Fix some networking issues and setup a second nomad host

1-nixos-node/0-install-nixos.md

@@ -1,8 +1,13 @@
 Follow steps at https://nixos.org/manual/nixos/stable/#sec-installation-manual-summary
 
-Ensure that ssh is enabled and the hostname is set
+Note: run `lsblk` to determine correct device to install to.
+
+Set the hostname when editing `/mnt/etc/nixos/configuration.nix` before the installation:
+`networking.hostName = "jaglan-beta-mNN";`
+
+Once `nixos-install` is complete and the root password is set and saved edit the `/etc/nixos/configuration.nix` again to enable ssh and run `nixos-rebuild switch`
+
 ```
 services.openssh.enable = true;
 services.openssh.settings.PermitRootLogin = "yes";
-networking.hostName = "jaglan-beta-m01";
 ```

1-nixos-node/configuration.nix

@@ -11,7 +11,7 @@
   boot.loader.systemd-boot.enable = true;
   boot.loader.efi.canTouchEfiVariables = true;
 
-  networking.hostName = "jaglan-beta-m01"; # Define your hostname.
+  networking.hostName = "${hostname}"; # Define your hostname.
 
   time.timeZone = "Australia/Melbourne";
 
@@ -40,7 +40,9 @@
         datacenter = "jaglan-beta";
         server = {
           enabled = true;
+%{if bootstrap ~}
           bootstrap_expect = 1;
+%{endif ~}
         };
         client = {
           enabled = true;
@@ -54,7 +56,7 @@
               read_only = false;
             };
           };
-          cni_path = "${pkgs.cni-plugins}/bin";
+          cni_path = "$${pkgs.cni-plugins}/bin";
         };
         plugin.docker.config.allow_privileged = true;
       };
@@ -66,12 +68,17 @@
     consul = {
       enable = true;
       webUi = true;
-      interface.bind = "eno1";
+      interface.bind = "${bind_interface}";
-      interface.advertise = "eno1";
+      interface.advertise = "${bind_interface}";
       extraConfig  = {
+%{if bootstrap ~}
         bootstrap_expect = 1;
+%{endif ~}
         server = true;
-        client_addr = "127.0.0.1 192.168.1.235";
+        retry_join = [
+          "jaglan-beta-m01"
+          "jaglan-beta-m20"
+        ];
         datacenter = "jaglan-beta";
         connect.enabled = true;
         ports.grpc = 8502;
@@ -92,8 +99,9 @@
     "d /opt/postgres 0755 root root -"
   ];
 
-  # Open ports in the firewall. 464X are the default ports for Nomad.
+  # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.
-  networking.firewall.allowedTCPPorts = [ 80 443 4646 4647 4648 ];
+  networking.firewall.allowedTCPPorts = [ 80 443 4646 4647 4648 8300 8301 ];
+  networking.firewall.allowedUDPPorts = [ 8301 ];
 
   # Copy the NixOS configuration file and link it from the resulting system
   # (/run/current-system/configuration.nix). This is useful in case you

1-nixos-node/node.tf

@@ -13,21 +13,38 @@ terraform {
 
 provider "template" {}
 
-variable "ssh_password" {
+variable "nodes" {
-  description = "Password for SSH connection"
+  description = "Map of nodes with host, password, and bind interface"
-  type        = string
+  type = map(object({
+    host           = string
+    password       = string
+    bind_interface = string
+    bootstrap      = optional(bool, false) # Optional field for bootstrap nodes
+  }))
+}
+
+locals {
+  config_files = { for k, v in var.nodes :
+    k => templatefile("${path.module}/configuration.nix", {
+      hostname       = v.host
+      bind_interface = v.bind_interface
+      bootstrap      = v.bootstrap
+    })
+  }
 }
 
 resource "null_resource" "deploy_nixos" {
+  for_each = var.nodes
+
   connection {
     type     = "ssh"
-    host     = "jaglan-beta-m01.othrayte.one"
+    host     = "${each.value.host}.lan"
     user     = "root"
-    password = var.ssh_password
+    password = each.value.password
   }
 
   provisioner "file" {
-    source      = "configuration.nix"
+    content     = local.config_files[each.key]
     destination = "/tmp/configuration.nix"
   }
 
