From 2803f694e8e27c0de1b0fa646eefb8e968612ffb Mon Sep 17 00:00:00 2001 From: Adrian Cowan Date: Thu, 6 Nov 2025 19:30:42 +1100 Subject: [PATCH] Add Unifi Network --- 1-nixos-node/configuration.nix | 44 +++++++++++++++++++ 1-nixos-node/terraform.tfstate | 30 ++++++------- 1-nixos-node/terraform.tfstate.backup | 30 ++++++------- 2-nomad-config/2-ingress/traefik.nomad.hcl | 13 ++++++ 2-nomad-config/unifi.nomad.hcl | 50 ++++++++++++++++++++++ 2-nomad-config/unifi.tf | 32 ++++++++++++++ 6 files changed, 169 insertions(+), 30 deletions(-) create mode 100644 2-nomad-config/unifi.nomad.hcl create mode 100644 2-nomad-config/unifi.tf diff --git a/1-nixos-node/configuration.nix b/1-nixos-node/configuration.nix index 1b024ce..0dacc0e 100644 --- a/1-nixos-node/configuration.nix +++ b/1-nixos-node/configuration.nix @@ -113,6 +113,50 @@ networking.firewall.allowedTCPPorts = [ 80 443 8081 4646 4647 4648 8300 8301 8500 ]; networking.firewall.allowedUDPPorts = [ 8301 ]; + # Ensure Docker daemon is available (Nomad enableDocker only configures Nomad, does not guarantee docker service) + virtualisation.docker.enable = true; + + # Proper systemd service definition for macvlan network creation + systemd.services.docker-macvlan-network = { + description = "Ensure macvlan Docker network exists"; + after = [ "network-online.target" "docker.service" ]; + wants = [ "network-online.target" "docker.service" ]; + wantedBy = [ "multi-user.target" ]; + serviceConfig = { + Type = "oneshot"; + }; + # Provide required binaries in PATH + path = [ pkgs.docker pkgs.bash pkgs.coreutils pkgs.iproute2 pkgs.gnugrep ]; + script = '' + set -euo pipefail + NET_NAME=macvlan + if docker network inspect "$NET_NAME" >/dev/null 2>&1; then + echo "Docker network $NET_NAME already exists" + exit 0 + fi + echo "Creating Docker macvlan network $NET_NAME on interface ${bind_interface}" + # We intentionally do NOT use --ip-range here to avoid allocating the + # same reserved pool on every host (which could lead to collisions if + # multiple macvlan containers are started across nodes). Instead, we + # give critical services (like UniFi) an explicit static IP via the + # Nomad job (Docker static assignment) and rely on manual DHCP + # reservations to prevent conflicts. + # + # If you later need multiple macvlan-assigned containers per host, + # consider one of these strategies: + # 1. Per-host distinct network name + ip-range slice (macvlan-m01, ...) + # 2. Parameterize an ip-range per host in Terraform and template here + # 3. Keep a registry of allocated static IPs in Consul KV / Nomad vars + docker network create -d macvlan \ + --subnet=192.168.1.0/24 \ + --gateway=192.168.1.1 \ + -o parent=${bind_interface} \ + "$NET_NAME" + echo "Docker macvlan network $NET_NAME created" + ''; + restartIfChanged = false; # Don't rerun just because comment changed + }; + # Copy the NixOS configuration file and link it from the resulting system # (/run/current-system/configuration.nix). This is useful in case you # accidentally delete configuration.nix. diff --git a/1-nixos-node/terraform.tfstate b/1-nixos-node/terraform.tfstate index 9b98cf5..3ac2110 100644 --- a/1-nixos-node/terraform.tfstate +++ b/1-nixos-node/terraform.tfstate @@ -1,7 +1,7 @@ { "version": 4, "terraform_version": "1.13.0", - "serial": 325, + "serial": 349, "lineage": "db7dcf21-a255-0ec4-c8b8-d4a7559b3768", "outputs": {}, "resources": [ @@ -15,9 +15,9 @@ "index_key": "jaglan-beta-m02", "schema_version": 0, "attributes": { - "id": "4799650720916837801", + "id": "2783769279590369857", "triggers": { - "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m02\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n };\n client = {\n enabled = true;\n preferred_address_family = \"ipv4\";\n cpu_total_compute = 7200;\n host_volume = {\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"enp1s0\";\n interface.advertise = \"enp1s0\";\n forceAddrFamily = \"ipv4\";\n extraConfig = {\n client_addr = \"{{ GetPrivateInterfaces | exclude \\\"type\\\" \\\"ipv6\\\" | join \\\"address\\\" \\\" \\\" }} {{ GetAllInterfaces | include \\\"flags\\\" \\\"loopback\\\" | join \\\"address\\\" \\\" \\\" }}\";\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m02\"\n \"jaglan-beta-m03\"\n \"jaglan-beta-m04\"\n \"jaglan-beta-m05\"\n \"jaglan-beta-m20\"\n \"jaglan-beta-m21\"\n \"jaglan-beta-m22\"\n ];\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n ];\n\n # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 8081 4646 4647 4648 8300 8301 8500 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n \n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" + "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m02\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n };\n client = {\n enabled = true;\n preferred_address_family = \"ipv4\";\n cpu_total_compute = 7200;\n host_volume = {\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"enp1s0\";\n interface.advertise = \"enp1s0\";\n forceAddrFamily = \"ipv4\";\n extraConfig = {\n client_addr = \"{{ GetPrivateInterfaces | exclude \\\"type\\\" \\\"ipv6\\\" | join \\\"address\\\" \\\" \\\" }} {{ GetAllInterfaces | include \\\"flags\\\" \\\"loopback\\\" | join \\\"address\\\" \\\" \\\" }}\";\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m02\"\n \"jaglan-beta-m03\"\n \"jaglan-beta-m04\"\n \"jaglan-beta-m05\"\n \"jaglan-beta-m20\"\n \"jaglan-beta-m21\"\n \"jaglan-beta-m22\"\n ];\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n ];\n\n # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 8081 4646 4647 4648 8300 8301 8500 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Ensure Docker daemon is available (Nomad enableDocker only configures Nomad, does not guarantee docker service)\n virtualisation.docker.enable = true;\n\n # Proper systemd service definition for macvlan network creation\n systemd.services.docker-macvlan-network = {\n description = \"Ensure macvlan Docker network exists\";\n after = [ \"network-online.target\" \"docker.service\" ];\n wants = [ \"network-online.target\" \"docker.service\" ];\n wantedBy = [ \"multi-user.target\" ];\n serviceConfig = {\n Type = \"oneshot\";\n };\n # Provide required binaries in PATH\n path = [ pkgs.docker pkgs.bash pkgs.coreutils pkgs.iproute2 pkgs.gnugrep ];\n script = ''\n set -euo pipefail\n NET_NAME=macvlan\n if docker network inspect \"$NET_NAME\" \u003e/dev/null 2\u003e\u00261; then\n echo \"Docker network $NET_NAME already exists\"\n exit 0\n fi\n echo \"Creating Docker macvlan network $NET_NAME on interface enp1s0\"\n # We intentionally do NOT use --ip-range here to avoid allocating the\n # same reserved pool on every host (which could lead to collisions if\n # multiple macvlan containers are started across nodes). Instead, we\n # give critical services (like UniFi) an explicit static IP via the\n # Nomad job (Docker static assignment) and rely on manual DHCP\n # reservations to prevent conflicts.\n #\n # If you later need multiple macvlan-assigned containers per host,\n # consider one of these strategies:\n # 1. Per-host distinct network name + ip-range slice (macvlan-m01, ...)