fix: use versioned image tag via var.image_tag, align Traefik tags with DevOpsMCP pattern

- Add service_name and image_tag variables to nomad job
- Use ${var.image_tag} in image ref instead of hardcoded 'latest'
- CI now passes git SHA as -var='image_tag=<sha>' to nomad job run
- Align Traefik tags with DevOpsMCP pattern (service_name var, rate limiting)
- Add canary update strategy and reschedule block
- Move service block to group level (nomad best practice)

.gitea/workflows/ci.yml

@@ -47,8 +47,9 @@ jobs:
 
       - name: Deploy to Nomad
         run: |
+          SHA=$(git rev-parse --short HEAD)
           nomad job validate ${SERVICE_NAME}.nomad
-          nomad job run ${SERVICE_NAME}.nomad
+          nomad job run -var="image_tag=${SHA}" ${SERVICE_NAME}.nomad
         env:
           NOMAD_ADDR: "https://nomad.i80.dk:4646"
 

devops-dash.nomad

@@ -1,19 +1,61 @@
+variable "service_name" {
+  description = "Service name for consistent naming"
+  type        = string
+  default     = "devops-dash"
+}
+
+variable "image_tag" {
+  description = "Docker image tag to deploy"
+  type        = string
+  default     = "latest"
+}
+
 job "devops-dash" {
   datacenters = ["dc1"]
   type        = "service"
 
+  meta {
+    uuid         = uuidv4()
+    service_name = var.service_name
+  }
+
+  update {
+    stagger           = "30s"
+    max_parallel      = 1
+    auto_revert       = true
+    progress_deadline = "15m"
+  }
+
+  group "devops-dash" {
+    count = 1
+
     constraint {
       attribute = "${node.unique.name}"
       value     = "autobox.i80.dk"
     }
 
-  group "devops-dash" {
+    update {
-    count = 1
+      canary           = 1
+      auto_promote     = true
+      min_healthy_time = "15s"
+      healthy_deadline = "10m"
+      progress_deadline = "15m"
+      auto_revert      = true
+    }
 
     network {
       port "http" {}
     }
 
+    reschedule {
+      attempts       = 5
+      interval       = "10m"
+      delay          = "30s"
+      delay_function = "exponential"
+      max_delay      = "120s"
+      unlimited      = false
+    }
+
     # host volume disabled until autobox is configured.
     # To enable: add to /etc/nomad.d/client.hcl on autobox:
     #   host_volume "devops-mcp-data" {
@@ -28,6 +70,30 @@ job "devops-dash" {
     #   source    = "devops-mcp-data"
     # }
 
+    service {
+      provider = "consul"
+      name     = var.service_name
+      port     = "http"
+
+      tags = [
+        "traefik.enable=true",
+        "traefik.http.routers.${var.service_name}.rule=Host(`dash.i80.dk`)",
+        "traefik.http.routers.${var.service_name}.tls=true",
+        "traefik.http.middlewares.${var.service_name}-limit.ratelimit.burst=20",
+        "traefik.http.middlewares.${var.service_name}-limit.ratelimit.period=1m",
+        "traefik.http.routers.${var.service_name}.middlewares=${var.service_name}-limit"
+      ]
+
+      check {
+        name     = "http_health_check"
+        type     = "http"
+        port     = "http"
+        path     = "/health"
+        interval = "10s"
+        timeout  = "5s"
+      }
+    }
+
     task "devops-dash" {
       driver = "docker"
 
@@ -38,7 +104,7 @@ job "devops-dash" {
       # }
 
       config {
-        image      = "registry.i80.dk/gitea/devops-dash:latest"
+        image      = "registry.i80.dk/gitea/devops-dash:${var.image_tag}"
         ports      = ["http"]
         force_pull = true
 
@@ -69,26 +135,6 @@ EOH
         cpu    = 200
         memory = 256
       }
-
-      service {
-        provider = "consul"
-        name     = "devops-dash"
-        port     = "http"
-
-        tags = [
-          "traefik.enable=true",
-          "traefik.http.routers.devops-dash.rule=Host(`dash.i80.dk`)",
-          "traefik.http.routers.devops-dash.tls=true",
-          "traefik.http.routers.devops-dash.tls.certresolver=letsencrypt",
-        ]
-
-        check {
-          type     = "http"
-          path     = "/health"
-          interval = "15s"
-          timeout  = "3s"
-        }
-      }
     }
   }
 }