From d5078b24da151a9ca10f4b86306680ef04a9fb7a Mon Sep 17 00:00:00 2001
From: Ian Fijolek <ian@iamthefij.com>
Date: Thu, 24 Aug 2023 12:36:47 -0700
Subject: [PATCH] Refactor use of wesher to be behind a variable toggle

Occasionally I run into issues with Wesher. This makes it easier to
disable use of Wesher by setting TF_VAR_use_wesher to false.
---
 backups.tf                              |  2 ++
 backups/backup.nomad                    |  2 ++
 backups/backups.tf                      |  2 ++
 backups/vars.tf                         |  5 +++++
 core.tf                                 |  1 +
 core/authelia.tf                        |  1 +
 core/blocky/blocky.nomad                | 16 +++++++-------
 core/blocky/blocky.tf                   | 12 ++++-------
 core/blocky/vars.tf                     | 11 ++++++++++
 core/lldap.nomad                        | 28 ++++++++++++++-----------
 core/loki.tf                            | 11 ++++++----
 core/main.tf                            | 10 +++++++--
 core/metrics/exporters.nomad            | 10 +++++----
 core/metrics/grafana.nomad              |  2 ++
 core/metrics/metrics.tf                 |  9 ++++++--
 core/metrics/prometheus.nomad           | 12 +++++++----
 core/metrics/vars.tf                    |  5 +++++
 core/vars.tf                            |  6 ++++++
 services.tf                             |  2 ++
 services/adminer.tf                     |  1 +
 services/bazarr.tf                      |  1 +
 services/ip-dvr.nomad                   |  6 ++++++
 services/lidarr.tf                      |  1 +
 services/main.tf                        |  8 +++----
 services/media-library.tf               |  2 ++
 services/minitor.tf                     |  1 +
 services/photoprism.tf                  |  1 +
 services/service/main.tf                |  1 +
 services/service/service_template.nomad |  2 ++
 services/service/vars.tf                |  6 ++++++
 services/vars.tf                        |  5 +++++
 services/whoami.nomad                   |  4 +++-
 services/whoami.tf                      |  4 +++-
 vars.tf                                 |  6 ++++++
 34 files changed, 146 insertions(+), 50 deletions(-)
 create mode 100644 backups/vars.tf
 create mode 100644 core/blocky/vars.tf
 create mode 100644 core/metrics/vars.tf
 create mode 100644 services/vars.tf

diff --git a/backups.tf b/backups.tf
index 16883e2..ee57db1 100644
--- a/backups.tf
+++ b/backups.tf
@@ -1,3 +1,5 @@
 module "backups" {
   source = "./backups"
+
+  use_wesher = var.use_wesher
 }
diff --git a/backups/backup.nomad b/backups/backup.nomad
index eb8f7c5..8a28215 100644
--- a/backups/backup.nomad
+++ b/backups/backup.nomad
@@ -31,7 +31,9 @@ job "backup%{ if batch_node != null }-oneoff-${batch_node}%{ endif }" {
       mode = "bridge"
 
       port "metrics" {
+        %{~ if use_wesher ~}
         host_network = "wesher"
+        %{~ endif ~}
         to = 8080
       }
     }
diff --git a/backups/backups.tf b/backups/backups.tf
index d3c4d21..8a2b921 100644
--- a/backups/backups.tf
+++ b/backups/backups.tf
@@ -6,6 +6,7 @@ resource "nomad_job" "backup" {
   jobspec = templatefile("${path.module}/backup.nomad", {
     module_path = path.module,
     batch_node  = null,
+    use_wesher  = var.use_wesher
   })
 }
 
@@ -24,5 +25,6 @@ resource "nomad_job" "backup-oneoff" {
   jobspec = templatefile("${path.module}/backup.nomad", {
     module_path = path.module,
     batch_node  = each.key,
+    use_wesher  = var.use_wesher
   })
 }
diff --git a/backups/vars.tf b/backups/vars.tf
new file mode 100644
index 0000000..aa5858a
--- /dev/null
+++ b/backups/vars.tf
@@ -0,0 +1,5 @@
+variable "use_wesher" {
+  type        = bool
+  description = "Indicates whether or not services should expose themselves on the wesher network"
+  default     = true
+}
diff --git a/core.tf b/core.tf
index 3d47af9..2374f5d 100644
--- a/core.tf
+++ b/core.tf
@@ -6,6 +6,7 @@ module "core" {
   source = "./core"
 
