A whole lot of incremental fixes for nomad variables and such

Also adds stunnel between redis and clients
2023-03-24 16:32:37 -07:00 · 2023-03-24 16:32:37 -07:00 · 98ea2a1ca0
commit 98ea2a1ca0
parent 9204f3c7f0
28 changed files with 251 additions and 243 deletions
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
@ -1,25 +1,6 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.

-provider "registry.terraform.io/hashicorp/consul" {
-  version = "2.17.0"
-  hashes = [
-    "h1:k+8ptRn/iiCnE7mC0LVA8FvnukzKnlD3KAcquPFbtN8=",
-    "zh:1cca5e144b4696900d2410e26499a00c9666e5777b657e9844a4b6d198164a09",
-    "zh:4fe59329ae4a4fc13751cde4a1044427ca591ecefbaa8dde2ce828f660fbddb1",
-    "zh:55c42cec7dd10ee1f03eca03d5b8e3bcba7bf281bcd250ac220458aba735ba1f",
-    "zh:625a0481d0b2599d0e6ac609d9efc151f1c9cad53091e2ee3bfcedc34ccacb34",
-    "zh:7e9a08b19491f26aa685311a9211bacd7b7027d9cf6eaee16949435221a5f688",
-    "zh:9d92816f609367204c4df20c29c57ee631f5a65cf6bb782d9d9b3f945ba21353",
-    "zh:a332ef65a6ba829dc335ade1a3e69ae14e162dc6ca1a991d9d6ad4e596f4c2d7",
-    "zh:ce7ffac8d852342e9fe25053383613934c8b81d8c2ba2c9d10626b71e329fed7",
-    "zh:d384a1ef35c766362e8ae3131d00c05e1c0904d8b4b1d964548b91e1025f324b",
-    "zh:d85067f345b663e8e59fb02705918d3618ce56887a472665bec7f1aeddbc9ea4",
-    "zh:ddff8512e8181efae6d0d259abcd457d9a394a4a6f99d6bb0b180cabee373097",
-    "zh:f3d3efac504c9484a025beb919d22b290aa6dbff256f6e86c1f8ce7817e077e5",
-  ]
-}
-
 provider "registry.terraform.io/hashicorp/external" {
  version = "2.3.1"
  hashes = [
@ -57,22 +38,3 @@ provider "registry.terraform.io/hashicorp/nomad" {
    "zh:ffd1e096c1cc35de879c740a91918e9f06b627818a3cb4b1d87b829b54a6985f",
  ]
 }
-
-provider "registry.terraform.io/hashicorp/vault" {
-  version = "3.14.0"
-  hashes = [
-    "h1:/0pqMLODukJUiVpBdxXbb8vwp0HCtbTXWFq0BaNkcZM=",
-    "zh:07e797c3b14cc45f1a3fa3adb6269f28f182630b9af9403a2a447919d4e9992a",
-    "zh:0d88c6c50f7975f60c84d446bf95b26652c9457e62f2d5b24221b769d6daf809",
-    "zh:1670c513f85788308d317e45038234ac367f52f7bd0ea8f527f0a6291dd23659",
-    "zh:1b5a07fd053a0d7d1da80cb3e929b44c000c614d3738bb7ff82b4d56ed854017",
-    "zh:34a43de7f3d3749cbc50b81b84fe38961c3dfbda819708a814c2206045ecf69b",
-    "zh:416f710365d060c8239522363257e162a267c01463ac95ad2c2dd0acf05b6d35",
-    "zh:73956090e0e9b69adbcfe1bcaad20ec45779f2e7f3f2fb3a5f865402a2cd2485",
-    "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
-    "zh:e2df6077e925a8438cfd2deb3bce5f1029a2e3edd2a635b12636d426390600dd",
-    "zh:e3e2797ae1cfc6aff66329ee81baaf780e1f5f295ad887ac7ff4c1e2754a8c8c",
-    "zh:f34ec435d16244ecf0f909872850070428aeadd352b6a21ab1f787d81f8bae9f",
-    "zh:f3a930e64b2c10d2ece5acc856d3438cdd375ccfc5ac10fc4a8fe163f74af93a",
-  ]
-}
--- a/ansible_playbooks/setup-cluster.yml
+++ b/ansible_playbooks/setup-cluster.yml
@ -189,7 +189,7 @@
            interface: lo
            reserved_ports: "22"
          - name: wesher
-            interface: wgoverlay
+            interface: wesher
            reserved_ports: "22"

