From 7ee6a14bb740301dc995227d6d166162ff3c53d4 Mon Sep 17 00:00:00 2001
From: Mathias Magnusson
Date: Thu, 21 Nov 2024 21:36:18 +0100
Subject: [PATCH] use internal addresses to speak with nomad
---
 env.example | 7 +++++--
 profiles/nomad/shared.nix | 2 +-
 profiles/traefik.nix | 7 +++++--
 3 files changed, 11 insertions(+), 5 deletions(-)
diff --git a/env.example b/env.example
index e1d7d77..72aecf6 100644
--- a/env.example
+++ b/env.example
@@ -8,6 +8,9 @@ NOMAD_ADDR=https://nomad.datasektionen.se
 NOMAD_TOKEN=
 AGE_IDENTITY=$PWD/secrets/identity.txt
-# If traefik breaks, this can be used (but doesn't work well with `nomad ui -authentiate`):
-# NOMAD_ADDR=https://zeus.datasektionen.se:4646
+# If traefik breaks, you can run `ssh -L4646:ares.dsekt.internal:4646 ares` and
+# uncomment these (but doesn't work very well with `nomad ui -authentiate`) to
+# contact nomad's api:
+#
+# NOMAD_ADDR=https://127.0.0.1:4646
 # NOMAD_CACERT=/home/mathias/code/dsekt/infra/files/nomad-agent-ca.pem
diff --git a/profiles/nomad/shared.nix b/profiles/nomad/shared.nix
index d6eb8ad..d629cca 100644
--- a/profiles/nomad/shared.nix
+++ b/profiles/nomad/shared.nix
@@ -3,7 +3,7 @@
 services.nomad = {
 enable = true;
 settings = {
- bind_addr = "0.0.0.0";
+ bind_addr = config.dsekt.addresses.hosts.self;
 advertise =
 let
 addr = config.dsekt.addresses.hosts.self;
diff --git a/profiles/traefik.nix b/profiles/traefik.nix
index 5ad1250..8d9a8fe 100644
--- a/profiles/traefik.nix
+++ b/profiles/traefik.nix
@@ -37,7 +37,10 @@
 providers.nomad = {
 exposedByDefault = false;
 endpoint = {
- address = "https://127.0.0.1:4646";
+ # We're making nomad bind to the internal IP address so we can't use
+ # 127.0.0.1. We also can't use ${config.dsekt.addresses.hosts.self}
+ # since the certificate isn't valid for that address.
+ address = "https://${config.networking.hostName}.dsekt.internal:4646";
 token = "\${NOMAD_TOKEN}";
 tls.ca = "${../files/nomad-agent-ca.pem}";
 };
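Review bot: In profiles/nomad/shared.nix the new `bind_addr` line carries no comment saying why the agent stops listening on all interfaces, and the same `config.dsekt.addresses.hosts.self` expression is spelled out again in the `let addr = …` directly below it. Nomad uses `bind_addr` as the listen address for its HTTP, RPC and Serf ports, so after this change nothing answers on loopback either; a comment such as `# Listen only on the internal address: HTTP/RPC/Serf are not exposed on public interfaces, and 127.0.0.1:4646 no longer works on the node itself.` would record that. Anything on the host that still assumes `127.0.0.1:4646` (the `nomad` CLI default, local health checks) would need the internal hostname instead, and only the traefik endpoints are updated in this commit. The `settings` block continues outside the hunk, so whether other consumers exist cannot be seen from here.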
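Review bot: The endpoint URL `https://${config.networking.hostName}.dsekt.internal:4646` in profiles/traefik.nix is written out twice, here in `providers.nomad.endpoint` and again in the `services.nomad.loadBalancer` hunk at -79/+82, with the `.dsekt.internal` suffix and the port hard-coded in both. A single binding, e.g. `nomadUrl = "https://${config.networking.hostName}.dsekt.internal:4646";` reused as `address = nomadUrl;` and `url = nomadUrl;`, would keep the two from drifting; where the `let` would go is outside the hunk. Because traefik sends `NOMAD_TOKEN` over this connection and verifies the peer against `nomad-agent-ca.pem`, it is worth confirming that the name resolves on the host itself to the address nomad now binds to (a local /etc/hosts entry mapping the hostname to loopback would make the endpoint unreachable) and that every agent certificate carries that hostname as a SAN.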
@@ -79,7 +82,7 @@
 tls.certresolver = "default";
 };
 services.nomad.loadBalancer = {
- servers = [ { url = "https://127.0.0.1:4646"; } ];
+ servers = [ { url = "https://${config.networking.hostName}.dsekt.internal:4646"; } ];
 serversTransport = "nomadTransport";
 };
 serversTransports.nomadTransport.rootCAs = "${../files/nomad-agent-ca.pem}";