   base_hostname = var.base_hostname
+  use_wesher    = var.use_wesher
 
   # Metrics and Blocky depend on databases
   depends_on = [module.databases]
diff --git a/core/authelia.tf b/core/authelia.tf
index bbcd56c..5bda631 100644
--- a/core/authelia.tf
+++ b/core/authelia.tf
@@ -9,6 +9,7 @@ module "authelia" {
   ingress             = true
   service_port        = 9999
   service_port_static = true
+  use_wesher          = var.use_wesher
   # metrics_port = 9959
 
   env = {
diff --git a/core/blocky/blocky.nomad b/core/blocky/blocky.nomad
index 3fda8f6..aad22ef 100644
--- a/core/blocky/blocky.nomad
+++ b/core/blocky/blocky.nomad
@@ -24,7 +24,9 @@ job "blocky" {
       }
 
       port "api" {
+        %{~ if use_wesher ~}
         host_network = "wesher"
+        %{~ endif ~}
         to = "4000"
       }
 
@@ -66,7 +68,7 @@ job "blocky" {
 
       config {
         image = "ghcr.io/0xerr0r/blocky"
-        args = ["-c", "${NOMAD_TASK_DIR}/config.yml"]
+        args = ["-c", "$${NOMAD_TASK_DIR}/config.yml"]
         ports = ["dns", "api"]
       }
 
@@ -78,7 +80,7 @@ job "blocky" {
 
       template {
         data = var.config_data
-        destination = "${NOMAD_TASK_DIR}/config.yml"
+        destination = "$${NOMAD_TASK_DIR}/config.yml"
         splay = "1m"
 
         wait {
@@ -95,7 +97,7 @@ job "blocky" {
 {{- end }}
 {{- end }}
         EOF
-        destination = "${NOMAD_TASK_DIR}/nomad.hosts"
+        destination = "$${NOMAD_TASK_DIR}/nomad.hosts"
         change_mode = "noop"
 
         wait {
@@ -116,7 +118,7 @@ job "blocky" {
       config {
         image = "alpine:3.17"
         ports = ["tls"]
-        args = ["/bin/sh", "${NOMAD_TASK_DIR}/start.sh"]
+        args = ["/bin/sh", "$${NOMAD_TASK_DIR}/start.sh"]
       }
 
       resources {
@@ -130,7 +132,7 @@ set -e
 apk add stunnel
 exec stunnel {{ env "NOMAD_TASK_DIR" }}/stunnel.conf
         EOF
-        destination = "${NOMAD_TASK_DIR}/start.sh"
+        destination = "$${NOMAD_TASK_DIR}/start.sh"
       }
 
       template {
@@ -155,7 +157,7 @@ connect = {{ .Address }}:{{ .Port }}
 {{- end }}
 PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/stunnel_psk.txt
         EOF
-        destination = "${NOMAD_TASK_DIR}/stunnel.conf"
+        destination = "$${NOMAD_TASK_DIR}/stunnel.conf"
       }
 
       template {
@@ -169,7 +171,7 @@ EOF
         data = <<EOF
 {{- with nomadVar "nomad/jobs/blocky/blocky/stunnel" -}}{{ .redis_stunnel_psk }}{{ end -}}
         EOF
-        destination = "${NOMAD_SECRETS_DIR}/stunnel_psk.txt"
+        destination = "$${NOMAD_SECRETS_DIR}/stunnel_psk.txt"
       }
     }
 
diff --git a/core/blocky/blocky.tf b/core/blocky/blocky.tf
index 1a9e6f2..2eb6a03 100644
--- a/core/blocky/blocky.tf
+++ b/core/blocky/blocky.tf
@@ -1,14 +1,8 @@
-variable "base_hostname" {
-  type        = string
-  description = "Base hostname to serve content from"
-  default     = "dev.homelab"
-}
-
 locals {
   config_data = templatefile(
     "${path.module}/config.yml",
     {
-      "base_hostname" = var.base_hostname,
+      base_hostname = var.base_hostname,
     }
   )
 }
@@ -21,5 +15,7 @@ resource "nomad_job" "blocky" {
     }
   }
 