        # Enable ACLs
--- a/core/blocky/blocky.nomad
+++ b/core/blocky/blocky.nomad
@ -24,7 +24,7 @@ job "blocky" {
      }

      port "api" {
-        host_network = "wgoverlay"
+        host_network = "wesher"
        to = "4000"
      }

@ -93,6 +93,56 @@ job "blocky" {
      }
    }

+    task "redis-stunnel" {
+      driver = "docker"
+
+      config {
+        image = "alpine:3.17"
+        ports = ["tls"]
+        args = ["/bin/sh", "${NOMAD_TASK_DIR}/start.sh"]
+      }
+
+      resources {
+        cpu = 20
+        memory = 100
+      }
+
+      template {
+        data = <<EOF
+set -e
+apk add stunnel
+exec stunnel {{ env "NOMAD_TASK_DIR" }}/stunnel.conf
+        EOF
+        destination = "${NOMAD_TASK_DIR}/start.sh"
+      }
+
+      template {
+        data = <<EOF
+syslog = no
+foreground = yes
+delay = yes
+
+[redis_client]
+client = yes
+accept = 127.0.0.1:6379
+{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "redis-tls" -}}
+connect = {{ .Address }}:{{ .Port }}
+{{- end }}
+PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/stunnel_psk.txt
+        EOF
+        destination = "${NOMAD_TASK_DIR}/stunnel.conf"
+      }
+
+      template {
+        data = <<EOF
+{{ with nomadVar "nomad/jobs/blocky" -}}
+{{ .redis_stunnel_psk }}
+{{- end }}
+        EOF
+        destination = "${NOMAD_SECRETS_DIR}/stunnel_psk.txt"
+      }
+    }
+
    task "blocky-bootstrap" {
      driver = "docker"

--- a/core/blocky/config.yml
+++ b/core/blocky/config.yml
@ -94,7 +94,7 @@ prometheus:

 {{ range nomadService 1 (env "NOMAD_ALLOC_ID") "redis" -}}
 redis:
-    address: {{ .Address }}:{{ .Port }}
+    address: 127.0.0.1:6379
    # password: ""
    # database: 0
    connectionAttempts: 10
--- a/core/lldap.nomad
+++ b/core/lldap.nomad
@ -8,10 +8,12 @@ job "lldap" {
      mode = "bridge"

      port "web" {
+        host_network = "wesher"
        to = 17170
      }

      port "ldap" {
+        host_network = "wesher"
        to = 3890
      }
    }
@ -51,13 +53,7 @@ job "lldap" {
      config {
        image = "nitnelave/lldap:v0.4"
        ports = ["ldap", "web"]
-        args = ["run", "--config-file", "/lldap_config.toml"]
-
-        mount {
-          type = "bind"
-          source = "secrets/lldap_config.toml"
-          target = "/lldap_config.toml"
-        }
+        args = ["run", "--config-file", "${NOMAD_SECRETS_DIR}/lldap_config.toml"]
      }

      env = {
@ -70,18 +66,18 @@ job "lldap" {
 database_url = "sqlite:///data/users.db?mode=rwc"
 key_file = "/data/private_key"
 ldap_base_dn = "{{ with nomadVar "nomad/jobs" }}{{ .base_dn }}{{ end }}"
-{{ with nomadVar "nomad/jobs/lldap" }}
+{{ with nomadVar "nomad/jobs/lldap" -}}
 jwt_secret = "{{ .jwt_secret }}"
 ldap_user_dn = "{{ .admin_user }}"
 ldap_user_email = "{{ .admin_email }}"
 ldap_user_pass = "{{ .admin_password }}"
-{{ end -}}
+{{- end }}
 {{ with nomadVar "nomad/jobs" -}}
 [smtp_options]
 enable_password_reset = true
 server = "{{ .smtp_server }}"
 port = {{ .smtp_port }}
-tls_required = {{ .smtp_tls }}
+tls_required = {{ .smtp_tls.Value | toLower }}
 user = "{{ .smtp_user }}"
 password = "{{ .smtp_password }}"
 {{ end -}}
@ -90,7 +86,7 @@ from = "{{ .smtp_from }}"
 reply_to = "{{ .smtp_reply_to }}"
 {{ end -}}
        EOH
-        destination = "secrets/lldap_config.toml"
+        destination = "${NOMAD_SECRETS_DIR}/lldap_config.toml"
        change_mode = "restart"
      }

