make jobs bound ports only listen on internal network

i.e. if you request a port in the nomad job spec it will listen on 10.83.0.X:Y instead of the public ip address now we can actually have systems that are only reachable from other jobs and not the whole internet
datasektionen · Dec 13, 2024 · 9e79c8e · 9e79c8e
1 parent a1e495d
commit 9e79c8e
Showing 1 changed file with 4 additions and 5 deletions.
diff --git a/profiles/nomad/client.nix b/profiles/nomad/client.nix
@@ -5,11 +5,10 @@
   services.nomad = {
     dropPrivileges = false;
     enableDocker = true;
-    settings = {
-      client = {
-        enabled = true;
-        server_join.retry_join = config.dsekt.addresses.groups.cluster-servers;
-      };
+    settings.client = {
+      enabled = true;
+      server_join.retry_join = config.dsekt.addresses.groups.cluster-servers;
+      network_interface = "{{ GetPrivateInterfaces | include `address` `10[.]83[.]` | attr `name` }}";
     };
   };
 }