\n # 2. Parameterize an ip-range per host in Terraform and template here\n # 3. Keep a registry of allocated static IPs in Consul KV / Nomad vars\n docker network create -d macvlan \\\n --subnet=192.168.1.0/24 \\\n --gateway=192.168.1.1 \\\n -o parent=enp1s0 \\\n \"$NET_NAME\"\n echo \"Docker macvlan network $NET_NAME created\"\n '';\n restartIfChanged = false; # Don't rerun just because comment changed\n };\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n \n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" } }, "sensitive_attributes": [], @@ -27,9 +27,9 @@ "index_key": "jaglan-beta-m03", "schema_version": 0, "attributes": { - "id": "3940670083197547320", + "id": "3638707624141311812", "triggers": { - "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m03\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n };\n client = {\n enabled = true;\n preferred_address_family = \"ipv4\";\n cpu_total_compute = 7200;\n host_volume = {\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"enp1s0\";\n interface.advertise = \"enp1s0\";\n forceAddrFamily = \"ipv4\";\n extraConfig = {\n client_addr = \"{{ GetPrivateInterfaces | exclude \\\"type\\\" \\\"ipv6\\\" | join \\\"address\\\" \\\" \\\" }} {{ GetAllInterfaces | include \\\"flags\\\" \\\"loopback\\\" | join \\\"address\\\" \\\" \\\" }}\";\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m02\"\n \"jaglan-beta-m03\"\n \"jaglan-beta-m04\"\n \"jaglan-beta-m05\"\n \"jaglan-beta-m20\"\n \"jaglan-beta-m21\"\n \"jaglan-beta-m22\"\n ];\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n ];\n\n # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 8081 4646 4647 4648 8300 8301 8500 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n \n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" + "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m03\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n };\n client = {\n enabled = true;\n preferred_address_family = \"ipv4\";\n cpu_total_compute = 7200;\n host_volume = {\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"enp1s0\";\n interface.advertise = \"enp1s0\";\n forceAddrFamily = \"ipv4\";\n extraConfig = {\n client_addr = \"{{ GetPrivateInterfaces | exclude \\\"type\\\" \\\"ipv6\\\" | join \\\"address\\\" \\\" \\\" }} {{ GetAllInterfaces | include \\\"flags\\\" \\\"loopback\\\" | join \\\"address\\\" \\\" \\\" }}\";\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m02\"\n \"jaglan-beta-m03\"\n \"jaglan-beta-m04\"\n \"jaglan-beta-m05\"\n \"jaglan-beta-m20\"\n \"jaglan-beta-m21\"\n \"jaglan-beta-m22\"\n ];\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n ];\n\n # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 8081 4646 4647 4648 8300 8301 8500 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Ensure Docker daemon is available (Nomad enableDocker only configures Nomad, does not guarantee docker service)\n virtualisation.docker.enable = true;\n\n # Proper systemd service definition for macvlan network creation\n systemd.services.docker-macvlan-network = {\n description = \"Ensure macvlan Docker network exists\";\n after = [ \"network-online.target\" \"docker.service\" ];\n wants = [ \"network-online.target\" \"docker.service\" ];\n wantedBy = [ \"multi-user.target\" ];\n serviceConfig = {\n Type = \"oneshot\";\n };\n # Provide required binaries in PATH\n path = [ pkgs.docker pkgs.bash pkgs.coreutils pkgs.iproute2 pkgs.gnugrep ];\n script = ''\n set -euo pipefail\n NET_NAME=macvlan\n if docker network inspect \"$NET_NAME\" \u003e/dev/null 2\u003e\u00261; then\n echo \"Docker network $NET_NAME already exists\"\n exit 0\n fi\n echo \"Creating Docker macvlan network $NET_NAME on interface enp1s0\"\n # We intentionally do NOT use --ip-range here to avoid allocating the\n # same reserved pool on every host (which could lead to collisions if\n # multiple macvlan containers are started across nodes). Instead, we\n # give critical services (like UniFi) an explicit static IP via the\n # Nomad job (Docker static assignment) and rely on manual DHCP\n # reservations to prevent conflicts.\n #\n # If you later need multiple macvlan-assigned containers per host,\n # consider one of these strategies:\n # 1. Per-host distinct network name + ip-range slice (macvlan-m01, ...)\n # 2. Parameterize an ip-range per host in Terraform and template here\n # 3. Keep a registry of allocated static IPs in Consul KV / Nomad vars\n docker network create -d macvlan \\\n --subnet=192.168.1.0/24 \\\n --gateway=192.168.1.1 \\\n -o parent=enp1s0 \\\n \"$NET_NAME\"\n echo \"Docker macvlan network $NET_NAME created\"\n '';\n restartIfChanged = false; # Don't rerun just because comment changed\n };\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n \n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" } }, "sensitive_attributes": [], @@ -39,9 +39,9 @@ "index_key": "jaglan-beta-m04", "schema_version": 0, "attributes": { - "id": "5130090292645542538", + "id": "1323163878905719535", "triggers": { - "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m04\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n };\n client = {\n enabled = true;\n preferred_address_family = \"ipv4\";\n cpu_total_compute = 7200;\n host_volume = {\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"enp1s0\";\n interface.advertise = \"enp1s0\";\n forceAddrFamily = \"ipv4\";\n extraConfig = {\n client_addr = \"{{ GetPrivateInterfaces | exclude \\\"type\\\" \\\"ipv6\\\" | join \\\"address\\\" \\\" \\\" }} {{ GetAllInterfaces | include \\\"flags\\\" \\\"loopback\\\" | join \\\"address\\\" \\\" \\\" }}\";\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m02\"\n \"jaglan-beta-m03\"\n \"jaglan-beta-m04\"\n \"jaglan-beta-m05\"\n \"jaglan-beta-m20\"\n \"jaglan-beta-m21\"\n \"jaglan-beta-m22\"\n ];\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n ];\n\n # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 8081 4646 4647 4648 8300 8301 8500 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n \n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" + "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m04\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n };\n client = {\n enabled = true;\n preferred_address_family = \"ipv4\";\n cpu_total_compute = 7200;\n host_volume = {\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"enp1s0\";\n interface.advertise = \"enp1s0\";\n forceAddrFamily = \"ipv4\";\n extraConfig = {\n client_addr = \"{{ GetPrivateInterfaces | exclude \\\"type\\\" \\\"ipv6\\\" | join \\\"address\\\" \\\" \\\" }} {{ GetAllInterfaces | include \\\"flags\\\" \\\"loopback\\\" | join \\\"address\\\" \\\" \\\" }}\";\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m02\"\n \"jaglan-beta-m03\"\n \"jaglan-beta-m04\"\n \"jaglan-beta-m05\"\n \"jaglan-beta-m20\"\n \"jaglan-beta-m21\"\n \"jaglan-beta-m22\"\n ];\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n ];\n\n # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 8081 4646 4647 4648 8300 8301 8500 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Ensure Docker daemon is available (Nomad enableDocker only configures Nomad, does not guarantee docker service)\n virtualisation.docker.enable = true;\n\n # Proper systemd service definition for macvlan network creation\n systemd.services.docker-macvlan-network = {\n description = \"Ensure macvlan Docker network exists\";\n after = [ \"network-online.target\" \"docker.service\" ];\n wants = [ \"network-online.target\" \"docker.service\" ];\n wantedBy = [ \"multi-user.target\" ];\n serviceConfig = {\n Type = \"oneshot\";\n };\n # Provide required binaries in PATH\n path = [ pkgs.docker pkgs.bash pkgs.coreutils pkgs.iproute2 pkgs.gnugrep ];\n script = ''\n set -euo pipefail\n NET_NAME=macvlan\n if docker network inspect \"$NET_NAME\" \u003e/dev/null 2\u003e\u00261; then\n echo \"Docker network $NET_NAME already exists\"\n exit 0\n fi\n echo \"Creating Docker macvlan network $NET_NAME on interface enp1s0\"\n # We intentionally do NOT use --ip-range here to avoid allocating the\n # same reserved pool on every host (which could lead to collisions if\n # multiple macvlan containers are started across nodes). Instead, we\n # give critical services (like UniFi) an explicit static IP via the\n # Nomad job (Docker static assignment) and rely on manual DHCP\n # reservations to prevent conflicts.\n #\n # If you later need multiple macvlan-assigned containers per host,\n # consider one of these strategies:\n # 1. Per-host distinct network name + ip-range slice (macvlan-m01, ...)