--- a/core/main.tf
+++ b/core/main.tf
@ -12,28 +12,11 @@ module "traefik" {
  base_hostname = var.base_hostname
 }

-module "nomad_login" {
-  source  = "IamTheFij/levant/nomad"
-  version = "0.1.0"
-
-  template_path = "service.nomad"
-  variables = {
-    name         = "nomad-login"
-    image        = "iamthefij/nomad-vault-login"
-    service_port = 5000
-    ingress      = true
-    ingress_rule = "Host(`nomad.thefij.rocks`) && PathPrefix(`/login`)"
-    env = jsonencode({
-      VAULT_ADDR = "http://$${attr.unique.network.ip-address}:8200",
-    })
+module "metrics" {
+  source = "./metrics"
+  # Not in this module
+  # depends_on = [module.databases]
 }
-}
-
-# module "metrics" {
-#   source = "./metrics"
-#   # Not in this module
-#   # depends_on = [module.databases]
-# }

 module "loki" {
  source  = "IamTheFij/levant/nomad"
--- a/core/metrics/exporters.nomad
+++ b/core/metrics/exporters.nomad
@ -24,7 +24,7 @@ job "metrics" {

      tags = [
        "prometheus.scrape",
-      }
+      ]
    }

    task "promtail" {
--- a/core/metrics/grafana.nomad
+++ b/core/metrics/grafana.nomad
@ -8,7 +8,7 @@ job "grafana" {
      mode = "bridge"

      port "web" {
-        host_network = "wgoverlay"
+        host_network = "wesher"
        to = 3000
      }

@ -123,8 +123,8 @@ GF_SMTP_USER={{ .smtp_user }}
 GF_SMTP_PASSWORD={{ .smtp_password }}
 GF_EXTERNAL_IMAGE_STORAGE_S3_ACCESS_KEY={{ .minio_access_key }}
 GF_EXTERNAL_IMAGE_STORAGE_S3_SECRET_KEY={{ .minio_secret_key }}
-GRAFANA_ALERT_EMAIL_ADDRESSES={{ .Data.data.alert_email_addresses }}
-{{ if .Data.data.db_name -}}
+GRAFANA_ALERT_EMAIL_ADDRESSES={{ .alert_email_addresses }}
+{{ if .db_name -}}
 # Database storage
 GF_DATABASE_TYPE=mysql
 {{ range nomadService 1 (env "NOMAD_ALLOC_ID") "mysql-server" -}}
--- a/core/metrics/grafana/provisioning/datasources/loki.yml
+++ b/core/metrics/grafana/provisioning/datasources/loki.yml
@ -2,11 +2,11 @@
 apiVersion: 1

 datasources:
-{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "loki" -}}
+{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "loki" }}
  - name: Loki
-    url: http://{{ .Address }}:{{ .Port }}
+    url: "http://{{ .Address }}:{{ .Port }}"
    type: loki
    access: proxy
    isDefault: false
    version: 1
-{{- end }}
+{{ end }}
--- a/core/metrics/grafana/provisioning/datasources/prometheus.yml
+++ b/core/metrics/grafana/provisioning/datasources/prometheus.yml
@ -2,11 +2,11 @@
 apiVersion: 1

 datasources:
-{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "prometheus" -}}
+{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "prometheus" }}
  - name: Prometheus
-    url: http://{{ .Address }}:{{ .Port }}
+    url: "http://{{ .Address }}:{{ .Port }}"
    type: prometheus
    access: proxy
    isDefault: true
    version: 1
-{{- end }}
+{{ end }}
--- a/core/metrics/prometheus.nomad
+++ b/core/metrics/prometheus.nomad
@ -8,7 +8,7 @@ job "prometheus" {
      mode = "bridge"

      port "web" {
-        host_network = "wgoverlay"
+        host_network = "wesher"
        to = 9090
      }
    }
@ -34,7 +34,7 @@ job "prometheus" {
      driver = "docker"