@@ -39,6 +56,6 @@ resource "null_resource" "deploy_nixos" {
   }
 
   triggers = {
-    configuration_content = file("configuration.nix")
+    configuration_content = local.config_files[each.key]
   }
 }

1-nixos-node/terraform.tfstate

@@ -1,7 +1,7 @@
 {
   "version": 4,
   "terraform_version": "1.11.4",
-  "serial": 148,
+  "serial": 231,
   "lineage": "db7dcf21-a255-0ec4-c8b8-d4a7559b3768",
   "outputs": {},
   "resources": [
@@ -12,11 +12,23 @@
       "provider": "provider[\"registry.terraform.io/hashicorp/null\"]",
       "instances": [
         {
+          "index_key": "jaglan-beta-m01",
           "schema_version": 0,
           "attributes": {
-            "id": "1694374526903751493",
+            "id": "822625592985314692",
             "triggers": {
-              "configuration_content": "{ config, lib, pkgs, ... }:\n{\n  imports =\n    [ # Include the results of the hardware scan.\n      ./hardware-configuration.nix\n    ];\n\n  nixpkgs.config.allowUnfree = true;\n\n  # Use the systemd-boot EFI boot loader.\n  boot.loader.systemd-boot.enable = true;\n  boot.loader.efi.canTouchEfiVariables = true;\n\n  networking.hostName = \"jaglan-beta-m01\"; # Define your hostname.\n\n  time.timeZone = \"Australia/Melbourne\";\n\n  # List packages installed in system profile. To search, run:\n  # $ nix search wget\n  # environment.systemPackages = with pkgs; [\n  #   vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n  #   wget\n  # ];\n\n  # Some programs need SUID wrappers, can be configured further or are\n  # started in user sessions.\n  # programs.mtr.enable = true;\n  # programs.gnupg.agent = {\n  #   enable = true;\n  #   enableSSHSupport = true;\n  # };\n\n  # List services that you want to enable:\n  services = {\n    nomad = {\n      enable = true;\n      enableDocker = true;\n      dropPrivileges = false;\n      settings = {\n        datacenter = \"jaglan-beta\";\n        server = {\n          enabled = true;\n          bootstrap_expect = 1;\n        };\n        client = {\n          enabled = true;\n          host_volume = {\n            traefik = {\n              path = \"/opt/traefik\";\n              read_only = false;\n            };\n            postgres = {\n              path = \"/opt/postgres\";\n              read_only = false;\n            };\n          };\n          cni_path = \"${pkgs.cni-plugins}/bin\";\n        };\n        plugin.docker.config.allow_privileged = true;\n      };\n      extraPackages = with pkgs; [\n        cni-plugins\n        consul\n      ];\n    };\n    consul = {\n      enable = true;\n      webUi = true;\n      interface.bind = \"eno1\";\n      interface.advertise = \"eno1\";\n      extraConfig  = {\n        bootstrap_expect = 1;\n        server = true;\n        client_addr = \"127.0.0.1 192.168.1.235\";\n        datacenter = \"jaglan-beta\";\n        connect.enabled = true;\n        ports.grpc = 8502;\n      };\n    };\n    openssh = {\n      enable = true;\n      settings.PermitRootLogin = \"yes\";\n    };\n  };\n\n  systemd.tmpfiles.rules = [\n    # Fix issue where nomad needs alloc_mounts to be writable\n    \"d /var/lib/alloc_mounts 0755 root root -\"\n    # Create a directory for Traefik to store its data (tls certs, etc.)\n    \"d /opt/traefik 0755 root root -\"\n    # Create a directory for Postgres to store its data\n    \"d /opt/postgres 0755 root root -\"\n  ];\n\n  # Open ports in the firewall. 464X are the default ports for Nomad.\n  networking.firewall.allowedTCPPorts = [ 80 443 4646 4647 4648 ];\n\n  # Copy the NixOS configuration file and link it from the resulting system\n  # (/run/current-system/configuration.nix). This is useful in case you\n  # accidentally delete configuration.nix.\n  system.copySystemConfiguration = true;\n\n  # Defines the initial NixOS version for compatibility with older application data.\n  # Do NOT change this value after installation without careful consideration.\n  system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n"
