fix: [nomad-step-5] S5-fix-7 — staging port 80 collides with edge; staging should use dynamic port (#1018)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docker/edge/entrypoint-edge.sh

@@ -234,6 +234,13 @@ fi
   rm -f "$_fetch_log"
 done) &
 
+# Nomad template renders Caddyfile to /local/Caddyfile via service discovery;
+# copy it into the expected location if present (compose uses the mounted path).
+if [ -f /local/Caddyfile ]; then
+  cp /local/Caddyfile /etc/caddy/Caddyfile
+  echo "edge: using Nomad-rendered Caddyfile from /local/Caddyfile" >&2
+fi
+
 # Caddy as main process — run in foreground via wait so background jobs survive
 # (exec replaces the shell, which can orphan backgrounded subshells)
 caddy run --config /etc/caddy/Caddyfile --adapter caddyfile &

nomad/jobs/edge.hcl

@@ -114,6 +114,58 @@ job "edge" {
         read_only   = false
       }
 
+      # ── Caddyfile via Nomad service discovery (S5-fix-7, issue #1018) ────
+      # Renders staging upstream from Nomad service registration instead of
+      # hardcoded staging:80. Caddy picks up /local/Caddyfile via entrypoint.
+      template {
+        destination = "local/Caddyfile"
+        change_mode = "restart"
+        data        = <<EOT
+# Caddyfile — edge proxy configuration (Nomad-rendered)
+# Staging upstream discovered via Nomad service registration.
+
+:80 {
+    # Redirect root to Forgejo
+    handle / {
+        redir /forge/ 302
+    }
+
+    # Reverse proxy to Forgejo
+    handle /forge/* {
+        reverse_proxy forgejo:3000
+    }
+
+    # Reverse proxy to Woodpecker CI
+    handle /ci/* {
+        reverse_proxy woodpecker:8000
+    }
+
+    # Reverse proxy to staging — dynamic port via Nomad service discovery
+    handle /staging/* {
+{{ range nomadService "staging" }}        reverse_proxy {{ .Address }}:{{ .Port }}
+{{ end }}    }
+
+    # Chat service — reverse proxy to disinto-chat backend (#705)
+    # OAuth routes bypass forward_auth — unauthenticated users need these (#709)
+    handle /chat/login {
+        reverse_proxy chat:8080
+    }
+    handle /chat/oauth/callback {
+        reverse_proxy chat:8080
+    }
+    # Defense-in-depth: forward_auth stamps X-Forwarded-User from session (#709)
+    handle /chat/* {
+        forward_auth chat:8080 {
+            uri /chat/auth/verify
+            copy_headers X-Forwarded-User
+            header_up X-Forward-Auth-Secret {$FORWARD_AUTH_SECRET}
+        }
+        reverse_proxy chat:8080
+    }
+}
+EOT
+      }
+
       # ── Non-secret env ───────────────────────────────────────────────────
       env {
         FORGE_URL       = "http://forgejo:3000"

nomad/jobs/staging.hcl

@@ -10,8 +10,8 @@
 #   served to staging environment users.
 #
 # Network:
-#   No external port exposed — edge proxy routes to it internally.
-#   Service discovery via Nomad native provider for internal routing.
+#   Dynamic host port — edge discovers via Nomad service registration.
+#   No static port to avoid collisions with edge (which owns 80/443).
 #
 # Not the runtime yet: docker-compose.yml is still the factory's live stack
 # until cutover. This file exists so CI can validate it and S5.2 can wire
@@ -27,11 +27,10 @@ job "staging" {
 
     # No Vault integration needed — no secrets required (static file server)
 
-    # Internal service — no external port. Edge proxy routes internally.
+    # Internal service — dynamic host port. Edge discovers via Nomad service.
     network {
       port "http" {
-        static = 80
-        to     = 80
+        to = 80
       }
     }