fix: [nomad-validate] add nomad version check before config validate

.woodpecker/nomad-validate.yml

@@ -16,7 +16,7 @@
 # Steps (all fail-closed — any error blocks merge):
 #   1. nomad-config-validate   — `nomad config validate` on server + client HCL
 #   2. nomad-job-validate      — `nomad job validate` looped over every
-#                                 nomad/jobs/*.nomad.hcl (new jobspecs get
+#                                 nomad/jobs/*.hcl (new jobspecs get
 #                                 CI coverage automatically)
 #   3. vault-operator-diagnose — `vault operator diagnose` syntax check on vault.hcl
 #   4. shellcheck-nomad        — shellcheck the cluster-up + install scripts + disinto
@@ -57,6 +57,7 @@ steps:
   - name: nomad-config-validate
     image: hashicorp/nomad:1.9.5
     commands:
+      - nomad version
       - nomad config validate nomad/server.hcl nomad/client.hcl
 
   # ── 2. Nomad jobspec HCL syntax check ────────────────────────────────────
@@ -68,15 +69,15 @@ steps:
   #
   # Validation is offline: no running Nomad server is required (exit 0 on
   # valid HCL, 1 on syntax/semantic error). The CLI takes a single path
-  # argument so we loop over every `*.nomad.hcl` file under nomad/jobs/ —
+  # argument so we loop over every `*.hcl` file under nomad/jobs/ —
   # that way a new jobspec PR gets CI coverage automatically (no separate
-  # "edit the pipeline" step to forget). The `.nomad.hcl` suffix is the
+  # "edit the pipeline" step to forget). The `.hcl` suffix is the naming
-  # naming convention documented in nomad/AGENTS.md; anything else in
+  # convention: anything else in nomad/jobs/ is deliberately not validated
-  # nomad/jobs/ is deliberately not validated by this step.
+  # by this step.
   #
   # `[ -f "$f" ]` guards against the no-match case: POSIX sh does not
   # nullglob, so an empty jobs/ directory would leave the literal glob in
-  # "$f" and fail. Today forgejo.nomad.hcl exists, but the guard keeps the
+  # "$f" and fail. Today forgejo.hcl exists, but the guard keeps the
   # step safe during any future transient empty state.
   #
   # Scope note: offline validate catches jobspec-level errors (unknown
@@ -91,7 +92,7 @@ steps:
     commands:
       - |
         set -e
-        for f in nomad/jobs/*.nomad.hcl; do
+        for f in nomad/jobs/*.hcl; do
           [ -f "$f" ] || continue
           echo "validating jobspec: $f"
           nomad job validate "$f"

bin/disinto

@@ -82,6 +82,7 @@ Init options:
   --ci-id <n>          Woodpecker CI repo ID (default: 0 = no CI)
   --forge-url <url>    Forge base URL (default: http://localhost:3000)
   --backend <value>    Orchestration backend: docker (default) | nomad
+  --with <services>    (nomad) Deploy services: forgejo[,...] (S1.3)
   --empty              (nomad) Bring up cluster only, no jobs (S0.4)
   --bare               Skip compose generation (bare-metal setup)
   --build              Use local docker build instead of registry images (dev mode)
@@ -662,14 +663,20 @@ prompt_admin_password() {
 # init run); operators running without sudo-NOPASSWD should invoke
 # `sudo disinto init ...` directly.
 _disinto_init_nomad() {
-  local dry_run="${1:-false}" empty="${2:-false}"
+  local dry_run="${1:-false}" empty="${2:-false}" with_services="${3:-}"
   local cluster_up="${FACTORY_ROOT}/lib/init/nomad/cluster-up.sh"
+  local deploy_sh="${FACTORY_ROOT}/lib/init/nomad/deploy.sh"
 
   if [ ! -x "$cluster_up" ]; then
     echo "Error: ${cluster_up} not found or not executable" >&2
     exit 1
   fi
 
+  if [ -n "$with_services" ] && [ ! -x "$deploy_sh" ]; then
+    echo "Error: ${deploy_sh} not found or not executable" >&2
+    exit 1
+  fi
+
   # --empty and default both invoke cluster-up today. Log the requested
   # mode so the dispatch is visible in factory bootstrap logs — Step 1
   # will branch on $empty to gate the job-deployment path.
@@ -679,31 +686,106 @@ _disinto_init_nomad() {
     echo "nomad backend: default (cluster-up; jobs deferred to Step 1)"
   fi
 