-  jobspec = file("${path.module}/blocky.nomad")
+  jobspec = templatefile("${path.module}/blocky.nomad", {
+    use_wesher = var.use_wesher,
+  })
 }
diff --git a/core/blocky/vars.tf b/core/blocky/vars.tf
new file mode 100644
index 0000000..06c6ae3
--- /dev/null
+++ b/core/blocky/vars.tf
@@ -0,0 +1,11 @@
+variable "base_hostname" {
+  type        = string
+  description = "Base hostname to serve content from"
+  default     = "dev.homelab"
+}
+
+variable "use_wesher" {
+  type        = bool
+  description = "Indicates whether or not services should expose themselves on the wesher network"
+  default     = true
+}
diff --git a/core/lldap.nomad b/core/lldap.nomad
index f991cd9..bc98a4b 100644
--- a/core/lldap.nomad
+++ b/core/lldap.nomad
@@ -9,11 +9,15 @@ job "lldap" {
       mode = "bridge"
 
       port "web" {
+        %{~ if use_wesher ~}
         host_network = "wesher"
+        %{~ endif ~}
       }
 
       port "ldap" {
+        %{~ if use_wesher ~}
         host_network = "wesher"
+        %{~ endif ~}
       }
 
       port "tls" {}
@@ -48,13 +52,13 @@ job "lldap" {
       config {
         image = "nitnelave/lldap:latest"
         ports = ["ldap", "web"]
-        args = ["run", "--config-file", "${NOMAD_SECRETS_DIR}/lldap_config.toml"]
+        args = ["run", "--config-file", "$${NOMAD_SECRETS_DIR}/lldap_config.toml"]
       }
 
       env = {
         "LLDAP_VERBOSE" = "true"
-        "LLDAP_LDAP_PORT" = "${NOMAD_PORT_ldap}"
-        "LLDAP_HTTP_PORT" = "${NOMAD_PORT_web}"
+        "LLDAP_LDAP_PORT" = "$${NOMAD_PORT_ldap}"
+        "LLDAP_HTTP_PORT" = "$${NOMAD_PORT_web}"
       }
 
       template {
@@ -86,7 +90,7 @@ user = "{{ .smtp_user }}"
 password = "{{ .smtp_password }}"
 {{ end -}}
         EOH
-        destination = "${NOMAD_SECRETS_DIR}/lldap_config.toml"
+        destination = "$${NOMAD_SECRETS_DIR}/lldap_config.toml"
         change_mode = "restart"
       }
 
@@ -112,7 +116,7 @@ password = "{{ .smtp_password }}"
           "2m",
           "/bin/bash",
           "-c",
-          "until /usr/bin/mysql --defaults-extra-file=${NOMAD_SECRETS_DIR}/my.cnf < ${NOMAD_SECRETS_DIR}/bootstrap.sql; do sleep 10; done",
+          "until /usr/bin/mysql --defaults-extra-file=$${NOMAD_SECRETS_DIR}/my.cnf < $${NOMAD_SECRETS_DIR}/bootstrap.sql; do sleep 10; done",
         ]
       }
 
@@ -127,7 +131,7 @@ user=root
 password={{ .mysql_root_password }}
 {{ end -}}
         EOF
-        destination = "${NOMAD_SECRETS_DIR}/my.cnf"
+        destination = "$${NOMAD_SECRETS_DIR}/my.cnf"
       }
 
       template {
@@ -146,7 +150,7 @@ GRANT ALL ON `{{ .db_name }}`.*
 SELECT 'NOOP';
 {{ end -}}
         EOF
-        destination = "${NOMAD_SECRETS_DIR}/bootstrap.sql"
+        destination = "$${NOMAD_SECRETS_DIR}/bootstrap.sql"
       }
 
       resources {
@@ -166,7 +170,7 @@ SELECT 'NOOP';
       config {
         image = "alpine:3.17"
         ports = ["tls"]
-        args = ["/bin/sh", "${NOMAD_TASK_DIR}/start.sh"]
+        args = ["/bin/sh", "$${NOMAD_TASK_DIR}/start.sh"]
       }
 