+              "configuration_content": "{ config, lib, pkgs, ... }:\n{\n  imports =\n    [ # Include the results of the hardware scan.\n      ./hardware-configuration.nix\n    ];\n\n  nixpkgs.config.allowUnfree = true;\n\n  # Use the systemd-boot EFI boot loader.\n  boot.loader.systemd-boot.enable = true;\n  boot.loader.efi.canTouchEfiVariables = true;\n\n  networking.hostName = \"jaglan-beta-m01\"; # Define your hostname.\n\n  time.timeZone = \"Australia/Melbourne\";\n\n  # List packages installed in system profile. To search, run:\n  # $ nix search wget\n  # environment.systemPackages = with pkgs; [\n  #   vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n  #   wget\n  # ];\n\n  # Some programs need SUID wrappers, can be configured further or are\n  # started in user sessions.\n  # programs.mtr.enable = true;\n  # programs.gnupg.agent = {\n  #   enable = true;\n  #   enableSSHSupport = true;\n  # };\n\n  # List services that you want to enable:\n  services = {\n    nomad = {\n      enable = true;\n      enableDocker = true;\n      dropPrivileges = false;\n      settings = {\n        datacenter = \"jaglan-beta\";\n        server = {\n          enabled = true;\n          bootstrap_expect = 1;\n        };\n        client = {\n          enabled = true;\n          host_volume = {\n            traefik = {\n              path = \"/opt/traefik\";\n              read_only = false;\n            };\n            postgres = {\n              path = \"/opt/postgres\";\n              read_only = false;\n            };\n          };\n          cni_path = \"${pkgs.cni-plugins}/bin\";\n        };\n        plugin.docker.config.allow_privileged = true;\n      };\n      extraPackages = with pkgs; [\n        cni-plugins\n        consul\n      ];\n    };\n    consul = {\n      enable = true;\n      webUi = true;\n      interface.bind = \"eno1\";\n      interface.advertise = \"eno1\";\n      extraConfig  = {\n        bootstrap_expect = 1;\n        server = true;\n        retry_join = [\n          \"jaglan-beta-m01\"\n          \"jaglan-beta-m20\"\n        ];\n        #client_addr = \"127.0.0.1 192.168.1.235\";\n        datacenter = \"jaglan-beta\";\n        connect.enabled = true;\n        ports.grpc = 8502;\n      };\n    };\n    openssh = {\n      enable = true;\n      settings.PermitRootLogin = \"yes\";\n    };\n  };\n\n  systemd.tmpfiles.rules = [\n    # Fix issue where nomad needs alloc_mounts to be writable\n    \"d /var/lib/alloc_mounts 0755 root root -\"\n    # Create a directory for Traefik to store its data (tls certs, etc.)\n    \"d /opt/traefik 0755 root root -\"\n    # Create a directory for Postgres to store its data\n    \"d /opt/postgres 0755 root root -\"\n  ];\n\n  # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n  networking.firewall.allowedTCPPorts = [ 80 443 4646 4647 4648 8300 8301 ];\n  networking.firewall.allowedUDPPorts = [ 8301 ];\n\n  # Copy the NixOS configuration file and link it from the resulting system\n  # (/run/current-system/configuration.nix). This is useful in case you\n  # accidentally delete configuration.nix.\n  system.copySystemConfiguration = true;\n\n  # Defines the initial NixOS version for compatibility with older application data.\n  # Do NOT change this value after installation without careful consideration.\n  system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n"
