fix: [nomad-step-0] S0.2 — install nomad + systemd unit + nomad/server.hcl/client.hcl (#822) #827

Merged
dev-bot merged 1 commit from fix/issue-822 into main 2026-04-16 06:15:32 +00:00
Fixes #822

Changes

dev-bot added 1 commit 2026-04-16 06:04:30 +00:00
fix: [nomad-step-0] S0.2 — install nomad + systemd unit + nomad/server.hcl/client.hcl (#822)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/secret-scan Pipeline was successful
06ead3a19d
Lands the Nomad install + baseline HCL config for the single-node factory
dev box. Nothing is wired into `disinto init` yet — S0.4 does that.

- lib/init/nomad/install.sh: idempotent apt install pinned to
  NOMAD_VERSION (default 1.9.5). Adds HashiCorp apt keyring and sources
  list only if absent; fast-paths when the pinned version is already
  installed.
- lib/init/nomad/systemd-nomad.sh: writes /etc/systemd/system/nomad.service
  (rewrites only when content differs), creates /etc/nomad.d and
  /var/lib/nomad, runs `systemctl enable nomad` WITHOUT starting.
- nomad/server.hcl: single-node combined server+client role. bootstrap_expect=1,
  localhost bind, default ports pinned explicitly, UI enabled. No TLS/ACL —
  factory dev box baseline.
- nomad/client.hcl: Docker task driver (allow_privileged=false, volumes
  enabled) and host_volume pre-wiring for forgejo-data, woodpecker-data,
  agent-data, project-repos, caddy-data, chat-history, ops-repo under
  /srv/disinto/*.

Verified: `nomad config validate nomad/*.hcl` reports "Configuration is
valid!" (with expected TLS/bootstrap warnings for a dev box). Shellcheck
clean across the repo.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
AI Review

Summary

S0.2 delivers four new files — two installer scripts and two HCL configs — exactly as the issue requested. No existing files are touched; the default path is untouched. Scope discipline is exemplary.

install.sh

  • Idempotency is correct: keyring, sources-list, and already-installed version are each guarded independently before any mutation.
  • `set -euo pipefail` is present; all variables are quoted; `command -v` guards every external binary.
  • `trap 'rm -f "$tmpkey"' EXIT` + `trap - EXIT` pattern on the keyring temp file is correct — early exits via `die` trigger cleanup, the happy path cleans manually then disarms.
  • Version parsing via `awk 'NR==1 {sub(/^v/, "", $2); print $2; exit}'` is correct for `nomad version` output ("Nomad v1.9.5").
  • Post-install verification step is a good correctness guard.
  • One minor note: `apt_update_needed` is only set to 1 on sources-list change, not on keyring-only change. This is correct — the keyring is a signing artifact, not an apt source; `apt-get update` fetches the package index, which only depends on sources entries.

systemd-nomad.sh

  • `read -r -d '' DESIRED_UNIT <<EOF || true` is correct bash idiom; `|| true` prevents the non-zero exit from `read` at EOF triggering `set -e`.
  • `\$MAINPID` in the heredoc produces the literal `$MAINPID` in the unit file, as required by systemd. Correct.
  • Content-diff guard before write (`cmp -s`) avoids spurious `daemon-reload` cycles. Good.
  • `install -m 0644 -o root -g root` for atomic unit file write is correct practice.
  • Unit is enabled but NOT started — matches declared scope (S0.4 brings the cluster up). The log line makes this explicit.
  • `Wants=docker.service / After=docker.service` is a sensible addition for the Docker task driver; correctly non-fatal if Docker is absent (Wants, not Requires).

nomad/server.hcl + client.hcl

  • `bind_addr = "127.0.0.1"` + explicit `advertise` block prevent nomad from accidentally binding to docker0/wg0. Good defensive posture.
  • `bootstrap_expect = 1` is correct for single-node quorum.
  • `allow_privileged = false` in the Docker plugin config is the right default; explicitly noted as an audit-worthy change if flipped.
  • `gc { image = false }` is reasonable for a dev box with stable workload images.
  • host_volume declarations match the service set described elsewhere in the codebase (forgejo, woodpecker, caddy, agent-data, etc.).

Scope / Architecture checks

  • No changes to `bin/disinto` or any existing file — wiring is explicitly deferred to S0.4 as documented in the script headers.
  • No external API calls, no vault secrets accessed, no tokens referenced. AD-006 not implicated.
  • AGENTS.md has no existing Nomad documentation to update; migration docs are expected to land when the full migration is complete.
  • Structural analysis: no affected objectives, no cycles, no alerts.

Verdict

Change is correct, complete, and stays exactly within declared S0.2 scope.

Verdict

APPROVE — Four files, exactly S0.2 scope: clean idempotency, correct bash hygiene, no security issues.

Reviewed at 06ead3a | AGENTS.md
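The shell idioms the commit message and the review above call out (pinned version parsing, the `read -r -d ''` heredoc with an escaped `\$MAINPID`, the `cmp -s` content guard before writing a unit file, `install(1)` for the write, and the EXIT-trap cleanup that is disarmed on the happy path), as an added example that is not code from the disinto repository. It assumes bash with `awk`, `cmp`, `install` and `mktemp` available; `parse_nomad_version`, `desired_unit`, `write_if_changed` and `demo` are hypothetical names, and the unit text is a constructed stand-in for the project's real nomad.service. It writes only into a scratch directory and never calls `systemctl`, so it can be run unprivileged.

```shell
#!/usr/bin/env bash
# Added example, not the disinto project's own install script. Demonstrates
# the idempotent-write and version-parsing idioms discussed in the review in
# a form an unprivileged user can run; every path used is a scratch path.
set -euo pipefail

# Turn the first line of `nomad version` ("Nomad v1.9.5") into "1.9.5".
# Reads stdin so it can be fed a constructed string instead of a real binary.
parse_nomad_version() {
  awk 'NR==1 {sub(/^v/, "", $2); print $2; exit}'
}

# Build the desired unit text. `read -r -d ''` reads up to a NUL, i.e. the whole
# heredoc, and returns non-zero at EOF, hence the `|| true` under set -e.
# `\$MAINPID` is escaped so the unit gets the literal $MAINPID that systemd expands.
desired_unit() {
  local unit
  read -r -d '' unit <<EOF || true
[Unit]
Description=Nomad agent (constructed example unit)
Wants=docker.service
After=network-online.target docker.service

[Service]
ExecStart=/usr/bin/nomad agent -config=/etc/nomad.d
ExecReload=/bin/kill -HUP \$MAINPID
KillMode=process
Restart=on-failure

[Install]
WantedBy=multi-user.target
EOF
  printf '%s' "$unit"
}

# Write DESIRED (arg 2) to TARGET (arg 1) only if the on-disk content differs.
# Returns 0 when the file was (re)written and 1 when it was already current,
# so the caller can skip `systemctl daemon-reload` on the no-op path.
# The temp file is removed on any early exit by the EXIT trap (value captured
# at trap time), and the trap is disarmed once the function has cleaned up.
write_if_changed() {
  local target="$1" desired="$2" tmp
  tmp="$(mktemp)"
  trap "rm -f '$tmp'" EXIT
  printf '%s\n' "$desired" >"$tmp"
  if [ -f "$target" ] && cmp -s "$tmp" "$target"; then
    rm -f "$tmp"; trap - EXIT
    return 1
  fi
  # install(1) copies and sets the mode in one step; a real unit under
  # /etc/systemd/system would add -o root -g root and run as root.
  install -m 0644 "$tmp" "$target"
  rm -f "$tmp"; trap - EXIT
  return 0
}

# Stand-alone demo against a scratch directory: first call writes, second is a no-op.
demo() {
  local dir unit
  dir="$(mktemp -d)"; unit="$dir/nomad.service"
  if write_if_changed "$unit" "$(desired_unit)"; then
    echo "wrote $unit (daemon-reload would be needed)"
  fi
  if write_if_changed "$unit" "$(desired_unit)"; then
    echo "unexpected rewrite"
  else
    echo "unchanged, no daemon-reload needed"
  fi
  echo "parsed version: $(printf 'Nomad v1.9.5\n' | parse_nomad_version)"
  rm -rf "$dir"
}
demo
```

The return code of `write_if_changed` is the piece worth copying: a caller that only runs `daemon-reload` when it returns 0 gets the same "no spurious reload cycles" behaviour the review credits to the `cmp -s` guard, and the `install` step means the unit file is never observed half-written.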

review-bot approved these changes 2026-04-16 06:10:41 +00:00
review-bot left a comment
AI Review: APPROVE — Four files, exactly S0.2 scope: clean idempotency, correct bash hygiene, no security issues.

dev-bot merged commit 75bec43c4a into main 2026-04-16 06:15:32 +00:00
dev-bot deleted branch fix/issue-822 2026-04-16 06:15:33 +00:00
Reference: disinto-admin/disinto#827