-  # Dry-run forwards straight through; cluster-up.sh prints its own step
+  # Dry-run: print cluster-up plan + deploy.sh plan
-  # list and exits 0 without touching the box.
-  local -a cmd=("$cluster_up")
   if [ "$dry_run" = "true" ]; then
-    cmd+=("--dry-run")
+    echo ""
-    "${cmd[@]}"
+    echo "── Cluster-up dry-run ─────────────────────────────────"
-    exit $?
+    local -a cmd=("$cluster_up" "--dry-run")
+    "${cmd[@]}" || true
+    echo ""
+
+    if [ -n "$with_services" ]; then
+      echo "── Deploy services dry-run ────────────────────────────"
+      echo "[deploy] services to deploy: ${with_services}"
+      local IFS=','
+      for svc in $with_services; do
+        svc=$(echo "$svc" | xargs)  # trim whitespace
+        # Validate known services first
+        case "$svc" in
+          forgejo) ;;
+          *)
+            echo "Error: unknown service '${svc}' — known: forgejo" >&2
+            exit 1
+            ;;
+        esac
+        local jobspec_path="${FACTORY_ROOT}/nomad/jobs/${svc}.hcl"
+        if [ ! -f "$jobspec_path" ]; then
+          echo "Error: jobspec not found: ${jobspec_path}" >&2
+          exit 1
+        fi
+        echo "[deploy] [dry-run] nomad job validate ${jobspec_path}"
+        echo "[deploy] [dry-run] nomad job run -detach ${jobspec_path}"
+      done
+      echo "[deploy] dry-run complete"
+    fi
+    exit 0
   fi
 
-  # Real run — needs root. Invoke via sudo if we're not already root so
+  # Real run: cluster-up + deploy services
-  # the command's exit code propagates directly. We don't distinguish
+  local -a cluster_cmd=("$cluster_up")
-  # "sudo denied" from "cluster-up.sh failed" here; both surface as a
-  # non-zero exit, and cluster-up.sh's own error messages cover the
-  # latter case.
-  local rc=0
   if [ "$(id -u)" -eq 0 ]; then
-    "${cmd[@]}" || rc=$?
+    "${cluster_cmd[@]}" || exit $?
   else
     if ! command -v sudo >/dev/null 2>&1; then
       echo "Error: cluster-up.sh must run as root and sudo is not installed" >&2
       exit 1
     fi
-    sudo -n -- "${cmd[@]}" || rc=$?
+    sudo -n -- "${cluster_cmd[@]}" || exit $?
   fi
-  exit "$rc"
+
+  # Deploy services if requested
+  if [ -n "$with_services" ]; then
+    echo ""
+    echo "── Deploying services ─────────────────────────────────"
+    local -a deploy_cmd=("$deploy_sh")
+    # Split comma-separated service list into positional args
+    local IFS=','
+    for svc in $with_services; do
+      svc=$(echo "$svc" | xargs)  # trim whitespace
+      if ! echo "$svc" | grep -qE '^[a-zA-Z0-9_-]+$'; then
+        echo "Error: invalid service name '${svc}' — must match ^[a-zA-Z0-9_-]+$" >&2
+        exit 1
+      fi
+      # Validate known services FIRST (before jobspec check)
+      case "$svc" in
+        forgejo) ;;
+        *)
+          echo "Error: unknown service '${svc}' — known: forgejo" >&2
+          exit 1
+          ;;
+      esac
+      # Check jobspec exists
+      local jobspec_path="${FACTORY_ROOT}/nomad/jobs/${svc}.hcl"
+      if [ ! -f "$jobspec_path" ]; then
+        echo "Error: jobspec not found: ${jobspec_path}" >&2
+        exit 1
+      fi
+      deploy_cmd+=("$svc")
+    done
+    deploy_cmd+=("--dry-run")  # deploy.sh supports --dry-run
+
+    if [ "$(id -u)" -eq 0 ]; then
+      "${deploy_cmd[@]}" || exit $?
+    else
+      if ! command -v sudo >/dev/null 2>&1; then
+        echo "Error: deploy.sh must run as root and sudo is not installed" >&2
+        exit 1
+      fi
+      sudo -n -- "${deploy_cmd[@]}" || exit $?
+    fi
+
+    # Print final summary
+    echo ""
+    echo "── Summary ────────────────────────────────────────────"
+    echo "Cluster:     Nomad+Vault cluster is up"
+    echo "Deployed:    ${with_services}"
+    if echo "$with_services" | grep -q "forgejo"; then
+      echo "Ports:       forgejo: 3000"
+    fi
+    echo "────────────────────────────────────────────────────────"
+  fi
+
+  exit 0
 }
 
 disinto_init() {
@@ -721,7 +803,7 @@ disinto_init() {
   fi
 
   # Parse flags
-  local branch="" repo_root="" ci_id="0" auto_yes=false forge_url_flag="" bare=false rotate_tokens=false use_build=false dry_run=false backend="docker" empty=false
+  local branch="" repo_root="" ci_id="0" auto_yes=false forge_url_flag="" bare=false rotate_tokens=false use_build=false dry_run=false backend="docker" empty=false with_services=""
   while [ $# -gt 0 ]; do
     case "$1" in
       --branch)        branch="$2"; shift 2 ;;
@@ -730,6 +812,8 @@ disinto_init() {
       --forge-url)     forge_url_flag="$2"; shift 2 ;;
       --backend)       backend="$2"; shift 2 ;;
       --backend=*)     backend="${1#--backend=}"; shift ;;
+      --with)          with_services="$2"; shift 2 ;;
+      --with=*)        with_services="${1#--with=}"; shift ;;
       --bare)          bare=true; shift ;;
       --build)         use_build=true; shift ;;
       --empty)         empty=true; shift ;;
@@ -756,11 +840,15 @@ disinto_init() {
     exit 1
   fi
 
