Switch remaining services from nomad host volumes to docker volumes.

hosts/common/nomad.nix

@@ -9,6 +9,7 @@ in
     enable = true;
     package = pkgs.unstable.nomad;
     # true breaks at least CSI volumes
+    # TODO: consider fixing
     dropPrivileges = false;
 
     settings = {
@@ -21,11 +22,6 @@ in
           interface = "tailscale0";
           cidr = "100.64.0.0/10";
         };
-        host_volume = {
-          sites.path = "/data/compute/sites";
-          config.path = "/data/compute/config";
-          appdata-grafana.path = "/data/compute/appdata/grafana";
-        };
       };
 
       server = {
@@ -44,6 +40,7 @@ in
     plugin.docker.config = {
       allow_privileged = true;
       # for keepalived, though only really needing "NET_ADMIN","NET_BROADCAST","NET_RAW" on top of default
+      # TODO: trim this down
       allow_caps = ["all"];
       volumes.enabled = true;
     };

services/grafana.hcl

@@ -8,17 +8,13 @@ job "grafana" {
       }
     }
 
-    volume "appdata" {
-      type = "host"
-      source = "appdata-grafana"
-    }
-
     task "grafana" {
       driver = "docker"
 
       config {
         image = "grafana/grafana-enterprise"
         ports = [ "http" ]
+        volumes = [ "/data/compute/appdata/grafana:/var/lib/grafana" ]
       }
 
       env {
@@ -26,11 +22,6 @@ job "grafana" {
         GF_SERVER_HTTP_PORT = "${NOMAD_PORT_http}"
       }
 
-      volume_mount {
-        volume = "appdata"
-        destination = "/var/lib/grafana"
-      }
-
       service {
         port = "http"
 	name = "grafana"

services/pi.paler.net.hcl

@@ -26,12 +26,6 @@ job "pi.paler.net" {
       } 
     }
 
-    volume "sites" {
-      type = "host"
-      source = "sites"
-      read_only = true
-    }
-
     task "http-server" {
       driver = "docker"
 
@@ -42,14 +36,10 @@ job "pi.paler.net" {
 
         args = [
           "-port=${NOMAD_PORT_http}",
-          "-path=/srv/http/pi.paler.net",
           "-enable-health",
         ]
-      }
 
-      volume_mount {
+        volumes = [ "/data/compute/sites/pi.paler.net:/srv/http" ]
-        volume = "sites"
-        destination = "/srv/http"
       }
     }
   }

services/traefik.hcl

@@ -15,11 +15,6 @@ job "traefik" {
       }
     }
 
-    volume "config" {
-      type = "host"
-      source = "config"
-    }
-
     task "traefik" {
       driver = "docker"
 
@@ -51,17 +46,13 @@ job "traefik" {
         ]
       }
 
-      volume_mount {
-        volume = "config"
-        destination = "/config"
-      }
-
       config {
         image = "traefik:latest"
         ports = ["http", "https", "admin"]
         network_mode = "host"
         volumes = [
           "local/traefik.yml:/etc/traefik/traefik.yml",
+          "/data/compute/config/traefik:/config",
         ]
       }
 
@@ -107,7 +98,7 @@ serversTransport:
 
 providers:
   file:
-    directory: /config/traefik/rules
+    directory: /config/rules
     watch: true
 
   consulcatalog:
@@ -119,7 +110,7 @@ certificatesResolvers:
   letsencrypt:
     acme:
       email: petru@paler.net
-      storage: /config/traefik/acme/acme.json
+      storage: /config/acme/acme.json
       tlsChallenge: {}
 
 global:
@@ -147,7 +138,8 @@ EOH
         KEEPALIVED_VIRTUAL_ROUTES = ""
       }
       config {
-        image        = "visibilityspots/keepalived"
+        # 2.2.8 wasn't starting, reason unknown
+        image        = "visibilityspots/keepalived:2.2.7"
         network_mode = "host"
         privileged   = true
         cap_add      = ["NET_ADMIN", "NET_BROADCAST", "NET_RAW"]