+            }
+          },
+          "sensitive_attributes": []
+        },
+        {
+          "index_key": "jaglan-beta-m20",
+          "schema_version": 0,
+          "attributes": {
+            "id": "429768676960285091",
+            "triggers": {
+              "configuration_content": "{ config, lib, pkgs, ... }:\n{\n  imports =\n    [ # Include the results of the hardware scan.\n      ./hardware-configuration.nix\n    ];\n\n  nixpkgs.config.allowUnfree = true;\n\n  # Use the systemd-boot EFI boot loader.\n  boot.loader.systemd-boot.enable = true;\n  boot.loader.efi.canTouchEfiVariables = true;\n\n  networking.hostName = \"jaglan-beta-m20\"; # Define your hostname.\n\n  time.timeZone = \"Australia/Melbourne\";\n\n  # List packages installed in system profile. To search, run:\n  # $ nix search wget\n  # environment.systemPackages = with pkgs; [\n  #   vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n  #   wget\n  # ];\n\n  # Some programs need SUID wrappers, can be configured further or are\n  # started in user sessions.\n  # programs.mtr.enable = true;\n  # programs.gnupg.agent = {\n  #   enable = true;\n  #   enableSSHSupport = true;\n  # };\n\n  # List services that you want to enable:\n  services = {\n    nomad = {\n      enable = true;\n      enableDocker = true;\n      dropPrivileges = false;\n      settings = {\n        datacenter = \"jaglan-beta\";\n        server = {\n          enabled = true;\n        };\n        client = {\n          enabled = true;\n          host_volume = {\n            traefik = {\n              path = \"/opt/traefik\";\n              read_only = false;\n            };\n            postgres = {\n              path = \"/opt/postgres\";\n              read_only = false;\n            };\n          };\n          cni_path = \"${pkgs.cni-plugins}/bin\";\n        };\n        plugin.docker.config.allow_privileged = true;\n      };\n      extraPackages = with pkgs; [\n        cni-plugins\n        consul\n      ];\n    };\n    consul = {\n      enable = true;\n      webUi = true;\n      interface.bind = \"ens2\";\n      interface.advertise = \"ens2\";\n      extraConfig  = {\n        server = true;\n        retry_join = [\n          \"jaglan-beta-m01\"\n          \"jaglan-beta-m20\"\n        ];\n        #client_addr = \"127.0.0.1 192.168.1.235\";\n        datacenter = \"jaglan-beta\";\n        connect.enabled = true;\n        ports.grpc = 8502;\n      };\n    };\n    openssh = {\n      enable = true;\n      settings.PermitRootLogin = \"yes\";\n    };\n  };\n\n  systemd.tmpfiles.rules = [\n    # Fix issue where nomad needs alloc_mounts to be writable\n    \"d /var/lib/alloc_mounts 0755 root root -\"\n    # Create a directory for Traefik to store its data (tls certs, etc.)\n    \"d /opt/traefik 0755 root root -\"\n    # Create a directory for Postgres to store its data\n    \"d /opt/postgres 0755 root root -\"\n  ];\n\n  # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n  networking.firewall.allowedTCPPorts = [ 80 443 4646 4647 4648 8300 8301 ];\n  networking.firewall.allowedUDPPorts = [ 8301 ];\n\n  # Copy the NixOS configuration file and link it from the resulting system\n  # (/run/current-system/configuration.nix). This is useful in case you\n  # accidentally delete configuration.nix.\n  system.copySystemConfiguration = true;\n\n  # Defines the initial NixOS version for compatibility with older application data.\n  # Do NOT change this value after installation without careful consideration.\n  system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n"
             }
           },
           "sensitive_attributes": []

