From 7fd8a0cbba6e6a36354b67efcb052e6ba04095f1 Mon Sep 17 00:00:00 2001 From: Claude Date: Sun, 19 Apr 2026 04:36:32 +0000 Subject: [PATCH 1/2] =?UTF-8?q?fix:=20edge.hcl=20uses=20Docker=20hostname?= =?UTF-8?q?=20routing=20=E2=80=94=20forgejo/woodpecker/chat=20upstreams=20?= =?UTF-8?q?unreachable=20in=20Nomad=20(#1031)?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Add network_mode = "host" to the caddy task docker config (matching woodpecker-agent.hcl pattern) and replace all bare Docker hostnames with 127.0.0.1:: - forgejo:3000 → 127.0.0.1:3000 - woodpecker:8000 → 127.0.0.1:8000 - chat:8080 → 127.0.0.1:8080 - FORGE_URL env in both caddy and dispatcher tasks Staging route already uses nomadService discovery (S5-fix-7, #1018). Co-Authored-By: Claude Opus 4.6 (1M context) --- nomad/jobs/edge.hcl | 32 +++++++++++++++++++------------- 1 file changed, 19 insertions(+), 13 deletions(-) diff --git a/nomad/jobs/edge.hcl b/nomad/jobs/edge.hcl index 779b53b..e88ae22 100644 --- a/nomad/jobs/edge.hcl +++ b/nomad/jobs/edge.hcl @@ -6,6 +6,11 @@ # dispatcher sidecar polls disinto-ops for vault actions and dispatches them # via Nomad batch jobs. # +# Host networking (issue #1031): +# Caddy uses network_mode = "host" so upstreams are reached at +# 127.0.0.1: (forgejo :3000, woodpecker :8000, chat :8080). +# Staging uses Nomad service discovery (S5-fix-7, issue #1018). +# # Host_volume contract: # This job mounts caddy-data from nomad/client.hcl. Path # /srv/disinto/caddy-data is created by lib/init/nomad/cluster-up.sh before 
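Review bot: The new "Host networking" header comment says upstreams are reached on 127.0.0.1 but leaves out the assumption that makes this work: forgejo, woodpecker and chat must run on the same client node as this job and publish 3000, 8000 and 8080 as fixed host ports. Neither constraint is visible in this patch, so state it next to the port list, for example `# Assumes forgejo, woodpecker and chat run on this node with static host ports;` followed by `# host mode also places Caddy in the host's network namespace.` The address in the comment reads `127.0.0.1:` with nothing after the colon here; this may be a rendering loss of a port placeholder, but check the committed text.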
@@ -97,9 +102,10 @@ job "edge" { config { # Use pre-built disinto/edge:local image (custom Dockerfile adds # bash, jq, curl, git, docker-cli, python3, openssh-client, autossh). - image = "disinto/edge:local" - force_pull = false - ports = ["http", "https"] + image = "disinto/edge:local" + force_pull = false + network_mode = "host" + ports = ["http", "https"] # apparmor=unconfined matches docker-compose — needed for autossh # in the entrypoint script. @@ -132,12 +138,12 @@ job "edge" { # Reverse proxy to Forgejo handle /forge/* { - reverse_proxy forgejo:3000 + reverse_proxy 127.0.0.1:3000 } # Reverse proxy to Woodpecker CI handle /ci/* { - reverse_proxy woodpecker:8000 + reverse_proxy 127.0.0.1:8000 } # Reverse proxy to staging — dynamic port via Nomad service discovery @@ -148,19 +154,19 @@ job "edge" { # Chat service — reverse proxy to disinto-chat backend (#705) # OAuth routes bypass forward_auth — unauthenticated users need these (#709) handle /chat/login { - reverse_proxy chat:8080 + reverse_proxy 127.0.0.1:8080 } handle /chat/oauth/callback { - reverse_proxy chat:8080 + reverse_proxy 127.0.0.1:8080 } # Defense-in-depth: forward_auth stamps X-Forwarded-User from session (#709) handle /chat/* { - forward_auth chat:8080 { + forward_auth 127.0.0.1:8080 { uri /chat/auth/verify copy_headers X-Forwarded-User header_up X-Forward-Auth-Secret {$FORWARD_AUTH_SECRET} } - reverse_proxy chat:8080 + reverse_proxy 127.0.0.1:8080 } } EOT @@ -168,10 +174,10 @@ EOT # ── Non-secret env ─────────────────────────────────────────────────── env { - FORGE_URL = "http://forgejo:3000" - FORGE_REPO = "disinto-admin/disinto" + FORGE_URL = "http://127.0.0.1:3000" + FORGE_REPO = "disinto-admin/disinto" DISINTO_CONTAINER = "1" - PROJECT_NAME = "disinto" + PROJECT_NAME = "disinto" } # Caddy needs CPU + memory headroom for reverse proxy work. 
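Review bot: `network_mode = "host"` in the caddy `config` block puts the internet-facing proxy in the host's network namespace, so any service bound only to the host's loopback becomes reachable from inside this container. The context lines show it already runs with `apparmor=unconfined` and an image that ships docker-cli and ssh tooling. The dispatcher task gets the same setting in PATCH 2/2, and the same concern applies there. The staging route is described as using Nomad service discovery; resolving forgejo, woodpecker and chat the same way would fix the unreachable upstreams while keeping bridge isolation. If host mode stays, `ports = ["http", "https"]` probably no longer maps anything (Docker does not publish ports in host mode), so Caddy's listen addresses and the host firewall become the only controls on exposure; the `config` block continues past this hunk.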
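Review bot: In the `/chat/*` handler, pointing `forward_auth` and `reverse_proxy` at `127.0.0.1:8080` implies the chat backend now publishes 8080 on the host, and a backend that trusts `X-Forwarded-User` must not be reachable by any path other than Caddy. In the visible lines `X-Forward-Auth-Secret` is attached only inside the `forward_auth` block, so the proxied request itself carries just the user header and the backend presumably cannot tell a Caddy-proxied request from a direct one. The chat job is not part of this patch, so confirm it binds that port to loopback only or is firewalled. Record the requirement above the handler, e.g. `# chat must listen on 127.0.0.1 only; direct access would bypass forward_auth`. The same exposure question applies to forgejo :3000 and woodpecker :8000 in the `@@ -132` hunk, though those presumably authenticate requests themselves.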
@@ -226,7 +232,7 @@ EOT # ── Non-secret env ─────────────────────────────────────────────────── env { DISPATCHER_BACKEND = "nomad" - FORGE_URL = "http://forgejo:3000" + FORGE_URL = "http://127.0.0.1:3000" FORGE_REPO = "disinto-admin/disinto" FORGE_OPS_REPO = "disinto-admin/disinto-ops" PRIMARY_BRANCH = "main" -- 2.49.1 From 47046ead2e5b7f3b117132d4584a178795ed6d57 Mon Sep 17 00:00:00 2001 From: Claude Date: Sun, 19 Apr 2026 04:44:10 +0000 Subject: [PATCH 2/2] =?UTF-8?q?fix:=20add=20network=5Fmode=3Dhost=20to=20d?= =?UTF-8?q?ispatcher=20task=20=E2=80=94=20FORGE=5FURL=20unreachable=20from?= =?UTF-8?q?=20bridge=20namespace?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The dispatcher task's FORGE_URL was changed to 127.0.0.1:3000 but the task was still in bridge networking mode, making the host's loopback unreachable. Add network_mode = "host" to match the caddy task. Co-Authored-By: Claude Opus 4.6 (1M context) --- nomad/jobs/edge.hcl | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/nomad/jobs/edge.hcl b/nomad/jobs/edge.hcl index e88ae22..4a495d9 100644 --- a/nomad/jobs/edge.hcl +++ b/nomad/jobs/edge.hcl @@ -193,8 +193,9 @@ EOT config { # Use same disinto/agents:local image as other agents. - image = "disinto/agents:local" - force_pull = false + image = "disinto/agents:local" + force_pull = false + network_mode = "host" # apparmor=unconfined matches docker-compose. security_opt = ["apparmor=unconfined"] -- 2.49.1
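Review bot: The header comment added in PATCH 1/2 says only that Caddy uses `network_mode = "host"`, and this hunk extends host networking to the dispatcher without updating it. The file header is where the networking contract is documented, so add the dispatcher there, e.g. `# The dispatcher task also uses network_mode = "host" so FORGE_URL (127.0.0.1:3000) reaches the host's loopback.` A one-line comment above the new setting in the dispatcher `config` block explaining why host mode is needed would match the neighbouring `apparmor=unconfined` comment. The `config` block continues outside the hunk.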