       resources {
@@ -180,7 +184,7 @@ set -e
 apk add stunnel
 exec stunnel {{ env "NOMAD_TASK_DIR" }}/stunnel.conf
         EOF
-        destination = "${NOMAD_TASK_DIR}/start.sh"
+        destination = "$${NOMAD_TASK_DIR}/start.sh"
       }
 
       template {
@@ -203,7 +207,7 @@ connect = {{ .Address }}:{{ .Port }}
 {{- end }}
 PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/mysql_stunnel_psk.txt
         EOF
-        destination = "${NOMAD_TASK_DIR}/stunnel.conf"
+        destination = "$${NOMAD_TASK_DIR}/stunnel.conf"
       }
 
       template {
@@ -212,14 +216,14 @@ PSKsecrets = {{ env "NOMAD_SECRETS_DIR" }}/mysql_stunnel_psk.txt
 {{ .allowed_psks }}
 {{- end }}
 EOF
-        destination = "${NOMAD_TASK_DIR}/stunnel_psk.txt"
+        destination = "$${NOMAD_TASK_DIR}/stunnel_psk.txt"
       }
 
       template {
         data = <<EOF
 {{- with nomadVar "nomad/jobs/lldap/lldap/stunnel" }}{{ .mysql_stunnel_psk }}{{ end -}}
 EOF
-        destination = "${NOMAD_SECRETS_DIR}/mysql_stunnel_psk.txt"
+        destination = "$${NOMAD_SECRETS_DIR}/mysql_stunnel_psk.txt"
       }
 
     }
diff --git a/core/loki.tf b/core/loki.tf
index af4a482..b428d90 100644
--- a/core/loki.tf
+++ b/core/loki.tf
@@ -1,12 +1,15 @@
 module "loki" {
   source = "../services/service"
 
-  name         = "loki"
-  image        = "grafana/loki:2.2.1"
-  args         = ["--config.file=$${NOMAD_TASK_DIR}/loki-config.yml"]
+  name  = "loki"
+  image = "grafana/loki:2.2.1"
+  args  = ["--config.file=$${NOMAD_TASK_DIR}/loki-config.yml"]
+
   service_port = 3100
   ingress      = true
-  sticky_disk  = true
+  use_wesher   = var.use_wesher
+
+  sticky_disk = true
   # healthcheck  = "/ready"
   templates = [
     {
diff --git a/core/main.tf b/core/main.tf
index 4da4aae..4001dc8 100644
--- a/core/main.tf
+++ b/core/main.tf
@@ -2,6 +2,8 @@ module "blocky" {
   source = "./blocky"
 
   base_hostname = var.base_hostname
+  use_wesher    = var.use_wesher
+
   # Not in this module
   # depends_on = [module.databases]
 }
@@ -13,7 +15,9 @@ module "traefik" {
 }
 
 module "metrics" {
-  source = "./metrics"
+  source     = "./metrics"
+  use_wesher = var.use_wesher
+
   # Not in this module
   # depends_on = [module.databases]
 }
@@ -32,5 +36,7 @@ resource "nomad_job" "ddclient" {
 }
 
 resource "nomad_job" "lldap" {
-  jobspec = file("${path.module}/lldap.nomad")
+  jobspec = templatefile("${path.module}/lldap.nomad", {
+    use_wesher = var.use_wesher,
+  })
 }
diff --git a/core/metrics/exporters.nomad b/core/metrics/exporters.nomad
index 7560872..7501d6e 100644
--- a/core/metrics/exporters.nomad
+++ b/core/metrics/exporters.nomad
@@ -8,7 +8,9 @@ job "exporters" {
       mode = "bridge"
 
       port "promtail" {
+        %{~ if use_wesher ~}
         host_network = "wesher"
+        %{~ endif ~}
         to = 9080
       }
     }
@@ -19,8 +21,8 @@ job "exporters" {
       port = "promtail"
 
       meta {
-        nomad_dc = "${NOMAD_DC}"
-        nomad_node_name = "${node.unique.name}"
+        nomad_dc = "$${NOMAD_DC}"
+        nomad_node_name = "$${node.unique.name}"
       }
 
       tags = [
@@ -39,7 +41,7 @@ job "exporters" {
 
       config {
         image = "grafana/promtail:2.7.1"
-        args = ["-config.file=${NOMAD_TASK_DIR}/promtail.yml"]
+        args = ["-config.file=$${NOMAD_TASK_DIR}/promtail.yml"]
         ports = ["promtail"]
 