\n # 2. Parameterize an ip-range per host in Terraform and template here\n # 3. Keep a registry of allocated static IPs in Consul KV / Nomad vars\n docker network create -d macvlan \\\n --subnet=192.168.1.0/24 \\\n --gateway=192.168.1.1 \\\n -o parent=enp1s0 \\\n \"$NET_NAME\"\n echo \"Docker macvlan network $NET_NAME created\"\n '';\n restartIfChanged = false; # Don't rerun just because comment changed\n };\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n \n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" } }, "sensitive_attributes": [], @@ -51,9 +51,9 @@ "index_key": "jaglan-beta-m05", "schema_version": 0, "attributes": { - "id": "1855172426704636197", + "id": "5342315196925353897", "triggers": { - "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m05\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n };\n client = {\n enabled = true;\n preferred_address_family = \"ipv4\";\n cpu_total_compute = 7200;\n host_volume = {\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"enp1s0\";\n interface.advertise = \"enp1s0\";\n forceAddrFamily = \"ipv4\";\n extraConfig = {\n client_addr = \"{{ GetPrivateInterfaces | exclude \\\"type\\\" \\\"ipv6\\\" | join \\\"address\\\" \\\" \\\" }} {{ GetAllInterfaces | include \\\"flags\\\" \\\"loopback\\\" | join \\\"address\\\" \\\" \\\" }}\";\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m02\"\n \"jaglan-beta-m03\"\n \"jaglan-beta-m04\"\n \"jaglan-beta-m05\"\n \"jaglan-beta-m20\"\n \"jaglan-beta-m21\"\n \"jaglan-beta-m22\"\n ];\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n ];\n\n # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 8081 4646 4647 4648 8300 8301 8500 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n \n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" + "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m05\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n };\n client = {\n enabled = true;\n preferred_address_family = \"ipv4\";\n cpu_total_compute = 7200;\n host_volume = {\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"enp1s0\";\n interface.advertise = \"enp1s0\";\n forceAddrFamily = \"ipv4\";\n extraConfig = {\n client_addr = \"{{ GetPrivateInterfaces | exclude \\\"type\\\" \\\"ipv6\\\" | join \\\"address\\\" \\\" \\\" }} {{ GetAllInterfaces | include \\\"flags\\\" \\\"loopback\\\" | join \\\"address\\\" \\\" \\\" }}\";\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m02\"\n \"jaglan-beta-m03\"\n \"jaglan-beta-m04\"\n \"jaglan-beta-m05\"\n \"jaglan-beta-m20\"\n \"jaglan-beta-m21\"\n \"jaglan-beta-m22\"\n ];\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n ];\n\n # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 8081 4646 4647 4648 8300 8301 8500 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Ensure Docker daemon is available (Nomad enableDocker only configures Nomad, does not guarantee docker service)\n virtualisation.docker.enable = true;\n\n # Proper systemd service definition for macvlan network creation\n systemd.services.docker-macvlan-network = {\n description = \"Ensure macvlan Docker network exists\";\n after = [ \"network-online.target\" \"docker.service\" ];\n wants = [ \"network-online.target\" \"docker.service\" ];\n wantedBy = [ \"multi-user.target\" ];\n serviceConfig = {\n Type = \"oneshot\";\n };\n # Provide required binaries in PATH\n path = [ pkgs.docker pkgs.bash pkgs.coreutils pkgs.iproute2 pkgs.gnugrep ];\n script = ''\n set -euo pipefail\n NET_NAME=macvlan\n if docker network inspect \"$NET_NAME\" \u003e/dev/null 2\u003e\u00261; then\n echo \"Docker network $NET_NAME already exists\"\n exit 0\n fi\n echo \"Creating Docker macvlan network $NET_NAME on interface enp1s0\"\n # We intentionally do NOT use --ip-range here to avoid allocating the\n # same reserved pool on every host (which could lead to collisions if\n # multiple macvlan containers are started across nodes). Instead, we\n # give critical services (like UniFi) an explicit static IP via the\n # Nomad job (Docker static assignment) and rely on manual DHCP\n # reservations to prevent conflicts.\n #\n # If you later need multiple macvlan-assigned containers per host,\n # consider one of these strategies:\n # 1. Per-host distinct network name + ip-range slice (macvlan-m01, ...)\n # 2. Parameterize an ip-range per host in Terraform and template here\n # 3. Keep a registry of allocated static IPs in Consul KV / Nomad vars\n docker network create -d macvlan \\\n --subnet=192.168.1.0/24 \\\n --gateway=192.168.1.1 \\\n -o parent=enp1s0 \\\n \"$NET_NAME\"\n echo \"Docker macvlan network $NET_NAME created\"\n '';\n restartIfChanged = false; # Don't rerun just because comment changed\n };\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n \n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" } }, "sensitive_attributes": [], @@ -63,9 +63,9 @@ "index_key": "jaglan-beta-m20", "schema_version": 0, "attributes": { - "id": "2979501464234412040", + "id": "3124620801526096462", "triggers": { - "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m20\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n bootstrap_expect = 1;\n };\n client = {\n enabled = true;\n preferred_address_family = \"ipv4\";\n cpu_total_compute = 10000;\n host_volume = {\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"ens2\";\n interface.advertise = \"ens2\";\n forceAddrFamily = \"ipv4\";\n extraConfig = {\n client_addr = \"{{ GetPrivateInterfaces | exclude \\\"type\\\" \\\"ipv6\\\" | join \\\"address\\\" \\\" \\\" }} {{ GetAllInterfaces | include \\\"flags\\\" \\\"loopback\\\" | join \\\"address\\\" \\\" \\\" }}\";\n bootstrap_expect = 1;\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m02\"\n \"jaglan-beta-m03\"\n \"jaglan-beta-m04\"\n \"jaglan-beta-m05\"\n \"jaglan-beta-m20\"\n \"jaglan-beta-m21\"\n \"jaglan-beta-m22\"\n ];\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n ];\n\n # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 8081 4646 4647 4648 8300 8301 8500 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n \n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" + "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m20\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n };\n client = {\n enabled = true;\n preferred_address_family = \"ipv4\";\n cpu_total_compute = 10000;\n host_volume = {\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"ens2\";\n interface.advertise = \"ens2\";\n forceAddrFamily = \"ipv4\";\n extraConfig = {\n client_addr = \"{{ GetPrivateInterfaces | exclude \\\"type\\\" \\\"ipv6\\\" | join \\\"address\\\" \\\" \\\" }} {{ GetAllInterfaces | include \\\"flags\\\" \\\"loopback\\\" | join \\\"address\\\" \\\" \\\" }}\";\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m02\"\n \"jaglan-beta-m03\"\n \"jaglan-beta-m04\"\n \"jaglan-beta-m05\"\n \"jaglan-beta-m20\"\n \"jaglan-beta-m21\"\n \"jaglan-beta-m22\"\n ];\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n ];\n\n # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 8081 4646 4647 4648 8300 8301 8500 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Ensure Docker daemon is available (Nomad enableDocker only configures Nomad, does not guarantee docker service)\n virtualisation.docker.enable = true;\n\n # Proper systemd service definition for macvlan network creation\n systemd.services.docker-macvlan-network = {\n description = \"Ensure macvlan Docker network exists\";\n after = [ \"network-online.target\" \"docker.service\" ];\n wants = [ \"network-online.target\" \"docker.service\" ];\n wantedBy = [ \"multi-user.target\" ];\n serviceConfig = {\n Type = \"oneshot\";\n };\n # Provide required binaries in PATH\n path = [ pkgs.docker pkgs.bash pkgs.coreutils pkgs.iproute2 pkgs.gnugrep ];\n script = ''\n set -euo pipefail\n NET_NAME=macvlan\n if docker network inspect \"$NET_NAME\" \u003e/dev/null 2\u003e\u00261; then\n echo \"Docker network $NET_NAME already exists\"\n exit 0\n fi\n echo \"Creating Docker macvlan network $NET_NAME on interface ens2\"\n # We intentionally do NOT use --ip-range here to avoid allocating the\n # same reserved pool on every host (which could lead to collisions if\n # multiple macvlan containers are started across nodes). Instead, we\n # give critical services (like UniFi) an explicit static IP via the\n # Nomad job (Docker static assignment) and rely on manual DHCP\n # reservations to prevent conflicts.