Migrate all jobs to thingvellir

config/nomad.d/host-thingvellir.hcl

@@ -0,0 +1,34 @@
+client {
+  # --- Network ---
+
+  host_network "public" {
+    interface = "ens3"
+  }
+
+  # --- Volumes ---
+  # DNS
+  host_volume "dns-pihole" {
+    path = "/var/lib/nomad_volumes/dns/pihole/etc-pihole"
+    read_only = false
+  }
+  host_volume "dns-dnsmasq" {
+    path = "/var/lib/nomad_volumes/dns/pihole/etc-dnsmasq.d"
+    read_only = false
+  }
+
+  # Caddy
+  host_volume "caddyfile" {
+    path = "/var/lib/nomad_volumes/caddy/Caddyfile"
+    read_only = false
+  }
+  host_volume "caddy-data" {
+    path = "/var/lib/nomad_volumes/caddy/data"
+    read_only = false
+  }
+
+  # Gitea
+  # host_volume "gitea" {
+  #   path = "/mnt/vatnajokull/nomad_volumes/gitea/data"
+  #   read_only = false
+  # }
+}

config/nomad.d/host-thingvellir.json

@@ -1,33 +0,0 @@
-{
-  "client": {
-    "host_network": {
-      "public": {
-        "interface": "ens3",
-        "reserved_ports": "80,443,2222"
-      }
-    },
-    "host_volume": {
-      "dns-unbound": {
-        "path": "/var/lib/nomad_volumes/dns/unbound",
-        "read_only": false
-      },
-      "dns-pihole": {
-        "path": "/var/lib/nomad_volumes/dns/pihole/etc-pihole",
-        "read_only": false
-      },
-      "dns-dnsmasq": {
-        "path": "/var/lib/nomad_volumes/dns/pihole/etc-dnsmasq.d",
-        "read_only": false
-      },
-
-      "caddyfile": {
-        "path": "/var/lib/nomad_volumes/caddy/Caddyfile",
-        "read_only": false
-      },
-      "caddy-data": {
-        "path": "/var/lib/nomad_volumes/caddy/data",
-        "read_only": false
-      }
-    }
-  }
-}

hosts/thingvellir/default.nix

@@ -11,9 +11,15 @@ with lib;
 
   user.name = "marc";
   user.shell = pkgs.zsh;
-  networking.hostName = "thingvellir";
+  networking = {
-  networking.firewall = {
+    hostName = "thingvellir";
-    enable = true;
+    firewall = {
+      enable = false;
+      allowedUDPPorts = [
+        53      # DNS (pihole + unbound)
+        8600    # Consul DNS
+       ];
+    };
   };
 
   # - Bootloader ---------------------------------
@@ -53,7 +59,7 @@ with lib;
     server.nomad = {
       enable = true;
       server = true;
-      host-config = ../../config/nomad.d/host-thingvellir.json;
+      host-config = ../../config/nomad.d/host-thingvellir.hcl;
     };
 
     # - Editors and development ------------------

modules/server/nomad.nix

@@ -24,6 +24,7 @@ in
     # services.consul.enable = true;
     services.nomad = {
       enable = true;
+      dropPrivileges = false;
       extraSettingsPaths = [ "/etc/nomad.d" ];
     };
 
@@ -51,10 +52,10 @@ in
         target = "nomad.d/server.json";
         source = ../../config/nomad.d/server.json;
       };
-    } // lib.optionalAttrs cfg.host-config {
+    } // lib.optionalAttrs (! isNull cfg.host-config) {
       # Host-specific configuration
       nomad-host-cfg = {
-        target = "nomad.d/host.json";
+        target = "nomad.d/host.hcl";
         source = cfg.host-config;
       };
     };

modules/system/tailscale.nix

@@ -11,7 +11,7 @@ in
     # See https://github.com/tailscale/tailscale/issues/4432
     networking = {
       firewall.checkReversePath = "loose";
-      nameservers = [ "100.80.195.56" ];
+      nameservers = [ "100.99.167.21" ];
       networkmanager.dns = "none";
     };
     services.tailscale.enable = true;