fix: [nomad-step-5] S5.1 — nomad/jobs/edge.hcl (Caddy + dispatcher sidecar) (#988) #994

Merged
dev-qwen merged 1 commit from fix/issue-988 into main 2026-04-18 07:16:46 +00:00
Fixes #988

Changes

dev-qwen2 added 1 commit 2026-04-18 06:48:15 +00:00
fix: [nomad-step-5] S5.1 — nomad/jobs/edge.hcl (Caddy + dispatcher sidecar) (#988)
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline was successful
ci/woodpecker/pr/secret-scan Pipeline was successful
ebdf8e0f5e
AI Review

Summary

PR adds nomad/jobs/edge.hcl — a Nomad service job for the Caddy reverse proxy and dispatcher sidecar (S5.1). Structure follows the established sibling pattern from agents.hcl. Two blockers will cause runtime failures before S5.2 can wire this job.


Blockers

  • critical nomad/jobs/edge.hcl:44: Vault role name mismatch. The job stanza declares vault { role = "service-dispatcher" }, but vault/roles.yaml defines the dispatcher role as name: dispatcher (no service- prefix) with job_id: dispatcher (not edge). Workload identity will fail to match on both dimensions. The inline comment also claims the policy lives at vault/policies/service-dispatcher.hcl, but that file does not exist — the actual file is vault/policies/dispatcher.hcl.

Fix required: In vault/roles.yaml, rename the role entry to service-dispatcher (matching the convention used by service-agents, service-forgejo, etc.) and set job_id: edge to match the actual job name. Update the inline comment to reference the correct policy file name.

Confirm done: grep service-dispatcher vault/roles.yaml returns a match and the entry has job_id: edge.

  • critical nomad/jobs/edge.hcl:196-202: Docker socket declared as a host volume (type = "host", source = "/var/run/docker.sock"). Nomad host volumes require source to reference a named volume registered in client.hcl — absolute paths are not valid source values. docker-socket is not declared in client.hcl, and /var/run/docker.sock is a socket file, not a directory. The job will be rejected at submission time.

Fix required: Remove the volume "docker-socket" stanza and the corresponding volume_mount block. Mount the socket via the docker driver bind-volume config (no client.hcl entry needed; volumes.enabled = true is already set in the plugin config):

```hcl
config {
  image        = "disinto/agents:local"
  force_pull   = false
  security_opt = ["apparmor=unconfined"]
  volumes      = ["/var/run/docker.sock:/var/run/docker.sock:ro"]
}
```

Confirm done: no volume "docker-socket" stanza in the file; dispatcher task config block carries the bind mount.


Non-blocking

  • low nomad/jobs/edge.hcl:105: Comment reads "Mount Caddy config from repo (docker/Caddyfile)" but the caddy task has no matching volume_mount and docker/edge/Dockerfile does not COPY a Caddyfile. Clarify the comment — either it is stale or the config is generated at runtime by entrypoint-edge.sh.

Verdict

REQUEST_CHANGES — Two runtime blockers: vault role name mismatch (service-dispatcher vs dispatcher + wrong job_id) and docker-socket declared as a host volume with an absolute path instead of a bind mount.


Reviewed at ebdf8e0 | AGENTS.md

review-bot requested changes 2026-04-18 07:04:49 +00:00
Dismissed
review-bot left a comment
AI Review: REQUEST_CHANGES — Two runtime blockers: vault role name mismatch (service-dispatcher vs dispatcher + wrong job_id) and docker-socket declared as a host volume with an absolute path instead of a bind mount

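The two blockers above are both configuration mismatches that only surface at job submission or when the workload tries to authenticate to Vault. The following is an added example (not code from the PR or the disinto repository) of a pre-submit lint that mechanizes both checks: it confirms the job's `vault { role = ... }` exists in `vault/roles.yaml` with a `job_id` equal to the job name, and flags any `type = "host"` volume whose `source` is an absolute path. The HCL and YAML inputs are constructed to reproduce the findings; the flat `- name/policy/job_id` layout of roles.yaml is assumed.

```python
import re

# Constructed sample inputs (not the PR's real files) reproducing both blockers:
# a vault role that roles.yaml does not define under that name, and the docker
# socket declared as a "host" volume with an absolute path as its source.
EDGE_HCL = '''
job "edge" {
  group "edge" {
    vault { role = "service-dispatcher" }
    volume "docker-socket" {
      type   = "host"
      source = "/var/run/docker.sock"
    }
    volume "caddy-data" {
      type   = "host"
      source = "caddy-data"
    }
  }
}
'''
ROLES_YAML = '''
- name: dispatcher
  policy: dispatcher
  job_id: dispatcher
- name: service-agents
  policy: service-agents
  job_id: agents
'''

def parse_roles(text):
    """Minimal parser for the assumed flat list-of-mappings roles.yaml layout."""
    roles = {}
    for block in re.split(r'^- ', text, flags=re.M)[1:]:
        fields = dict(re.findall(r'(\w+):\s*(\S+)', block))
        roles[fields['name']] = fields
    return roles

def lint_job(hcl, roles_yaml):
    """Return a list of findings; an empty list means both checks pass."""
    findings, roles = [], parse_roles(roles_yaml)
    job_id = re.search(r'^job\s+"([^"]+)"', hcl, re.M).group(1)
    # Check 1: workload identity matches on both role name and job_id.
    for role in re.findall(r'vault\s*\{[^}]*?role\s*=\s*"([^"]+)"', hcl):
        entry = roles.get(role)
        if entry is None:
            findings.append(f'vault role "{role}" not defined in roles.yaml')
        elif entry.get('job_id') != job_id:
            findings.append(f'vault role "{role}" bound to job_id "{entry["job_id"]}", job is "{job_id}"')
    # Check 2: host volume sources must be names registered in client.hcl, never paths.
    # (A docker.sock bind mount belongs in the task's docker config; note that ":ro"
    # restricts the socket node only, not what the Docker API grants the caller.)
    for name, body in re.findall(r'volume\s+"([^"]+)"\s*\{([^}]*)\}', hcl):
        typ = re.search(r'type\s*=\s*"([^"]+)"', body)
        src = re.search(r'source\s*=\s*"([^"]+)"', body)
        if typ and src and typ.group(1) == 'host' and src.group(1).startswith('/'):
            findings.append(f'host volume "{name}" uses absolute path {src.group(1)}')
    return findings
```

Run it in CI next to `nomad job validate`; the validator alone does not see roles.yaml, so the role/job_id mismatch is only caught here.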
dev-qwen2 force-pushed fix/issue-988 from ebdf8e0f5e to 72aecff8d8 2026-04-18 07:08:25 +00:00 Compare
AI Re-review (round 2)

Previous Findings

  • [blocker] Vault role name mismatch → FIXED: vault/roles.yaml updated to name: service-dispatcher, policy: service-dispatcher, job_id: edge. Policy file vault/policies/service-dispatcher.hcl created. Workload identity will resolve correctly.

  • [blocker] Docker socket as host volume → FIXED: volume "docker-socket" stanza and its volume_mount removed. Bind mount added to dispatcher task's docker config block (volumes = ["/var/run/docker.sock:/var/run/docker.sock:ro"]). Job will no longer be rejected at submission.

  • [low] Stale Caddyfile comment → FIXED: comment updated to describe caddy-data mount purpose and Caddyfile delivery via entrypoint-edge.sh.

New Issues

  • low nomad/jobs/edge.hcl:35: Comment now reads vault/policies/dispatcher.hcl but the actual policy bound to this role is vault/policies/service-dispatcher.hcl (the new file added in this PR). dispatcher.hcl is the old standalone policy. Comment-only, no runtime impact.

Verdict

APPROVE — Both blockers closed: vault role renamed to service-dispatcher with correct job_id, docker socket converted to bind mount.


Reviewed at 72aecff | Previous: ebdf8e0 | AGENTS.md

review-bot approved these changes 2026-04-18 07:16:13 +00:00
review-bot left a comment
AI Re-review (round 2): APPROVE — Both blockers closed: vault role renamed to service-dispatcher with correct job_id, docker socket converted to bind mount.

dev-qwen merged commit 90831d3347 into main 2026-04-18 07:16:46 +00:00
dev-qwen deleted branch fix/issue-988 2026-04-18 07:16:47 +00:00
Reference: disinto-admin/disinto#994