Adjust Consul networking

sorenisanerd · sorenisanerd · commit bb7c67c11a7e · 2026-01-28T11:32:03.000-08:00
Changing "static" to "to" for the http port means a dynamic port is
assigned and it's no longer exposed on port 8500 of the host.

Add a separate service for DNS that resolves to the host's IP.
diff --git a/mkosi.images/terraform/share/terraform/consul-service.tf b/mkosi.images/terraform/share/terraform/consul-service.tf
@@ -64,8 +64,12 @@ resource "consul_config_entry_service_intentions" "consul" {
 
 resource "nomad_job" "consul" {
   jobspec = file("${path.module}/consul.nomad")
+  hcl2 {
+    vars = {
+      namespace = nomad_namespace.admin.name
+    }
+  }
   depends_on = [
-    nomad_namespace.admin,
     vault_consul_secret_backend_role.consul-api,
     vault_jwt_auth_backend_role.consul,
     consul_acl_binding_rule.consul-service,
diff --git a/mkosi.images/terraform/share/terraform/consul.nomad b/mkosi.images/terraform/share/terraform/consul.nomad
@@ -1,20 +1,32 @@
+variable "namespace" {
+  type = string
+}
+
 job "consul" {
-  namespace = "admin"
+  namespace = var.namespace
 
   group "client" {
     service {
-      tags = ["api"]
-      name = "consul"
-      port = "http"
+      tags         = ["api"]
+      name         = "consul"
+      port         = "http"
+      address_mode = "alloc"
       connect {
         sidecar_service {}
       }
     }
 
+    service {
+      tags         = ["dns"]
+      name         = "consul"
+      port         = "dns"
+      address_mode = "host"
+    }
+
     network {
       mode = "bridge"
       port "http" {
-        static = 8500
+        to = 8500
       }
       port "dns" {
         static       = 8600
@@ -32,7 +44,7 @@ job "consul" {
       consul {}
 
       template {
-        data = <<-EOF
+        data        = <<-EOF
         encrypt   = "{{ with secret "secrets/mangos/consul/gossip" }}{{ .Data.encryption_key | trimSpace }}{{ end }}"
         addresses {
           dns = "0.0.0.0"
@@ -61,10 +73,12 @@ job "consul" {
 
       config {
         image = "hashicorp/consul"
-        args  = ["agent",
-                 "-retry-join", "${HOST_IP}",
-                 "-datacenter", "${NOMAD_REGION}-${NOMAD_DC}",
-                 "-config-file", "${NOMAD_SECRETS_DIR}/consul.hcl"]
+        args = [
+          "agent",
+          "-retry-join", "${HOST_IP}",
+          "-datacenter", "${NOMAD_REGION}-${NOMAD_DC}",
+          "-config-file", "${NOMAD_SECRETS_DIR}/consul.hcl"
+        ]
       }
     }
   }
