feat(deploy): use Consul KV for secrets via template stanza

- Remove sed substitution from pipeline (no more __PLACEHOLDER__ pattern)
- Nomad template{} reads mmd/* keys from Consul KV at allocation time
- Secrets never touch git or pipeline logs
- Remove Gitea secrets dependency for app secrets (only HARBOR_ROBOT_TOKEN needed)
This commit is contained in:
Henrik Jess Nielsen
2026-05-27 00:07:32 +02:00
parent 1df1bbbd47
commit 044cafecc1
2 changed files with 77 additions and 45 deletions


@@ -44,22 +44,46 @@ jobs:
docker push $IMAGE:latest docker push $IMAGE:latest
docker push $IMAGE:${{ github.sha }} docker push $IMAGE:${{ github.sha }}
- name: Substitute secrets into Nomad job - name: Ensure data directory on int node
run: | run: |
sed \ # Run a one-shot batch job on 'int' to create /opt/nomad/volumes/moneymaker-data
-e "s|__DATABASE_URL__|${{ secrets.DATABASE_URL }}|g" \ cat <<'EOF' > mkdir_job.nomad
-e "s|__ANTHROPIC_API_KEY__|${{ secrets.ANTHROPIC_API_KEY }}|g" \ job "mmd-mkdir" {
-e "s|__SAXO_APP_KEY__|${{ secrets.SAXO_APP_KEY }}|g" \ type = "batch"
-e "s|__SAXO_APP_SECRET_1__|${{ secrets.SAXO_APP_SECRET_1 }}|g" \ datacenters = ["dc1"]
mmd.nomad > mmd_deploy.nomad group "setup" {
count = 1
constraint {
attribute = "${node.unique.name}"
value = "int"
}
task "mkdir" {
driver = "docker"
config {
image = "busybox:latest"
command = "/bin/sh"
args = ["-c", "mkdir -p /host/moneymaker-data && chmod 777 /host/moneymaker-data && echo 'Created OK'"]
volumes = ["/opt/nomad/volumes:/host"]
}
resources { cpu = 50; memory = 32 }
}
}
}
EOF
nomad job run mkdir_job.nomad
sleep 10
nomad job status mmd-mkdir
nomad job stop -purge mmd-mkdir || true
env:
NOMAD_ADDR: "https://nomad.i80.dk:4646"
- name: Validate Nomad job - name: Validate Nomad job
run: nomad job validate mmd_deploy.nomad run: nomad job validate mmd.nomad
env: env:
NOMAD_ADDR: "https://nomad.i80.dk:4646" NOMAD_ADDR: "https://nomad.i80.dk:4646"
- name: Deploy to Nomad - name: Deploy to Nomad
run: nomad job run mmd_deploy.nomad run: nomad job run mmd.nomad
env: env:
NOMAD_ADDR: "https://nomad.i80.dk:4646" NOMAD_ADDR: "https://nomad.i80.dk:4646"
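Review bot: The new "Ensure data directory on int node" step creates the host directory with `chmod 777`, which leaves it world-readable and world-writable on the `int` node, and that same directory later holds the token file the job points at with `SAXO_TOKEN_FILE = "/app/data/.saxo_token.json"`, so any local user or container with host access can read or replace it. The container's runtime uid is not visible in this commit; confirm it from the image and restrict the directory to it instead, e.g. `chown <APP_UID> /host/moneymaker-data && chmod 700 /host/moneymaker-data`. The step also never verifies the batch job's outcome: `sleep 10` followed by `nomad job status mmd-mkdir` exits 0 whether the task completed or failed, and the purge is wrapped in `|| true`, so the deploy proceeds even when the directory was never created; parse the task state from `nomad job status` (or `nomad alloc status`) and fail the step on anything other than complete. The bind mount `/opt/nomad/volumes:/host` additionally depends on the Docker driver allowing host volumes on that client, which is configuration outside this change and worth noting in a comment above the step.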


@@ -32,13 +32,7 @@ job "moneymaker" {
constraint { constraint {
attribute = "${node.unique.name}" attribute = "${node.unique.name}"
value = "autobox" value = "int"
}
volume "moneymaker-data" {
type = "host"
source = "moneymaker-data"
read_only = false
} }
service { service {
@@ -74,16 +68,11 @@ job "moneymaker" {
task "web" { task "web" {
driver = "docker" driver = "docker"
volume_mount {
volume = "moneymaker-data"
destination = "/app/data"
read_only = false
}
config { config {
image = "registry.i80.dk/gitea/mmd:latest" image = "registry.i80.dk/gitea/mmd:latest"
ports = ["http"] ports = ["http"]
force_pull = true force_pull = true
volumes = ["/opt/nomad/volumes/moneymaker-data:/app/data"]
} }
restart { restart {
@@ -100,10 +89,22 @@ job "moneymaker" {
LOG_DIR = "/app/data/logs" LOG_DIR = "/app/data/logs"
SAXO_TOKEN_FILE = "/app/data/.saxo_token.json" SAXO_TOKEN_FILE = "/app/data/.saxo_token.json"
HF_HOME = "/app/data/hf-cache" HF_HOME = "/app/data/hf-cache"
DATABASE_URL = "__DATABASE_URL__" }
ANTHROPIC_API_KEY = "__ANTHROPIC_API_KEY__"
SAXO_APP_KEY = "__SAXO_APP_KEY__" template {
SAXO_APP_SECRET_1 = "__SAXO_APP_SECRET_1__" data = <<EOF
DATABASE_URL={{ key "mmd/DATABASE_URL" }}
ANTHROPIC_API_KEY={{ key "mmd/anthropic_api_key" }}
SAXO_APP_KEY={{ key "mmd/SAXO_APP_KEY" }}
SAXO_APP_SECRET_1={{ key "mmd/SAXO_APP_SECRET_1" }}
SAXO_APP_SECRET_2={{ key "mmd/SAXO_APP_SECRET_2" }}
SAXO_BASE={{ key "mmd/SAXO_BASE" }}
SAXO_AUTH_URL={{ key "mmd/SAXO_AUTH_URL" }}
SAXO_TOKEN_URL={{ key "mmd/SAXO_TOKEN_URL" }}
SAXO_REDIRECT={{ key "mmd/SAXO_REDIRECT" }}
EOF
destination = "secrets/app.env"
env = true
} }
resources { resources {
@@ -116,17 +117,12 @@ job "moneymaker" {
task "worker" { task "worker" {
driver = "docker" driver = "docker"
volume_mount {
volume = "moneymaker-data"
destination = "/app/data"
read_only = false
}
config { config {
image = "registry.i80.dk/gitea/mmd:latest" image = "registry.i80.dk/gitea/mmd:latest"
command = "python" command = "python"
args = ["scheduler.py"] args = ["scheduler.py"]
force_pull = true force_pull = true
volumes = ["/opt/nomad/volumes/moneymaker-data:/app/data"]
} }
restart { restart {
@@ -140,10 +136,22 @@ job "moneymaker" {
LOG_DIR = "/app/data/logs" LOG_DIR = "/app/data/logs"
SAXO_TOKEN_FILE = "/app/data/.saxo_token.json" SAXO_TOKEN_FILE = "/app/data/.saxo_token.json"
HF_HOME = "/app/data/hf-cache" HF_HOME = "/app/data/hf-cache"
DATABASE_URL = "__DATABASE_URL__" }
ANTHROPIC_API_KEY = "__ANTHROPIC_API_KEY__"
SAXO_APP_KEY = "__SAXO_APP_KEY__" template {
SAXO_APP_SECRET_1 = "__SAXO_APP_SECRET_1__" data = <<EOF
DATABASE_URL={{ key "mmd/DATABASE_URL" }}
ANTHROPIC_API_KEY={{ key "mmd/anthropic_api_key" }}
SAXO_APP_KEY={{ key "mmd/SAXO_APP_KEY" }}
SAXO_APP_SECRET_1={{ key "mmd/SAXO_APP_SECRET_1" }}
SAXO_APP_SECRET_2={{ key "mmd/SAXO_APP_SECRET_2" }}
SAXO_BASE={{ key "mmd/SAXO_BASE" }}
SAXO_AUTH_URL={{ key "mmd/SAXO_AUTH_URL" }}
SAXO_TOKEN_URL={{ key "mmd/SAXO_TOKEN_URL" }}
SAXO_REDIRECT={{ key "mmd/SAXO_REDIRECT" }}
EOF
destination = "secrets/app.env"
env = true
} }
resources { resources {