da93748fee
All checks were successful
ci/woodpecker/push/ci Pipeline was successful
ci/woodpecker/push/nomad-validate Pipeline was successful
ci/woodpecker/pr/ci Pipeline was successful
ci/woodpecker/pr/nomad-validate Pipeline was successful
ci/woodpecker/pr/secret-scan Pipeline was successful
ci/woodpecker/pr/smoke-init Pipeline was successful
Add lightweight Nomad service jobs for the staging file server and Claude chat UI. Key changes: - nomad/jobs/staging.hcl: caddy:alpine file-server mounting docker/ as /srv/site (read-only), no Vault integration needed - nomad/jobs/chat.hcl: custom disinto/chat:local image with sandbox hardening (cap_drop ALL, tmpfs, pids_limit 128, security_opt), Vault-templated OAuth secrets from kv/disinto/shared/chat - nomad/client.hcl: add site-content host volume for staging - vault/policies/service-chat.hcl + vault/roles.yaml: read-only access to chat secrets via workload identity - bin/disinto: wire staging+chat into build, deploy order, seed mapping, summary, and service validation - tests/disinto-init-nomad.bats: update known-services assertion Fixes prior art issue where security_opt and pids_limit were placed at task level instead of inside docker driver config block. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
15 lines
451 B
HCL
15 lines
451 B
HCL
# vault/policies/service-chat.hcl
|
|
#
|
|
# Read-only access to shared Chat secrets (OAuth client config, forward auth
|
|
# secret). Attached to the Chat Nomad job via workload identity (S5.2).
|
|
#
|
|
# Scope: kv/disinto/shared/chat — entries owned by the operator and
|
|
# shared between the chat service and edge proxy.
|
|
|
|
path "kv/data/disinto/shared/chat" {
|
|
capabilities = ["read"]
|
|
}
|
|
|
|
path "kv/metadata/disinto/shared/chat" {
|
|
capabilities = ["list", "read"]
|
|
}
|