From 972fc4ea7c48db9dc0a2aad52f7966f0e3b26256 Mon Sep 17 00:00:00 2001
From: Alex Auvolat
Date: Sat, 20 Apr 2024 10:58:36 +0200
Subject: [PATCH] prod: nixos 23.11 and nomad 1.5
---
 cluster/prod/cluster.nix | 5 +++--
 cluster/staging/cluster.nix | 1 -
 deploy_pki | 3 ---
 nix/deuxfleurs.nix | 1 +
 upgrade_nixos | 2 +-
 5 files changed, 5 insertions(+), 7 deletions(-)
diff --git a/cluster/prod/cluster.nix b/cluster/prod/cluster.nix
index ab3395e..52a9bd7 100644
--- a/cluster/prod/cluster.nix
+++ b/cluster/prod/cluster.nix
@@ -77,8 +77,9 @@
 };
 };
- # Keep using Nomad 1.4
- services.nomad.package = pkgs.nomad_1_4;
+ # Pin Nomad version
+ services.nomad.package = pkgs.nomad_1_5;
+ nixpkgs.config.allowUnfree = true; # Accept nomad's BSL license
 # Bootstrap IPs for Consul cluster,
 # these are IPs on the Wireguard overlay
diff --git a/cluster/staging/cluster.nix b/cluster/staging/cluster.nix
index b696ee5..184092f 100644
--- a/cluster/staging/cluster.nix
+++ b/cluster/staging/cluster.nix
@@ -109,7 +109,6 @@
 imports = [
 ## ---- Nix Nomad jobs using nomad-driver-nix2 ----
 ({ pkgs, ... }: {
- services.nomad.dropPrivileges = false;
 services.nomad.extraSettingsPlugins = [
 (import ./nomad-driver-nix2.nix { inherit pkgs; })
 ];
diff --git a/deploy_pki b/deploy_pki
index 1ab2b35..af9e1da 100755
--- a/deploy_pki
+++ b/deploy_pki
@@ -27,9 +27,6 @@ for file in nomad-ca.crt nomad$YEAR.crt nomad$YEAR.key \
 do
 if pass $PKI/$file >/dev/null; then
 write_pass $PKI/$file /var/lib/nomad/pki/$file
- if [ ! "$CLUSTER" = "staging" ]; then
- cmd "chown \$(stat -c %u /var/lib/private/nomad/) /var/lib/nomad/pki/$file"
- fi
 fi
 done
diff --git a/nix/deuxfleurs.nix b/nix/deuxfleurs.nix
index 6020339..7b9065e 100644
--- a/nix/deuxfleurs.nix
+++ b/nix/deuxfleurs.nix
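Review bot: `nixpkgs.config.allowUnfree = true;` in the cluster/prod/cluster.nix hunk opens the entire unfree package set on production nodes, although its own comment says the only package that needs it is Nomad under the BSL. With the blanket flag, a later change that pulls in any other unfree package evaluates silently, so the license setting stops acting as a review gate. A narrower form would be `nixpkgs.config.allowUnfreePredicate = pkg: builtins.elem (lib.getName pkg) [ "nomad" ];`, assuming `lib` is in scope in this module (the module header lies outside the hunk).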
@@ -330,6 +330,7 @@ in
 };
 services.nomad.enable = true;
+ services.nomad.dropPrivileges = false; # required starting with Nomad 1.5, otherwise Docker is not detected
 systemd.services.nomad.after = [ "wg-quick-wg0.service" ];
 services.nomad.extraPackages = [
 pkgs.glibc
diff --git a/upgrade_nixos b/upgrade_nixos
index e3d753e..5f0ec3a 100755
--- a/upgrade_nixos
+++ b/upgrade_nixos
@@ -3,7 +3,7 @@
 if [ "$CLUSTER" = "staging" ]; then
 cmd nix-channel --add https://nixos.org/channels/nixos-23.11 nixos
 else
- cmd nix-channel --add https://nixos.org/channels/nixos-23.05 nixos
+ cmd nix-channel --add https://nixos.org/channels/nixos-23.11 nixos
 fi
 cmd nix-channel --update
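Review bot: `services.nomad.dropPrivileges = false;` in the nix/deuxfleurs.nix hunk sits in the shared module, so the Nomad agent presumably now runs as root on every cluster that imports it, and the inline comment records only the reason, not that consequence. I would extend the comment to something like `# required starting with Nomad 1.5, otherwise Docker is not detected; NOTE: the agent now runs as root on all clusters, not as the unprivileged service user`. The same commit removes the `chown` in deploy_pki, so files under `/var/lib/nomad/pki/` keep whatever owner and mode `write_pass` gives them. That helper is not visible here, so it is worth confirming that `nomad$YEAR.key` ends up readable by root only. On already-deployed production nodes the existing PKI files likely still belong to the old service uid and may need a one-off ownership fix.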