\n #\n # If you later need multiple macvlan-assigned containers per host,\n # consider one of these strategies:\n # 1. Per-host distinct network name + ip-range slice (macvlan-m01, ...)\n # 2. Parameterize an ip-range per host in Terraform and template here\n # 3. Keep a registry of allocated static IPs in Consul KV / Nomad vars\n docker network create -d macvlan \\\n --subnet=192.168.1.0/24 \\\n --gateway=192.168.1.1 \\\n -o parent=ens2 \\\n \"$NET_NAME\"\n echo \"Docker macvlan network $NET_NAME created\"\n '';\n restartIfChanged = false; # Don't rerun just because comment changed\n };\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n \n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" } }, "sensitive_attributes": [], @@ -75,9 +75,9 @@ "index_key": "jaglan-beta-m21", "schema_version": 0, "attributes": { - "id": "6363236121611066492", + "id": "8470653452997158221", "triggers": { - "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m21\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n };\n client = {\n enabled = true;\n preferred_address_family = \"ipv4\";\n cpu_total_compute = 10000;\n host_volume = {\n traefik = {\n path = \"/opt/traefik\";\n read_only = false;\n };\n postgres = {\n path = \"/opt/postgres\";\n read_only = false;\n };\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"ens2\";\n interface.advertise = \"ens2\";\n forceAddrFamily = \"ipv4\";\n extraConfig = {\n client_addr = \"{{ GetPrivateInterfaces | exclude \\\"type\\\" \\\"ipv6\\\" | join \\\"address\\\" \\\" \\\" }} {{ GetAllInterfaces | include \\\"flags\\\" \\\"loopback\\\" | join \\\"address\\\" \\\" \\\" }}\";\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m02\"\n \"jaglan-beta-m03\"\n \"jaglan-beta-m04\"\n \"jaglan-beta-m05\"\n \"jaglan-beta-m20\"\n \"jaglan-beta-m21\"\n \"jaglan-beta-m22\"\n ];\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n # Create a directory for traefik to store its data\n \"d /opt/traefik 0755 root root -\"\n # Create a directory for postgres to store its data\n \"d /opt/postgres 0755 root root -\"\n ];\n\n # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 8081 4646 4647 4648 8300 8301 8500 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n \n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" + "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m21\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n };\n client = {\n enabled = true;\n preferred_address_family = \"ipv4\";\n cpu_total_compute = 10000;\n host_volume = {\n traefik = {\n path = \"/opt/traefik\";\n read_only = false;\n };\n postgres = {\n path = \"/opt/postgres\";\n read_only = false;\n };\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"ens2\";\n interface.advertise = \"ens2\";\n forceAddrFamily = \"ipv4\";\n extraConfig = {\n client_addr = \"{{ GetPrivateInterfaces | exclude \\\"type\\\" \\\"ipv6\\\" | join \\\"address\\\" \\\" \\\" }} {{ GetAllInterfaces | include \\\"flags\\\" \\\"loopback\\\" | join \\\"address\\\" \\\" \\\" }}\";\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m02\"\n \"jaglan-beta-m03\"\n \"jaglan-beta-m04\"\n \"jaglan-beta-m05\"\n \"jaglan-beta-m20\"\n \"jaglan-beta-m21\"\n \"jaglan-beta-m22\"\n ];\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n # Create a directory for traefik to store its data\n \"d /opt/traefik 0755 root root -\"\n # Create a directory for postgres to store its data\n \"d /opt/postgres 0755 root root -\"\n ];\n\n # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 8081 4646 4647 4648 8300 8301 8500 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Ensure Docker daemon is available (Nomad enableDocker only configures Nomad, does not guarantee docker service)\n virtualisation.docker.enable = true;\n\n # Proper systemd service definition for macvlan network creation\n systemd.services.docker-macvlan-network = {\n description = \"Ensure macvlan Docker network exists\";\n after = [ \"network-online.target\" \"docker.service\" ];\n wants = [ \"network-online.target\" \"docker.service\" ];\n wantedBy = [ \"multi-user.target\" ];\n serviceConfig = {\n Type = \"oneshot\";\n };\n # Provide required binaries in PATH\n path = [ pkgs.docker pkgs.bash pkgs.coreutils pkgs.iproute2 pkgs.gnugrep ];\n script = ''\n set -euo pipefail\n NET_NAME=macvlan\n if docker network inspect \"$NET_NAME\" \u003e/dev/null 2\u003e\u00261; then\n echo \"Docker network $NET_NAME already exists\"\n exit 0\n fi\n echo \"Creating Docker macvlan network $NET_NAME on interface ens2\"\n # We intentionally do NOT use --ip-range here to avoid allocating the\n # same reserved pool on every host (which could lead to collisions if\n # multiple macvlan containers are started across nodes). Instead, we\n # give critical services (like UniFi) an explicit static IP via the\n # Nomad job (Docker static assignment) and rely on manual DHCP\n # reservations to prevent conflicts.\n #\n # If you later need multiple macvlan-assigned containers per host,\n # consider one of these strategies:\n # 1. Per-host distinct network name + ip-range slice (macvlan-m01, ...)\n # 2. Parameterize an ip-range per host in Terraform and template here\n # 3. Keep a registry of allocated static IPs in Consul KV / Nomad vars\n docker network create -d macvlan \\\n --subnet=192.168.1.0/24 \\\n --gateway=192.168.1.1 \\\n -o parent=ens2 \\\n \"$NET_NAME\"\n echo \"Docker macvlan network $NET_NAME created\"\n '';\n restartIfChanged = false; # Don't rerun just because comment changed\n };\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n \n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" } }, "sensitive_attributes": [], @@ -87,9 +87,9 @@ "index_key": "jaglan-beta-m22", "schema_version": 0, "attributes": { - "id": "2272269092899111201", + "id": "8361281837723862876", "triggers": { - "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m22\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n };\n client = {\n enabled = true;\n preferred_address_family = \"ipv4\";\n cpu_total_compute = 10000;\n host_volume = {\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"ens2\";\n interface.advertise = \"ens2\";\n forceAddrFamily = \"ipv4\";\n extraConfig = {\n client_addr = \"{{ GetPrivateInterfaces | exclude \\\"type\\\" \\\"ipv6\\\" | join \\\"address\\\" \\\" \\\" }} {{ GetAllInterfaces | include \\\"flags\\\" \\\"loopback\\\" | join \\\"address\\\" \\\" \\\" }}\";\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m02\"\n \"jaglan-beta-m03\"\n \"jaglan-beta-m04\"\n \"jaglan-beta-m05\"\n \"jaglan-beta-m20\"\n \"jaglan-beta-m21\"\n \"jaglan-beta-m22\"\n ];\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n ];\n\n # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 8081 4646 4647 4648 8300 8301 8500 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n \n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" + "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m22\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n };\n client = {\n enabled = true;\n preferred_address_family = \"ipv4\";\n cpu_total_compute = 10000;\n host_volume = {\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"ens2\";\n interface.advertise = \"ens2\";\n forceAddrFamily = \"ipv4\";\n extraConfig = {\n client_addr = \"{{ GetPrivateInterfaces | exclude \\\"type\\\" \\\"ipv6\\\" | join \\\"address\\\" \\\" \\\" }} {{ GetAllInterfaces | include \\\"flags\\\" \\\"loopback\\\" | join \\\"address\\\" \\\" \\\" }}\";\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m02\"\n \"jaglan-beta-m03\"\n \"jaglan-beta-m04\"\n \"jaglan-beta-m05\"\n \"jaglan-beta-m20\"\n \"jaglan-beta-m21\"\n \"jaglan-beta-m22\"\n ];\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n ];\n\n # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 8081 4646 4647 4648 8300 8301 8500 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Ensure Docker daemon is available (Nomad enableDocker only configures Nomad, does not guarantee docker service)\n virtualisation.docker.enable = true;\n\n # Proper systemd service definition for macvlan network creation\n systemd.services.docker-macvlan-network = {\n description = \"Ensure macvlan Docker network exists\";\n after = [ \"network-online.target\" \"docker.service\" ];\n wants = [ \"network-online.target\" \"docker.service\" ];\n wantedBy = [ \"multi-user.target\" ];\n serviceConfig = {\n Type = \"oneshot\";\n };\n # Provide required binaries in PATH\n path = [ pkgs.docker pkgs.bash pkgs.coreutils pkgs.iproute2 pkgs.gnugrep ];\n script = ''\n set -euo pipefail\n NET_NAME=macvlan\n if docker network inspect \"$NET_NAME\" \u003e/dev/null 2\u003e\u00261; then\n echo \"Docker network $NET_NAME already exists\"\n exit 0\n fi\n echo \"Creating Docker macvlan network $NET_NAME on interface ens2\"\n # We intentionally do NOT use --ip-range here to avoid allocating the\n # same reserved pool on every host (which could lead to collisions if\n # multiple macvlan containers are started across nodes). Instead, we\n # give critical services (like UniFi) an explicit static IP via the\n # Nomad job (Docker static assignment) and rely on manual DHCP\n # reservations to prevent conflicts.\n #\n # If you later need multiple macvlan-assigned containers per host,\n # consider one of these strategies:\n # 1. Per-host distinct network name + ip-range slice (macvlan-m01, ...)\n # 2. Parameterize an ip-range per host in Terraform and template here\n # 3. Keep a registry of allocated static IPs in Consul KV / Nomad vars\n docker network create -d macvlan \\\n --subnet=192.168.1.0/24 \\\n --gateway=192.168.1.1 \\\n -o parent=ens2 \\\n \"$NET_NAME\"\n echo \"Docker macvlan network $NET_NAME created\"\n '';\n restartIfChanged = false; # Don't rerun just because comment changed\n };\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n \n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" } }, "sensitive_attributes": [], diff --git a/1-nixos-node/terraform.tfstate.backup b/1-nixos-node/terraform.tfstate.backup index ffb699d..b39995d 100644 --- a/1-nixos-node/terraform.tfstate.backup +++ b/1-nixos-node/terraform.tfstate.backup @@ -1,7 +1,7 @@ { "version": 4, "terraform_version": "1.13.0", - "serial": 322, + "serial": 346, "lineage": "db7dcf21-a255-0ec4-c8b8-d4a7559b3768", "outputs": {}, "resources": [ @@ -15,9 +15,9 @@ "index_key": "jaglan-beta-m02", "schema_version": 0, "attributes": { - "id": "4799650720916837801", + "id": "2783769279590369857", "triggers": { - "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m02\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n };\n client = {\n enabled = true;\n preferred_address_family = \"ipv4\";\n cpu_total_compute = 7200;\n host_volume = {\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"enp1s0\";\n interface.advertise = \"enp1s0\";\n forceAddrFamily = \"ipv4\";\n extraConfig = {\n client_addr = \"{{ GetPrivateInterfaces | exclude \\\"type\\\" \\\"ipv6\\\" | join \\\"address\\\" \\\" \\\" }} {{ GetAllInterfaces | include \\\"flags\\\" \\\"loopback\\\" | join \\\"address\\\" \\\" \\\" }}\";\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m02\"\n \"jaglan-beta-m03\"\n \"jaglan-beta-m04\"\n \"jaglan-beta-m05\"\n \"jaglan-beta-m20\"\n \"jaglan-beta-m21\"\n \"jaglan-beta-m22\"\n ];\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n ];\n\n # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 8081 4646 4647 4648 8300 8301 8500 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n \n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" + "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m02\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n };\n client = {\n enabled = true;\n preferred_address_family = \"ipv4\";\n cpu_total_compute = 7200;\n host_volume = {\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"enp1s0\";\n interface.advertise = \"enp1s0\";\n forceAddrFamily = \"ipv4\";\n extraConfig = {\n client_addr = \"{{ GetPrivateInterfaces | exclude \\\"type\\\" \\\"ipv6\\\" | join \\\"address\\\" \\\" \\\" }} {{ GetAllInterfaces | include \\\"flags\\\" \\\"loopback\\\" | join \\\"address\\\" \\\" \\\" }}\";\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m02\"\n \"jaglan-beta-m03\"\n \"jaglan-beta-m04\"\n \"jaglan-beta-m05\"\n \"jaglan-beta-m20\"\n \"jaglan-beta-m21\"\n \"jaglan-beta-m22\"\n ];\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n ];\n\n # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 8081 4646 4647 4648 8300 8301 8500 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Ensure Docker daemon is available (Nomad enableDocker only configures Nomad, does not guarantee docker service)\n virtualisation.docker.enable = true;\n\n # Proper systemd service definition for macvlan network creation\n systemd.services.docker-macvlan-network = {\n description = \"Ensure macvlan Docker network exists\";\n after = [ \"network-online.target\" \"docker.service\" ];\n wants = [ \"network-online.target\" \"docker.service\" ];\n wantedBy = [ \"multi-user.target\" ];\n serviceConfig = {\n Type = \"oneshot\";\n };\n # Provide required binaries in PATH\n path = [ pkgs.docker pkgs.bash pkgs.coreutils pkgs.iproute2 pkgs.gnugrep ];\n script = ''\n set -euo pipefail\n NET_NAME=macvlan\n if docker network inspect \"$NET_NAME\" \u003e/dev/null 2\u003e\u00261; then\n echo \"Docker network $NET_NAME already exists\"\n exit 0\n fi\n echo \"Creating Docker macvlan network $NET_NAME on interface enp1s0\"\n # We intentionally do NOT use --ip-range here to avoid allocating the\n # same reserved pool on every host (which could lead to collisions if\n # multiple macvlan containers are started across nodes). Instead, we\n # give critical services (like UniFi) an explicit static IP via the\n # Nomad job (Docker static assignment) and rely on manual DHCP\n # reservations to prevent conflicts.\n #\n # If you later need multiple macvlan-assigned containers per host,\n # consider one of these strategies:\n # 1. Per-host distinct network name + ip-range slice (macvlan-m01, ...)\n # 2. Parameterize an ip-range per host in Terraform and template here\n # 3. Keep a registry of allocated static IPs in Consul KV / Nomad vars\n docker network create -d macvlan \\\n --subnet=192.168.1.0/24 \\\n --gateway=192.168.1.1 \\\n -o parent=enp1s0 \\\n \"$NET_NAME\"\n echo \"Docker macvlan network $NET_NAME created\"\n '';\n restartIfChanged = false; # Don't rerun just because comment changed\n };\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n \n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" } }, "sensitive_attributes": [], @@ -27,9 +27,9 @@ "index_key": "jaglan-beta-m03", "schema_version": 0, "attributes": { - "id": "3940670083197547320", + "id": "3638707624141311812", "triggers": { - "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m03\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n };\n client = {\n enabled = true;\n preferred_address_family = \"ipv4\";\n cpu_total_compute = 7200;\n host_volume = {\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"enp1s0\";\n interface.advertise = \"enp1s0\";\n forceAddrFamily = \"ipv4\";\n extraConfig = {\n client_addr = \"{{ GetPrivateInterfaces | exclude \\\"type\\\" \\\"ipv6\\\" | join \\\"address\\\" \\\" \\\" }} {{ GetAllInterfaces | include \\\"flags\\\" \\\"loopback\\\" | join \\\"address\\\" \\\" \\\" }}\";\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m02\"\n \"jaglan-beta-m03\"\n \"jaglan-beta-m04\"\n \"jaglan-beta-m05\"\n \"jaglan-beta-m20\"\n \"jaglan-beta-m21\"\n \"jaglan-beta-m22\"\n ];\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n ];\n\n # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 8081 4646 4647 4648 8300 8301 8500 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n \n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" + "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m03\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n };\n client = {\n enabled = true;\n preferred_address_family = \"ipv4\";\n cpu_total_compute = 7200;\n host_volume = {\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"enp1s0\";\n interface.advertise = \"enp1s0\";\n forceAddrFamily = \"ipv4\";\n extraConfig = {\n client_addr = \"{{ GetPrivateInterfaces | exclude \\\"type\\\" \\\"ipv6\\\" | join \\\"address\\\" \\\" \\\" }} {{ GetAllInterfaces | include \\\"flags\\\" \\\"loopback\\\" | join \\\"address\\\" \\\" \\\" }}\";\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m02\"\n \"jaglan-beta-m03\"\n \"jaglan-beta-m04\"\n \"jaglan-beta-m05\"\n \"jaglan-beta-m20\"\n \"jaglan-beta-m21\"\n \"jaglan-beta-m22\"\n ];\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n ];\n\n # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 8081 4646 4647 4648 8300 8301 8500 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Ensure Docker daemon is available (Nomad enableDocker only configures Nomad, does not guarantee docker service)\n virtualisation.docker.enable = true;\n\n # Proper systemd service definition for macvlan network creation\n systemd.services.docker-macvlan-network = {\n description = \"Ensure macvlan Docker network exists\";\n after = [ \"network-online.target\" \"docker.service\" ];\n wants = [ \"network-online.target\" \"docker.service\" ];\n wantedBy = [ \"multi-user.target\" ];\n serviceConfig = {\n Type = \"oneshot\";\n };\n # Provide required binaries in PATH\n path = [ pkgs.docker pkgs.bash pkgs.coreutils pkgs.iproute2 pkgs.gnugrep ];\n script = ''\n set -euo pipefail\n NET_NAME=macvlan\n if docker network inspect \"$NET_NAME\" \u003e/dev/null 2\u003e\u00261; then\n echo \"Docker network $NET_NAME already exists\"\n exit 0\n fi\n echo \"Creating Docker macvlan network $NET_NAME on interface enp1s0\"\n # We intentionally do NOT use --ip-range here to avoid allocating the\n # same reserved pool on every host (which could lead to collisions if\n # multiple macvlan containers are started across nodes). Instead, we\n # give critical services (like UniFi) an explicit static IP via the\n # Nomad job (Docker static assignment) and rely on manual DHCP\n # reservations to prevent conflicts.\n #\n # If you later need multiple macvlan-assigned containers per host,\n # consider one of these strategies:\n # 1. Per-host distinct network name + ip-range slice (macvlan-m01, ...)\n # 2. Parameterize an ip-range per host in Terraform and template here\n # 3. Keep a registry of allocated static IPs in Consul KV / Nomad vars\n docker network create -d macvlan \\\n --subnet=192.168.1.0/24 \\\n --gateway=192.168.1.1 \\\n -o parent=enp1s0 \\\n \"$NET_NAME\"\n echo \"Docker macvlan network $NET_NAME created\"\n '';\n restartIfChanged = false; # Don't rerun just because comment changed\n };\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n \n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" } }, "sensitive_attributes": [], @@ -39,9 +39,9 @@ "index_key": "jaglan-beta-m04", "schema_version": 0, "attributes": { - "id": "5130090292645542538", + "id": "1323163878905719535", "triggers": { - "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m04\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n };\n client = {\n enabled = true;\n preferred_address_family = \"ipv4\";\n cpu_total_compute = 7200;\n host_volume = {\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"enp1s0\";\n interface.advertise = \"enp1s0\";\n forceAddrFamily = \"ipv4\";\n extraConfig = {\n client_addr = \"{{ GetPrivateInterfaces | exclude \\\"type\\\" \\\"ipv6\\\" | join \\\"address\\\" \\\" \\\" }} {{ GetAllInterfaces | include \\\"flags\\\" \\\"loopback\\\" | join \\\"address\\\" \\\" \\\" }}\";\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m02\"\n \"jaglan-beta-m03\"\n \"jaglan-beta-m04\"\n \"jaglan-beta-m05\"\n \"jaglan-beta-m20\"\n \"jaglan-beta-m21\"\n \"jaglan-beta-m22\"\n ];\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n ];\n\n # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 8081 4646 4647 4648 8300 8301 8500 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n \n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" + "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m04\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n };\n client = {\n enabled = true;\n preferred_address_family = \"ipv4\";\n cpu_total_compute = 7200;\n host_volume = {\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"enp1s0\";\n interface.advertise = \"enp1s0\";\n forceAddrFamily = \"ipv4\";\n extraConfig = {\n client_addr = \"{{ GetPrivateInterfaces | exclude \\\"type\\\" \\\"ipv6\\\" | join \\\"address\\\" \\\" \\\" }} {{ GetAllInterfaces | include \\\"flags\\\" \\\"loopback\\\" | join \\\"address\\\" \\\" \\\" }}\";\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m02\"\n \"jaglan-beta-m03\"\n \"jaglan-beta-m04\"\n \"jaglan-beta-m05\"\n \"jaglan-beta-m20\"\n \"jaglan-beta-m21\"\n \"jaglan-beta-m22\"\n ];\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n ];\n\n # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 8081 4646 4647 4648 8300 8301 8500 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Ensure Docker daemon is available (Nomad enableDocker only configures Nomad, does not guarantee docker service)\n virtualisation.docker.enable = true;\n\n # Proper systemd service definition for macvlan network creation\n systemd.services.docker-macvlan-network = {\n description = \"Ensure macvlan Docker network exists\";\n after = [ \"network-online.target\" \"docker.service\" ];\n wants = [ \"network-online.target\" \"docker.service\" ];\n wantedBy = [ \"multi-user.target\" ];\n serviceConfig = {\n Type = \"oneshot\";\n };\n # Provide required binaries in PATH\n path = [ pkgs.docker pkgs.bash pkgs.coreutils pkgs.iproute2 pkgs.gnugrep ];\n script = ''\n set -euo pipefail\n NET_NAME=macvlan\n if docker network inspect \"$NET_NAME\" \u003e/dev/null 2\u003e\u00261; then\n echo \"Docker network $NET_NAME already exists\"\n exit 0\n fi\n echo \"Creating Docker macvlan network $NET_NAME on interface enp1s0\"\n # We intentionally do NOT use --ip-range here to avoid allocating the\n # same reserved pool on every host (which could lead to collisions if\n # multiple macvlan containers are started across nodes). Instead, we\n # give critical services (like UniFi) an explicit static IP via the\n # Nomad job (Docker static assignment) and rely on manual DHCP\n # reservations to prevent conflicts.\n #\n # If you later need multiple macvlan-assigned containers per host,\n # consider one of these strategies:\n # 1. Per-host distinct network name + ip-range slice (macvlan-m01, ...)