1-nixos-node/terraform.tfstate.backup

@@ -1,7 +1,7 @@
 {
   "version": 4,
   "terraform_version": "1.11.4",
-  "serial": 145,
+  "serial": 228,
   "lineage": "db7dcf21-a255-0ec4-c8b8-d4a7559b3768",
   "outputs": {},
   "resources": [
@@ -12,11 +12,23 @@
       "provider": "provider[\"registry.terraform.io/hashicorp/null\"]",
       "instances": [
         {
+          "index_key": "jaglan-beta-m01",
           "schema_version": 0,
           "attributes": {
-            "id": "7695263169387917500",
+            "id": "8713155845042122574",
             "triggers": {
-              "configuration_content": "{ config, lib, pkgs, ... }:\n{\n  imports =\n    [ # Include the results of the hardware scan.\n      ./hardware-configuration.nix\n    ];\n\n  nixpkgs.config.allowUnfree = true;\n\n  # Use the systemd-boot EFI boot loader.\n  boot.loader.systemd-boot.enable = true;\n  boot.loader.efi.canTouchEfiVariables = true;\n\n  networking.hostName = \"jaglan-beta-m01\"; # Define your hostname.\n\n  time.timeZone = \"Australia/Melbourne\";\n\n  # List packages installed in system profile. To search, run:\n  # $ nix search wget\n  # environment.systemPackages = with pkgs; [\n  #   vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n  #   wget\n  # ];\n\n  # Some programs need SUID wrappers, can be configured further or are\n  # started in user sessions.\n  # programs.mtr.enable = true;\n  # programs.gnupg.agent = {\n  #   enable = true;\n  #   enableSSHSupport = true;\n  # };\n\n  # List services that you want to enable:\n  services = {\n    tailscale.enable = false;\n    nomad = {\n      enable = true;\n      enableDocker = true;\n      dropPrivileges = false;\n      settings = {\n        datacenter = \"jaglan-beta\";\n        server = {\n          enabled = true;\n          bootstrap_expect = 1;\n        };\n        client = {\n          enabled = true;\n          host_volume = {\n            traefik = {\n              path = \"/opt/traefik\";\n              read_only = false;\n            };\n            postgres = {\n              path = \"/opt/postgres\";\n              read_only = false;\n            };\n          };\n          cni_path = \"${pkgs.cni-plugins}/bin\";\n        };\n        plugin.docker.config.allow_privileged = true;\n      };\n      extraPackages = with pkgs; [\n        cni-plugins\n        consul\n      ];\n    };\n    consul = {\n      enable = true;\n      webUi = true;\n      #interface.bind = \"tailscale0\"; # Bind to the Tailscale interface\n      #interface.advertise = \"tailscale0\"; # Advertise the Tailscale interface\n      interface.bind = \"eno1\";\n      interface.advertise = \"eno1\";\n      extraConfig  = {\n        bootstrap_expect = 1;\n        server = true;\n        client_addr = \"127.0.0.1 192.168.1.235\";\n        datacenter = \"jaglan-beta\";\n        connect.enabled = true;\n        ports.grpc = 8502;\n      };\n    };\n    openssh = {\n      enable = true;\n      settings.PermitRootLogin = \"yes\";\n    };\n  };\n\n  systemd.tmpfiles.rules = [\n    # Fix issue where nomad needs alloc_mounts to be writable\n    \"d /var/lib/alloc_mounts 0755 root root -\"\n    # Create a directory for Traefik to store its data (tls certs, etc.)\n    \"d /opt/traefik 0755 root root -\"\n    # Create a directory for Postgres to store its data\n    \"d /opt/postgres 0755 root root -\"\n  ];\n\n  # Open ports in the firewall. 464X are the default ports for Nomad.\n  networking.firewall.allowedTCPPorts = [ 80 443 2222 4646 4647 4648 ];\n\n  # Copy the NixOS configuration file and link it from the resulting system\n  # (/run/current-system/configuration.nix). This is useful in case you\n  # accidentally delete configuration.nix.\n  system.copySystemConfiguration = true;\n\n  # Defines the initial NixOS version for compatibility with older application data.\n  # Do NOT change this value after installation without careful consideration.\n  system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n"
