From 98ea2a1ca0732e2ef8bddc683bdb45210bf584a0 Mon Sep 17 00:00:00 2001 From: Ian Fijolek Date: Fri, 24 Mar 2023 16:32:37 -0700 Subject: [PATCH] A whole lot of incremental fixes for nomad variables and such Also adds stunnel between redis and clients --- .terraform.lock.hcl | 38 ------------ ansible_playbooks/setup-cluster.yml | 2 +- core/blocky/blocky.nomad | 52 ++++++++++++++++- core/blocky/config.yml | 2 +- core/lldap.nomad | 18 +++--- core/main.tf | 25 ++------ core/metrics/exporters.nomad | 2 +- core/metrics/grafana.nomad | 6 +- .../grafana/provisioning/datasources/loki.yml | 6 +- .../provisioning/datasources/prometheus.yml | 6 +- core/metrics/prometheus.nomad | 9 +-- core/traefik/traefik.nomad | 27 +++++---- databases/mysql.nomad | 4 +- databases/redis.nomad | 55 ++++++++++++++++-- databases/rediscommander.nomad | 56 +++++++++++++++++- nomad_vars.py | 2 +- providers.tf | 43 +------------- service.nomad | 1 + services.tf | 10 ++-- services/backups/backup.nomad | 4 +- services/backups/backups.tf | 4 +- services/external.tf | 58 +++++++++---------- services/ip-dvr.nomad | 6 +- services/main.tf | 5 +- services/media/caddy.nomad | 2 +- services/service/service_template.nomad | 2 +- services/whoami.nomad | 45 +------------- vars.tf | 4 -- 28 files changed, 251 insertions(+), 243 deletions(-) diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl index 9da49e4..7d4f8ef 100644 --- a/.terraform.lock.hcl +++ b/.terraform.lock.hcl 
@@ -1,25 +1,6 @@ # This file is maintained automatically by "terraform init". # Manual edits may be lost in future updates. -provider "registry.terraform.io/hashicorp/consul" { - version = "2.17.0" - hashes = [ - "h1:k+8ptRn/iiCnE7mC0LVA8FvnukzKnlD3KAcquPFbtN8=", - "zh:1cca5e144b4696900d2410e26499a00c9666e5777b657e9844a4b6d198164a09", - "zh:4fe59329ae4a4fc13751cde4a1044427ca591ecefbaa8dde2ce828f660fbddb1", - "zh:55c42cec7dd10ee1f03eca03d5b8e3bcba7bf281bcd250ac220458aba735ba1f", - "zh:625a0481d0b2599d0e6ac609d9efc151f1c9cad53091e2ee3bfcedc34ccacb34", - "zh:7e9a08b19491f26aa685311a9211bacd7b7027d9cf6eaee16949435221a5f688", - "zh:9d92816f609367204c4df20c29c57ee631f5a65cf6bb782d9d9b3f945ba21353", - "zh:a332ef65a6ba829dc335ade1a3e69ae14e162dc6ca1a991d9d6ad4e596f4c2d7", - "zh:ce7ffac8d852342e9fe25053383613934c8b81d8c2ba2c9d10626b71e329fed7", - "zh:d384a1ef35c766362e8ae3131d00c05e1c0904d8b4b1d964548b91e1025f324b", - "zh:d85067f345b663e8e59fb02705918d3618ce56887a472665bec7f1aeddbc9ea4", - "zh:ddff8512e8181efae6d0d259abcd457d9a394a4a6f99d6bb0b180cabee373097", - "zh:f3d3efac504c9484a025beb919d22b290aa6dbff256f6e86c1f8ce7817e077e5", - ] -} - provider "registry.terraform.io/hashicorp/external" { version = "2.3.1" hashes = [ 
@@ -57,22 +38,3 @@ provider "registry.terraform.io/hashicorp/nomad" { "zh:ffd1e096c1cc35de879c740a91918e9f06b627818a3cb4b1d87b829b54a6985f", ] } - -provider "registry.terraform.io/hashicorp/vault" { - version = "3.14.0" - hashes = [ - "h1:/0pqMLODukJUiVpBdxXbb8vwp0HCtbTXWFq0BaNkcZM=", - "zh:07e797c3b14cc45f1a3fa3adb6269f28f182630b9af9403a2a447919d4e9992a", - "zh:0d88c6c50f7975f60c84d446bf95b26652c9457e62f2d5b24221b769d6daf809", - "zh:1670c513f85788308d317e45038234ac367f52f7bd0ea8f527f0a6291dd23659", - "zh:1b5a07fd053a0d7d1da80cb3e929b44c000c614d3738bb7ff82b4d56ed854017", - "zh:34a43de7f3d3749cbc50b81b84fe38961c3dfbda819708a814c2206045ecf69b", - "zh:416f710365d060c8239522363257e162a267c01463ac95ad2c2dd0acf05b6d35", - "zh:73956090e0e9b69adbcfe1bcaad20ec45779f2e7f3f2fb3a5f865402a2cd2485", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:e2df6077e925a8438cfd2deb3bce5f1029a2e3edd2a635b12636d426390600dd", - "zh:e3e2797ae1cfc6aff66329ee81baaf780e1f5f295ad887ac7ff4c1e2754a8c8c", - "zh:f34ec435d16244ecf0f909872850070428aeadd352b6a21ab1f787d81f8bae9f", - "zh:f3a930e64b2c10d2ece5acc856d3438cdd375ccfc5ac10fc4a8fe163f74af93a", - ] -} diff --git a/ansible_playbooks/setup-cluster.yml b/ansible_playbooks/setup-cluster.yml index 609adbb..8a228ec 100644 --- a/ansible_playbooks/setup-cluster.yml +++ b/ansible_playbooks/setup-cluster.yml @@ -189,7 +189,7 @@ interface: lo reserved_ports: "22" - name: wesher - interface: wgoverlay + interface: wesher reserved_ports: "22" # Enable ACLs diff --git a/core/blocky/blocky.nomad b/core/blocky/blocky.nomad index a22aac2..05d1037 100644 --- a/core/blocky/blocky.nomad +++ b/core/blocky/blocky.nomad @@ -24,7 +24,7 @@ job "blocky" { } port "api" { - host_network = "wgoverlay" + host_network = "wesher" to = "4000" } 
@@ -93,6 +93,56 @@ job "blocky" { } } + task "redis-stunnel" { + driver = "docker" + + config { + image = "alpine:3.17" + ports = ["tls"] + args = ["/bin/sh", "${NOMAD_TASK_DIR}/start.sh"] + } + + resources { + cpu = 20 + memory = 100 + } + + template { + data = <> EOH destination = "local/config/traefik.toml" } @@ -181,16 +182,20 @@ CF_ZONE_API_TOKEN={{ .domain_lego_dns }} entryPoints = ["websecure"] service = "nomad" rule = "Host(`nomad.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}`)" + [http.routers.hass] + entryPoints = ["websecure"] + service = "hass" + rule = "Host(`hass.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}`)" [http.services] - {{ with nomadService "nomad-client" -}} [http.services.nomad] [http.services.nomad.loadBalancer] - {{ range . -}} [[http.services.nomad.loadBalancer.servers]] - url = "http://{{ .Address }}:{{ .Port }}" - {{ end }} - {{- end }} + url = "http://127.0.0.1:4646" + [http.services.hass] + [http.services.hass.loadBalancer] + [[http.services.hass.loadBalancer.servers]] + url = "http://192.168.3.65:8123" EOH destination = "local/config/conf/route-hashi.toml" change_mode = "noop" @@ -212,7 +217,7 @@ CF_ZONE_API_TOKEN={{ .domain_lego_dns }} [[tcp.services.syslogngtcp.loadBalancer.servers]] address = "{{ .Address }}:{{ .Port }}" {{ end -}} -{{ end }} +{{- end }} {{ with nomadService "syslogng" -}} [udp.routers] @@ -227,7 +232,7 @@ CF_ZONE_API_TOKEN={{ .domain_lego_dns }} [[udp.services.syslogngudp.loadBalancer.servers]] address = "{{ .Address }}:{{ .Port }}" {{ end -}} -{{ end }} +{{- end }} EOH destination = "local/config/conf/route-syslog-ng.toml" change_mode = "noop" @@ -241,8 +246,8 @@ CF_ZONE_API_TOKEN={{ .domain_lego_dns }} [http.middlewares.basic-auth.basicAuth] # TODO: Reference secrets mount usersFile = "/etc/traefik/usersfile" -{{ end }} -{{ end }} +{{- end }} +{{- end }} EOH destination = "local/config/conf/middlewares.toml" change_mode = "noop" 
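Review bot: The new `[http.services.hass]` backend in route-hashi.toml is a hard-coded `http://192.168.3.65:8123` inside a template that already reads `nomadVar "nomad/jobs"` for `base_hostname`, and the same address is duplicated in the now-commented services/external.tf later in this patch, so one source would be better, e.g. `url = "http://{{ with nomadVar "nomad/jobs" }}{{ .hass_address }}{{ end }}"` (variable name constructed here). Replacing the `nomadService "nomad-client"` discovery with `http://127.0.0.1:4646` only works if the traefik task shares the host network namespace and every node it can be placed on runs a Nomad agent with its HTTP listener on loopback; that appears to be the assumption but is not visible in the hunk. Neither the nomad nor the hass router carries a `middlewares` entry in this hunk, so both are reachable on websecure with only the backend's own access control (Nomad ACLs, Home Assistant login) in front of them; if that is intended a short comment saying so would help, otherwise `middlewares = ["basic-auth@file"]`, the middleware middlewares.toml defines, is available. The template block starts outside the hunk.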
@@ -250,9 +255,9 @@ CF_ZONE_API_TOKEN={{ .domain_lego_dns }} template { data = < dict: def write_var(path: str, items: dict[str, str | float | int]) -> dict: - return nomad_req("GET", f"var/{path}", + return nomad_req("PUT", f"var/{path}", json={ "Path": path, "Items": {k: str(v) for k, v in items.items()}, diff --git a/providers.tf b/providers.tf index 6e5ef19..f1dce85 100644 --- a/providers.tf +++ b/providers.tf @@ -1,46 +1,7 @@ -# Configure Consul provider -provider "consul" { - address = var.consul_address -} - -# Get Nomad client from Consul -data "consul_service" "nomad" { - name = "nomad-client" -} - -# Get Vault client from Consul -data "consul_service" "vault" { - name = "vault" - tag = "active" -} - -locals { - # Get Nomad address from Consul - nomad_node = data.consul_service.nomad.service[0] - nomad_node_address = "http://${local.nomad_node.node_address}:${local.nomad_node.port}" - - # Get Vault address from Consul - vault_node = data.consul_service.vault.service[0] - vault_node_address = "http://${local.vault_node.node_address}:${local.vault_node.port}" -} - -# Configure the Vault provider -provider "vault" { - address = length(var.vault_address) == 0 ? local.vault_node_address : var.vault_address - token = var.vault_token -} - -# Something that should exist in a post bootstrap module, right now module includes bootstrapping -# which requries Admin -# data "vault_nomad_access_token" "deploy" { -# backend = "nomad" -# role = "deploy" -# } # Configure the Nomad provider provider "nomad" { - address = length(var.nomad_address) == 0 ? local.nomad_node_address : var.nomad_address + address = var.nomad_address secret_id = var.nomad_secret_id - # secret_id = length(var.nomad_secret_id) == 0 ? data.vault_nomad_access_token.admin.secret_id : var.nomad_secret_id - region = "global" + region = "global" } diff --git a/service.nomad b/service.nomad index 54a1fd7..fe2253f 100644 --- a/service.nomad +++ b/service.nomad 
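Review bot: In providers.tf, `address = var.nomad_address` drops the Consul-derived fallback that previously covered an empty variable, so an unset or empty `nomad_address` now fails at provider configuration instead of being resolved; the `nomad_address` variable in vars.tf (its hunk is cut off at the end of this patch) should carry a non-empty `default` or a `validation` block that rejects `""`. With the Vault provider and the commented `vault_nomad_access_token` path removed, `var.nomad_secret_id` is the only credential the provider uses; it should be declared `sensitive = true` if it is not already, and since it is now a static token rather than a Vault-issued one, a comment on the `secret_id` line saying where it is rotated would help. The re-indent of `region = "global"` is fine.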
@@ -51,6 +51,7 @@ job "[[.name]]" { mode = "bridge" [[ if not (empty .service_port) -]] port "main" { + host_network = "wesher" to = [[ .service_port ]] } [[ end -]] diff --git a/services.tf b/services.tf index 25ebceb..1f9cac3 100644 --- a/services.tf +++ b/services.tf @@ -1,5 +1,5 @@ -# module "services" { -# source = "./services" -# -# depends_on = [module.databases, module.core] -# } +module "services" { + source = "./services" + + depends_on = [module.databases, module.core] +} diff --git a/services/backups/backup.nomad b/services/backups/backup.nomad index 25af9aa..cf132e0 100644 --- a/services/backups/backup.nomad +++ b/services/backups/backup.nomad @@ -49,7 +49,7 @@ job "backup%{ if batch_node != null }-oneoff-${batch_node}%{ endif }" { } service { - name = "backups" + name = "backup" provider = "nomad" port = "metrics" @@ -97,7 +97,7 @@ MYSQL_PORT={{ .Port }} MYSQL_USER=root MYSQL_PASSWORD={{ .mysql_root_password }} {{ end -}} -{{ with nomadVar "nomad/jobs/backups" -}} +{{ with nomadVar "nomad/jobs/backup" -}} BACKUP_PASSPHRASE={{ .backup_passphrase }} RCLONE_FTP_HOST={{ .nas_ftp_host }} RCLONE_FTP_USER={{ .nas_ftp_user }} diff --git a/services/backups/backups.tf b/services/backups/backups.tf index e26a628..a4a5ed7 100644 --- a/services/backups/backups.tf +++ b/services/backups/backups.tf @@ -1,4 +1,4 @@ -resource "nomad_job" "backups" { +resource "nomad_job" "backup" { jobspec = templatefile("${path.module}/backup.nomad", { module_path = path.module, batch_node = null, @@ -10,7 +10,7 @@ resource "nomad_job" "backups" { # name = "nomad-client" # } -resource "nomad_job" "backups-oneoff" { +resource "nomad_job" "backup-oneoff" { # TODO: Get list of nomad hosts dynamically for_each = toset(["n1", "n2"]) # for_each = toset([ diff --git a/services/external.tf b/services/external.tf index 8f31bf6..171939f 100644 --- a/services/external.tf +++ b/services/external.tf 
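Review bot: In service.nomad the added `host_network = "wesher"` applies to every `port "main"` whenever `.service_port` is set, whereas the parallel template at services/service/service_template.nomad later in this patch only sets it inside `%{ if ingress }`; the two templates now disagree on whether a service port is bound to the overlay interface unconditionally. If the intent is that every service port lives on the wesher network, a one-line comment above the port block stating that, e.g. `# bind on the wesher overlay only; nothing here listens on the LAN interface`, would document it, otherwise the condition should be mirrored. The enclosing group/network block starts outside the hunk.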
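Review bot: Renaming the variable path to `nomad/jobs/backup` in backup.nomad ties the template to the job's implicit workload-identity read on `nomad/jobs/<job id>`, but the job id here is `backup%{ if batch_node != null }-oneoff-${batch_node}%{ endif }`, so the one-off jobs (`backup-oneoff-n1`, `backup-oneoff-n2` from backups.tf) are not named `backup`; unless an explicit ACL policy grants them that path, the `{{ with nomadVar "nomad/jobs/backup" -}}` block renders empty and `BACKUP_PASSPHRASE` plus the rclone credentials are silently absent from the env file. Worth confirming against the ACL policies in the repo, and a comment at the `with`, e.g. `# one-off jobs read nomad/jobs/backup via the <policy name placeholder> policy`, would make the dependency visible. The existing variable at `nomad/jobs/backups` also needs to be migrated to the new path. The template block starts and ends outside the hunk.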
@@ -1,29 +1,29 @@ -resource "consul_service" "homeassistant" { - name = "hass" - node = consul_node.homeassistant.name - port = 8123 - tags = [ - "traefik.enable=true", - "traefik.consulcatalog.connect=false", - "traefik.http.routers.hass.entryPoints=websecure", - ] - - check { - check_id = "homeassistant:hass" - status = "passing" - name = "Home Assistant Health Check" - http = "192.168.3.65:8123" - interval = "30s" - timeout = "10s" - } -} - -resource "consul_node" "homeassistant" { - name = "homeassistant" - address = "192.168.3.65" - - meta = { - "external-node" = "true" - "external-probe" = "true" - } -} +# resource "consul_service" "homeassistant" { +# name = "hass" +# node = consul_node.homeassistant.name +# port = 8123 +# tags = [ +# "traefik.enable=true", +# "traefik.consulcatalog.connect=false", +# "traefik.http.routers.hass.entryPoints=websecure", +# ] +# +# check { +# check_id = "homeassistant:hass" +# status = "passing" +# name = "Home Assistant Health Check" +# http = "192.168.3.65:8123" +# interval = "30s" +# timeout = "10s" +# } +# } +# +# resource "consul_node" "homeassistant" { +# name = "homeassistant" +# address = "192.168.3.65" +# +# meta = { +# "external-node" = "true" +# "external-probe" = "true" +# } +# } diff --git a/services/ip-dvr.nomad b/services/ip-dvr.nomad index adadacb..8b8cf7c 100644 --- a/services/ip-dvr.nomad +++ b/services/ip-dvr.nomad @@ -9,7 +9,7 @@ job "ipdvr" { mode = "bridge" port "main" { - host_network = "wgoverlay" + host_network = "wesher" to = 8080 } } @@ -75,7 +75,7 @@ job "ipdvr" { network { mode = "bridge" port "main" { - host_network = "wgoverlay" + host_network = "wesher" to = 6789 } } @@ -142,7 +142,7 @@ job "ipdvr" { network { mode = "bridge" port "main" { - host_network = "wgoverlay" + host_network = "wesher" to = 8989 } } diff --git a/services/main.tf b/services/main.tf index d0570f6..40c86bf 100644 --- a/services/main.tf +++ b/services/main.tf 
@@ -172,8 +172,9 @@ module "photoprism_module" { PHOTOPRISM_DATABASE_USER={{ .db_user }} PHOTOPRISM_DATABASE_PASSWORD={{ .db_pass }} {{ range nomadService 1 (env "NOMAD_ALLOC_ID") "mysql-server" -}} - PHOTOPRISM_DATABASE_SERVER="{{ .Address" }}:{{ .Port }}" - {{ end -}} + PHOTOPRISM_DATABASE_SERVER="{{ .Address }}:{{ .Port }}" + {{- end }} + {{- end }} EOF dest_prefix = "$${NOMAD_SECRETS_DIR}/" dest = "env" diff --git a/services/media/caddy.nomad b/services/media/caddy.nomad index 9991ad6..bbcca6b 100644 --- a/services/media/caddy.nomad +++ b/services/media/caddy.nomad @@ -8,7 +8,7 @@ job "multimedia" { network { mode = "bridge" port "web" { - host_network = "wgoverlay" + host_network = "wesher" to = 80 } } diff --git a/services/service/service_template.nomad b/services/service/service_template.nomad index 3d70982..a69a6bf 100644 --- a/services/service/service_template.nomad +++ b/services/service/service_template.nomad @@ -10,7 +10,7 @@ job "${name}" { %{ if service_port != null ~} port "main" { %{ if ingress } - host_network = "wgoverlay" + host_network = "wesher" %{~ endif } to = ${service_port} } diff --git a/services/whoami.nomad b/services/whoami.nomad index e0648ad..0ff680e 100644 --- a/services/whoami.nomad +++ b/services/whoami.nomad 
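Review bot: The corrected `PHOTOPRISM_DATABASE_SERVER` line in services/main.tf still renders nothing when `nomadService 1 (env "NOMAD_ALLOC_ID") "mysql-server"` has no healthy instance, so photoprism would start with the database user and password set but no server and the failure only surfaces from the application; an `{{ else }}` branch on the range that writes a clearly invalid value (a constructed placeholder such as `PHOTOPRISM_DATABASE_SERVER=unresolved-mysql-server`) makes the misconfiguration obvious in the task log. The second `{{- end }}` closes a block that opens before this hunk, so its pairing cannot be checked from here.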
@@ -9,56 +9,13 @@ job "whoami" { type = "service" - group "whoami-nomad" { - count = var.count - - network { - mode = "bridge" - port "web" { - host_network = "wesher" - to = 80 - } - } - - service { - name = "whoami-nomad" - provider = "nomad" - port = "web" - - tags = [ - "traefik.enable=true", - "traefik.http.routers.whoami-nomad.entryPoints=websecure", - "traefik.http.routers.whoami-nomad.middlewares=basic-auth@file", - ] - } - - task "whoami" { - driver = "docker" - - meta = { - "diun.enable" = false - } - - config { - image = "containous/whoami:latest" - ports = ["web"] - args = ["--port", "${NOMAD_PORT_web}"] - } - - resources { - cpu = 50 - memory = 20 - } - } - } - group "whoami" { count = var.count network { mode = "bridge" port "web" { - host_network = "wgoverlay" + host_network = "wesher" to = 80 } } diff --git a/vars.tf b/vars.tf index 5b8bf7f..3ca5a12 100644 --- a/vars.tf +++ b/vars.tf @@ -1,7 +1,3 @@ -variable "consul_address" { - type = string - default = "http://n1.thefij:8500" -} variable "nomad_address" { type = string