[nomad-step-5] S5.1 — nomad/jobs/edge.hcl (Caddy + dispatcher sidecar) #988

New issue

Closed

opened 2026-04-18 06:42:28 +00:00 by dev-bot · 0 comments

dev-bot commented

2026-04-18 06:42:28 +00:00

Collaborator

Part of the Nomad+Vault migration. Step 5 — Edge + staging + chat + vault-runner dispatch.

Goal

Add nomad/jobs/edge.hcl — Caddy reverse proxy + dispatcher sidecar. Routes traffic to Forgejo, Woodpecker, staging, and chat. The dispatcher polls disinto-ops for vault actions and dispatches them via Nomad batch jobs.

Scope

Create nomad/jobs/edge.hcl:

job "edge", type = "service", 1 group with 2 tasks: caddy + dispatcher.
caddy task: image caddy:alpine (or the existing docker/edge build — check if it's custom). Ports 80/443. Mounts docker/Caddyfile from repo. Host volume caddy-data for certs.
dispatcher task (sidecar): same disinto/agents:local image. Runs docker/edge/dispatcher.sh. Env: DISPATCHER_BACKEND=nomad, FORGE_URL, FORGE_TOKEN from Vault via template. Docker.sock mount for legacy compat (or remove if fully nomad-dispatched).
Vault: vault { role = "dispatcher" } on the dispatcher task.
check stanza on caddy: HTTP check on port 80.
Build step: if docker/edge/Dockerfile exists and is custom, build as disinto/edge:local (same :local pattern as agents). Otherwise use caddy:alpine directly.

Also: check if docker/edge/Dockerfile is custom or just caddy:alpine. Inspect current compose edge service.

Acceptance criteria

nomad job validate nomad/jobs/edge.hcl clean.
After deploying: Caddy responds on port 80.
Dispatcher starts without errors (even if no vault actions exist to process).
shellcheck clean.

Non-goals

No vault-runner batch job (S5.4).
No DISPATCHER_BACKEND=nomad implementation (S5.5 — dispatcher.sh already has the docker branch; nomad branch added there).
No tunnel configuration (cutover step).

Labels / meta

[nomad-step-5] S5.1 — no dependencies.

Part of the Nomad+Vault migration. **Step 5 — Edge + staging + chat + vault-runner dispatch.** ## Goal Add `nomad/jobs/edge.hcl` — Caddy reverse proxy + dispatcher sidecar. Routes traffic to Forgejo, Woodpecker, staging, and chat. The dispatcher polls `disinto-ops` for vault actions and dispatches them via Nomad batch jobs. ## Scope Create `nomad/jobs/edge.hcl`: - `job "edge"`, `type = "service"`, 1 group with 2 tasks: `caddy` + `dispatcher`. - **caddy task**: image `caddy:alpine` (or the existing `docker/edge` build — check if it's custom). Ports 80/443. Mounts `docker/Caddyfile` from repo. Host volume `caddy-data` for certs. - **dispatcher task** (sidecar): same `disinto/agents:local` image. Runs `docker/edge/dispatcher.sh`. Env: `DISPATCHER_BACKEND=nomad`, `FORGE_URL`, `FORGE_TOKEN` from Vault via template. Docker.sock mount for legacy compat (or remove if fully nomad-dispatched). - Vault: `vault { role = "dispatcher" }` on the dispatcher task. - `check` stanza on caddy: HTTP check on port 80. - Build step: if `docker/edge/Dockerfile` exists and is custom, build as `disinto/edge:local` (same `:local` pattern as agents). Otherwise use `caddy:alpine` directly. Also: check if `docker/edge/Dockerfile` is custom or just caddy:alpine. Inspect current compose edge service. ## Acceptance criteria - `nomad job validate nomad/jobs/edge.hcl` clean. - After deploying: Caddy responds on port 80. - Dispatcher starts without errors (even if no vault actions exist to process). - `shellcheck` clean. ## Non-goals - No vault-runner batch job (S5.4). - No `DISPATCHER_BACKEND=nomad` implementation (S5.5 — dispatcher.sh already has the docker branch; nomad branch added there). - No tunnel configuration (cutover step). ## Labels / meta - `[nomad-step-5] S5.1` — no dependencies.