feat(deploy): use Consul KV for secrets via template stanza

- Remove sed substitution from pipeline (no more __PLACEHOLDER__ pattern) - Nomad template{} reads mmd/* keys from Consul KV at allocation time - Secrets never touch git or pipeline logs - Remove Gitea secrets dependency for app secrets (only HARBOR_ROBOT_TOKEN needed)
2026-05-27 00:07:32 +02:00
parent 1df1bbbd47
commit 044cafecc1
2 changed files with 77 additions and 45 deletions
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@@ -44,22 +44,46 @@ jobs:
        docker push $IMAGE:latest
        docker push $IMAGE:${{ github.sha }}

-    - name: Substitute secrets into Nomad job
+    - name: Ensure data directory on int node
      run: |
-        sed \
-          -e "s|__DATABASE_URL__|${{ secrets.DATABASE_URL }}|g" \
-          -e "s|__ANTHROPIC_API_KEY__|${{ secrets.ANTHROPIC_API_KEY }}|g" \
-          -e "s|__SAXO_APP_KEY__|${{ secrets.SAXO_APP_KEY }}|g" \
-          -e "s|__SAXO_APP_SECRET_1__|${{ secrets.SAXO_APP_SECRET_1 }}|g" \
-          mmd.nomad > mmd_deploy.nomad
+        # Run a one-shot batch job on 'int' to create /opt/nomad/volumes/moneymaker-data
+        cat <<'EOF' > mkdir_job.nomad
+        job "mmd-mkdir" {
+          type        = "batch"
+          datacenters = ["dc1"]
+          group "setup" {
+            count = 1
+            constraint {
+              attribute = "${node.unique.name}"
+              value     = "int"
+            }
+            task "mkdir" {
+              driver = "docker"
+              config {
+                image   = "busybox:latest"
+                command = "/bin/sh"
+                args    = ["-c", "mkdir -p /host/moneymaker-data && chmod 777 /host/moneymaker-data && echo 'Created OK'"]
+                volumes = ["/opt/nomad/volumes:/host"]
+              }
+              resources { cpu = 50; memory = 32 }
+            }
+          }
+        }
+        EOF
+        nomad job run mkdir_job.nomad
+        sleep 10
+        nomad job status mmd-mkdir
+        nomad job stop -purge mmd-mkdir || true
+      env:
+        NOMAD_ADDR: "https://nomad.i80.dk:4646"

    - name: Validate Nomad job
-      run: nomad job validate mmd_deploy.nomad
+      run: nomad job validate mmd.nomad
      env:
        NOMAD_ADDR: "https://nomad.i80.dk:4646"

    - name: Deploy to Nomad
-      run: nomad job run mmd_deploy.nomad
+      run: nomad job run mmd.nomad
      env:
        NOMAD_ADDR: "https://nomad.i80.dk:4646"