      config {
-        image = "prom/prometheus:v2.30.2"
+        image = "prom/prometheus:v2.43.0"
        ports = ["web"]
        args = [
          "--config.file=/etc/prometheus/config/prometheus.yml",
@ -91,12 +91,13 @@ scrape_configs:
  - job_name: "nomad_services"
    metrics_path: "/metrics"
    nomad_sd_configs:
-      - server: "http://{{env "attr.unique.network.ip-address"}}:8500"
+      - server: "http://{{env "attr.unique.network.ip-address"}}:4646"
    relabel_configs:
      - source_labels: [__meta_nomad_tags]
        regex: .*(prometheus.scrape).*
        action: keep
-      - source_labels: [__meta_nomad_address]
+      - source_labels: [__meta_nomad_service_address,__meta_nomad_service_port]
+        separator: ":"
        target_label: __address__
      - source_labels: [__meta_nomad_service]
        target_label: nomad_service
--- a/core/traefik/traefik.nomad
+++ b/core/traefik/traefik.nomad
@ -158,6 +158,7 @@ job "traefik" {
    provider = "cloudflare"
    resolvers = ["1.1.1.1:53", "8.8.8.8:53"]
    delayBeforeCheck = 0
+<<- end >>
        EOH
        destination = "local/config/traefik.toml"
      }
@ -181,16 +182,20 @@ CF_ZONE_API_TOKEN={{ .domain_lego_dns }}
      entryPoints = ["websecure"]
      service = "nomad"
      rule = "Host(`nomad.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}`)"
+    [http.routers.hass]
+      entryPoints = ["websecure"]
+      service = "hass"
+      rule = "Host(`hass.{{ with nomadVar "nomad/jobs" }}{{ .base_hostname }}{{ end }}`)"

  [http.services]
-    {{ with nomadService "nomad-client" -}}
    [http.services.nomad]
      [http.services.nomad.loadBalancer]
-        {{ range . -}}
        [[http.services.nomad.loadBalancer.servers]]
-          url = "http://{{ .Address }}:{{ .Port }}"
-        {{ end }}
-    {{- end }}
+          url = "http://127.0.0.1:4646"
+    [http.services.hass]
+      [http.services.hass.loadBalancer]
+        [[http.services.hass.loadBalancer.servers]]
+          url = "http://192.168.3.65:8123"
        EOH
        destination = "local/config/conf/route-hashi.toml"
        change_mode = "noop"
@ -212,7 +217,7 @@ CF_ZONE_API_TOKEN={{ .domain_lego_dns }}
      [[tcp.services.syslogngtcp.loadBalancer.servers]]
        address = "{{ .Address }}:{{ .Port }}"
      {{ end -}}
-{{ end }}
+{{- end }}

 {{ with nomadService "syslogng" -}}
 [udp.routers]
@ -227,7 +232,7 @@ CF_ZONE_API_TOKEN={{ .domain_lego_dns }}
      [[udp.services.syslogngudp.loadBalancer.servers]]
        address = "{{ .Address }}:{{ .Port }}"
      {{ end -}}
-{{ end }}
+{{- end }}
        EOH
        destination = "local/config/conf/route-syslog-ng.toml"
        change_mode = "noop"
@ -241,8 +246,8 @@ CF_ZONE_API_TOKEN={{ .domain_lego_dns }}
  [http.middlewares.basic-auth.basicAuth]
  # TODO: Reference secrets mount
    usersFile = "/etc/traefik/usersfile"
-{{ end }}
-{{ end }}
+{{- end }}
+{{- end }}
        EOH
        destination = "local/config/conf/middlewares.toml"
        change_mode = "noop"
@ -250,9 +255,9 @@ CF_ZONE_API_TOKEN={{ .domain_lego_dns }}

      template {
        data = <<EOH
-{{ with nomadVar "nomad/jobs/traefik" }}
+{{ with nomadVar "nomad/jobs/traefik" -}}
 {{ .usersfile }}
-{{ end }}
+{{- end }}
        EOH
        destination = "secrets/usersfile"
        change_mode = "noop"
--- a/databases/mysql.nomad
+++ b/databases/mysql.nomad
@ -18,9 +18,7 @@ job "mysql-server" {

      port "db" {
        to = 3306
-      }
-      port "envoy_metrics" {
-        to = 9123
+        host_network = "wesher"
      }
    }

--- a/databases/redis.nomad
+++ b/databases/redis.nomad
@ -15,15 +15,15 @@ job "redis" {
    network {
      mode = "bridge"

