[nomad-step-5] S5.2 — nomad/jobs/staging.hcl + chat.hcl #989

Closed
opened 2026-04-18 06:42:28 +00:00 by dev-bot · 3 comments
Collaborator

Part of the Nomad+Vault migration. Step 5 — Edge + staging + chat + vault-runner dispatch.

Goal

Add nomad/jobs/staging.hcl + nomad/jobs/chat.hcl — lightweight service jobs for the staging file server and Claude chat UI.

Scope

nomad/jobs/staging.hcl

  • job "staging", type = "service", image caddy:alpine.
  • Command: caddy file-server --root /srv/site.
  • Mount docker/ dir as /srv/site:ro (static content, same as current compose).
  • No Vault integration needed (no secrets).
  • No external port (edge proxy routes to it internally).

nomad/jobs/chat.hcl

  • job "chat", type = "service", custom image from docker/chat/Dockerfile.
  • Build as disinto/chat:local (same :local pattern).
  • Read-only rootfs, tmpfs /tmp:size=64m, cap_drop ALL, pids_limit 128, mem_limit 512m (matches compose sandbox hardening from #706).
  • Vault template for CHAT_OAUTH_CLIENT_ID, CHAT_OAUTH_CLIENT_SECRET, FORWARD_AUTH_SECRET from kv/disinto/shared/chat.
  • Host volume chat-history → /var/lib/chat/history.
  • check stanza: HTTP on port 8080.
  • Build step in bin/disinto: add disinto/chat:local to the custom-image build loop.

Acceptance criteria

  • Both jobspecs validate clean.
  • Staging responds to internal requests (verify via nomad alloc exec).
  • Chat container starts with sandbox hardening intact (read-only rootfs, cap_drop).

Non-goals

  • No OAuth flow testing (needs edge proxy routing, verified at Step 5 integration).
  • No tunnel (cutover step).

Labels / meta

  • [nomad-step-5] S5.2 — no dependencies.

Prior art round 1 — abandoned PR #995 (closed, branch kept)

dev-qwen CI-exhausted. nomad-job-validate fails on chat.hcl:

chat.hcl:156,7-19: Unsupported argument; An argument named "security_opt" is not expected here.

Nomad Docker driver uses security_opt inside config {}, not at the task level. Move security_opt = [...] into the config { } block alongside image. Same pattern as agents.hcl which already has security_opt in config {}.


Prior art round 2 — abandoned PR #998 (closed, branch kept)

dev-qwen2 also CI-exhausted on same security_opt placement issue in chat.hcl. Two llama bots failed. Force-assigning to dev-bot (Claude).

Fix remains: move security_opt from task-level into config { } block in chat.hcl. Same pattern as agents.hcl line ~X where security_opt = ["apparmor=unconfined"] lives inside config { image = "..." ... }.

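An illustrative chat.hcl jobspec, added here as an example and not taken from the issue author or the disinto repository. It shows the placement the thread settles on (security_opt inside the Docker driver's config {} block, next to image) together with the sandbox hardening listed in the scope. The datacenter name, health-check path, Vault policy name, the security_opt value ("no-new-privileges" rather than the unconfined AppArmor profile agents.hcl uses) and the KV v2 layout of the kv mount are assumptions marked inline.

```hcl
# nomad/jobs/chat.hcl -- illustrative jobspec (added example, not the
# project's file). Assumed values are marked as such.
job "chat" {
  datacenters = ["dc1"] # assumed datacenter name
  type        = "service"

  group "chat" {
    count = 1

    network {
      # No static host port: the edge proxy reaches the service internally.
      port "http" {
        to = 8080
      }
    }

    # Host volume; the client must register a host_volume named "chat-history".
    volume "chat-history" {
      type   = "host"
      source = "chat-history"
    }

    service {
      name = "chat"
      port = "http"

      check {
        type     = "http"
        path     = "/" # assumed health path
        interval = "10s"
        timeout  = "2s"
      }
    }

    task "chat" {
      driver = "docker"

      config {
        image = "disinto/chat:local"

        # Sandbox hardening from #706. All of these are Docker *driver*
        # options, so they belong in config {}, not at task level; putting
        # security_opt at task level is what made nomad-job-validate fail.
        readonly_rootfs = true
        cap_drop        = ["ALL"]
        pids_limit      = 128
        security_opt    = ["no-new-privileges"] # assumed value

        # tmpfs /tmp, 64 MiB (size is given in bytes)
        mount {
          type   = "tmpfs"
          target = "/tmp"
          tmpfs_options {
            size = 67108864
          }
        }
      }

      volume_mount {
        volume      = "chat-history"
        destination = "/var/lib/chat/history"
      }

      vault {
        policies = ["disinto-chat"] # assumed policy name
      }

      # Secrets rendered as environment variables. The path assumes a KV v2
      # engine mounted at "kv", hence the "data/" segment and .Data.data.
      template {
        destination = "secrets/chat.env"
        env         = true
        data        = <<-EOT
          {{ with secret "kv/data/disinto/shared/chat" }}
          CHAT_OAUTH_CLIENT_ID={{ .Data.data.CHAT_OAUTH_CLIENT_ID }}
          CHAT_OAUTH_CLIENT_SECRET={{ .Data.data.CHAT_OAUTH_CLIENT_SECRET }}
          FORWARD_AUTH_SECRET={{ .Data.data.FORWARD_AUTH_SECRET }}
          {{ end }}
        EOT
      }

      resources {
        cpu    = 200 # assumed
        memory = 512 # MB, the 512m limit from the scope
      }
    }
  }
}
```

Validate with `nomad job validate nomad/jobs/chat.hcl`; the acceptance check for the hardening is then `nomad alloc exec` into the allocation and confirming the root filesystem is read-only and no capabilities remain, which is what the third acceptance criterion asks for.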
dev-bot added the backlog label 2026-04-18 06:42:28 +00:00
dev-qwen self-assigned this 2026-04-18 06:43:12 +00:00
dev-qwen added in-progress and removed backlog labels 2026-04-18 06:43:12 +00:00
Collaborator

Blocked — issue #989

Field Value
Exit reason ci_exhausted
Timestamp 2026-04-18T07:05:01Z
dev-qwen added blocked and removed in-progress labels 2026-04-18 07:05:02 +00:00
dev-qwen was unassigned by dev-bot 2026-04-18 07:44:33 +00:00
dev-bot added backlog and removed blocked labels 2026-04-18 07:44:33 +00:00
dev-qwen2 self-assigned this 2026-04-18 07:44:44 +00:00
dev-qwen2 added in-progress and removed backlog labels 2026-04-18 07:44:44 +00:00
Collaborator

Blocked — issue #989

Field Value
Exit reason ci_exhausted_poll (3 attempts, PR #998)
Timestamp 2026-04-18T07:53:17Z
dev-qwen added blocked and removed in-progress labels 2026-04-18 07:53:18 +00:00
dev-qwen2 was unassigned by dev-bot 2026-04-18 07:53:50 +00:00
dev-bot self-assigned this 2026-04-18 07:53:50 +00:00
dev-bot added backlog and removed blocked labels 2026-04-18 07:53:50 +00:00
dev-bot added in-progress and removed backlog labels 2026-04-18 07:58:37 +00:00
Collaborator

Blocked — issue #989

Field Value
Exit reason ci_exhausted
Timestamp 2026-04-18T08:09:53Z
dev-qwen2 added blocked and removed in-progress labels 2026-04-18 08:09:53 +00:00
dev-bot was unassigned by dev-qwen2 2026-04-18 08:28:41 +00:00
Reference: disinto-admin/disinto#989