diff --git a/config/nomad.d/host-thingvellir.hcl b/config/nomad.d/host-thingvellir.hcl
new file mode 100644
index 0000000..8b0e116
--- /dev/null
+++ b/config/nomad.d/host-thingvellir.hcl
@@ -0,0 +1,34 @@
+client {
+ # --- Network ---
+
+ host_network "public" {
+ interface = "ens3"
+ }
+
+ # --- Volumes ---
+ # DNS
+ host_volume "dns-pihole" {
+ path = "/var/lib/nomad_volumes/dns/pihole/etc-pihole"
+ read_only = false
+ }
+ host_volume "dns-dnsmasq" {
+ path = "/var/lib/nomad_volumes/dns/pihole/etc-dnsmasq.d"
+ read_only = false
+ }
+
+ # Caddy
+ host_volume "caddyfile" {
+ path = "/var/lib/nomad_volumes/caddy/Caddyfile"
+ read_only = false
+ }
+ host_volume "caddy-data" {
+ path = "/var/lib/nomad_volumes/caddy/data"
+ read_only = false
+ }
+
+ # Gitea
+ # host_volume "gitea" {
+ # path = "/mnt/vatnajokull/nomad_volumes/gitea/data"
+ # read_only = false
+ # }
+}
diff --git a/config/nomad.d/host-thingvellir.json b/config/nomad.d/host-thingvellir.json
deleted file mode 100644
index 4205232..0000000
--- a/config/nomad.d/host-thingvellir.json
+++ /dev/null
@@ -1,33 +0,0 @@
-{
- "client": {
- "host_network": {
- "public": {
- "interface": "ens3",
- "reserved_ports": "80,443,2222"
- }
- },
- "host_volume": {
- "dns-unbound": {
- "path": "/var/lib/nomad_volumes/dns/unbound",
- "read_only": false
- },
- "dns-pihole": {
- "path": "/var/lib/nomad_volumes/dns/pihole/etc-pihole",
- "read_only": false
- },
- "dns-dnsmasq": {
- "path": "/var/lib/nomad_volumes/dns/pihole/etc-dnsmasq.d",
- "read_only": false
- },
-
- "caddyfile": {
- "path": "/var/lib/nomad_volumes/caddy/Caddyfile",
- "read_only": false
- },
- "caddy-data": {
- "path": "/var/lib/nomad_volumes/caddy/data",
- "read_only": false
- }
- }
- }
-}
diff --git a/hosts/thingvellir/default.nix b/hosts/thingvellir/default.nix
index e4767da..3136de7 100644
--- a/hosts/thingvellir/default.nix
+++ b/hosts/thingvellir/default.nix
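Review bot: The `host_network "public"` block in the new HCL file no longer carries the `reserved_ports = "80,443,2222"` setting that the deleted JSON version had, and the `dns-unbound` host volume is gone as well, so this is a content change rather than a straight JSON-to-HCL conversion. If those ports should still be kept out of Nomad's dynamic port range on this interface, add `reserved_ports = "80,443,2222"` under `interface = "ens3"`; if dropping them (and the unbound volume) is intentional, a one-line comment such as `# reserved_ports and dns-unbound volume removed on purpose; see <reason>` would save the next reader a trip through history. The firewall comment in hosts/thingvellir/default.nix still names unbound, which makes the volume removal look accidental.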
@@ -11,9 +11,15 @@ with lib; user.name = "marc"; user.shell = pkgs.zsh; - networking.hostName = "thingvellir"; - networking.firewall = { - enable = true; + networking = { + hostName = "thingvellir"; + firewall = { + enable = false; + allowedUDPPorts = [ + 53 # DNS (pihole + unbound) + 8600 # Consul DNS + ]; + }; }; # - Bootloader --------------------------------- @@ -53,7 +59,7 @@ with lib; server.nomad = { enable = true; server = true; - host-config = ../../config/nomad.d/host-thingvellir.json; + host-config = ../../config/nomad.d/host-thingvellir.hcl; }; # - Editors and development ------------------ diff --git a/modules/server/nomad.nix b/modules/server/nomad.nix index bbf6f98..2e5581c 100644 --- a/modules/server/nomad.nix +++ b/modules/server/nomad.nix @@ -24,6 +24,7 @@ in # services.consul.enable = true; services.nomad = { enable = true; + dropPrivileges = false; extraSettingsPaths = [ "/etc/nomad.d" ]; }; @@ -51,10 +52,10 @@ in target = "nomad.d/server.json"; source = ../../config/nomad.d/server.json; }; - } // lib.optionalAttrs cfg.host-config { + } // lib.optionalAttrs (! isNull cfg.host-config) { # Host-specific configuration nomad-host-cfg = { - target = "nomad.d/host.json"; + target = "nomad.d/host.hcl"; source = cfg.host-config; }; }; diff --git a/modules/system/tailscale.nix b/modules/system/tailscale.nix index f6748d9..6d33e0a 100644 --- a/modules/system/tailscale.nix +++ b/modules/system/tailscale.nix @@ -11,7 +11,7 @@ in # See https://github.com/tailscale/tailscale/issues/4432 networking = { firewall.checkReversePath = "loose"; - nameservers = [ "100.80.195.56" ]; + nameservers = [ "100.99.167.21" ]; networkmanager.dns = "none"; }; services.tailscale.enable = true;
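Review bot: `enable = false;` switches the NixOS firewall off for this host (it was `enable = true;` before), so the `allowedUDPPorts` list added directly beneath it has no effect while the firewall is disabled — the two settings contradict each other and the host is now exposed on every port, not just 53 and 8600. If the intent is to open DNS and Consul DNS, keep `enable = true;` and let the allow-list do the work; if the firewall genuinely has to be off (for example because Nomad or Consul manage their own rules, which this hunk does not show), remove the dead allow-list or mark it with `# firewall disabled on purpose (<reason>); list kept for when it is re-enabled` so it is clear which setting is authoritative.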
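Review bot: `dropPrivileges = false;` makes the Nomad agent run as root instead of as the unprivileged nomad user, and the hunk records no reason for it. The likely motivation is that this node also acts as a client (the new host-thingvellir.hcl carries a `client {}` block with host volumes), which needs root for task drivers and host mounts, so say so inline: `dropPrivileges = false; # client mode: task drivers and host_volume mounts need root`. Because this lives in the shared modules/server/nomad.nix rather than the host file, consider whether it should be tied to a client-specific option instead of applying to every host that enables this module; the module's option declarations are outside the hunk.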
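Review bot: `isNull` is a deprecated Nix builtin; the idiomatic form of the new guard is `} // lib.optionalAttrs (cfg.host-config != null) {`. The change itself is correct — `optionalAttrs` needs a boolean, and passing the path value directly as the old line did would not have evaluated. Since the target is now fixed to `nomad.d/host.hcl` and Nomad picks its parser from the file extension, a JSON-formatted `host-config` would be read as HCL from here on; a note on the `host-config` option (declared outside this hunk) that it must point at an HCL file, e.g. `# Must be an HCL file: it is installed as /etc/nomad.d/host.hcl`, would make that constraint visible.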