\n # 2. Parameterize an ip-range per host in Terraform and template here\n # 3. Keep a registry of allocated static IPs in Consul KV / Nomad vars\n docker network create -d macvlan \\\n --subnet=192.168.1.0/24 \\\n --gateway=192.168.1.1 \\\n -o parent=enp1s0 \\\n \"$NET_NAME\"\n echo \"Docker macvlan network $NET_NAME created\"\n '';\n restartIfChanged = false; # Don't rerun just because comment changed\n };\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n \n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" } }, "sensitive_attributes": [], @@ -51,9 +51,9 @@ "index_key": "jaglan-beta-m05", "schema_version": 0, "attributes": { - "id": "1855172426704636197", + "id": "5342315196925353897", "triggers": { - "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m05\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n };\n client = {\n enabled = true;\n preferred_address_family = \"ipv4\";\n cpu_total_compute = 7200;\n host_volume = {\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"enp1s0\";\n interface.advertise = \"enp1s0\";\n forceAddrFamily = \"ipv4\";\n extraConfig = {\n client_addr = \"{{ GetPrivateInterfaces | exclude \\\"type\\\" \\\"ipv6\\\" | join \\\"address\\\" \\\" \\\" }} {{ GetAllInterfaces | include \\\"flags\\\" \\\"loopback\\\" | join \\\"address\\\" \\\" \\\" }}\";\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m02\"\n \"jaglan-beta-m03\"\n \"jaglan-beta-m04\"\n \"jaglan-beta-m05\"\n \"jaglan-beta-m20\"\n \"jaglan-beta-m21\"\n \"jaglan-beta-m22\"\n ];\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n ];\n\n # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 8081 4646 4647 4648 8300 8301 8500 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n \n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" + "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m05\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n };\n client = {\n enabled = true;\n preferred_address_family = \"ipv4\";\n cpu_total_compute = 7200;\n host_volume = {\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"enp1s0\";\n interface.advertise = \"enp1s0\";\n forceAddrFamily = \"ipv4\";\n extraConfig = {\n client_addr = \"{{ GetPrivateInterfaces | exclude \\\"type\\\" \\\"ipv6\\\" | join \\\"address\\\" \\\" \\\" }} {{ GetAllInterfaces | include \\\"flags\\\" \\\"loopback\\\" | join \\\"address\\\" \\\" \\\" }}\";\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m02\"\n \"jaglan-beta-m03\"\n \"jaglan-beta-m04\"\n \"jaglan-beta-m05\"\n \"jaglan-beta-m20\"\n \"jaglan-beta-m21\"\n \"jaglan-beta-m22\"\n ];\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n ];\n\n # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 8081 4646 4647 4648 8300 8301 8500 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Ensure Docker daemon is available (Nomad enableDocker only configures Nomad, does not guarantee docker service)\n virtualisation.docker.enable = true;\n\n # Proper systemd service definition for macvlan network creation\n systemd.services.docker-macvlan-network = {\n description = \"Ensure macvlan Docker network exists\";\n after = [ \"network-online.target\" \"docker.service\" ];\n wants = [ \"network-online.target\" \"docker.service\" ];\n wantedBy = [ \"multi-user.target\" ];\n serviceConfig = {\n Type = \"oneshot\";\n };\n # Provide required binaries in PATH\n path = [ pkgs.docker pkgs.bash pkgs.coreutils pkgs.iproute2 pkgs.gnugrep ];\n script = ''\n set -euo pipefail\n NET_NAME=macvlan\n if docker network inspect \"$NET_NAME\" \u003e/dev/null 2\u003e\u00261; then\n echo \"Docker network $NET_NAME already exists\"\n exit 0\n fi\n echo \"Creating Docker macvlan network $NET_NAME on interface enp1s0\"\n # We intentionally do NOT use --ip-range here to avoid allocating the\n # same reserved pool on every host (which could lead to collisions if\n # multiple macvlan containers are started across nodes). Instead, we\n # give critical services (like UniFi) an explicit static IP via the\n # Nomad job (Docker static assignment) and rely on manual DHCP\n # reservations to prevent conflicts.\n #\n # If you later need multiple macvlan-assigned containers per host,\n # consider one of these strategies:\n # 1. Per-host distinct network name + ip-range slice (macvlan-m01, ...)\n # 2. Parameterize an ip-range per host in Terraform and template here\n # 3. Keep a registry of allocated static IPs in Consul KV / Nomad vars\n docker network create -d macvlan \\\n --subnet=192.168.1.0/24 \\\n --gateway=192.168.1.1 \\\n -o parent=enp1s0 \\\n \"$NET_NAME\"\n echo \"Docker macvlan network $NET_NAME created\"\n '';\n restartIfChanged = false; # Don't rerun just because comment changed\n };\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n \n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" } }, "sensitive_attributes": [], @@ -63,9 +63,9 @@ "index_key": "jaglan-beta-m20", "schema_version": 0, "attributes": { - "id": "2979501464234412040", + "id": "3124620801526096462", "triggers": { - "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m20\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n bootstrap_expect = 1;\n };\n client = {\n enabled = true;\n preferred_address_family = \"ipv4\";\n cpu_total_compute = 10000;\n host_volume = {\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"ens2\";\n interface.advertise = \"ens2\";\n forceAddrFamily = \"ipv4\";\n extraConfig = {\n client_addr = \"{{ GetPrivateInterfaces | exclude \\\"type\\\" \\\"ipv6\\\" | join \\\"address\\\" \\\" \\\" }} {{ GetAllInterfaces | include \\\"flags\\\" \\\"loopback\\\" | join \\\"address\\\" \\\" \\\" }}\";\n bootstrap_expect = 1;\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m02\"\n \"jaglan-beta-m03\"\n \"jaglan-beta-m04\"\n \"jaglan-beta-m05\"\n \"jaglan-beta-m20\"\n \"jaglan-beta-m21\"\n \"jaglan-beta-m22\"\n ];\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n ];\n\n # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 8081 4646 4647 4648 8300 8301 8500 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n \n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" + "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m20\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n };\n client = {\n enabled = true;\n preferred_address_family = \"ipv4\";\n cpu_total_compute = 10000;\n host_volume = {\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"ens2\";\n interface.advertise = \"ens2\";\n forceAddrFamily = \"ipv4\";\n extraConfig = {\n client_addr = \"{{ GetPrivateInterfaces | exclude \\\"type\\\" \\\"ipv6\\\" | join \\\"address\\\" \\\" \\\" }} {{ GetAllInterfaces | include \\\"flags\\\" \\\"loopback\\\" | join \\\"address\\\" \\\" \\\" }}\";\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m02\"\n \"jaglan-beta-m03\"\n \"jaglan-beta-m04\"\n \"jaglan-beta-m05\"\n \"jaglan-beta-m20\"\n \"jaglan-beta-m21\"\n \"jaglan-beta-m22\"\n ];\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n ];\n\n # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 8081 4646 4647 4648 8300 8301 8500 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Ensure Docker daemon is available (Nomad enableDocker only configures Nomad, does not guarantee docker service)\n virtualisation.docker.enable = true;\n\n # Proper systemd service definition for macvlan network creation\n systemd.services.docker-macvlan-network = {\n description = \"Ensure macvlan Docker network exists\";\n after = [ \"network-online.target\" \"docker.service\" ];\n wants = [ \"network-online.target\" \"docker.service\" ];\n wantedBy = [ \"multi-user.target\" ];\n serviceConfig = {\n Type = \"oneshot\";\n };\n # Provide required binaries in PATH\n path = [ pkgs.docker pkgs.bash pkgs.coreutils pkgs.iproute2 pkgs.gnugrep ];\n script = ''\n set -euo pipefail\n NET_NAME=macvlan\n if docker network inspect \"$NET_NAME\" \u003e/dev/null 2\u003e\u00261; then\n echo \"Docker network $NET_NAME already exists\"\n exit 0\n fi\n echo \"Creating Docker macvlan network $NET_NAME on interface ens2\"\n # We intentionally do NOT use --ip-range here to avoid allocating the\n # same reserved pool on every host (which could lead to collisions if\n # multiple macvlan containers are started across nodes). Instead, we\n # give critical services (like UniFi) an explicit static IP via the\n # Nomad job (Docker static assignment) and rely on manual DHCP\n # reservations to prevent conflicts.\n #\n # If you later need multiple macvlan-assigned containers per host,\n # consider one of these strategies:\n # 1. Per-host distinct network name + ip-range slice (macvlan-m01, ...)