-      port "main" {
-        to = 6379
+      port "tls" {
+        host_network = "wesher"
      }
    }

    service {
-      name = "redis"
+      name = "redis-tls"
      provider = "nomad"
-      port = "main"
+      port = "tls"
    }

    task "redis" {
@ -41,5 +41,52 @@ job "redis" {
        memory_max = 512
      }
    }
+
+    task "stunnel" {
+      driver = "docker"
+
+      config {
+        image = "alpine:3.17"
+        ports = ["tls"]
+        args = ["/bin/sh", "${NOMAD_TASK_DIR}/start.sh"]
+      }
+
+      resources {
+        cpu = 100
+        memory = 100
+      }
+
+      template {
+        data = <<EOF
+set -e
+apk add stunnel
+exec stunnel ${NOMAD_TASK_DIR}/stunnel.conf
+        EOF
+        destination = "${NOMAD_TASK_DIR}/start.sh"
+      }
+
+      template {
+        data = <<EOF
+syslog = no
+foreground = yes
+delay = yes
+
+[redis_server]
+
+accept = {{ env "NOMAD_PORT_tls" }}
+connect = 127.0.0.1:6379
+ciphers = PSK
+PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/stunnel_psk.txt
+        EOF
+        destination = "${NOMAD_TASK_DIR}/stunnel.conf"
+      }
+
+      template {
+        data = <<EOF
+test1:oaP4EishaeSaishei6rio6xeeph3az
+        EOF
+        destination = "${NOMAD_SECRETS_DIR}/stunnel_psk.txt"
+      }
+    }
  }
 }
--- a/databases/rediscommander.nomad
+++ b/databases/rediscommander.nomad
@ -9,12 +9,14 @@ job "rediscommander" {
      mode = "bridge"

      port "main" {
+        host_network = "wesher"
        to = 8081
      }
    }

    service {
      name = "rediscommander"
+      provider = "nomad"
      port = "main"

      tags = [
@ -33,9 +35,7 @@ job "rediscommander" {

      template {
        data = <<EOH
-        {{ range nomadService 1 (env "NOMAD_ALLOC_ID") "redis" -}}
-        REDIS_HOSTS=local:{{ .Address }}:{{ .Port }}
-        {{- end }}
+        REDIS_HOSTS=stunnel:127.0.0.1:6379
        EOH
        env = true
        destination = "env"
@ -46,5 +46,55 @@ job "rediscommander" {
        memory = 50
      }
    }
+
+    task "redis-stunnel" {
+      driver = "docker"
+
+      config {
+        image = "alpine:3.17"
+        ports = ["tls"]
+        args = ["/bin/sh", "${NOMAD_TASK_DIR}/start.sh"]
+      }
+
+      resources {
+        cpu = 100
+        memory = 100
+      }
+
+      template {
+        data = <<EOF
+set -e
+apk add stunnel
+exec stunnel {{ env "NOMAD_TASK_DIR" }}/stunnel.conf
+        EOF
+        destination = "${NOMAD_TASK_DIR}/start.sh"
+      }
+
+      template {
+        data = <<EOF
+syslog = no
+foreground = yes
+delay = yes
+
+[redis_client]
+client = yes
+accept = 127.0.0.1:6379
+{{ range nomadService 1 (env "NOMAD_ALLOC_ID") "redis-tls" -}}
+connect = {{ .Address }}:{{ .Port }}
+{{- end }}
+PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/stunnel_psk.txt
+        EOF
+        destination = "${NOMAD_TASK_DIR}/stunnel.conf"
+      }
+
+      template {
+        data = <<EOF
+{{ with nomadVar "nomad/jobs/rediscommander" -}}
+{{ .redis_stunnel_psk }}
+{{- end }}
+        EOF
+        destination = "${NOMAD_SECRETS_DIR}/stunnel_psk.txt"
+      }
+    }
  }
 }
--- a/nomad_vars.py
+++ b/nomad_vars.py
@ -30,7 +30,7 @@ def nomad_req(method: str, path: str, json: dict|None = None) -> dict:


