From 8a1941fc586b2e04e378ad0563609da75b261ca4 Mon Sep 17 00:00:00 2001 From: Asara Date: Sat, 29 Aug 2020 20:25:30 -0400 Subject: [PATCH] Add nomad server/client, fix ansible policy to allow for cert creation
--- .../roles/nomad_client/files/nomad.service | 21 ++++++ ansible/roles/nomad_client/handlers/main.yml | 10 +++ ansible/roles/nomad_client/tasks/main.yml | 73 +++++++++++++++++++ .../roles/nomad_client/templates/nomad.hcl.j2 | 10 +++ .../roles/nomad_server/files/nomad.service | 21 ++++++ ansible/roles/nomad_server/handlers/main.yml | 10 +++ ansible/roles/nomad_server/tasks/main.yml | 73 +++++++++++++++++++ .../roles/nomad_server/templates/nomad.hcl.j2 | 11 +++ vault/policies/ansible.hcl | 4 + 9 files changed, 233 insertions(+) create mode 100644 ansible/roles/nomad_client/files/nomad.service create mode 100644 ansible/roles/nomad_client/handlers/main.yml create mode 100644 ansible/roles/nomad_client/tasks/main.yml create mode 100644 ansible/roles/nomad_client/templates/nomad.hcl.j2 create mode 100644 ansible/roles/nomad_server/files/nomad.service create mode 100644 ansible/roles/nomad_server/handlers/main.yml create mode 100644 ansible/roles/nomad_server/tasks/main.yml create mode 100644 ansible/roles/nomad_server/templates/nomad.hcl.j2
diff --git a/ansible/roles/nomad_client/files/nomad.service b/ansible/roles/nomad_client/files/nomad.service new file mode 100644
index 0000000..d3ef33b
--- /dev/null
+++ b/ansible/roles/nomad_client/files/nomad.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=Nomad
+Documentation=https://nomadproject.io/docs/
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/local/bin/nomad agent -config /etc/nomad.d
+KillMode=process
+KillSignal=SIGINT
+LimitNOFILE=infinity
+LimitNPROC=infinity
+Restart=on-failure
+RestartSec=2
+StartLimitBurst=3
+StartLimitIntervalSec=10
+TasksMax=infinity
+
+[Install]
+WantedBy=multi-user.target
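Review bot: This unit file is a byte-for-byte copy of the one added under ansible/roles/nomad_server/files (both carry blob d3ef33b), and the handlers and tasks of the two roles are identical as well (tasks share blob 9697510); only the nomad.hcl.j2 template differs. Keeping two roles that differ in a single template invites drift the next time the unit or the install tasks change. A single `nomad` role whose template switches on a `nomad_mode: client|server` variable, or a shared role that the two thin roles depend on, would keep one copy of this file. A one-line comment at the top of the unit naming the Nomad agent mode it is meant for would at least make the intended difference explicit if the copies are kept.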
diff --git a/ansible/roles/nomad_client/handlers/main.yml b/ansible/roles/nomad_client/handlers/main.yml new file mode 100644
index 0000000..625606d
--- /dev/null
+++ b/ansible/roles/nomad_client/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: daemon_reload
+ systemd:
+ daemon_reload: True
+
+- name: restart_nomad
+ systemd:
+ name: nomad
+ state: restarted
+...
diff --git a/ansible/roles/nomad_client/tasks/main.yml b/ansible/roles/nomad_client/tasks/main.yml new file mode 100644
index 0000000..9697510
--- /dev/null
+++ b/ansible/roles/nomad_client/tasks/main.yml
@@ -0,0 +1,73 @@
+---
+- name: ensure nomad group
+ group:
+ name: nomad
+ state: present
+ system: True
+
+- name: ensure nomad user
+ user:
+ name: nomad
+ state: present
+ group: nomad
+ system: True
+
+- name: ensure nomad config dir
+ file:
+ path: /etc/nomad.d/
+ state: directory
+ owner: nomad
+ group: nomad
+ mode: 0755
+
+- name: ensure nomad data dir
+ file:
+ path: /opt/nomad
+ state: directory
+ owner: nomad
+ group: nomad
+ mode: 0755
+
+- name: check nomad version
+ shell:
+ cmd: "nomad --version | head -1 | cut -d'v' -f2"
+ args:
+ executable: /bin/bash
+ changed_when: False
+ register: installed_nomad_version
+ check_mode: False
+
+- name: get nomad
+ unarchive:
+ src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip"
+ dest: /usr/local/bin/
+ mode: 0755
+ owner: root
+ group: root
+ remote_src: True
+ when: installed_nomad_version.stdout != nomad_version
+
+- name: copy nomad unit file
+ copy:
+ src: files/nomad.service
+ dest: /etc/systemd/system/nomad.service
+ mode: 0755
+ owner: root
+ group: root
+ notify: daemon_reload
+
+- name: template nomad config
+ template:
+ src: templates/nomad.hcl.j2
+ dest: /etc/nomad.d/nomad.hcl
+ owner: root
+ group: root
+ mode: 0755
+ notify: restart_nomad
+
+- name: ensure nomad is started and enabled
+ systemd:
+ name: nomad
+ state: started
+ enabled: True
+...
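Review bot: The `template nomad config` task writes /etc/nomad.d/nomad.hcl with `mode: 0755`, and that file carries the Consul ACL token rendered from Vault, so every local account on the host can read the token; `mode: 0640` together with `group: nomad` keeps it readable by the service and nobody else, and `copy nomad unit file` likewise wants `0644` rather than an executable bit. The identical task list in ansible/roles/nomad_server/tasks/main.yml has the same two modes. Two further points in the same hunk: `get nomad` unarchives a release zip straight from releases.hashicorp.com with no integrity check, so a `get_url` step with `checksum:` pinned to the release's published SHA256 followed by a local unarchive would fix what actually gets installed on the host; and if `nomad --version` prints anything after the version number on its first line (recent releases append a commit hash), `cut -d'v' -f2` keeps that suffix and the `when:` comparison against `nomad_version` never matches, re-downloading the binary on every run. A comment on `check nomad version` stating the exact output format it expects would make that assumption visible either way.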
diff --git a/ansible/roles/nomad_client/templates/nomad.hcl.j2 b/ansible/roles/nomad_client/templates/nomad.hcl.j2 new file mode 100644
index 0000000..f61f8d3
--- /dev/null
+++ b/ansible/roles/nomad_client/templates/nomad.hcl.j2
@@ -0,0 +1,10 @@
+datacenter = "{{ main_dc_name }}"
+data_dir = "/opt/nomad"
+
+client {
+ enabled = true
+}
+
+consul {
+ token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['consul-acl-client'] }}"
+}
diff --git a/ansible/roles/nomad_server/files/nomad.service b/ansible/roles/nomad_server/files/nomad.service new file mode 100644
index 0000000..d3ef33b
--- /dev/null
+++ b/ansible/roles/nomad_server/files/nomad.service
@@ -0,0 +1,21 @@
+[Unit]
+Description=Nomad
+Documentation=https://nomadproject.io/docs/
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/local/bin/nomad agent -config /etc/nomad.d
+KillMode=process
+KillSignal=SIGINT
+LimitNOFILE=infinity
+LimitNPROC=infinity
+Restart=on-failure
+RestartSec=2
+StartLimitBurst=3
+StartLimitIntervalSec=10
+TasksMax=infinity
+
+[Install]
+WantedBy=multi-user.target
diff --git a/ansible/roles/nomad_server/handlers/main.yml b/ansible/roles/nomad_server/handlers/main.yml new file mode 100644
index 0000000..625606d
--- /dev/null
+++ b/ansible/roles/nomad_server/handlers/main.yml
@@ -0,0 +1,10 @@
+---
+- name: daemon_reload
+ systemd:
+ daemon_reload: True
+
+- name: restart_nomad
+ systemd:
+ name: nomad
+ state: restarted
+...
diff --git a/ansible/roles/nomad_server/tasks/main.yml b/ansible/roles/nomad_server/tasks/main.yml new file mode 100644
index 0000000..9697510
--- /dev/null
+++ b/ansible/roles/nomad_server/tasks/main.yml
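Review bot: The rendered client config has no `tls {}` stanza, so the agent's HTTP and RPC listeners stay plaintext even though the same commit grants the ansible policy `pki_int/issue/...`, which presumably exists to mint exactly these certificates. If the TLS wiring is a follow-up, a `# TODO: tls stanza (certs from pki_int)` line in the template would make the gap visible; the server template in ansible/roles/nomad_server/templates/nomad.hcl.j2 has the same omission. Worth a comment on the `consul { token = ... }` line too: the `hashi_vault` lookup runs on the controller every time the template is rendered, so the token is fetched from Vault on each play and a rotated token lands in the file and fires `restart_nomad`.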
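Review bot: The server unit has no `User=`/`Group=` directive under `[Service]`, so the Nomad server runs as root even though the matching tasks create a `nomad` system user and chown /etc/nomad.d and /opt/nomad to it. A server-only agent should not need root (as far as I know only clients require it for task drivers), so `User=nomad` and `Group=nomad` would use the account the role already prepares and keep a compromised server process away from the rest of the host. The identical client unit in ansible/roles/nomad_client/files/nomad.service is a different case, which is one more reason the two unit files should not be the same blob.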
@@ -0,0 +1,73 @@
+---
+- name: ensure nomad group
+ group:
+ name: nomad
+ state: present
+ system: True
+
+- name: ensure nomad user
+ user:
+ name: nomad
+ state: present
+ group: nomad
+ system: True
+
+- name: ensure nomad config dir
+ file:
+ path: /etc/nomad.d/
+ state: directory
+ owner: nomad
+ group: nomad
+ mode: 0755
+
+- name: ensure nomad data dir
+ file:
+ path: /opt/nomad
+ state: directory
+ owner: nomad
+ group: nomad
+ mode: 0755
+
+- name: check nomad version
+ shell:
+ cmd: "nomad --version | head -1 | cut -d'v' -f2"
+ args:
+ executable: /bin/bash
+ changed_when: False
+ register: installed_nomad_version
+ check_mode: False
+
+- name: get nomad
+ unarchive:
+ src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip"
+ dest: /usr/local/bin/
+ mode: 0755
+ owner: root
+ group: root
+ remote_src: True
+ when: installed_nomad_version.stdout != nomad_version
+
+- name: copy nomad unit file
+ copy:
+ src: files/nomad.service
+ dest: /etc/systemd/system/nomad.service
+ mode: 0755
+ owner: root
+ group: root
+ notify: daemon_reload
+
+- name: template nomad config
+ template:
+ src: templates/nomad.hcl.j2
+ dest: /etc/nomad.d/nomad.hcl
+ owner: root
+ group: root
+ mode: 0755
+ notify: restart_nomad
+
+- name: ensure nomad is started and enabled
+ systemd:
+ name: nomad
+ state: started
+ enabled: True
+...
diff --git a/ansible/roles/nomad_server/templates/nomad.hcl.j2 b/ansible/roles/nomad_server/templates/nomad.hcl.j2 new file mode 100644
index 0000000..782df9d
--- /dev/null
+++ b/ansible/roles/nomad_server/templates/nomad.hcl.j2
@@ -0,0 +1,11 @@
+datacenter = "{{ main_dc_name }}"
+data_dir = "/opt/nomad"
+
+server {
+ enabled = true
+ bootstrap_expect = 1
+}
+
+consul {
+ token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['consul-acl-server'] }}"
+}
diff --git a/vault/policies/ansible.hcl b/vault/policies/ansible.hcl
index f505543..01382c7
--- a/vault/policies/ansible.hcl
+++ b/vault/policies/ansible.hcl
@@ -1,3 +1,7 @@
 path "kv/*" {
 capabilities = ["list", "read"]
 }
+
+path "pki_int/issue/masked-dot-name" {
+ capabilities = [ "create", "read", "list", "update" ]
+}
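Review bot: The new `pki_int/issue/masked-dot-name` rule grants `read` and `list` next to `create`/`update`, but issuing a certificate is a write to that path and, as far as I know, the `issue/` endpoint has nothing to read or list, so the two extra capabilities do no work today and only widen what this token can do if the path is ever turned into a glob. `capabilities = ["create", "update"]` is enough for Ansible to issue against that PKI role. That keeps the issue grant as narrow as the read-only `kv/*` rule above it, which is the right shape for a policy whose token lives on the automation host.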