nfs.yaml
+  - pvc.yaml
diff --git a/argocd/manifests/immich-ringtail/pv-nfs.yaml b/argocd/manifests/immich-ringtail/pv-nfs.yaml
new file mode 100644
index 0000000..3d5a682
--- /dev/null
+++ b/argocd/manifests/immich-ringtail/pv-nfs.yaml
@@ -0,0 +1,29 @@
+# NFS PersistentVolume for Immich photo library on ringtail k3s.
+#
+# Mirror of argocd/manifests/immich/pv-nfs.yaml (minikube) but with
+# a distinct name (minikube and ringtail are separate clusters, so PV
+# names don't collide cluster-side, but using the same name in two
+# manifests is confusing).
+#
+# The sifaka NFS export for /volume1/photos already permits
+# 192.168.1.0/24 + 100.64.0.0/10. Ringtail's wired IP (192.168.1.21)
+# falls in the first CIDR, so no DSM rule changes are needed.
+#
+# Verified 2026-05-13: ringtail pod can read existing dirs, write
+# new files, and delete them. DNS resolves sifaka to 192.168.1.203
+# (LAN), so NFS traffic stays off the tailnet — avoids the known
+# sifaka-tailscale-userspace bite.
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: immich-library-nfs-pv-ringtail
+spec:
+  capacity:
+    storage: 2Ti
+  accessModes:
+    - ReadWriteMany
+  persistentVolumeReclaimPolicy: Retain
+  storageClassName: ""
+  nfs:
+    server: sifaka
+    path: /volume1/photos
diff --git a/argocd/manifests/immich-ringtail/pvc.yaml b/argocd/manifests/immich-ringtail/pvc.yaml
new file mode 100644
index 0000000..5bfc052
--- /dev/null
+++ b/argocd/manifests/immich-ringtail/pvc.yaml
@@ -0,0 +1,15 @@
+# PersistentVolumeClaim for Immich photo library on ringtail.
+# Binds to immich-library-nfs-pv-ringtail (sifaka:/volume1/photos).
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: immich-library
+  namespace: immich
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: ""
+  volumeName: immich-library-nfs-pv-ringtail
+  resources:
+    requests:
+      storage: 2Ti