 def write_var(path: str, items: dict[str, str | float | int]) -> dict:
-    return nomad_req("GET", f"var/{path}",
+    return nomad_req("PUT", f"var/{path}",
        json={
            "Path": path,
            "Items": {k: str(v) for k, v in items.items()},
--- a/providers.tf
+++ b/providers.tf
@ -1,46 +1,7 @@
-# Configure Consul provider
-provider "consul" {
-  address = var.consul_address
-}
-
-# Get Nomad client from Consul
-data "consul_service" "nomad" {
-  name = "nomad-client"
-}
-
-# Get Vault client from Consul
-data "consul_service" "vault" {
-  name = "vault"
-  tag  = "active"
-}
-
-locals {
-  # Get Nomad address from Consul
-  nomad_node         = data.consul_service.nomad.service[0]
-  nomad_node_address = "http://${local.nomad_node.node_address}:${local.nomad_node.port}"
-
-  # Get Vault address from Consul
-  vault_node         = data.consul_service.vault.service[0]
-  vault_node_address = "http://${local.vault_node.node_address}:${local.vault_node.port}"
-}
-
-# Configure the Vault provider
-provider "vault" {
-  address = length(var.vault_address) == 0 ? local.vault_node_address : var.vault_address
-  token   = var.vault_token
-}
-
-# Something that should exist in a post bootstrap module, right now module includes bootstrapping
-# which requries Admin
-# data "vault_nomad_access_token" "deploy" {
-#   backend = "nomad"
-#   role    = "deploy"
-# }

 # Configure the Nomad provider
 provider "nomad" {
-  address   = length(var.nomad_address) == 0 ? local.nomad_node_address : var.nomad_address
+  address   = var.nomad_address
  secret_id = var.nomad_secret_id
-  # secret_id = length(var.nomad_secret_id) == 0 ? data.vault_nomad_access_token.admin.secret_id : var.nomad_secret_id
  region    = "global"
 }
--- a/service.nomad
+++ b/service.nomad
@ -51,6 +51,7 @@ job "[[.name]]" {
      mode = "bridge"
      [[ if not (empty .service_port) -]]
      port "main" {
+        host_network = "wesher"
        to = [[ .service_port ]]
      }
      [[ end -]]
--- a/services.tf
+++ b/services.tf
@ -1,5 +1,5 @@
-# module "services" {
-#   source = "./services"
-#
-#   depends_on = [module.databases, module.core]
-# }
+module "services" {
+  source = "./services"
+
+  depends_on = [module.databases, module.core]
+}
--- a/services/backups/backup.nomad
+++ b/services/backups/backup.nomad
@ -49,7 +49,7 @@ job "backup%{ if batch_node != null }-oneoff-${batch_node}%{ endif }" {
    }

    service {
-      name = "backups"
+      name = "backup"
      provider = "nomad"
      port = "metrics"

@ -97,7 +97,7 @@ MYSQL_PORT={{ .Port }}
 MYSQL_USER=root
 MYSQL_PASSWORD={{ .mysql_root_password }}
 {{ end -}}
-{{ with nomadVar "nomad/jobs/backups" -}}
+{{ with nomadVar "nomad/jobs/backup" -}}
 BACKUP_PASSPHRASE={{ .backup_passphrase }}
 RCLONE_FTP_HOST={{ .nas_ftp_host }}
 RCLONE_FTP_USER={{ .nas_ftp_user }}
--- a/services/backups/backups.tf
+++ b/services/backups/backups.tf
@ -1,4 +1,4 @@
-resource "nomad_job" "backups" {
+resource "nomad_job" "backup" {
  jobspec = templatefile("${path.module}/backup.nomad", {
    module_path = path.module,
    batch_node  = null,
@ -10,7 +10,7 @@ resource "nomad_job" "backups" {
 #   name = "nomad-client"
 # }

-resource "nomad_job" "backups-oneoff" {
+resource "nomad_job" "backup-oneoff" {
  # TODO: Get list of nomad hosts dynamically
  for_each = toset(["n1", "n2"])
  # for_each = toset([
--- a/services/external.tf
+++ b/services/external.tf
@ -1,29 +1,29 @@
-resource "consul_service" "homeassistant" {
-  name = "hass"
-  node = consul_node.homeassistant.name
-  port = 8123
-  tags = [
-    "traefik.enable=true",
-    "traefik.consulcatalog.connect=false",
-    "traefik.http.routers.hass.entryPoints=websecure",
-  ]
-
-  check {
-    check_id = "homeassistant:hass"
-    status   = "passing"
-    name     = "Home Assistant Health Check"
-    http     = "192.168.3.65:8123"
-    interval = "30s"
-    timeout  = "10s"
-  }
-}
-
-resource "consul_node" "homeassistant" {
-  name    = "homeassistant"
-  address = "192.168.3.65"
-
-  meta = {
-    "external-node"  = "true"
-    "external-probe" = "true"
-  }
-}
+# resource "consul_service" "homeassistant" {
+#   name = "hass"
+#   node = consul_node.homeassistant.name
+#   port = 8123
+#   tags = [
+#     "traefik.enable=true",
+#     "traefik.consulcatalog.connect=false",
+#     "traefik.http.routers.hass.entryPoints=websecure",
+#   ]
+#
+#   check {
+#     check_id = "homeassistant:hass"
+#     status   = "passing"
+#     name     = "Home Assistant Health Check"
+#     http     = "192.168.3.65:8123"
+#     interval = "30s"
+#     timeout  = "10s"
+#   }
+# }
+#
+# resource "consul_node" "homeassistant" {
+#   name    = "homeassistant"
+#   address = "192.168.3.65"
+#
+#   meta = {
+#     "external-node"  = "true"
+#     "external-probe" = "true"
+#   }
+# }
--- a/services/ip-dvr.nomad
+++ b/services/ip-dvr.nomad
@ -9,7 +9,7 @@ job "ipdvr" {
      mode = "bridge"