         # Bind mount host machine-id and log directories
@@ -127,7 +129,7 @@ scrape_configs:
       - source_labels: ['__journal_com_hashicorp_nomad_task_name']
         target_label: nomad_task_name
 EOF
-        destination = "${NOMAD_TASK_DIR}/promtail.yml"
+        destination = "$${NOMAD_TASK_DIR}/promtail.yml"
       }
 
       resources {
diff --git a/core/metrics/grafana.nomad b/core/metrics/grafana.nomad
index 2bae0c9..6bde3f8 100644
--- a/core/metrics/grafana.nomad
+++ b/core/metrics/grafana.nomad
@@ -8,7 +8,9 @@ job "grafana" {
       mode = "bridge"
 
       port "web" {
+        %{~ if use_wesher ~}
         host_network = "wesher"
+        %{~ endif ~}
         to = 3000
       }
     }
diff --git a/core/metrics/metrics.tf b/core/metrics/metrics.tf
index b84b600..1fcfd62 100644
--- a/core/metrics/metrics.tf
+++ b/core/metrics/metrics.tf
@@ -3,7 +3,9 @@ resource "nomad_job" "exporters" {
     enabled = true
   }
 
-  jobspec = file("${path.module}/exporters.nomad")
+  jobspec = templatefile("${path.module}/exporters.nomad", {
+    use_wesher = var.use_wesher,
+  })
 }
 
 resource "nomad_job" "prometheus" {
@@ -11,7 +13,9 @@ resource "nomad_job" "prometheus" {
     enabled = true
   }
 
-  jobspec = file("${path.module}/prometheus.nomad")
+  jobspec = templatefile("${path.module}/prometheus.nomad", {
+    use_wesher = var.use_wesher,
+  })
 }
 
 resource "nomad_job" "grafana" {
@@ -21,6 +25,7 @@ resource "nomad_job" "grafana" {
 
   jobspec = templatefile("${path.module}/grafana.nomad", {
     module_path = path.module
+    use_wesher  = var.use_wesher
   })
 
   depends_on = [nomad_job.prometheus]
diff --git a/core/metrics/prometheus.nomad b/core/metrics/prometheus.nomad
index f065d3c..5f57460 100644
--- a/core/metrics/prometheus.nomad
+++ b/core/metrics/prometheus.nomad
@@ -8,12 +8,16 @@ job "prometheus" {
       mode = "bridge"
 
       port "web" {
+        %{~ if use_wesher ~}
         host_network = "wesher"
+        %{~ endif ~}
         to = 9090
       }
 
       port "pushgateway" {
+        %{~ if use_wesher ~}
         host_network = "wesher"
+        %{~ endif ~}
         static = 9091
       }
     }
@@ -48,8 +52,8 @@ job "prometheus" {
         image = "prom/prometheus:v2.43.0"
         ports = ["web"]
         args = [
-          "--config.file=${NOMAD_TASK_DIR}/prometheus.yml",
-          "--storage.tsdb.path=${NOMAD_ALLOC_DIR}/data/tsdb",
+          "--config.file=$${NOMAD_TASK_DIR}/prometheus.yml",
+          "--storage.tsdb.path=$${NOMAD_ALLOC_DIR}/data/tsdb",
           "--web.listen-address=0.0.0.0:9090",
           "--web.console.libraries=/usr/share/prometheus/console_libraries",
           "--web.console.templates=/usr/share/prometheus/consoles",
@@ -112,7 +116,7 @@ scrape_configs:
         EOF
         change_mode = "signal"
         change_signal = "SIGHUP"
-        destination = "${NOMAD_TASK_DIR}/prometheus.yml"
+        destination = "$${NOMAD_TASK_DIR}/prometheus.yml"
       }
 
       resources {
@@ -128,7 +132,7 @@ scrape_configs:
         image = "prom/pushgateway"
         ports = ["pushgateway"]
         args = [
-          "--persistence.file=${NOMAD_ALLOC_DIR}/pushgateway-persistence",
+          "--persistence.file=$${NOMAD_ALLOC_DIR}/pushgateway-persistence",
         ]
       }
 