+              "configuration_content": "{ config, lib, pkgs, ... }:\n{\n  imports =\n    [ # Include the results of the hardware scan.\n      ./hardware-configuration.nix\n    ];\n\n  nixpkgs.config.allowUnfree = true;\n\n  # Use the systemd-boot EFI boot loader.\n  boot.loader.systemd-boot.enable = true;\n  boot.loader.efi.canTouchEfiVariables = true;\n\n  networking.hostName = \"jaglan-beta-m01\"; # Define your hostname.\n\n  time.timeZone = \"Australia/Melbourne\";\n\n  # List packages installed in system profile. To search, run:\n  # $ nix search wget\n  # environment.systemPackages = with pkgs; [\n  #   vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n  #   wget\n  # ];\n\n  # Some programs need SUID wrappers, can be configured further or are\n  # started in user sessions.\n  # programs.mtr.enable = true;\n  # programs.gnupg.agent = {\n  #   enable = true;\n  #   enableSSHSupport = true;\n  # };\n\n  # List services that you want to enable:\n  services = {\n    nomad = {\n      enable = true;\n      enableDocker = true;\n      dropPrivileges = false;\n      settings = {\n        datacenter = \"jaglan-beta\";\n        server = {\n          enabled = true;\n          bootstrap_expect = 2;\n        };\n        client = {\n          enabled = true;\n          host_volume = {\n            traefik = {\n              path = \"/opt/traefik\";\n              read_only = false;\n            };\n            postgres = {\n              path = \"/opt/postgres\";\n              read_only = false;\n            };\n          };\n          cni_path = \"${pkgs.cni-plugins}/bin\";\n        };\n        plugin.docker.config.allow_privileged = true;\n      };\n      extraPackages = with pkgs; [\n        cni-plugins\n        consul\n      ];\n    };\n    consul = {\n      enable = true;\n      webUi = true;\n      interface.bind = \"eno1\";\n      interface.advertise = \"eno1\";\n      extraConfig  = {\n        bootstrap_expect = 1;\n        server = true;\n        retry_join = [\n          \"jaglan-beta-m01\"\n          \"jaglan-beta-m20\"\n        ];\n        #client_addr = \"127.0.0.1 192.168.1.235\";\n        datacenter = \"jaglan-beta\";\n        connect.enabled = true;\n        ports.grpc = 8502;\n      };\n    };\n    openssh = {\n      enable = true;\n      settings.PermitRootLogin = \"yes\";\n    };\n  };\n\n  systemd.tmpfiles.rules = [\n    # Fix issue where nomad needs alloc_mounts to be writable\n    \"d /var/lib/alloc_mounts 0755 root root -\"\n    # Create a directory for Traefik to store its data (tls certs, etc.)\n    \"d /opt/traefik 0755 root root -\"\n    # Create a directory for Postgres to store its data\n    \"d /opt/postgres 0755 root root -\"\n  ];\n\n  # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n  networking.firewall.allowedTCPPorts = [ 80 443 4646 4647 4648 8300 8301 ];\n  networking.firewall.allowedUDPPorts = [ 8301 ];\n\n  # Copy the NixOS configuration file and link it from the resulting system\n  # (/run/current-system/configuration.nix). This is useful in case you\n  # accidentally delete configuration.nix.\n  system.copySystemConfiguration = true;\n\n  # Defines the initial NixOS version for compatibility with older application data.\n  # Do NOT change this value after installation without careful consideration.\n  system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n"
+            }
+          },
+          "sensitive_attributes": []
