Improve resilience by changing routing to traefik and setting up more servers.

Some changes were required to set 3 VMs as the cluster since the NUC failed and we are waiting for new hardware to arrive.
The ingest routing from the internet was changed to use cloudflared tunnel to traefik instead of via a specific host.

2-nomad-config/main.tf

@@ -21,7 +21,7 @@ terraform {
 }
 
 provider "nomad" {
-  address = "http://jaglan-beta-m01.lan:4646"
+  address = "http://jaglan-beta-m20.lan:4646"
 }
 
 data "sops_file" "secrets" {

2-nomad-config/postgres.tf

@@ -19,7 +19,7 @@ resource "nomad_variable" "postgres" {
 }
 
 provider "postgresql" {
-  host            = "jaglan-beta-m01.lan"
+  host            = "jaglan-beta-m21.lan"
   port            = 5432
   database        = "postgres"
   username        = "postgres"

2-nomad-config/readme.md

@@ -16,3 +16,16 @@ Put the age keys in /home/<user>/.config/sops/age/keys.txt
 ## Adding Secrets
 
 Edit the secrets using `sops secrets.enc.json`
+
+# Bootstrapping (starting without PostgreSQL running)
+
+terraform apply -target=nomad_job.postgres
+
+## Restoring PostgreSQL DBs
+
+`psql -h jaglan-beta-m21 -p 5432 -U postgres -f ~/Downloads/all_databases.sql postgres`
+
+# Deploying and testing changes
+
+Sometimes the nomad job fails but the solution is to fix another job and so we need to tell nomad to retry the unchanged job.
+`nomad job eval -force-reschedule glance`

2-nomad-config/secrets.enc.json

@@ -26,6 +26,9 @@
 	"hass": {
 		"magic-token": "ENC[AES256_GCM,data:3mKbPFgvtX+hWYEZ0q4jBjnR8KM+E/1DqmkVzoV6ROY=,iv:9L748apqK1TcsW0Y0HvU9QHVD/eSh56c/uN/K4KNct4=,tag:ZmXiaPz7MEvaQ0yu3byiKQ==,type:str]"
 	},
+	"traefik": {
+		"cf_tunnel_token": "ENC[AES256_GCM,data:IgrmKwdeipix1dIXNuXnTWN5rCZjClbKZQJfgr5c2IP/n8bcc/nG5Wb42WL2C4hTeVqhG5p62ZXoz0j4dNAjxvuzcW/P0XeSYaiDRXMNWKhNIcK7jOexgswio0sUC+F7f3fa6HH4C02Mx8dWoFZChYtM5EhGdcEwVwspyBlMhTSHTz+/w5T9OqH18o132ZTM6kMQY85sgH36azWoSw73N+aC4ANhgybuok06z6R5D2jMdDX47Bo5bg==,iv:yOcUDTYHh58iejbl0wxNJO1hcDypcBq6KlHKyqnMSVk=,tag:CMyHKgahkIGdXItMJ1/hOg==,type:str]"
+	},
 	"sops": {
 		"age": [
 			{
@@ -33,8 +36,8 @@
 				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByUWM4ZDVVbGFrUGdMRHBX\nUFBmU3Nlc0RBSzhFK0tHNHpkQXUvUVdiZUZJCmpRN1lFdENpWW0rcThjVlVQNUl6\nWnlLU0RnQ3FZby81Ly8xTFBrek9nMncKLS0tIFQ4UTRNOC9CRmx4OFJWem1wckZz\nUDFTSzdWZldFK3FqcTNWTWRyNDhHQ2MKS811mR5xn7qiC/aVgPFYJ5c6Q3zxRfcr\nHcvxUvB01vNJKZpRg92vvKPkV6lQO3DXCT98OdfwiymlEOvYxg71Pg==\n-----END AGE ENCRYPTED FILE-----\n"
 			}
 		],
-		"lastmodified": "2025-10-04T04:09:12Z",
-		"mac": "ENC[AES256_GCM,data:+NnopVex61fOpxTSMhkrBQXB2Zq1Vj4a5kNrdFI2o947NCMkRxtTyYYP+7xEsk97P0z7eUCRE0xG5vMU0u+w+i+wgV5OtlSlJMoLJaXA2Rtxvd+THmzk9CEWHpxRzyZFGB5r124LANiMXb+YWEH2HYEqmk0Y0TiOGAqnN2Z0kzo=,iv:Xf49WoI27nJf3RdIaDqRdxITpizXFT3Uht/MWxjJInE=,tag:o/WS1Nk0Q9o/fB881saaOw==,type:str]",
+		"lastmodified": "2025-10-11T03:45:00Z",
+		"mac": "ENC[AES256_GCM,data:zLaCBYKSnXc81LOSuKHlBkiclsvV2B88SUFvy5oW2kL+Sbu3x058oE0P6T+9BlKkfKWLuTKjMwzAQGPeY0wjHtS4htxpcnMl+uVni888jr3lDLe7IPDReOp7Liv7UddQnLP9ftLIxZEOCeFtCP3/jkCEFbD8t30tLM2hSO6MjgM=,iv:IuMsWEQWZT537vMgfOFxdw2kwJO2rB5PmhsjJsnE934=,tag:8j5hVJCsvffebuj2Ay7zgg==,type:str]",
 		"encrypted_regex": "^(.*)$",
 		"version": "3.10.2"
 	}

