Add nomad server/client, fix ansible policy to allow for cert creation

ansible/roles/nomad_client/files/nomad.service

@@ -0,0 +1,21 @@
+[Unit]
+Description=Nomad
+Documentation=https://nomadproject.io/docs/
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/local/bin/nomad agent -config /etc/nomad.d
+KillMode=process
+KillSignal=SIGINT
+LimitNOFILE=infinity
+LimitNPROC=infinity
+Restart=on-failure
+RestartSec=2
+StartLimitBurst=3
+StartLimitIntervalSec=10
+TasksMax=infinity
+
+[Install]
+WantedBy=multi-user.target

ansible/roles/nomad_client/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+- name: daemon_reload
+  systemd:
+    daemon_reload: True
+
+- name: restart_nomad
+  systemd:
+    name: nomad
+    state: restarted
+...

ansible/roles/nomad_client/tasks/main.yml

@@ -0,0 +1,73 @@
+---
+- name: ensure nomad group
+  group:
+    name: nomad
+    state: present
+    system: True
+
+- name: ensure nomad user
+  user:
+    name: nomad
+    state: present
+    group: nomad
+    system: True
+
+- name: ensure nomad config dir
+  file:
+    path: /etc/nomad.d/
+    state: directory
+    owner: nomad
+    group: nomad
+    mode: 0755
+
+- name: ensure nomad data dir
+  file:
+    path: /opt/nomad
+    state: directory
+    owner: nomad
+    group: nomad
+    mode: 0755
+
+- name: check nomad version
+  shell:
+    cmd: "nomad --version | head -1 | cut -d'v' -f2"
+  args:
+    executable: /bin/bash
+  changed_when: False
+  register: installed_nomad_version
+  check_mode: False
+
+- name: get nomad
+  unarchive:
+    src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip"
+    dest: /usr/local/bin/
+    mode: 0755
+    owner: root
+    group: root
+    remote_src: True
+  when: installed_nomad_version.stdout != nomad_version
+
+- name: copy nomad unit file
+  copy:
+    src: files/nomad.service
+    dest: /etc/systemd/system/nomad.service
+    mode: 0755
+    owner: root
+    group: root
+  notify: daemon_reload
+
+- name: template nomad config
+  template:
+    src: templates/nomad.hcl.j2
+    dest: /etc/nomad.d/nomad.hcl
+    owner: root
+    group: root
+    mode: 0755
+  notify: restart_nomad
+
+- name: ensure nomad is started and enabled
+  systemd:
+    name: nomad
+    state: started
+    enabled: True
+...

ansible/roles/nomad_client/templates/nomad.hcl.j2

@@ -0,0 +1,10 @@
+datacenter = "{{ main_dc_name }}"
+data_dir = "/opt/nomad"
+
+client {
+  enabled   = true
+}
+
+consul {
+  token     = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['consul-acl-client'] }}"
+}

ansible/roles/nomad_server/files/nomad.service

@@ -0,0 +1,21 @@
+[Unit]
+Description=Nomad
+Documentation=https://nomadproject.io/docs/
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/local/bin/nomad agent -config /etc/nomad.d
+KillMode=process
+KillSignal=SIGINT
+LimitNOFILE=infinity
+LimitNPROC=infinity
+Restart=on-failure
+RestartSec=2
+StartLimitBurst=3
+StartLimitIntervalSec=10
+TasksMax=infinity
+
+[Install]
+WantedBy=multi-user.target

ansible/roles/nomad_server/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+- name: daemon_reload
+  systemd:
+    daemon_reload: True
+
+- name: restart_nomad
+  systemd:
+    name: nomad
+    state: restarted
+...

ansible/roles/nomad_server/tasks/main.yml

@@ -0,0 +1,73 @@
+---
+- name: ensure nomad group
+  group:
+    name: nomad
+    state: present
+    system: True
+
+- name: ensure nomad user
+  user:
+    name: nomad
+    state: present
+    group: nomad
+    system: True
+
+- name: ensure nomad config dir
+  file:
+    path: /etc/nomad.d/
+    state: directory
+    owner: nomad
+    group: nomad
+    mode: 0755
+
+- name: ensure nomad data dir
+  file:
+    path: /opt/nomad
+    state: directory
+    owner: nomad
+    group: nomad
+    mode: 0755
+
+- name: check nomad version
+  shell:
+    cmd: "nomad --version | head -1 | cut -d'v' -f2"
+  args:
+    executable: /bin/bash
+  changed_when: False
+  register: installed_nomad_version
+  check_mode: False
+
+- name: get nomad
+  unarchive:
+    src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip"
+    dest: /usr/local/bin/
+    mode: 0755
+    owner: root
+    group: root
+    remote_src: True
+  when: installed_nomad_version.stdout != nomad_version
+
+- name: copy nomad unit file
+  copy:
+    src: files/nomad.service
+    dest: /etc/systemd/system/nomad.service
+    mode: 0755
+    owner: root
+    group: root
+  notify: daemon_reload
+
+- name: template nomad config
+  template:
+    src: templates/nomad.hcl.j2
+    dest: /etc/nomad.d/nomad.hcl
+    owner: root
+    group: root
+    mode: 0755
+  notify: restart_nomad
+
+- name: ensure nomad is started and enabled
+  systemd:
+    name: nomad
+    state: started
+    enabled: True
+...

ansible/roles/nomad_server/templates/nomad.hcl.j2

@@ -0,0 +1,11 @@
+datacenter = "{{ main_dc_name }}"
+data_dir = "/opt/nomad"
+
+server {
+  enabled = true
+  bootstrap_expect = 1
+}
+
+consul {
+  token     = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['consul-acl-server'] }}"
+}

vault/policies/ansible.hcl

@@ -1,3 +1,7 @@
 path "kv/*" {
   capabilities = ["list", "read"]
 }
+
+path "pki_int/issue/masked-dot-name" {
+  capabilities = [ "create", "read", "list", "update" ]
+}