+        },
+        {
+          "index_key": "jaglan-beta-m20",
+          "schema_version": 0,
+          "attributes": {
+            "id": "429768676960285091",
+            "triggers": {
+              "configuration_content": "{ config, lib, pkgs, ... }:\n{\n  imports =\n    [ # Include the results of the hardware scan.\n      ./hardware-configuration.nix\n    ];\n\n  nixpkgs.config.allowUnfree = true;\n\n  # Use the systemd-boot EFI boot loader.\n  boot.loader.systemd-boot.enable = true;\n  boot.loader.efi.canTouchEfiVariables = true;\n\n  networking.hostName = \"jaglan-beta-m20\"; # Define your hostname.\n\n  time.timeZone = \"Australia/Melbourne\";\n\n  # List packages installed in system profile. To search, run:\n  # $ nix search wget\n  # environment.systemPackages = with pkgs; [\n  #   vim # Do not forget to add an editor to edit configuration.nix! The Nano editor is also installed by default.\n  #   wget\n  # ];\n\n  # Some programs need SUID wrappers, can be configured further or are\n  # started in user sessions.\n  # programs.mtr.enable = true;\n  # programs.gnupg.agent = {\n  #   enable = true;\n  #   enableSSHSupport = true;\n  # };\n\n  # List services that you want to enable:\n  services = {\n    nomad = {\n      enable = true;\n      enableDocker = true;\n      dropPrivileges = false;\n      settings = {\n        datacenter = \"jaglan-beta\";\n        server = {\n          enabled = true;\n        };\n        client = {\n          enabled = true;\n          host_volume = {\n            traefik = {\n              path = \"/opt/traefik\";\n              read_only = false;\n            };\n            postgres = {\n              path = \"/opt/postgres\";\n              read_only = false;\n            };\n          };\n          cni_path = \"${pkgs.cni-plugins}/bin\";\n        };\n        plugin.docker.config.allow_privileged = true;\n      };\n      extraPackages = with pkgs; [\n        cni-plugins\n        consul\n      ];\n    };\n    consul = {\n      enable = true;\n      webUi = true;\n      interface.bind = \"ens2\";\n      interface.advertise = \"ens2\";\n      extraConfig  = {\n        server = true;\n        retry_join = [\n          \"jaglan-beta-m01\"\n          \"jaglan-beta-m20\"\n        ];\n        #client_addr = \"127.0.0.1 192.168.1.235\";\n        datacenter = \"jaglan-beta\";\n        connect.enabled = true;\n        ports.grpc = 8502;\n      };\n    };\n    openssh = {\n      enable = true;\n      settings.PermitRootLogin = \"yes\";\n    };\n  };\n\n  systemd.tmpfiles.rules = [\n    # Fix issue where nomad needs alloc_mounts to be writable\n    \"d /var/lib/alloc_mounts 0755 root root -\"\n    # Create a directory for Traefik to store its data (tls certs, etc.)\n    \"d /opt/traefik 0755 root root -\"\n    # Create a directory for Postgres to store its data\n    \"d /opt/postgres 0755 root root -\"\n  ];\n\n  # Open ports in the firewall. 80/443 are for HTTP/HTTPS (terraform), 464X are the default ports for Nomad, 830X are the default ports for Consul.\n  networking.firewall.allowedTCPPorts = [ 80 443 4646 4647 4648 8300 8301 ];\n  networking.firewall.allowedUDPPorts = [ 8301 ];\n\n  # Copy the NixOS configuration file and link it from the resulting system\n  # (/run/current-system/configuration.nix). This is useful in case you\n  # accidentally delete configuration.nix.\n  system.copySystemConfiguration = true;\n\n  # Defines the initial NixOS version for compatibility with older application data.\n  # Do NOT change this value after installation without careful consideration.\n  system.stateVersion = \"24.11\"; # Did you read the comment?\n}\n"
             }
           },
           "sensitive_attributes": []