diff --git a/core/metrics/vars.tf b/core/metrics/vars.tf
new file mode 100644
index 0000000..aa5858a
--- /dev/null
+++ b/core/metrics/vars.tf
@@ -0,0 +1,5 @@
+variable "use_wesher" {
+  type        = bool
+  description = "Indicates whether or not services should expose themselves on the wesher network"
+  default     = true
+}
diff --git a/core/vars.tf b/core/vars.tf
index 25f4421..06c6ae3 100644
--- a/core/vars.tf
+++ b/core/vars.tf
@@ -3,3 +3,9 @@ variable "base_hostname" {
   description = "Base hostname to serve content from"
   default     = "dev.homelab"
 }
+
+variable "use_wesher" {
+  type        = bool
+  description = "Indicates whether or not services should expose themselves on the wesher network"
+  default     = true
+}
diff --git a/services.tf b/services.tf
index 1f9cac3..be7d291 100644
--- a/services.tf
+++ b/services.tf
@@ -1,5 +1,7 @@
 module "services" {
   source = "./services"
 
+  use_wesher = var.use_wesher
+
   depends_on = [module.databases, module.core]
 }
diff --git a/services/adminer.tf b/services/adminer.tf
index 6730f82..24d9d34 100644
--- a/services/adminer.tf
+++ b/services/adminer.tf
@@ -6,6 +6,7 @@ module "adminer" {
 
   ingress      = true
   service_port = 8080
+  use_wesher   = var.use_wesher
 
   use_mysql    = true
   use_postgres = true
diff --git a/services/bazarr.tf b/services/bazarr.tf
index 1f9215b..76917c0 100644
--- a/services/bazarr.tf
+++ b/services/bazarr.tf
@@ -11,6 +11,7 @@ module "bazarr" {
 
   ingress      = true
   service_port = 6767
+  use_wesher   = var.use_wesher
 
   use_postgres = true
   postgres_bootstrap = {
diff --git a/services/ip-dvr.nomad b/services/ip-dvr.nomad
index 7e91aeb..c11d7e9 100644
--- a/services/ip-dvr.nomad
+++ b/services/ip-dvr.nomad
@@ -9,7 +9,9 @@ job "ipdvr" {
       mode = "bridge"
 
       port "main" {
+        %{~ if use_wesher ~}
         host_network = "wesher"
+        %{~ endif ~}
         to = 8080
       }
     }
@@ -75,7 +77,9 @@ job "ipdvr" {
     network {
       mode = "bridge"
       port "main" {
+        %{~ if use_wesher ~}
         host_network = "wesher"
+        %{~ endif ~}
         static = 6789
       }
     }
@@ -142,7 +146,9 @@ job "ipdvr" {
     network {
       mode = "bridge"
       port "main" {
+        %{~ if use_wesher ~}
         host_network = "wesher"
+        %{~ endif ~}
         to = 8989
       }
     }
diff --git a/services/lidarr.tf b/services/lidarr.tf
index 1bdc41f..4faea77 100644
--- a/services/lidarr.tf
+++ b/services/lidarr.tf
@@ -6,6 +6,7 @@ module "lidarr" {
 
   ingress      = true
   service_port = 8686
+  use_wesher   = var.use_wesher
 
   use_postgres = true
   postgres_bootstrap = {
diff --git a/services/main.tf b/services/main.tf
index 9000370..120eaf6 100644
--- a/services/main.tf
+++ b/services/main.tf
@@ -1,7 +1,5 @@
-module "backups" {
-  source = "./backups"
-}
-
 resource "nomad_job" "ipdvr" {
-  jobspec = file("${path.module}/ip-dvr.nomad")
+  jobspec = templatefile("${path.module}/ip-dvr.nomad", {
+    use_wesher = var.use_wesher,
+  })
 }
diff --git a/services/media-library.tf b/services/media-library.tf
index 5bfd517..575c009 100644
--- a/services/media-library.tf
+++ b/services/media-library.tf
@@ -6,6 +6,8 @@ module "media-library" {
   args         = ["caddy", "file-server", "--root", "/mnt/media", "--browse"]
   ingress      = true
   service_port = 80
+  use_wesher   = var.use_wesher
+
   host_volumes = [
     {
       name      = "media-read"
diff --git a/services/minitor.tf b/services/minitor.tf
index d9433b7..a5b1f7c 100644
--- a/services/minitor.tf
+++ b/services/minitor.tf
@@ -5,6 +5,7 @@ module "minitor" {
   image        = "iamthefij/minitor-go:1.4.1"
   args         = ["-metrics", "-config=$${NOMAD_TASK_DIR}/config.yml"]
   service_port = 8080
+  use_wesher   = var.use_wesher
   prometheus   = true
 