-  # --empty is nomad-only today (the docker path has no concept of an
+  # --with requires --backend=nomad
-  # "empty cluster"). Reject explicitly rather than letting it silently
+  if [ -n "$with_services" ] && [ "$backend" != "nomad" ]; then
-  # do nothing on --backend=docker.
+    echo "Error: --with requires --backend=nomad" >&2
-  if [ "$empty" = true ] && [ "$backend" != "nomad" ]; then
+    exit 1
-    echo "Error: --empty is only valid with --backend=nomad" >&2
+  fi
+
+  # --empty and --with are mutually exclusive
+  if [ "$empty" = true ] && [ -n "$with_services" ]; then
+    echo "Error: --empty and --with are mutually exclusive" >&2
     exit 1
   fi
 
@@ -768,7 +856,7 @@ disinto_init() {
   # (S0.4). The default and --empty variants are identical today; Step 1
   # will branch on $empty to add job deployment to the default path.
   if [ "$backend" = "nomad" ]; then
-    _disinto_init_nomad "$dry_run" "$empty"
+    _disinto_init_nomad "$dry_run" "$empty" "$with_services"
     # shellcheck disable=SC2317  # _disinto_init_nomad always exits today;
     # `return` is defensive against future refactors.
     return

nomad/jobs/forgejo.hcl

@@ -1,5 +1,5 @@
 # =============================================================================
-# nomad/jobs/forgejo.nomad.hcl — Forgejo git server (Nomad service job)
+# nomad/jobs/forgejo.hcl — Forgejo git server (Nomad service job)
 #
 # Part of the Nomad+Vault migration (S1.1, issue #840). First jobspec to
 # land under nomad/jobs/ — proves the docker driver + host_volume plumbing

tests/disinto-init-nomad.bats

@@ -143,3 +143,51 @@ setup_file() {
   [[ "$output" == *"repo URL required"* ]]
   [[ "$output" != *"Unknown option"* ]]
 }
+
+# ── --with flag tests ─────────────────────────────────────────────────────────
+
+@test "disinto init --backend=nomad --with forgejo --dry-run prints deploy plan" {
+  run "$DISINTO_BIN" init placeholder/repo --backend=nomad --with forgejo --dry-run
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"services to deploy: forgejo"* ]]
+  [[ "$output" == *"[deploy] [dry-run] nomad job validate"* ]]
+  [[ "$output" == *"[deploy] [dry-run] nomad job run -detach"* ]]
+  [[ "$output" == *"[deploy] dry-run complete"* ]]
+}
+
+@test "disinto init --backend=nomad --with forgejo,forgejo --dry-run handles comma-separated services" {
+  run "$DISINTO_BIN" init placeholder/repo --backend=nomad --with forgejo,forgejo --dry-run
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"services to deploy: forgejo,forgejo"* ]]
+}
+
+@test "disinto init --backend=docker --with forgejo errors with '--with requires --backend=nomad'" {
+  run "$DISINTO_BIN" init placeholder/repo --backend=docker --with forgejo
+  [ "$status" -ne 0 ]
+  [[ "$output" == *"--with requires --backend=nomad"* ]]
+}
+
+@test "disinto init --backend=nomad --empty --with forgejo errors with mutually exclusive" {
+  run "$DISINTO_BIN" init placeholder/repo --backend=nomad --empty --with forgejo
+  [ "$status" -ne 0 ]
+  [[ "$output" == *"--empty and --with are mutually exclusive"* ]]
+}
+
+@test "disinto init --backend=nomad --with unknown-service errors with unknown service" {
+  run "$DISINTO_BIN" init placeholder/repo --backend=nomad --with unknown-service --dry-run
+  [ "$status" -ne 0 ]
+  [[ "$output" == *"unknown service"* ]]
+  [[ "$output" == *"known: forgejo"* ]]
+}
+
+@test "disinto init --backend=nomad --with forgejo (flag=value syntax) works" {
+  run "$DISINTO_BIN" init placeholder/repo --backend=nomad --with=forgejo --dry-run
+  [ "$status" -eq 0 ]
+  [[ "$output" == *"services to deploy: forgejo"* ]]
+}
+
+@test "disinto init --backend=nomad --with forgejo --empty --dry-run rejects in any order" {
+  run "$DISINTO_BIN" init placeholder/repo --with forgejo --backend=nomad --empty --dry-run
+  [ "$status" -ne 0 ]
+  [[ "$output" == *"--empty and --with are mutually exclusive"* ]]
+}