hjess/mmd
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(deploy): use Consul KV for secrets via template stanza
Some checks failed
Build and Deploy MoneyMaker / build-and-deploy (push) Has been cancelled
Details

Browse Source 
- Remove sed substitution from pipeline (no more __PLACEHOLDER__ pattern)
- Nomad template{} reads mmd/* keys from Consul KV at allocation time
- Secrets never touch git or pipeline logs
- Remove Gitea secrets dependency for app secrets (only HARBOR_ROBOT_TOKEN needed)
This commit is contained in:
Henrik Jess Nielsen
2026-05-27 00:07:32 +02:00
parent 1df1bbbd47
commit 044cafecc1
2 changed files with 77 additions and 45 deletions
Download Patch File Download Diff File Expand all files Collapse all files

80
mmd.nomad
View File

@@ -32,13 +32,7 @@ job "moneymaker" {
constraint {
attribute = "${node.unique.name}"
value = "autobox"
}
volume "moneymaker-data" {
type = "host"
source = "moneymaker-data"
read_only = false
value = "int"
}
service {
@@ -74,16 +68,11 @@ job "moneymaker" {
task "web" {
driver = "docker"
volume_mount {
volume = "moneymaker-data"
destination = "/app/data"
read_only = false
}
config {
image = "registry.i80.dk/gitea/mmd:latest"
ports = ["http"]
force_pull = true
volumes = ["/opt/nomad/volumes/moneymaker-data:/app/data"]
}
restart {
@@ -94,16 +83,28 @@ job "moneymaker" {
}
env {
APP_ENV = "production"
PORT = "${NOMAD_PORT_http}"
HOST = "0.0.0.0"
LOG_DIR = "/app/data/logs"
SAXO_TOKEN_FILE = "/app/data/.saxo_token.json"
HF_HOME = "/app/data/hf-cache"
DATABASE_URL = "__DATABASE_URL__"
ANTHROPIC_API_KEY = "__ANTHROPIC_API_KEY__"
SAXO_APP_KEY = "__SAXO_APP_KEY__"
SAXO_APP_SECRET_1 = "__SAXO_APP_SECRET_1__"
APP_ENV = "production"
PORT = "${NOMAD_PORT_http}"
HOST = "0.0.0.0"
LOG_DIR = "/app/data/logs"
SAXO_TOKEN_FILE = "/app/data/.saxo_token.json"
HF_HOME = "/app/data/hf-cache"
}
template {
data = <<EOF
DATABASE_URL={{ key "mmd/DATABASE_URL" }}
ANTHROPIC_API_KEY={{ key "mmd/anthropic_api_key" }}
SAXO_APP_KEY={{ key "mmd/SAXO_APP_KEY" }}
SAXO_APP_SECRET_1={{ key "mmd/SAXO_APP_SECRET_1" }}
SAXO_APP_SECRET_2={{ key "mmd/SAXO_APP_SECRET_2" }}
SAXO_BASE={{ key "mmd/SAXO_BASE" }}
SAXO_AUTH_URL={{ key "mmd/SAXO_AUTH_URL" }}
SAXO_TOKEN_URL={{ key "mmd/SAXO_TOKEN_URL" }}
SAXO_REDIRECT={{ key "mmd/SAXO_REDIRECT" }}
EOF
destination = "secrets/app.env"
env = true
}
resources {
@@ -116,17 +117,12 @@ job "moneymaker" {
task "worker" {
driver = "docker"
volume_mount {
volume = "moneymaker-data"
destination = "/app/data"
read_only = false
}
config {
image = "registry.i80.dk/gitea/mmd:latest"
command = "python"
args = ["scheduler.py"]
force_pull = true
volumes = ["/opt/nomad/volumes/moneymaker-data:/app/data"]
}
restart {
@@ -137,13 +133,25 @@ job "moneymaker" {
}
env {
LOG_DIR = "/app/data/logs"
SAXO_TOKEN_FILE = "/app/data/.saxo_token.json"
HF_HOME = "/app/data/hf-cache"
DATABASE_URL = "__DATABASE_URL__"
ANTHROPIC_API_KEY = "__ANTHROPIC_API_KEY__"
SAXO_APP_KEY = "__SAXO_APP_KEY__"
SAXO_APP_SECRET_1 = "__SAXO_APP_SECRET_1__"
LOG_DIR = "/app/data/logs"
SAXO_TOKEN_FILE = "/app/data/.saxo_token.json"
HF_HOME = "/app/data/hf-cache"
}
template {
data = <<EOF
DATABASE_URL={{ key "mmd/DATABASE_URL" }}
ANTHROPIC_API_KEY={{ key "mmd/anthropic_api_key" }}
SAXO_APP_KEY={{ key "mmd/SAXO_APP_KEY" }}
SAXO_APP_SECRET_1={{ key "mmd/SAXO_APP_SECRET_1" }}
SAXO_APP_SECRET_2={{ key "mmd/SAXO_APP_SECRET_2" }}
SAXO_BASE={{ key "mmd/SAXO_BASE" }}
SAXO_AUTH_URL={{ key "mmd/SAXO_AUTH_URL" }}
SAXO_TOKEN_URL={{ key "mmd/SAXO_TOKEN_URL" }}
SAXO_REDIRECT={{ key "mmd/SAXO_REDIRECT" }}
EOF
destination = "secrets/app.env"
env = true
}
resources {