2-nomad-config/traefik.nomad.hcl

@@ -112,7 +112,7 @@ http:
   middlewares:
     auth:
       forwardAuth:
-        address: "http://192.168.1.235:9091/api/authz/forward-auth"
+        address: "http://jaglan-beta-m21:9091/api/authz/forward-auth"
         trustForwardHeader: true
     auth-allow-token:
       chain:
@@ -192,5 +192,24 @@ EOF
         memory = 128
       }
     }
+
+    task "cloudflared" {
+      driver = "docker"
+
+      config {
+        image = "cloudflare/cloudflared:latest"
+        args = [
+          "tunnel", "--no-autoupdate", "run"
+        ]
+      }
+
+      template {
+        data        = <<EOH
+TUNNEL_TOKEN="{{ with nomadVar "nomad/jobs/traefik" }}{{ .cf_tunnel_token }}{{ end }}"
+EOH
+        destination = "secrets/tunnel.env"
+        env         = true # Load the file as environment variables
+      }
+    }
   }
 }

2-nomad-config/traefik.tf

@@ -1,23 +1,30 @@
 resource "cloudflare_dns_record" "othrayte-one" {
-  comment = "othrayte.one proxy to internal IP for traefik"
+  comment = "othrayte.one proxy via cloudflared tunnel to traefik"
   zone_id = "2616ab2a44d0645b03fbc3106c79bd99"
-  type    = "AAAA"
+  type    = "CNAME"
   name    = "othrayte.one"
-  content = data.sops_file.secrets.data["cloudflare.direct_ip6"]
+  content = "59ca3eb1-5f0b-45e1-97ff-e373569c6689.cfargotunnel.com"
   proxied = true
   ttl     = 1 # Auto
 }
 
 resource "cloudflare_dns_record" "star-othrayte-one" {
-  comment = "*.othrayte.one proxy to internal IP for traefik"
+  comment = "*.othrayte.one proxy via cloudflared tunnel to traefik"
   zone_id = "2616ab2a44d0645b03fbc3106c79bd99"
-  type    = "AAAA"
+  type    = "CNAME"
   name    = "*.othrayte.one"
-  content = data.sops_file.secrets.data["cloudflare.direct_ip6"]
+  content = "59ca3eb1-5f0b-45e1-97ff-e373569c6689.cfargotunnel.com"
   proxied = true
   ttl     = 1 # Auto
 }
 
+resource "nomad_variable" "traefik" {
+  path = "nomad/jobs/traefik"
+  items = {
+    cf_tunnel_token = data.sops_file.secrets.data["traefik.cf_tunnel_token"]
+  }
+}
+
 resource "nomad_job" "traefik" {
   jobspec = templatefile("traefik.nomad.hcl", {
     hass_magic_token = nonsensitive(data.sops_file.secrets.data["hass.magic-token"])