[nomad-step-3] S3.1 — nomad/jobs/woodpecker-server.hcl + vault-seed-woodpecker.sh #934

Closed
opened 2026-04-17 05:13:15 +00:00 by dev-bot · 1 comment
Collaborator

Part of the Nomad+Vault migration. Step 3 — Woodpecker server + agent.

Goal

Add nomad/jobs/woodpecker-server.hcl — Woodpecker CI server running as a Nomad service job, reading its Forgejo OAuth + agent secret from Vault.

Scope

Create nomad/jobs/woodpecker-server.hcl:

  • job "woodpecker-server", type = "service", datacenters = ["dc1"], 1 group × 1 task.
  • Image: woodpeckerci/woodpecker-server:v3 (matches current compose).
  • Ports: 8000 (HTTP UI) + 9000 (gRPC agent).
  • volume_mount: woodpecker-data host_volume → /var/lib/woodpecker.
  • Vault integration: vault { role = "service-woodpecker" } + template stanza:
    template {
      destination = "secrets/wp.env"
      env         = true
      data        = <<EOT
    WOODPECKER_AGENT_SECRET={{ with secret "kv/data/disinto/shared/woodpecker" }}{{ .Data.data.agent_secret }}{{ end }}
    WOODPECKER_FORGEJO_CLIENT={{ with secret "kv/data/disinto/shared/woodpecker" }}{{ .Data.data.forgejo_client }}{{ end }}
    WOODPECKER_FORGEJO_SECRET={{ with secret "kv/data/disinto/shared/woodpecker" }}{{ .Data.data.forgejo_secret }}{{ end }}
    EOT
    }
    
  • Inline env (non-secret): WOODPECKER_FORGEJO=true, WOODPECKER_FORGEJO_URL=http://forgejo:3000, WOODPECKER_HOST=http://woodpecker:8000, WOODPECKER_OPEN=true, WOODPECKER_DATABASE_DRIVER=sqlite3, WOODPECKER_DATABASE_DATASOURCE=/var/lib/woodpecker/woodpecker.sqlite.
  • Note: Nomad service discovery means Woodpecker finds Forgejo by the Nomad service name registered in forgejo.hcl, not Docker DNS. Verify Nomad service registration in forgejo.hcl exposes a service { name = "forgejo" } block; if absent, add it in this PR.
  • check stanza: HTTP check on port 8000 /healthz, interval 10s.
  • resources { cpu = 300, memory = 512 }.

Also create tools/vault-seed-woodpecker.sh:

  • Generates agent_secret (random hex) and writes to kv/disinto/shared/woodpecker/agent_secret.
  • Idempotent — does not overwrite if the key already exists.
  • Does NOT generate OAuth client/secret (that's S3.3's job via Forgejo API).

Acceptance criteria

  • nomad job validate nomad/jobs/woodpecker-server.hcl clean.
  • After seeding + deploying: Woodpecker UI loads at :8000, healthcheck passes.
  • shellcheck clean on seed script.

Non-goals

  • No Woodpecker agent (S3.2).
  • No OAuth app registration (S3.3).
  • No --with woodpecker wiring (S3.4).

Labels / meta

  • [nomad-step-3] S3.1 — no dependencies.
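An illustrative `tools/vault-seed-woodpecker.sh` for the seed-script item above (added here as an example; it is not the repository's file). It assumes the `vault` CLI on PATH with `VAULT_ADDR`/`VAULT_TOKEN` set and a KV v2 engine mounted at `kv`; it patches rather than puts when the path already holds data, so the `forgejo_client`/`forgejo_secret` keys that S3.3 later stores at the same path are never clobbered by a `kv put` (which replaces the whole KV v2 secret).

```shell
#!/usr/bin/env sh
# Illustrative tools/vault-seed-woodpecker.sh (example, not the repo's file).
# Assumes: vault CLI on PATH, VAULT_ADDR/VAULT_TOKEN set, KV v2 mounted at "kv".
set -eu

SECRET_PATH="${SECRET_PATH:-kv/disinto/shared/woodpecker}"
FIELD="agent_secret"

# 32 random bytes rendered as 64 hex chars, using only POSIX tools.
gen_hex_secret() {
  dd if=/dev/urandom bs=32 count=1 2>/dev/null | od -An -v -tx1 | tr -d ' \n'
}

# Prints the existing field value, or nothing (still exit 0) when absent.
current_secret() {
  vault kv get -field="$FIELD" "$SECRET_PATH" 2>/dev/null || true
}

# True when any secret already lives at the path (e.g. S3.3's OAuth keys).
secret_exists() {
  vault kv get "$SECRET_PATH" >/dev/null 2>&1
}

# Idempotent per key: keeps an existing agent_secret untouched, and uses
# `kv patch` when the path already holds other keys so `kv put` (which
# replaces the whole KV v2 secret) can never clobber forgejo_client/secret.
# Prints the effective value so callers and tests can check it.
seed_agent_secret() {
  existing=$(current_secret)
  if [ -n "$existing" ]; then
    printf '%s\n' "$existing"
    return 0
  fi
  new=$(gen_hex_secret)
  if secret_exists; then
    vault kv patch "$SECRET_PATH" "$FIELD=$new" >/dev/null
  else
    vault kv put "$SECRET_PATH" "$FIELD=$new" >/dev/null
  fi
  printf '%s\n' "$new"
}

# Only act when invoked as the script itself, so it can be sourced/tested.
case "${0##*/}" in
  vault-seed-woodpecker.sh)
    seed_agent_secret >/dev/null
    echo "$FIELD present at $SECRET_PATH"
    ;;
esac
```

Running it twice leaves the first value in place, which is the idempotency the acceptance criteria ask for.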
dev-bot added the
backlog
label 2026-04-17 05:13:15 +00:00
dev-bot self-assigned this 2026-04-17 05:13:19 +00:00
dev-bot added
in-progress
and removed
backlog
labels 2026-04-17 05:13:19 +00:00
Collaborator

Blocked — issue #934

Field Value
Exit reason ci_exhausted_poll (3 attempts, PR #938)
Timestamp 2026-04-17T05:21:27Z
dev-qwen2 2026-04-17 05:21:27 +00:00
dev-bot was unassigned by dev-qwen2 2026-04-17 05:29:11 +00:00
Reference: disinto-admin/disinto#934