   env = {
diff --git a/services/photoprism.tf b/services/photoprism.tf
index e4c7cf6..5163d0a 100644
--- a/services/photoprism.tf
+++ b/services/photoprism.tf
@@ -39,6 +39,7 @@ module "photoprism_module" {
 
   ingress      = true
   service_port = 2342
+  use_wesher   = var.use_wesher
   ingress_middlewares = [
     "authelia@nomad"
   ]
diff --git a/services/service/main.tf b/services/service/main.tf
index 6070060..634fa17 100644
--- a/services/service/main.tf
+++ b/services/service/main.tf
@@ -20,6 +20,7 @@ resource "nomad_job" "service" {
     stunnel_resources   = var.stunnel_resources
     service_tags        = var.service_tags
     custom_services     = var.custom_services
+    use_wesher          = var.use_wesher
 
     ingress             = var.ingress
     ingress_rule        = var.ingress_rule
diff --git a/services/service/service_template.nomad b/services/service/service_template.nomad
index 49fe50d..554fce1 100644
--- a/services/service/service_template.nomad
+++ b/services/service/service_template.nomad
@@ -12,7 +12,9 @@ job "${name}" {
       mode = "bridge"
       %{ if service_port != null ~}
       port "main" {
+        %{~ if use_wesher ~}
         host_network = "wesher"
+        %{~ endif ~}
         %{ if service_port_static ~}
         static = ${service_port}
         %{ else ~}
diff --git a/services/service/vars.tf b/services/service/vars.tf
index 43b1090..b55d582 100644
--- a/services/service/vars.tf
+++ b/services/service/vars.tf
@@ -239,3 +239,9 @@ variable "custom_services" {
 
   default = []
 }
+
+variable "use_wesher" {
+  type        = bool
+  description = "Indicates whether or not services should expose themselves on the wesher network"
+  default     = true
+}
diff --git a/services/vars.tf b/services/vars.tf
new file mode 100644
index 0000000..aa5858a
--- /dev/null
+++ b/services/vars.tf
@@ -0,0 +1,5 @@
+variable "use_wesher" {
+  type        = bool
+  description = "Indicates whether or not services should expose themselves on the wesher network"
+  default     = true
+}
diff --git a/services/whoami.nomad b/services/whoami.nomad
index bc9402c..26108be 100644
--- a/services/whoami.nomad
+++ b/services/whoami.nomad
@@ -15,7 +15,9 @@ job "whoami" {
     network {
       mode = "bridge"
       port "web" {
+        %{~ if use_wesher ~}
         host_network = "wesher"
+        %{~ endif ~}
         to = 80
       }
     }
@@ -45,7 +47,7 @@ job "whoami" {
       config {
         image = "containous/whoami:latest"
         ports = ["web"]
-        args = ["--port", "${NOMAD_PORT_web}"]
+        args = ["--port", "$${NOMAD_PORT_web}"]
       }
 
       resources {
diff --git a/services/whoami.tf b/services/whoami.tf
index b68bbaf..e087065 100644
--- a/services/whoami.tf
+++ b/services/whoami.tf
@@ -6,5 +6,7 @@ resource "nomad_job" "whoami" {
     }
   }
 
-  jobspec = file("${path.module}/whoami.nomad")
+  jobspec = templatefile("${path.module}/whoami.nomad", {
+    use_wesher = var.use_wesher
+  })
 }
diff --git a/vars.tf b/vars.tf
index 6702560..5cb1153 100644
--- a/vars.tf
+++ b/vars.tf
@@ -15,3 +15,9 @@ variable "nomad_secret_id" {
   sensitive   = true
   default     = ""
 }
+
+variable "use_wesher" {
+  type        = bool
+  description = "Indicates whether or not services should expose themselves on the wesher network"
+  default     = true
+}