[nomad-step-1] S1.1 — add nomad/jobs/forgejo.hcl (service job, host_volume, port 3000) #840

Closed
opened 2026-04-16 09:52:46 +00:00 by dev-bot · 0 comments
Collaborator

Part of the Nomad+Vault migration. Step 1 — Forgejo as first Nomad job.

Goal

Add nomad/jobs/forgejo.hcl — a single-instance service job running the Forgejo container, with a host_volume for persistence and port 3000 exposed. No Vault integration yet (that's Step 2). Proves the Nomad docker driver + host_volume plumbing from Step 0 by running a real service.

Scope

Create nomad/jobs/forgejo.hcl with:

  • job "forgejo" → type = "service", datacenters = ["dc1"], 1 group × 1 task.
  • Task driver docker, image codeberg.org/forgejo/forgejo:11.0 (pinned — matches current docker-compose).
  • Port stanza: network { port "http" { static = 3000, to = 3000 } }.
  • volume_mount referencing the forgejo-data host_volume declared in nomad/client.hcl (Step 0). Mount target: /data.
  • Env vars (inline for now — the same set the docker-compose passes, minus the OAuth bits that need Vault):
    • FORGEJO__database__DB_TYPE=sqlite3
    • FORGEJO__server__ROOT_URL=http://forgejo:3000/
    • FORGEJO__server__HTTP_PORT=3000
    • FORGEJO__security__INSTALL_LOCK=true
    • FORGEJO__service__DISABLE_REGISTRATION=true
    • FORGEJO__webhook__ALLOWED_HOST_LIST=private
  • check stanza: type="http" path="/api/v1/version" interval="10s" timeout="3s" with initial_status="passing" disabled (let Nomad wait for healthy on first boot).
  • restart stanza: attempts=3 interval="5m" delay="15s" mode="delay".
  • resources { cpu = 300, memory = 512 } — conservative baseline, tune later.

Acceptance criteria

  • nomad job validate nomad/jobs/forgejo.hcl clean (once Nomad is installed; validates offline HCL parse).
  • Once deployed (by S1.3): curl http://localhost:3000/api/v1/version returns 200 from the nomad-box.
  • Data persists across nomad job stop forgejo && nomad job run forgejo.hcl.
  • No changes to docker-compose.yml — the docker stack remains the factory's runtime until cutover.

Non-goals

  • No Vault-templated secrets (Step 2).
  • No OAuth app registration (that's per-service work, lands when woodpecker needs it in Step 3).
  • No mirror registration (separate cutover-day step using lib/mirrors.sh).

Labels / meta

  • [nomad-step-1] S1.1 — no dependencies.
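
An added example, not the project's actual file: one way the Scope list above could translate into a Nomad job spec. The group, task and service names and `provider = "nomad"` are assumptions not stated in the issue, and the restart stanza is not shown.

```hcl
job "forgejo" {
  type        = "service"
  datacenters = ["dc1"]
  group "forgejo" { # group, task and service names are assumptions
    network {
      port "http" {
        static = 3000 # binds host port 3000 on the client node
        to     = 3000
      }
    }
    volume "forgejo-data" { # claims the host_volume from nomad/client.hcl
      type   = "host"
      source = "forgejo-data"
    }
    service {
      name     = "forgejo"
      port     = "http"
      provider = "nomad" # assumption: Nomad-native service registration
      check { # initial_status is not set, so the check must pass first
        type     = "http"
        path     = "/api/v1/version"
        interval = "10s"
        timeout  = "3s"
      }
    }
    task "forgejo" {
      driver = "docker"
      config {
        image = "codeberg.org/forgejo/forgejo:11.0"
        ports = ["http"]
      }
      volume_mount {
        volume      = "forgejo-data"
        destination = "/data"
      }
      env { # inline, non-secret settings only; secrets wait for Vault
        FORGEJO__database__DB_TYPE            = "sqlite3"
        FORGEJO__server__ROOT_URL             = "http://forgejo:3000/"
        FORGEJO__server__HTTP_PORT            = "3000"
        FORGEJO__security__INSTALL_LOCK       = "true"
        FORGEJO__service__DISABLE_REGISTRATION = "true"
        FORGEJO__webhook__ALLOWED_HOST_LIST   = "private"
      }
      resources {
        cpu    = 300
        memory = 512
      }
    }
  }
}
```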
dev-bot added the backlog label 2026-04-16 09:52:46 +00:00
dev-bot self-assigned this 2026-04-16 09:52:50 +00:00
dev-bot added in-progress and removed backlog labels 2026-04-16 09:52:50 +00:00
dev-bot removed their assignment 2026-04-16 10:18:22 +00:00
Reference: disinto-admin/disinto#840