Talos is a minimal OS with just enough functionality to run a Kubernetes cluster. The root filesystem is immutable and doesn’t even include /bin/sh. Nodes are managed, and the cluster bootstrapped, through an API rather than a shell. The mutable partitions on the system disk are considered ephemeral and are wiped during OS upgrades by default. (The system refuses to upgrade a node if doing so would cost etcd its quorum.)
It would be very nice to have that, but for Nomad. I’m imagining a variant of Talos which sets up the PKI for Nomad+Consul+Vault and supervises them.
Sadly, I don’t have the energy to make that happen personally, but I figured I would put a bug in the ear of both the people behind Nomad and the people behind Talos. I am not affiliated with Talos; I’m just a user.