      port "main" {
-        host_network = "wgoverlay"
+        host_network = "wesher"
        to = 8080
      }
    }
@ -75,7 +75,7 @@ job "ipdvr" {
    network {
      mode = "bridge"
      port "main" {
-        host_network = "wgoverlay"
+        host_network = "wesher"
        to = 6789
      }
    }
@ -142,7 +142,7 @@ job "ipdvr" {
    network {
      mode = "bridge"
      port "main" {
-        host_network = "wgoverlay"
+        host_network = "wesher"
        to = 8989
      }
    }
--- a/services/main.tf
+++ b/services/main.tf
@ -172,8 +172,9 @@ module "photoprism_module" {
      PHOTOPRISM_DATABASE_USER={{ .db_user }}
      PHOTOPRISM_DATABASE_PASSWORD={{ .db_pass }}
      {{ range nomadService 1 (env "NOMAD_ALLOC_ID") "mysql-server" -}}
-      PHOTOPRISM_DATABASE_SERVER="{{ .Address" }}:{{ .Port }}"
-      {{ end -}}
+      PHOTOPRISM_DATABASE_SERVER="{{ .Address }}:{{ .Port }}"
+      {{- end }}
+      {{- end }}
      EOF
      dest_prefix = "$${NOMAD_SECRETS_DIR}/"
      dest        = "env"
--- a/services/media/caddy.nomad
+++ b/services/media/caddy.nomad
@ -8,7 +8,7 @@ job "multimedia" {
    network {
      mode = "bridge"
      port "web" {
-        host_network = "wgoverlay"
+        host_network = "wesher"
        to = 80
      }
    }
--- a/services/service/service_template.nomad
+++ b/services/service/service_template.nomad
@ -10,7 +10,7 @@ job "${name}" {
      %{ if service_port != null ~}
      port "main" {
        %{ if ingress }
-        host_network = "wgoverlay"
+        host_network = "wesher"
        %{~ endif }
        to = ${service_port}
      }
--- a/services/whoami.nomad
+++ b/services/whoami.nomad
@ -9,56 +9,13 @@ job "whoami" {

  type = "service"

-  group "whoami-nomad" {
-    count = var.count
-
-    network {
-      mode = "bridge"
-      port "web" {
-        host_network = "wesher"
-        to = 80
-      }
-    }
-
-    service {
-      name = "whoami-nomad"
-      provider = "nomad"
-      port = "web"
-
-      tags = [
-        "traefik.enable=true",
-        "traefik.http.routers.whoami-nomad.entryPoints=websecure",
-        "traefik.http.routers.whoami-nomad.middlewares=basic-auth@file",
-      ]
-    }
-
-    task "whoami" {
-      driver = "docker"
-
-      meta = {
-        "diun.enable" = false
-      }
-
-      config {
-        image = "containous/whoami:latest"
-        ports = ["web"]
-        args = ["--port", "${NOMAD_PORT_web}"]
-      }
-
-      resources {
-        cpu = 50
-        memory = 20
-      }
-    }
-  }
-
  group "whoami" {
    count = var.count

    network {
      mode = "bridge"
      port "web" {
-        host_network = "wgoverlay"
+        host_network = "wesher"
        to = 80
      }
    }
--- a/vars.tf
+++ b/vars.tf
@ -1,7 +1,3 @@
-variable "consul_address" {
-  type    = string
-  default = "http://n1.thefij:8500"
-}

 variable "nomad_address" {
  type    = string