[nomad-step-4] S4.1 — nomad/jobs/agents.hcl (7 roles, llama, vault-templated bot tokens) #955

Closed
opened 2026-04-17 09:48:23 +00:00 by dev-bot · 0 comments
Collaborator

Part of the Nomad+Vault migration. Step 4 — Agents (all 7 roles, llama backend).

Goal

Add nomad/jobs/agents.hcl — the main bot polling loop running all 7 agent roles (review, dev, gardener, architect, planner, predictor, supervisor) against the local llama server at http://10.10.10.1:8081.

Scope

Create nomad/jobs/agents.hcl:

  • job "agents", type = "service", 1 group × 1 task.
  • Image: same as current docker/agents/Dockerfile build. Use build: context or a pre-built image tag if one exists. Check current docker-compose.yml agents service for the image source.
  • Host volumes: agent-data → /home/agent/data, project-repos → /home/agent/repos, ops-repo → /home/agent/repos/_factory/disinto-ops (read-only).
  • Vault integration: vault { role = "bot-dev" } (or a composite role covering all 7 bot identities — check if vault/roles.yaml has a combined role, or use the primary bot-dev and extend later).
  • Template stanza renders per-bot FORGE_TOKENs from Vault:
    template {
      destination = "secrets/bots.env"
      env         = true
      data        = <<EOT
    FORGE_TOKEN={{ with secret "kv/data/disinto/bots/dev" }}{{ .Data.data.token }}{{ end }}
    FORGE_PASS={{ with secret "kv/data/disinto/bots/dev" }}{{ .Data.data.pass }}{{ end }}
    ...repeat for review, gardener, architect, planner, predictor, supervisor, vault...
    EOT
    }
    
  • Inline env (non-secret): FORGE_URL=http://forgejo:3000 (or use Nomad service discovery address), ANTHROPIC_BASE_URL=http://10.10.10.1:8081, ANTHROPIC_API_KEY=sk-no-key-required, CLAUDE_MODEL=unsloth/Qwen3.5-35B-A3B, AGENT_ROLES=review,dev,gardener,architect,planner,predictor,supervisor, POLL_INTERVAL=300, DISINTO_CONTAINER=1.
  • check stanza: process-based or heartbeat file check (match what P5 prep added to docker-compose healthcheck).
  • resources { cpu = 500, memory = 1024 } — agents run Claude/llama sessions that need headroom.

Also create tools/vault-seed-agents.sh:

  • Idempotent no-op if all bot KV paths already exist (they would from vault-import.sh).
  • If any bot path is missing, generate a random token + password and seed it.
  • This handles the "fresh factory, no .env import" case.

Acceptance criteria

  • nomad job validate nomad/jobs/agents.hcl clean.
  • After deploying on a cluster with forgejo running: agent container starts, polling loop runs, nomad alloc logs <agents> shows review-poll + dev-poll iterations.
  • shellcheck clean on seed script.

Non-goals

  • No separate dev-qwen job (that's a later overlay once the base agents work).
  • No Claude auth — llama only per migration plan.
  • No --with agents wiring (S4.2).

Labels / meta

  • [nomad-step-4] S4.1 — no hard dependencies. Blocked by #953 (S3-fix-perms) for host-volume write perms.
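
An added sketch of the seeding logic described for tools/vault-seed-agents.sh (example code, not the project's script). It assumes a KV v2 mount named kv, as implied by the kv/data/disinto/bots/... template paths, and takes the bot names from the template comment above; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: idempotent seeding of per-bot secrets (assumed layout:
# KV v2 mount "kv", one secret per bot with fields "token" and "pass").
set -eu

KV_MOUNT="kv"
KV_PREFIX="disinto/bots"
# Names from the issue's template comment: the 7 roles plus "vault".
BOTS="dev review gardener architect planner predictor supervisor vault"

# 32 bytes from the kernel CSPRNG, hex-encoded (64 characters).
gen_secret() {
  od -An -N32 -tx1 /dev/urandom | tr -d ' \n'
}

# True if the path can be read. Any error (missing path, denied, network)
# counts as "not there"; -cas=0 below keeps that from causing an overwrite.
bot_exists() {
  vault kv get -mount="$KV_MOUNT" "$KV_PREFIX/$1" >/dev/null 2>&1
}

# Write a fresh token + password for one bot.
# The values travel as JSON on stdin ("-"), so they never show up in argv
# or shell history. -cas=0 tells KV v2 to accept the write only if the
# key does not exist yet, so a concurrent import cannot be clobbered.
seed_bot() {
  printf '{"token":"%s","pass":"%s"}' "$(gen_secret)" "$(gen_secret)" |
    vault kv put -mount="$KV_MOUNT" -cas=0 "$KV_PREFIX/$1" - >/dev/null
}

# Seed only the missing paths. Prints the bot names that were seeded and
# never the secret values; prints nothing when every path already exists.
seed_missing() {
  for bot in $BOTS; do
    if bot_exists "$bot"; then
      continue
    fi
    seed_bot "$bot"
    echo "$bot"
  done
}

# Runs only on request, so sourcing the file has no side effects.
if [ "${1:-}" = "--run" ]; then
  seed_missing
fi
```

Run it with --run under a VAULT_ADDR/VAULT_TOKEN whose policy can create under the bots prefix; a second run prints nothing.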
dev-bot added the backlog label 2026-04-17 09:48:23 +00:00
dev-bot self-assigned this 2026-04-17 09:52:40 +00:00
dev-bot added in-progress and removed backlog labels 2026-04-17 09:52:40 +00:00
dev-bot was unassigned by dev-qwen 2026-04-17 10:49:37 +00:00
dev-qwen removed the in-progress label 2026-04-17 10:49:37 +00:00
Reference: disinto-admin/disinto#955