fix: switch to Consul KV template for secrets injection

- Consul now running on int node (joined cluster)
- provider=consul re-enabled (int has consul.version=1.22.7)
- Removed sed placeholder approach + Gitea secrets requirement
- Added template{} stanzas reading from consul kv mmd/* keys
- Cleaned up deploy.yml (removed sed substitution step)

.gitea/workflows/deploy.yml

@@ -80,23 +80,13 @@ jobs:
       env:
         NOMAD_ADDR: "https://nomad.i80.dk:4646"
 
-    - name: Substitute secrets into Nomad job
-      run: |
-        sed \
-          -e "s|__DATABASE_URL__|${{ secrets.DATABASE_URL }}|g" \
-          -e "s|__ANTHROPIC_API_KEY__|${{ secrets.ANTHROPIC_API_KEY }}|g" \
-          -e "s|__SAXO_APP_KEY__|${{ secrets.SAXO_APP_KEY }}|g" \
-          -e "s|__SAXO_APP_SECRET_1__|${{ secrets.SAXO_APP_SECRET_1 }}|g" \
-          -e "s|__SAXO_BASE__|${{ secrets.SAXO_BASE }}|g" \
-          mmd.nomad > mmd_deploy.nomad
-
     - name: Validate Nomad job
-      run: nomad job validate mmd_deploy.nomad
+      run: nomad job validate mmd.nomad
       env:
         NOMAD_ADDR: "https://nomad.i80.dk:4646"
 
     - name: Deploy to Nomad
-      run: nomad job run mmd_deploy.nomad
+      run: nomad job run mmd.nomad
       env:
         NOMAD_ADDR: "https://nomad.i80.dk:4646"
 

mmd.nomad

@@ -36,7 +36,7 @@ job "moneymaker" {
     }
 
     service {
-      provider = "nomad"
+      provider = "consul"
       name     = "moneymaker"
       port     = "http"
 
@@ -78,18 +78,26 @@ job "moneymaker" {
         mode     = "fail"
       }
 
+      template {
+        data = <<EOH
+DATABASE_URL="{{ key "mmd/DATABASE_URL" }}"
+ANTHROPIC_API_KEY="{{ key "mmd/anthropic_api_key" }}"
+SAXO_APP_KEY="{{ key "mmd/SAXO_APP_KEY" }}"
+SAXO_APP_SECRET_1="{{ key "mmd/SAXO_APP_SECRET_1" }}"
+SAXO_BASE="{{ key "mmd/SAXO_BASE" }}"
+HARBOR_ROBOT_TOKEN="{{ key "harbor/robot/token" }}"
+EOH
+        destination = "secrets/app.env"
+        env         = true
+      }
+
       env {
-        APP_ENV           = "production"
+        APP_ENV         = "production"
-        PORT              = "${NOMAD_PORT_http}"
+        PORT            = "${NOMAD_PORT_http}"
-        HOST              = "0.0.0.0"
+        HOST            = "0.0.0.0"
-        LOG_DIR           = "/app/data/logs"
+        LOG_DIR         = "/app/data/logs"
-        SAXO_TOKEN_FILE   = "/app/data/.saxo_token.json"
+        SAXO_TOKEN_FILE = "/app/data/.saxo_token.json"
-        HF_HOME           = "/app/data/hf-cache"
+        HF_HOME         = "/app/data/hf-cache"
-        DATABASE_URL      = "__DATABASE_URL__"
-        ANTHROPIC_API_KEY = "__ANTHROPIC_API_KEY__"
-        SAXO_APP_KEY      = "__SAXO_APP_KEY__"
-        SAXO_APP_SECRET_1 = "__SAXO_APP_SECRET_1__"
-        SAXO_BASE         = "__SAXO_BASE__"
       }
 
       resources {
@@ -117,15 +125,22 @@ job "moneymaker" {
         mode     = "fail"
       }
 
+      template {
+        data = <<EOH
+DATABASE_URL="{{ key "mmd/DATABASE_URL" }}"
+ANTHROPIC_API_KEY="{{ key "mmd/anthropic_api_key" }}"
+SAXO_APP_KEY="{{ key "mmd/SAXO_APP_KEY" }}"
+SAXO_APP_SECRET_1="{{ key "mmd/SAXO_APP_SECRET_1" }}"
+SAXO_BASE="{{ key "mmd/SAXO_BASE" }}"
+EOH
+        destination = "secrets/worker.env"
+        env         = true
+      }
+
       env {
-        LOG_DIR           = "/app/data/logs"
+        LOG_DIR         = "/app/data/logs"
-        SAXO_TOKEN_FILE   = "/app/data/.saxo_token.json"
+        SAXO_TOKEN_FILE = "/app/data/.saxo_token.json"
-        HF_HOME           = "/app/data/hf-cache"
+        HF_HOME         = "/app/data/hf-cache"
-        DATABASE_URL      = "__DATABASE_URL__"
-        ANTHROPIC_API_KEY = "__ANTHROPIC_API_KEY__"
-        SAXO_APP_KEY      = "__SAXO_APP_KEY__"
-        SAXO_APP_SECRET_1 = "__SAXO_APP_SECRET_1__"
-        SAXO_BASE         = "__SAXO_BASE__"
       }
 
       resources {