From b07ca31c8ba7d4e133fb1e0e9cd9913f7c88a54d Mon Sep 17 00:00:00 2001
From: dev-qwen2 <dev-qwen2@disinto.local>
Date: Sat, 18 Apr 2026 08:06:40 +0000
Subject: [PATCH] fix: [nomad-step-5] Reorder HCL blocks in staging.hcl and
 chat.hcl to match edge.hcl pattern
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Align block ordering (vault → network → volumes → restart → service → task)
across all Nomad jobspecs for consistency.
---
 nomad/jobs/chat.hcl    | 18 +++++++++---------
 nomad/jobs/staging.hcl | 22 ++++++++++++----------
 2 files changed, 21 insertions(+), 19 deletions(-)

diff --git a/nomad/jobs/chat.hcl b/nomad/jobs/chat.hcl
index 7c26c6e..8fdb764 100644
--- a/nomad/jobs/chat.hcl
+++ b/nomad/jobs/chat.hcl
@@ -42,15 +42,6 @@ job "chat" {
       role = "service-chat"
     }
 
-    # ── Host volumes ─────────────────────────────────────────────────────────
-    # chat-history volume: declared in nomad/client.hcl, path
-    # /srv/disinto/chat-history on the factory box.
-    volume "chat-history" {
-      type      = "host"
-      source    = "chat-history"
-      read_only = false
-    }
-
     # ── Network ──────────────────────────────────────────────────────────────
     # External port 8080 for chat UI access (via edge proxy or direct).
     network {
@@ -60,6 +51,15 @@ job "chat" {
       }
     }
 
+    # ── Host volumes ────────────────────────────────────────────────────────
+    # chat-history volume: declared in nomad/client.hcl, path
+    # /srv/disinto/chat-history on the factory box.
+    volume "chat-history" {
+      type      = "host"
+      source    = "chat-history"
+      read_only = false
+    }
+
     # ── Restart policy ───────────────────────────────────────────────────────
     restart {
       attempts = 3
diff --git a/nomad/jobs/staging.hcl b/nomad/jobs/staging.hcl
index 27be0f7..a70d73b 100644
--- a/nomad/jobs/staging.hcl
+++ b/nomad/jobs/staging.hcl
@@ -25,17 +25,10 @@ job "staging" {
   group "staging" {
     count = 1
 
-    # ── Host volumes ─────────────────────────────────────────────────────────
-    # site-content volume: declared in nomad/client.hcl, path
-    # /srv/disinto/docker on the factory box.
-    volume "site-content" {
-      type      = "host"
-      source    = "site-content"
-      read_only = true
-    }
-
-    # No Vault integration needed — no secrets required (static file server)
+    # ── Vault workload identity (S5.2, issue #989) ──────────────────────────
+    # No Vault integration needed — static file server with no secrets.
 
+    # ── Network ─────────────────────────────────────────────────────────────
     # Internal service — no external port. Edge proxy routes internally.
     network {
       port "http" {
@@ -44,6 +37,15 @@ job "staging" {
       }
     }
 
+    # ── Host volumes ────────────────────────────────────────────────────────
+    # site-content volume: declared in nomad/client.hcl, path
+    # /srv/disinto/docker on the factory box.
+    volume "site-content" {
+      type      = "host"
+      source    = "site-content"
+      read_only = true
+    }
+
     restart {
       attempts = 3
       interval = "5m"