2-nomad-config/main.tf

@@ -21,7 +21,7 @@ terraform {
 }
 
 provider "nomad" {
-  address = "http://jaglan-beta-m01.othrayte.one:4646"
+  address = "http://jaglan-beta-m01.lan:4646"
 }
 
 data "sops_file" "secrets" {

2-nomad-config/secrets.enc.json

@@ -4,7 +4,7 @@
 	},
 	"cloudflare": {
 		"api_token": "ENC[AES256_GCM,data:445wM+3yHRnMfiAHuBg3dWzLA3jB0dpNBaHrxl1bb036sFZnzN+gOg==,iv:g8tMdxY8XFTPA2W8/RtMtDhnyCzNLY6dJDWWC2ZeIZQ=,tag:04uf/y3DWY3HIXOJ2HenJw==,type:str]",
-		"direct_ip6": "ENC[AES256_GCM,data:/yDwQJHmcwD6nULnRFdn9aSVY1rQUic+,iv:5YBevwSrZzsqdoo5K8Wv6R4nxmWoCFa9NLP35Y+wtLw=,tag:+5F0SlVo5D4ZoMcKzaODRQ==,type:str]"
+		"direct_ip6": "ENC[AES256_GCM,data:E/V1pFjBp7c0PRhUa4cxqAVl8xZKsZzn,iv:Gw0qz2x1pMaieZaCcp4dD9sEVtQfcuEqRP3UpA2Bj/0=,tag:LpsPH3cJAlPCFX6EPabWnQ==,type:str]"
 	},
 	"tailscale": {
 		"auth_key": "ENC[AES256_GCM,data:gzh4nqEOQLijp5DTGHHSn0aO1mFQUB3sVSdAVDLG+a2H6XJ0BtJJGU55oLJURy7E/um7gzwDofP5mwZGTA==,iv:yl8lHqnNLB2AXlBfMyw/0CAR7+KmyKKDFc7kxbo9S6c=,tag:CunYd62x3omji6ozqmhgOg==,type:str]"
@@ -30,8 +30,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUWM4ZDVVbGFrUGdMRHBX\nUFBmU3Nlc0RBSzhFK0tHNHpkQXUvUVdiZUZJCmpRN1lFdENpWW0rcThjVlVQNUl6\nWnlLU0RnQ3FZby81Ly8xTFBrek9nMncKLS0tIFQ4UTRNOC9CRmx4OFJWem1wckZz\nUDFTSzdWZldFK3FqcTNWTWRyNDhHQ2MKS811mR5xn7qiC/aVgPFYJ5c6Q3zxRfcr\nHcvxUvB01vNJKZpRg92vvKPkV6lQO3DXCT98OdfwiymlEOvYxg71Pg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-05-25T07:55:17Z",
+		"lastmodified": "2025-05-25T11:33:40Z",
-		"mac": "ENC[AES256_GCM,data:+R6CiOUxUKVJrCULbVPHzx1jI7z7RBwnWxbX2oBDh9gveNWz/e0ZLyRtoJJho7kRb8XugTPn5TOeKFdeecyJzjcL8fOkcwBQsUjywR0FhY/i1kWaPFmOskwl7iIQJUdtFz3etOAEjQlFTxuwxi3PtGcyZJn9kSMPff23tTKfRxY=,iv:2iVkNSaItt/bbWaR9/fIpv55FUyYMyFFD/SDNX467f0=,tag:76R72x9t4gw1G1nLheEniw==,type:str]",
+		"mac": "ENC[AES256_GCM,data:HvNkVDm3HOcYSAvDNFs0/w/QmiKFTTy0d+Onl/pFXEgdH/bBLqbeOwZV0tsaZYwNJluOH8EiU4gSBZ5EaCh4JrUTpHiiug4p5UXgRSva9sZ5D+9vzvfncqTdQVXKL6gdLMRVJQjz8lZVx0jV1czFES+4AECNgSq7lNRUHhau3eU=,iv:K33uicZwQyscLr1DUEAKLWPkFSH+aIntyceKB1KTu+M=,tag:mrTSWWlv5ZkN4K4HuIE/zw==,type:str]",
 		"encrypted_regex": "^(.*)$",
 		"version": "3.10.2"
 	}