Migrate all jobs to thingvellir

2024-02-18 19:33:57 +01:00
parent 2e3dad1c1b
commit 4f70bf991c
5 changed files with 48 additions and 40 deletions
--- a/config/nomad.d/host-thingvellir.hcl
+++ b/config/nomad.d/host-thingvellir.hcl
@@ -0,0 +1,34 @@
+client {
+  # --- Network ---
+
+  host_network "public" {
+    interface = "ens3"
+  }
+
+  # --- Volumes ---
+  # DNS
+  host_volume "dns-pihole" {
+    path = "/var/lib/nomad_volumes/dns/pihole/etc-pihole"
+    read_only = false
+  }
+  host_volume "dns-dnsmasq" {
+    path = "/var/lib/nomad_volumes/dns/pihole/etc-dnsmasq.d"
+    read_only = false
+  }
+
+  # Caddy
+  host_volume "caddyfile" {
+    path = "/var/lib/nomad_volumes/caddy/Caddyfile"
+    read_only = false
+  }
+  host_volume "caddy-data" {
+    path = "/var/lib/nomad_volumes/caddy/data"
+    read_only = false
+  }
+
+  # Gitea
+  # host_volume "gitea" {
+  #   path = "/mnt/vatnajokull/nomad_volumes/gitea/data"
+  #   read_only = false
+  # }
+}
--- a/config/nomad.d/host-thingvellir.json
+++ b/config/nomad.d/host-thingvellir.json
@@ -1,33 +0,0 @@
-{
-  "client": {
-    "host_network": {
-      "public": {
-        "interface": "ens3",
-        "reserved_ports": "80,443,2222"
-      }
-    },
-    "host_volume": {
-      "dns-unbound": {
-        "path": "/var/lib/nomad_volumes/dns/unbound",
-        "read_only": false
-      },
-      "dns-pihole": {
-        "path": "/var/lib/nomad_volumes/dns/pihole/etc-pihole",
-        "read_only": false
-      },
-      "dns-dnsmasq": {
-        "path": "/var/lib/nomad_volumes/dns/pihole/etc-dnsmasq.d",
-        "read_only": false
-      },
-
-      "caddyfile": {
-        "path": "/var/lib/nomad_volumes/caddy/Caddyfile",
-        "read_only": false
-      },
-      "caddy-data": {
-        "path": "/var/lib/nomad_volumes/caddy/data",
-        "read_only": false
-      }
-    }
-  }
-}
--- a/hosts/thingvellir/default.nix
+++ b/hosts/thingvellir/default.nix
@@ -11,9 +11,15 @@ with lib;

  user.name = "marc";
  user.shell = pkgs.zsh;
-  networking.hostName = "thingvellir";
-  networking.firewall = {
-    enable = true;
+  networking = {
+    hostName = "thingvellir";
+    firewall = {
+      enable = false;
+      allowedUDPPorts = [
+        53      # DNS (pihole + unbound)
+        8600    # Consul DNS
+       ];
+    };
  };

  # - Bootloader ---------------------------------
@@ -53,7 +59,7 @@ with lib;
    server.nomad = {
      enable = true;
      server = true;
-      host-config = ../../config/nomad.d/host-thingvellir.json;
+      host-config = ../../config/nomad.d/host-thingvellir.hcl;
    };

    # - Editors and development ------------------
--- a/modules/server/nomad.nix
+++ b/modules/server/nomad.nix
@@ -24,6 +24,7 @@ in
    # services.consul.enable = true;
    services.nomad = {
      enable = true;
+      dropPrivileges = false;
      extraSettingsPaths = [ "/etc/nomad.d" ];
    };

@@ -51,10 +52,10 @@ in
        target = "nomad.d/server.json";
        source = ../../config/nomad.d/server.json;
      };
-    } // lib.optionalAttrs cfg.host-config {
+    } // lib.optionalAttrs (! isNull cfg.host-config) {
      # Host-specific configuration
      nomad-host-cfg = {
-        target = "nomad.d/host.json";
+        target = "nomad.d/host.hcl";
        source = cfg.host-config;
      };
    };
--- a/modules/system/tailscale.nix
+++ b/modules/system/tailscale.nix
@@ -11,7 +11,7 @@ in
    # See https://github.com/tailscale/tailscale/issues/4432
    networking = {
      firewall.checkReversePath = "loose";
-      nameservers = [ "100.80.195.56" ];
+      nameservers = [ "100.99.167.21" ];
      networkmanager.dns = "none";
    };
    services.tailscale.enable = true;