From 8b0b7c1e73236a69ab1cc6635883787272d53843 Mon Sep 17 00:00:00 2001
From: Adrian Cowan
Date: Sun, 25 May 2025 22:40:41 +1000
Subject: [PATCH] Fix some networking issues and setup a second nomad host
---
 1-nixos-node/0-install-nixos.md | 11 +++++++---
 1-nixos-node/configuration.nix | 22 +++++++++++++------
 1-nixos-node/node.tf | 31 +++++++++++++++++++++------
 1-nixos-node/terraform.tfstate | 18 +++++++++++++---
 1-nixos-node/terraform.tfstate.backup | 18 +++++++++++++---
 2-nomad-config/main.tf | 2 +-
 2-nomad-config/secrets.enc.json | 6 +++---
 7 files changed, 81 insertions(+), 27 deletions(-)
diff --git a/1-nixos-node/0-install-nixos.md b/1-nixos-node/0-install-nixos.md
index 36ce6de..d79d2b6 100644
--- a/1-nixos-node/0-install-nixos.md
+++ b/1-nixos-node/0-install-nixos.md
@@ -1,8 +1,13 @@
 Follow steps at https://nixos.org/manual/nixos/stable/#sec-installation-manual-summary
 
-Ensure that ssh is enabled and the hostname is set
+Note: run `lsblk` to determine correct device to install to.
+
+Set the hostname when editing `/mnt/etc/nixos/configuration.nix` before the installation:
+`networking.hostName = "jaglan-beta-mNN";`
+
+Once `nixos-install` is complete and the root password is set and saved edit the `/etc/nixos/configuration.nix` again to enable ssh and run `nixos-rebuild switch`
+
 ```
 services.openssh.enable = true;
 services.openssh.settings.PermitRootLogin = "yes";
-networking.hostName = "jaglan-beta-m01";
-```
\ No newline at end of file
+```
diff --git a/1-nixos-node/configuration.nix b/1-nixos-node/configuration.nix
index cd0be14..8d75b72 100644
--- a/1-nixos-node/configuration.nix
+++ b/1-nixos-node/configuration.nix
@@ -11,7 +11,7 @@
 boot.loader.systemd-boot.enable = true;
 boot.loader.efi.canTouchEfiVariables = true;
 
- networking.hostName = "jaglan-beta-m01"; # Define your hostname.
+ networking.hostName = "${hostname}"; # Define your hostname.
 
 time.timeZone = "Australia/Melbourne";
 
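Review bot: configuration.nix is now a Terraform template rather than plain Nix, but nothing in the file says so, and the `${hostname}` added here looks exactly like Nix's own `${...}` interpolation; the `$${pkgs.cni-plugins}` escape in the hunk at @@ -54 is the only hint. A header comment at the top of the file (outside this hunk) would save the next editor from writing a Nix interpolation that templatefile() then fails to render: `# Rendered by templatefile() from node.tf: ${name} is a Terraform variable; write Nix interpolation as $${...}.` The same note covers the `%{if bootstrap ~}` directives in the hunks at @@ -40 and @@ -66.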
@@ -40,7 +40,9 @@
 datacenter = "jaglan-beta";
 server = {
 enabled = true;
+%{if bootstrap ~}
 bootstrap_expect = 1;
+%{endif ~}
 };
 client = {
 enabled = true;
@@ -54,7 +56,7 @@
 read_only = false;
 };
 };
- cni_path = "${pkgs.cni-plugins}/bin";
+ cni_path = "$${pkgs.cni-plugins}/bin";
 };
 plugin.docker.config.allow_privileged = true;
 };
@@ -66,12 +68,17 @@
 consul = {
 enable = true;
 webUi = true;
- interface.bind = "eno1";
- interface.advertise = "eno1";
+ interface.bind = "${bind_interface}";
+ interface.advertise = "${bind_interface}";
 extraConfig = {
+%{if bootstrap ~}
 bootstrap_expect = 1;
+%{endif ~}
 server = true;
- client_addr = "127.0.0.1 192.168.1.235";
+ retry_join = [
+ "jaglan-beta-m01"
+ "jaglan-beta-m20"
+ ];
 datacenter = "jaglan-beta";
 connect.enabled = true;
 ports.grpc = 8502;
@@ -92,8 +99,9 @@
 "d /opt/postgres 0755 root root -"
 ];
 
- # Open ports in the firewall. 464X are the default ports for Nomad.
- networking.firewall.allowedTCPPorts = [ 80 443 4646 4647 4648 ];
+ # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.
+ networking.firewall.allowedTCPPorts = [ 80 443 4646 4647 4648 8300 8301 ];
+ networking.firewall.allowedUDPPorts = [ 8301 ];
 
 # Copy the NixOS configuration file and link it from the resulting system
 # (/run/current-system/configuration.nix). This is useful in case you
diff --git a/1-nixos-node/node.tf b/1-nixos-node/node.tf
index 3f3fc91..b5f1749 100644
--- a/1-nixos-node/node.tf
+++ b/1-nixos-node/node.tf
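Review bot: Gating `bootstrap_expect` on `bootstrap` leaves the non-bootstrap node's Nomad server block (rendered for jaglan-beta-m20 in terraform.tfstate as just `server = { enabled = true; }`) with no `bootstrap_expect` and no `server_join`, so it can presumably only find m01 through the Consul integration's server auto-join. A one-line comment inside the `%{if bootstrap ~}` guard, `# non-bootstrap servers discover peers via Consul auto-join`, would record that dependency. Note also that two Raft servers form a two-voter quorum that needs both nodes up, so this is less available than a single server until a third is added (or m20 runs client-only with `server.enabled = false`).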
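Review bot: The new `retry_join` makes Consul gossip and RPC cross hosts for the first time, and the hunk at @@ -92 opens 8300/8301 to the network, yet `extraConfig` still carries no `encrypt` gossip key and no TLS settings (the fully rendered block in terraform.tfstate shows only bootstrap_expect, server, retry_join, datacenter, connect and ports.grpc), so any host on the LAN can join the cluster and observe the Serf/RPC traffic. A gossip key generated with `consul keygen` can live in the existing sops file and be delivered outside the rendered configuration (for example through `services.consul.extraConfigFiles`), with `verify_incoming`/`verify_outgoing` and ACLs as the follow-up. Dropping `client_addr` also means Consul's HTTP/DNS listeners fall back to their 127.0.0.1 default, so `webUi = true` is now reachable only from the node itself — fine if intended, but worth a comment. The bare names in `retry_join` rely on the resolver's search domain, while node.tf reaches the same hosts as `${each.value.host}.lan`; using `"jaglan-beta-m01.lan"` and `"jaglan-beta-m20.lan"` here removes that dependency.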
@@ -13,21 +13,38 @@ terraform {
 
 provider "template" {}
 
-variable "ssh_password" {
- description = "Password for SSH connection"
- type = string
+variable "nodes" {
+ description = "Map of nodes with host, password, and bind interface"
+ type = map(object({
+ host = string
+ password = string
+ bind_interface = string
+ bootstrap = optional(bool, false) # Optional field for bootstrap nodes
+ }))
+}
+
+locals {
+ config_files = { for k, v in var.nodes :
+ k => templatefile("${path.module}/configuration.nix", {
+ hostname = v.host
+ bind_interface = v.bind_interface
+ bootstrap = v.bootstrap
+ })
+ }
 }
 
 resource "null_resource" "deploy_nixos" {
+ for_each = var.nodes
+
 connection {
 type = "ssh"
- host = "jaglan-beta-m01.othrayte.one"
+ host = "${each.value.host}.lan"
 user = "root"
- password = var.ssh_password
+ password = each.value.password
 }
 
 provisioner "file" {
- source = "configuration.nix"
+ content = local.config_files[each.key]
 destination = "/tmp/configuration.nix"
 }
 
@@ -39,6 +56,6 @@ resource "null_resource" "deploy_nixos" {
 }
 
 triggers = {
- configuration_content = file("configuration.nix")
+ configuration_content = local.config_files[each.key]
 }
 }
diff --git a/1-nixos-node/terraform.tfstate b/1-nixos-node/terraform.tfstate
index 03fb5ab..241ba09 100644
--- a/1-nixos-node/terraform.tfstate
+++ b/1-nixos-node/terraform.tfstate
@@ -1,7 +1,7 @@
 {
 "version": 4,
 "terraform_version": "1.11.4",
- "serial": 148,
+ "serial": 231,
 "lineage": "db7dcf21-a255-0ec4-c8b8-d4a7559b3768",
 "outputs": {},
 "resources": [
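Review bot: `var.nodes` carries each host's root SSH password but is not marked `sensitive = true`, so Terraform treats it as ordinary data that can surface in saved plan files, `terraform console` and error output. Marking the whole map sensitive is not an option because the same map drives `for_each`, which Terraform refuses for sensitive values; the clean split is to keep `var.nodes` non-secret and move the passwords into a separate sensitive map keyed the same way. The `password` attribute then leaves the object type and `local.config_files` is unaffected.
```hcl
variable "node_passwords" {
  description = "Root SSH password per node, keyed like var.nodes"
  type        = map(string)
  sensitive   = true
}

# … unchanged: variable "nodes" (without the password attribute), locals …

resource "null_resource" "deploy_nixos" {
  for_each = var.nodes

  connection {
    # … unchanged: type, host, user …
    password = var.node_passwords[each.key]
  }
  # … unchanged: provisioners …
```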
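Review bot: `configuration_content = local.config_files[each.key]` copies the entire rendered configuration.nix into Terraform state, and this repository commits terraform.tfstate and its .backup (both are in this patch), so every host's full NixOS config — and anything secret that is later templated into it — ends up in git twice. Storing a digest keeps the same re-deploy semantics without the copy: `configuration_content = sha256(local.config_files[each.key])`. Expect one forced re-run of the provisioners on every node when the trigger value changes.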
@@ -12,11 +12,23 @@ "provider": "provider[\"registry.terraform.io/hashicorp/null\"]", "instances": [ { + "index_key": "jaglan-beta-m01", "schema_version": 0, "attributes": { - "id": "1694374526903751493", + "id": "822625592985314692", "triggers": { - "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m01\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n bootstrap_expect = 1;\n };\n client = {\n enabled = true;\n host_volume = {\n traefik = {\n path = \"/opt/traefik\";\n read_only = false;\n };\n postgres = {\n path = \"/opt/postgres\";\n read_only = false;\n };\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"eno1\";\n interface.advertise = \"eno1\";\n extraConfig = {\n bootstrap_expect = 1;\n server = true;\n client_addr = \"127.0.0.1 192.168.1.235\";\n datacenter 
= \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n # Create a directory for Traefik to store its data (tls certs, etc.)\n \"d /opt/traefik 0755 root root -\"\n # Create a directory for Postgres to store its data\n \"d /opt/postgres 0755 root root -\"\n ];\n\n # Open ports in the firewall. 464X are the default ports for Nomad.\n networking.firewall.allowedTCPPorts = [ 80 443 4646 4647 4648 ];\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n\n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" + "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m01\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! 
The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n bootstrap_expect = 1;\n };\n client = {\n enabled = true;\n host_volume = {\n traefik = {\n path = \"/opt/traefik\";\n read_only = false;\n };\n postgres = {\n path = \"/opt/postgres\";\n read_only = false;\n };\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"eno1\";\n interface.advertise = \"eno1\";\n extraConfig = {\n bootstrap_expect = 1;\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m20\"\n ];\n #client_addr = \"127.0.0.1 192.168.1.235\";\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n # Create a directory for Traefik to store its data (tls certs, etc.)\n \"d /opt/traefik 0755 root root -\"\n # Create a directory for Postgres to store its data\n \"d /opt/postgres 0755 root root -\"\n ];\n\n # Open ports in the firewall. 
80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 4646 4647 4648 8300 8301 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n\n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" + } + }, + "sensitive_attributes": [] + }, + { + "index_key": "jaglan-beta-m20", + "schema_version": 0, + "attributes": { + "id": "429768676960285091", + "triggers": { + "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m20\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! 
The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n };\n client = {\n enabled = true;\n host_volume = {\n traefik = {\n path = \"/opt/traefik\";\n read_only = false;\n };\n postgres = {\n path = \"/opt/postgres\";\n read_only = false;\n };\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"ens2\";\n interface.advertise = \"ens2\";\n extraConfig = {\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m20\"\n ];\n #client_addr = \"127.0.0.1 192.168.1.235\";\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n # Create a directory for Traefik to store its data (tls certs, etc.)\n \"d /opt/traefik 0755 root root -\"\n # Create a directory for Postgres to store its data\n \"d /opt/postgres 0755 root root -\"\n ];\n\n # Open ports in the firewall. 
80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 4646 4647 4648 8300 8301 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n\n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" } }, "sensitive_attributes": [] diff --git a/1-nixos-node/terraform.tfstate.backup b/1-nixos-node/terraform.tfstate.backup index 89e0890..8cba6a7 100644 --- a/1-nixos-node/terraform.tfstate.backup +++ b/1-nixos-node/terraform.tfstate.backup @@ -1,7 +1,7 @@ { "version": 4, "terraform_version": "1.11.4", - "serial": 145, + "serial": 228, "lineage": "db7dcf21-a255-0ec4-c8b8-d4a7559b3768", "outputs": {}, "resources": [ 
@@ -12,11 +12,23 @@ "provider": "provider[\"registry.terraform.io/hashicorp/null\"]", "instances": [ { + "index_key": "jaglan-beta-m01", "schema_version": 0, "attributes": { - "id": "7695263169387917500", + "id": "8713155845042122574", "triggers": { - "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m01\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n tailscale.enable = false;\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n bootstrap_expect = 1;\n };\n client = {\n enabled = true;\n host_volume = {\n traefik = {\n path = \"/opt/traefik\";\n read_only = false;\n };\n postgres = {\n path = \"/opt/postgres\";\n read_only = false;\n };\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n #interface.bind = \"tailscale0\"; # Bind to the Tailscale interface\n #interface.advertise = \"tailscale0\"; # Advertise the Tailscale interface\n 
interface.bind = \"eno1\";\n interface.advertise = \"eno1\";\n extraConfig = {\n bootstrap_expect = 1;\n server = true;\n client_addr = \"127.0.0.1 192.168.1.235\";\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n # Create a directory for Traefik to store its data (tls certs, etc.)\n \"d /opt/traefik 0755 root root -\"\n # Create a directory for Postgres to store its data\n \"d /opt/postgres 0755 root root -\"\n ];\n\n # Open ports in the firewall. 464X are the default ports for Nomad.\n networking.firewall.allowedTCPPorts = [ 80 443 2222 4646 4647 4648 ];\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n\n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" + "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m01\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! 
The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n bootstrap_expect = 2;\n };\n client = {\n enabled = true;\n host_volume = {\n traefik = {\n path = \"/opt/traefik\";\n read_only = false;\n };\n postgres = {\n path = \"/opt/postgres\";\n read_only = false;\n };\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"eno1\";\n interface.advertise = \"eno1\";\n extraConfig = {\n bootstrap_expect = 1;\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m20\"\n ];\n #client_addr = \"127.0.0.1 192.168.1.235\";\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n # Create a directory for Traefik to store its data (tls certs, etc.)\n \"d /opt/traefik 0755 root root -\"\n # Create a directory for Postgres to store its data\n \"d /opt/postgres 0755 root root -\"\n ];\n\n # Open ports in the firewall. 
80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 4646 4647 4648 8300 8301 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n\n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n" + } + }, + "sensitive_attributes": [] + }, + { + "index_key": "jaglan-beta-m20", + "schema_version": 0, + "attributes": { + "id": "429768676960285091", + "triggers": { + "configuration_content": "{ config, lib, pkgs, ... }:\n{\n imports =\n [ # Include the results of the hardware scan.\n ./hardware-configuration.nix\n ];\n\n nixpkgs.config.allowUnfree = true;\n\n # Use the systemd-boot EFI boot loader.\n boot.loader.systemd-boot.enable = true;\n boot.loader.efi.canTouchEfiVariables = true;\n\n networking.hostName = \"jaglan-beta-m20\"; # Define your hostname.\n\n time.timeZone = \"Australia/Melbourne\";\n\n # List packages installed in system profile. To search, run:\n # $ nix search wget\n # environment.systemPackages = with pkgs; [\n # vim # Do not forget to add an editor to edit configuration.nix! 
The Nano editor is also installed by default.\n # wget\n # ];\n\n # Some programs need SUID wrappers, can be configured further or are\n # started in user sessions.\n # programs.mtr.enable = true;\n # programs.gnupg.agent = {\n # enable = true;\n # enableSSHSupport = true;\n # };\n\n # List services that you want to enable:\n services = {\n nomad = {\n enable = true;\n enableDocker = true;\n dropPrivileges = false;\n settings = {\n datacenter = \"jaglan-beta\";\n server = {\n enabled = true;\n };\n client = {\n enabled = true;\n host_volume = {\n traefik = {\n path = \"/opt/traefik\";\n read_only = false;\n };\n postgres = {\n path = \"/opt/postgres\";\n read_only = false;\n };\n };\n cni_path = \"${pkgs.cni-plugins}/bin\";\n };\n plugin.docker.config.allow_privileged = true;\n };\n extraPackages = with pkgs; [\n cni-plugins\n consul\n ];\n };\n consul = {\n enable = true;\n webUi = true;\n interface.bind = \"ens2\";\n interface.advertise = \"ens2\";\n extraConfig = {\n server = true;\n retry_join = [\n \"jaglan-beta-m01\"\n \"jaglan-beta-m20\"\n ];\n #client_addr = \"127.0.0.1 192.168.1.235\";\n datacenter = \"jaglan-beta\";\n connect.enabled = true;\n ports.grpc = 8502;\n };\n };\n openssh = {\n enable = true;\n settings.PermitRootLogin = \"yes\";\n };\n };\n\n systemd.tmpfiles.rules = [\n # Fix issue where nomad needs alloc_mounts to be writable\n \"d /var/lib/alloc_mounts 0755 root root -\"\n # Create a directory for Traefik to store its data (tls certs, etc.)\n \"d /opt/traefik 0755 root root -\"\n # Create a directory for Postgres to store its data\n \"d /opt/postgres 0755 root root -\"\n ];\n\n # Open ports in the firewall. 
80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n networking.firewall.allowedTCPPorts = [ 80 443 4646 4647 4648 8300 8301 ];\n networking.firewall.allowedUDPPorts = [ 8301 ];\n\n # Copy the NixOS configuration file and link it from the resulting system\n # (/run/current-system/configuration.nix). This is useful in case you\n # accidentally delete configuration.nix.\n system.copySystemConfiguration = true;\n\n # Defines the initial NixOS version for compatibility with older application data.\n # Do NOT change this value after installation without careful consideration.\n system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n"
 }
 },
 "sensitive_attributes": []
diff --git a/2-nomad-config/main.tf b/2-nomad-config/main.tf
index c50fc69..fd6efec 100644
--- a/2-nomad-config/main.tf
+++ b/2-nomad-config/main.tf
@@ -21,7 +21,7 @@ terraform {
 }
 
 provider "nomad" {
- address = "http://jaglan-beta-m01.othrayte.one:4646"
+ address = "http://jaglan-beta-m01.lan:4646"
 }
 
 data "sops_file" "secrets" {
diff --git a/2-nomad-config/secrets.enc.json b/2-nomad-config/secrets.enc.json
index 0c8824b..438cc52 100644
--- a/2-nomad-config/secrets.enc.json
+++ b/2-nomad-config/secrets.enc.json
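Review bot: The provider now reaches the Nomad API over plain HTTP on the LAN name with no `secret_id` and no `ca_file`/`cert_file`/`key_file`, and the rendered Nomad settings in terraform.tfstate show no `acl` or `tls` stanza, so the management access this provider holds is the same as that of any host able to reach port 4646, which the configuration.nix firewall hunk leaves open. Enabling TLS and ACLs on the servers and giving the provider a token and CA would close that gap; if plain HTTP is a deliberate trade-off for a home LAN, a comment on the `address` line saying so would keep it from being re-raised.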
@@ -4,7 +4,7 @@ }, "cloudflare": { "api_token": "ENC[AES256_GCM,data:445wM+3yHRnMfiAHuBg3dWzLA3jB0dpNBaHrxl1bb036sFZnzN+gOg==,iv:g8tMdxY8XFTPA2W8/RtMtDhnyCzNLY6dJDWWC2ZeIZQ=,tag:04uf/y3DWY3HIXOJ2HenJw==,type:str]", - "direct_ip6": "ENC[AES256_GCM,data:/yDwQJHmcwD6nULnRFdn9aSVY1rQUic+,iv:5YBevwSrZzsqdoo5K8Wv6R4nxmWoCFa9NLP35Y+wtLw=,tag:+5F0SlVo5D4ZoMcKzaODRQ==,type:str]" + "direct_ip6": "ENC[AES256_GCM,data:E/V1pFjBp7c0PRhUa4cxqAVl8xZKsZzn,iv:Gw0qz2x1pMaieZaCcp4dD9sEVtQfcuEqRP3UpA2Bj/0=,tag:LpsPH3cJAlPCFX6EPabWnQ==,type:str]" }, "tailscale": { "auth_key": "ENC[AES256_GCM,data:gzh4nqEOQLijp5DTGHHSn0aO1mFQUB3sVSdAVDLG+a2H6XJ0BtJJGU55oLJURy7E/um7gzwDofP5mwZGTA==,iv:yl8lHqnNLB2AXlBfMyw/0CAR7+KmyKKDFc7kxbo9S6c=,tag:CunYd62x3omji6ozqmhgOg==,type:str]" @@ -30,8 +30,8 @@ "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUWM4ZDVVbGFrUGdMRHBX\nUFBmU3Nlc0RBSzhFK0tHNHpkQXUvUVdiZUZJCmpRN1lFdENpWW0rcThjVlVQNUl6\nWnlLU0RnQ3FZby81Ly8xTFBrek9nMncKLS0tIFQ4UTRNOC9CRmx4OFJWem1wckZz\nUDFTSzdWZldFK3FqcTNWTWRyNDhHQ2MKS811mR5xn7qiC/aVgPFYJ5c6Q3zxRfcr\nHcvxUvB01vNJKZpRg92vvKPkV6lQO3DXCT98OdfwiymlEOvYxg71Pg==\n-----END AGE ENCRYPTED FILE-----\n" } ], - "lastmodified": "2025-05-25T07:55:17Z", - "mac": "ENC[AES256_GCM,data:+R6CiOUxUKVJrCULbVPHzx1jI7z7RBwnWxbX2oBDh9gveNWz/e0ZLyRtoJJho7kRb8XugTPn5TOeKFdeecyJzjcL8fOkcwBQsUjywR0FhY/i1kWaPFmOskwl7iIQJUdtFz3etOAEjQlFTxuwxi3PtGcyZJn9kSMPff23tTKfRxY=,iv:2iVkNSaItt/bbWaR9/fIpv55FUyYMyFFD/SDNX467f0=,tag:76R72x9t4gw1G1nLheEniw==,type:str]", + "lastmodified": "2025-05-25T11:33:40Z", + "mac": "ENC[AES256_GCM,data:HvNkVDm3HOcYSAvDNFs0/w/QmiKFTTy0d+Onl/pFXEgdH/bBLqbeOwZV0tsaZYwNJluOH8EiU4gSBZ5EaCh4JrUTpHiiug4p5UXgRSva9sZ5D+9vzvfncqTdQVXKL6gdLMRVJQjz8lZVx0jV1czFES+4AECNgSq7lNRUHhau3eU=,iv:K33uicZwQyscLr1DUEAKLWPkFSH+aIntyceKB1KTu+M=,tag:mrTSWWlv5ZkN4K4HuIE/zw==,type:str]", "encrypted_regex": "^(.*)$", "version": "3.10.2" }