feat(argocd): allow per-app syncPolicy override in values.yaml

The apps template hardcoded automated{prune,selfHeal} for every app. Some
apps (e.g. tools, where Vault unseal is manual) need a custom syncPolicy
without selfHeal. Read $app_attr.syncPolicy when set, fall back to the
existing automated default otherwise. Use the override on `tools` to keep
the existing behavior explicit.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

argocd/templates/apps.yaml

@@ -21,9 +21,13 @@ spec:
     server: https://kubernetes.default.svc
     namespace: {{ $app_name }}
   syncPolicy:
+    {{- if $app_attr.syncPolicy }}
+    {{- toYaml $app_attr.syncPolicy | nindent 4 }}
+    {{- else }}
     automated:
       prune: true
       selfHeal: true
+    {{- end }}
     syncOptions:
       - CreateNamespace=true
 {{ end }}

argocd/values.yaml

@@ -6,6 +6,10 @@ gitea_applications:
     annotations: {}
   tools:
     annotations: {}
+    syncPolicy:
+      automated:
+        prune: true
+        selfHeal: true
   webapp:
     annotations:
       argocd-image-updater.argoproj.io/image-list: webapp=gitea.arcodange.lab/arcodange-org/webapp:latest