\n # 2. Parameterize an ip-range per host in Terraform and template here\n # 3. Keep a registry of allocated static IPs in Consul KV / Nomad vars\n docker network create -d macvlan \\\n --subnet=192.168.1.0/24 \\\n --gateway=192.168.1.1 \\\n -o parent=ens2 \\\n \"$NET_NAME\"\n echo \"Docker macvlan network $NET_NAME created\"\n '';\n restartIfChanged = false; # Don't rerun just because comment changed\n };\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n \n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" } }, "sensitive_attributes": [], @@ -75,9 +75,9 @@ "index_key": "jaglan-beta-m21", "schema_version": 0, "attributes": { - "id": "6363236121611066492", + "id": "8470653452997158221", "triggers": { - "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m21\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n };\n client = {\n enabled = true;\n preferred_address_family = \"ipv4\";\n cpu_total_compute = 10000;\n host_volume = {\n traefik = {\n path = \"/opt/traefik\";\n read_only = false;\n };\n postgres = {\n path = \"/opt/postgres\";\n read_only = false;\n };\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"ens2\";\n interface.advertise = \"ens2\";\n forceAddrFamily = \"ipv4\";\n extraConfig = {\n client_addr = \"{{ GetPrivateInterfaces | exclude \\\"type\\\" \\\"ipv6\\\" | join \\\"address\\\" \\\" \\\" }} {{ GetAllInterfaces | include \\\"flags\\\" \\\"loopback\\\" | join \\\"address\\\" \\\" \\\" }}\";\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m02\"\n \"jaglan-beta-m03\"\n \"jaglan-beta-m04\"\n \"jaglan-beta-m05\"\n \"jaglan-beta-m20\"\n \"jaglan-beta-m21\"\n \"jaglan-beta-m22\"\n ];\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n # Create a directory for traefik to store its data\n \"d /opt/traefik 0755 root root -\"\n # Create a directory for postgres to store its data\n \"d /opt/postgres 0755 root root -\"\n ];\n\n # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 8081 4646 4647 4648 8300 8301 8500 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n \n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" + "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m21\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n };\n client = {\n enabled = true;\n preferred_address_family = \"ipv4\";\n cpu_total_compute = 10000;\n host_volume = {\n traefik = {\n path = \"/opt/traefik\";\n read_only = false;\n };\n postgres = {\n path = \"/opt/postgres\";\n read_only = false;\n };\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"ens2\";\n interface.advertise = \"ens2\";\n forceAddrFamily = \"ipv4\";\n extraConfig = {\n client_addr = \"{{ GetPrivateInterfaces | exclude \\\"type\\\" \\\"ipv6\\\" | join \\\"address\\\" \\\" \\\" }} {{ GetAllInterfaces | include \\\"flags\\\" \\\"loopback\\\" | join \\\"address\\\" \\\" \\\" }}\";\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m02\"\n \"jaglan-beta-m03\"\n \"jaglan-beta-m04\"\n \"jaglan-beta-m05\"\n \"jaglan-beta-m20\"\n \"jaglan-beta-m21\"\n \"jaglan-beta-m22\"\n ];\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n # Create a directory for traefik to store its data\n \"d /opt/traefik 0755 root root -\"\n # Create a directory for postgres to store its data\n \"d /opt/postgres 0755 root root -\"\n ];\n\n # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 8081 4646 4647 4648 8300 8301 8500 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Ensure Docker daemon is available (Nomad enableDocker only configures Nomad, does not guarantee docker service)\n virtualisation.docker.enable = true;\n\n # Proper systemd service definition for macvlan network creation\n systemd.services.docker-macvlan-network = {\n description = \"Ensure macvlan Docker network exists\";\n after = [ \"network-online.target\" \"docker.service\" ];\n wants = [ \"network-online.target\" \"docker.service\" ];\n wantedBy = [ \"multi-user.target\" ];\n serviceConfig = {\n Type = \"oneshot\";\n };\n # Provide required binaries in PATH\n path = [ pkgs.docker pkgs.bash pkgs.coreutils pkgs.iproute2 pkgs.gnugrep ];\n script = ''\n set -euo pipefail\n NET_NAME=macvlan\n if docker network inspect \"$NET_NAME\" \u003e/dev/null 2\u003e\u00261; then\n echo \"Docker network $NET_NAME already exists\"\n exit 0\n fi\n echo \"Creating Docker macvlan network $NET_NAME on interface ens2\"\n # We intentionally do NOT use --ip-range here to avoid allocating the\n # same reserved pool on every host (which could lead to collisions if\n # multiple macvlan containers are started across nodes). Instead, we\n # give critical services (like UniFi) an explicit static IP via the\n # Nomad job (Docker static assignment) and rely on manual DHCP\n # reservations to prevent conflicts.\n #\n # If you later need multiple macvlan-assigned containers per host,\n # consider one of these strategies:\n # 1. Per-host distinct network name + ip-range slice (macvlan-m01, ...)\n # 2. Parameterize an ip-range per host in Terraform and template here\n # 3. Keep a registry of allocated static IPs in Consul KV / Nomad vars\n docker network create -d macvlan \\\n --subnet=192.168.1.0/24 \\\n --gateway=192.168.1.1 \\\n -o parent=ens2 \\\n \"$NET_NAME\"\n echo \"Docker macvlan network $NET_NAME created\"\n '';\n restartIfChanged = false; # Don't rerun just because comment changed\n };\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n \n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" } }, "sensitive_attributes": [], @@ -87,9 +87,9 @@ "index_key": "jaglan-beta-m22", "schema_version": 0, "attributes": { - "id": "1381056892788237526", + "id": "2272269092899111201", "triggers": { - "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m22\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n };\n client = {\n enabled = true;\n cpu_total_compute = 10000;\n host_volume = {\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"ens2\";\n interface.advertise = \"ens2\";\n extraConfig = {\n client_addr = \"{{ GetPrivateInterfaces | exclude \\\"type\\\" \\\"ipv6\\\" | join \\\"address\\\" \\\" \\\" }} {{ GetAllInterfaces | include \\\"flags\\\" \\\"loopback\\\" | join \\\"address\\\" \\\" \\\" }}\";\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m20\"\n \"jaglan-beta-m21\"\n \"jaglan-beta-m22\"\n ];\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n ];\n\n # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 8081 4646 4647 4648 8300 8301 8500 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n \n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" + "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m22\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n };\n client = {\n enabled = true;\n preferred_address_family = \"ipv4\";\n cpu_total_compute = 10000;\n host_volume = {\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"ens2\";\n interface.advertise = \"ens2\";\n forceAddrFamily = \"ipv4\";\n extraConfig = {\n client_addr = \"{{ GetPrivateInterfaces | exclude \\\"type\\\" \\\"ipv6\\\" | join \\\"address\\\" \\\" \\\" }} {{ GetAllInterfaces | include \\\"flags\\\" \\\"loopback\\\" | join \\\"address\\\" \\\" \\\" }}\";\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m02\"\n \"jaglan-beta-m03\"\n \"jaglan-beta-m04\"\n \"jaglan-beta-m05\"\n \"jaglan-beta-m20\"\n \"jaglan-beta-m21\"\n \"jaglan-beta-m22\"\n ];\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n ];\n\n # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 8081 4646 4647 4648 8300 8301 8500 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n \n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" } }, "sensitive_attributes": [], diff --git a/2-nomad-config/2-ingress/traefik.nomad.hcl b/2-nomad-config/2-ingress/traefik.nomad.hcl index ea32ac4..7de46a1 100644 --- a/2-nomad-config/2-ingress/traefik.nomad.hcl +++ b/2-nomad-config/2-ingress/traefik.nomad.hcl @@ -112,6 +112,9 @@ EOF template { data = <