diff --git a/hosts/common/nomad.nix b/hosts/common/nomad.nix
index b619f0c..f431883 100644
--- a/hosts/common/nomad.nix
+++ b/hosts/common/nomad.nix
@@ -9,6 +9,7 @@ in
 enable = true;
 package = pkgs.unstable.nomad;
 # true breaks at least CSI volumes
+ # TODO: consider fixing
 dropPrivileges = false;
 settings = {
@@ -21,11 +22,6 @@ in
 interface = "tailscale0";
 cidr = "100.64.0.0/10";
 };
- host_volume = {
- sites.path = "/data/compute/sites";
- config.path = "/data/compute/config";
- appdata-grafana.path = "/data/compute/appdata/grafana";
- };
 };
 server = {
@@ -44,6 +40,7 @@ in
 plugin.docker.config = {
 allow_privileged = true;
 # for keepalived, though only really needing "NET_ADMIN","NET_BROADCAST","NET_RAW" on top of default
+ # TODO: trim this down
 allow_caps = ["all"];
 volumes.enabled = true;
 };
diff --git a/services/grafana.hcl b/services/grafana.hcl
index a37ad48..6d2a15a 100644
--- a/services/grafana.hcl
+++ b/services/grafana.hcl
@@ -8,17 +8,13 @@ job "grafana" {
 }
 }
- volume "appdata" {
- type = "host"
- source = "appdata-grafana"
- }
-
 task "grafana" {
 driver = "docker"
 config {
 image = "grafana/grafana-enterprise"
 ports = [ "http" ]
+ volumes = [ "/data/compute/appdata/grafana:/var/lib/grafana" ]
 }
 env {
@@ -26,11 +22,6 @@ job "grafana" {
 GF_SERVER_HTTP_PORT = "${NOMAD_PORT_http}"
 }
- volume_mount {
- volume = "appdata"
- destination = "/var/lib/grafana"
- }
-
 service {
 port = "http"
 name = "grafana"
diff --git a/services/pi.paler.net.hcl b/services/pi.paler.net.hcl
index 40e2615..fab95f8 100644
--- a/services/pi.paler.net.hcl
+++ b/services/pi.paler.net.hcl
@@ -26,12 +26,6 @@ job "pi.paler.net" {
 }
 }
- volume "sites" {
- type = "host"
- source = "sites"
- read_only = true
- }
-
 task "http-server" {
 driver = "docker"
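Review bot: The `host_volume` block removed in the second hunk was the one place that declared which host paths jobs may mount, and the replacement bind mounts in services/grafana.hcl, services/pi.paler.net.hcl and services/traefik.hcl rely on `volumes.enabled = true` in the third hunk, which lets any job spec mount any host path rather than the three declared ones. Nothing in the patch records why declared host volumes were abandoned, so a comment beside `volumes.enabled = true` such as `# replaces the former host_volume list: job specs may now bind-mount arbitrary host paths` would preserve the reason and the tradeoff. The `read_only = true` that the sites volume carried is also lost in the move (see the services/pi.paler.net.hcl hunks).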
@@ -42,14 +36,10 @@ job "pi.paler.net" {
 args = [
 "-port=${NOMAD_PORT_http}",
- "-path=/srv/http/pi.paler.net",
 "-enable-health",
 ]
- }
- volume_mount {
- volume = "sites"
- destination = "/srv/http"
+ volumes = [ "/data/compute/sites/pi.paler.net:/srv/http" ]
 }
 }
 }
diff --git a/services/traefik.hcl b/services/traefik.hcl
index dcd6232..be327dd 100644
--- a/services/traefik.hcl
+++ b/services/traefik.hcl
@@ -15,11 +15,6 @@ job "traefik" {
 }
 }
- volume "config" {
- type = "host"
- source = "config"
- }
-
 task "traefik" {
 driver = "docker"
@@ -51,17 +46,13 @@ job "traefik" {
 ]
 }
- volume_mount {
- volume = "config"
- destination = "/config"
- }
-
 config {
 image = "traefik:latest"
 ports = ["http", "https", "admin"]
 network_mode = "host"
 volumes = [
 "local/traefik.yml:/etc/traefik/traefik.yml",
+ "/data/compute/config/traefik:/config",
 ]
 }
@@ -107,7 +98,7 @@ serversTransport:
 providers:
 file:
- directory: /config/traefik/rules
+ directory: /config/rules
 watch: true
 consulcatalog:
@@ -119,7 +110,7 @@ certificatesResolvers:
 letsencrypt:
 acme:
 email: petru@paler.net
- storage: /config/traefik/acme/acme.json
+ storage: /config/acme/acme.json
 tlsChallenge: {}
 global:
@@ -147,7 +138,8 @@ EOH
 KEEPALIVED_VIRTUAL_ROUTES = ""
 }
 config {
- image = "visibilityspots/keepalived"
+ # 2.2.8 wasn't starting, reason unknown
+ image = "visibilityspots/keepalived:2.2.7"
 network_mode = "host"
 privileged = true
 cap_add = ["NET_ADMIN", "NET_BROADCAST", "NET_RAW"]
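Review bot: The new `volumes = [ "/data/compute/sites/pi.paler.net:/srv/http" ]` bind mount is read-write, while the `volume "sites"` block removed in the previous hunk declared `read_only = true`, so the static-site container now gets write access to its own content directory. Appending the Docker mount flag restores that constraint: `volumes = [ "/data/compute/sites/pi.paler.net:/srv/http:ro" ]`. The `-path=/srv/http/pi.paler.net` argument is dropped without a comment; presumably the server's default document root is /srv/http and the narrower mount makes the flag unnecessary, which is worth stating in a line like `# content is mounted at /srv/http, the server's default root`.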
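Review bot: `image = "visibilityspots/keepalived:2.2.7"` pins a mutable tag, so the "2.2.8 wasn't starting" observation the new comment records is not reproducible if the tag is re-pushed; pinning by digest, `image = "visibilityspots/keepalived@sha256:<digest of the working 2.2.7 image>"`, with the tag kept in the comment, fixes that. The comment would also read more precisely as `# 2.2.8 would not start (cause not yet identified); pinned to the last working release`. Separately, `privileged = true` two lines below grants every capability and makes the `cap_add` list beside it redundant; the hosts/common/nomad.nix comment says only NET_ADMIN, NET_BROADCAST and NET_RAW are needed, so dropping `privileged = true` here is what would let the `allow_caps`/`allow_privileged` TODOs on the host side be trimmed.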