prod: nixos 23.11 and nomad 1.5

cluster/prod/cluster.nix

@@ -77,8 +77,9 @@
     };
   };
 
-  # Keep using Nomad 1.4
+  # Pin Nomad version
-  services.nomad.package = pkgs.nomad_1_4;
+  services.nomad.package = pkgs.nomad_1_5;
+  nixpkgs.config.allowUnfree = true; # Accept nomad's BSL license
 
   # Bootstrap IPs for Consul cluster,
   # these are IPs on the Wireguard overlay

cluster/staging/cluster.nix

@@ -109,7 +109,6 @@
   imports = [
     ## ---- Nix Nomad jobs using nomad-driver-nix2 ----
     ({ pkgs, ... }: {
-      services.nomad.dropPrivileges = false;
       services.nomad.extraSettingsPlugins = [
         (import ./nomad-driver-nix2.nix { inherit pkgs; })
       ];

deploy_pki

@@ -27,9 +27,6 @@ for file in nomad-ca.crt nomad$YEAR.crt nomad$YEAR.key \
 do
 	if pass $PKI/$file >/dev/null; then
 		write_pass $PKI/$file /var/lib/nomad/pki/$file
-		if [ ! "$CLUSTER" = "staging" ]; then
-			cmd "chown \$(stat -c %u /var/lib/private/nomad/) /var/lib/nomad/pki/$file"
-		fi
 	fi
 done
 

nix/deuxfleurs.nix

@@ -330,6 +330,7 @@ in
     };
 
     services.nomad.enable = true;
+    services.nomad.dropPrivileges = false;  # required starting with Nomad 1.5, otherwise Docker is not detected
     systemd.services.nomad.after = [ "wg-quick-wg0.service" ];
     services.nomad.extraPackages = [
       pkgs.glibc

upgrade_nixos

@@ -3,7 +3,7 @@
 if [ "$CLUSTER" = "staging" ]; then
 	cmd nix-channel --add https://nixos.org/channels/nixos-23.11 nixos
 else
-	cmd nix-channel --add https://nixos.org/channels/nixos-23.05 nixos
+	cmd nix-channel --add https://nixos.org/channels/nixos-23.11 nixos
 fi
 
 cmd nix-channel --update