fix: fix: edge.hcl uses Docker hostname routing — forgejo/woodpecker/chat upstreams unreachable in Nomad (#1031) #1032
1 changed files with 22 additions and 15 deletions
|
|
@ -6,6 +6,11 @@
|
||||||
# dispatcher sidecar polls disinto-ops for vault actions and dispatches them
|
# dispatcher sidecar polls disinto-ops for vault actions and dispatches them
|
||||||
# via Nomad batch jobs.
|
# via Nomad batch jobs.
|
||||||
#
|
#
|
||||||
|
# Host networking (issue #1031):
|
||||||
|
# Caddy uses network_mode = "host" so upstreams are reached at
|
||||||
|
# 127.0.0.1:<port> (forgejo :3000, woodpecker :8000, chat :8080).
|
||||||
|
# Staging uses Nomad service discovery (S5-fix-7, issue #1018).
|
||||||
|
#
|
||||||
# Host_volume contract:
|
# Host_volume contract:
|
||||||
# This job mounts caddy-data from nomad/client.hcl. Path
|
# This job mounts caddy-data from nomad/client.hcl. Path
|
||||||
# /srv/disinto/caddy-data is created by lib/init/nomad/cluster-up.sh before
|
# /srv/disinto/caddy-data is created by lib/init/nomad/cluster-up.sh before
|
||||||
|
|
@ -97,9 +102,10 @@ job "edge" {
|
||||||
config {
|
config {
|
||||||
# Use pre-built disinto/edge:local image (custom Dockerfile adds
|
# Use pre-built disinto/edge:local image (custom Dockerfile adds
|
||||||
# bash, jq, curl, git, docker-cli, python3, openssh-client, autossh).
|
# bash, jq, curl, git, docker-cli, python3, openssh-client, autossh).
|
||||||
image = "disinto/edge:local"
|
image = "disinto/edge:local"
|
||||||
force_pull = false
|
force_pull = false
|
||||||
ports = ["http", "https"]
|
network_mode = "host"
|
||||||
|
ports = ["http", "https"]
|
||||||
|
|
||||||
# apparmor=unconfined matches docker-compose — needed for autossh
|
# apparmor=unconfined matches docker-compose — needed for autossh
|
||||||
# in the entrypoint script.
|
# in the entrypoint script.
|
||||||
|
|
@ -132,12 +138,12 @@ job "edge" {
|
||||||
|
|
||||||
# Reverse proxy to Forgejo
|
# Reverse proxy to Forgejo
|
||||||
handle /forge/* {
|
handle /forge/* {
|
||||||
reverse_proxy forgejo:3000
|
reverse_proxy 127.0.0.1:3000
|
||||||
}
|
}
|
||||||
|
|
||||||
# Reverse proxy to Woodpecker CI
|
# Reverse proxy to Woodpecker CI
|
||||||
handle /ci/* {
|
handle /ci/* {
|
||||||
reverse_proxy woodpecker:8000
|
reverse_proxy 127.0.0.1:8000
|
||||||
}
|
}
|
||||||
|
|
||||||
# Reverse proxy to staging — dynamic port via Nomad service discovery
|
# Reverse proxy to staging — dynamic port via Nomad service discovery
|
||||||
|
|
@ -148,19 +154,19 @@ job "edge" {
|
||||||
# Chat service — reverse proxy to disinto-chat backend (#705)
|
# Chat service — reverse proxy to disinto-chat backend (#705)
|
||||||
# OAuth routes bypass forward_auth — unauthenticated users need these (#709)
|
# OAuth routes bypass forward_auth — unauthenticated users need these (#709)
|
||||||
handle /chat/login {
|
handle /chat/login {
|
||||||
reverse_proxy chat:8080
|
reverse_proxy 127.0.0.1:8080
|
||||||
}
|
}
|
||||||
handle /chat/oauth/callback {
|
handle /chat/oauth/callback {
|
||||||
reverse_proxy chat:8080
|
reverse_proxy 127.0.0.1:8080
|
||||||
}
|
}
|
||||||
# Defense-in-depth: forward_auth stamps X-Forwarded-User from session (#709)
|
# Defense-in-depth: forward_auth stamps X-Forwarded-User from session (#709)
|
||||||
handle /chat/* {
|
handle /chat/* {
|
||||||
forward_auth chat:8080 {
|
forward_auth 127.0.0.1:8080 {
|
||||||
uri /chat/auth/verify
|
uri /chat/auth/verify
|
||||||
copy_headers X-Forwarded-User
|
copy_headers X-Forwarded-User
|
||||||
header_up X-Forward-Auth-Secret {$FORWARD_AUTH_SECRET}
|
header_up X-Forward-Auth-Secret {$FORWARD_AUTH_SECRET}
|
||||||
}
|
}
|
||||||
reverse_proxy chat:8080
|
reverse_proxy 127.0.0.1:8080
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
EOT
|
EOT
|
||||||
|
|
@ -168,10 +174,10 @@ EOT
|
||||||
|
|
||||||
# ── Non-secret env ───────────────────────────────────────────────────
|
# ── Non-secret env ───────────────────────────────────────────────────
|
||||||
env {
|
env {
|
||||||
FORGE_URL = "http://forgejo:3000"
|
FORGE_URL = "http://127.0.0.1:3000"
|
||||||
FORGE_REPO = "disinto-admin/disinto"
|
FORGE_REPO = "disinto-admin/disinto"
|
||||||
DISINTO_CONTAINER = "1"
|
DISINTO_CONTAINER = "1"
|
||||||
PROJECT_NAME = "disinto"
|
PROJECT_NAME = "disinto"
|
||||||
}
|
}
|
||||||
|
|
||||||
# Caddy needs CPU + memory headroom for reverse proxy work.
|
# Caddy needs CPU + memory headroom for reverse proxy work.
|
||||||
|
|
@ -187,8 +193,9 @@ EOT
|
||||||
|
|
||||||
config {
|
config {
|
||||||
# Use same disinto/agents:local image as other agents.
|
# Use same disinto/agents:local image as other agents.
|
||||||
image = "disinto/agents:local"
|
image = "disinto/agents:local"
|
||||||
force_pull = false
|
force_pull = false
|
||||||
|
network_mode = "host"
|
||||||
|
|
||||||
# apparmor=unconfined matches docker-compose.
|
# apparmor=unconfined matches docker-compose.
|
||||||
security_opt = ["apparmor=unconfined"]
|
security_opt = ["apparmor=unconfined"]
|
||||||
|
|
@ -226,7 +233,7 @@ EOT
|
||||||
# ── Non-secret env ───────────────────────────────────────────────────
|
# ── Non-secret env ───────────────────────────────────────────────────
|
||||||
env {
|
env {
|
||||||
DISPATCHER_BACKEND = "nomad"
|
DISPATCHER_BACKEND = "nomad"
|
||||||
FORGE_URL = "http://forgejo:3000"
|
FORGE_URL = "http://127.0.0.1:3000"
|
||||||
FORGE_REPO = "disinto-admin/disinto"
|
FORGE_REPO = "disinto-admin/disinto"
|
||||||
FORGE_OPS_REPO = "disinto-admin/disinto-ops"
|
FORGE_OPS_REPO = "disinto-admin/disinto-ops"
|
||||||
PRIMARY_BRANCH = "main"
|
PRIMARY_BRANCH = "main"
|
||||||
|
|
|
||||||
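Review bot: Switching the Caddy task (line 90) and the dispatcher sidecar (line 349) to `network_mode = "host"` removes the per-container network namespace, and both tasks already run with `security_opt = ["apparmor=unconfined"]`, so everything the containers listen on or can reach is now the host's own loopback and interfaces. The `127.0.0.1:<port>` upstreams only keep the `forward_auth` gate on `/chat/*` meaningful if forgejo, woodpecker and chat bind to the host loopback rather than 0.0.0.0 — their job files are not in this diff, and a port published on all interfaces would let clients reach chat :8080 directly, bypassing Caddy. Caddy's admin endpoint (default `localhost:2019`) likewise lands on the host loopback unless the Caddyfile's global options block, which is outside these hunks, turns it off with `admin off`. The hunk 1 comment names only Caddy, so I'd extend it to `# Caddy and the dispatcher sidecar use network_mode = "host" so upstreams are reached at` to match hunk 6. With host networking Docker does not publish ports, so the retained `ports = ["http", "https"]` (line 94) presumably only reserves the Nomad port labels rather than mapping anything — worth confirming.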