RIP Nomad

ansible/README.md

@@ -2,4 +2,4 @@
 
 ## Goals
 
-The goal of this is to keep it as barebones as possible and offload everything I can to nomad
+The goal of this is to keep it as barebones as possible and offload everything I can to k8s

ansible/group_vars/all/main.yml

@@ -59,10 +59,6 @@ vault_ca_cert_payload: |
   KokuDezJFM7ie3d+EcBk1V9lHwOWdto=
   -----END CERTIFICATE-----
 
-# nomad
-nomad_version: 1.3.1
-nomad_podman_driver_version: 0.3.0
-
 # lnd
 lnd_version: 0.15.4-beta
 

ansible/group_vars/hardtack/main.yml

@@ -1,7 +1,5 @@
 ---
 hashi_arch: arm
 consul_arch: arm64
-nomad_arch: arm64
-docker_arch: arm64
 k3s_role: 'client'
 k3s_server_hostname: hardtack1.minhas.io

ansible/host_vars/sedan.minhas.io/nomad.yml

@@ -1,11 +0,0 @@
----
-nomad_meta_values:
-  - { name: "storage_optimized", value: "true" }
-  - { name: "ram_optimized", value: "false" }
-
-nomad_ug_map:
-  - { name: "jenkins", id: "15000" }
-
-nomad_bind_mounts:
-  - { path: /opt/jenkins_home, owner: jenkins }
-...

ansible/inventory.txt

@@ -30,12 +30,6 @@ redwingcherokee.minhas.io
 [docker_repo]
 sedan.minhas.io
 
-[nomad_client]
-sedan.minhas.io
-
-[nomad_server]
-ranger.minhas.io
-
 [vault_server]
 ranger.minhas.io
 sedan.minhas.io

ansible/playbooks/docker.yml

@@ -1,5 +0,0 @@
----
-- hosts: nexus:nomad_client
-  roles:
-    - role: docker
-...

ansible/playbooks/nomad-client.yml

@@ -1,5 +0,0 @@
----
-- hosts: nomad_client
-  roles:
-    - role: nomad_client
-...

ansible/playbooks/nomad-server.yml

@@ -1,6 +0,0 @@
----
-- hosts: nomad_server
-  serial: 1
-  roles:
-    - role: nomad_server
-...

ansible/playbooks/nomad.yml

@@ -1,4 +0,0 @@
----
-- import_playbook: nomad-server.yml
-- import_playbook: nomad-client.yml
-...

ansible/playbooks/site.yml

@@ -3,11 +3,8 @@
 - import_playbook: consul-server.yml
 - import_playbook: vault-server.yml
 - import_playbook: consul-client.yml
-- import_playbook: docker.yml
-- import_playbook: nomad.yml
 - import_playbook: k3s.yml
 - import_playbook: docker-repo.yml
 - import_playbook: lnd.yml
 - import_playbook: wekan.yml
-  #- import_playbook: haproxy.yml
 ...

ansible/roles/docker/defaults/main.yml

@@ -1,2 +0,0 @@
----
-docker_arch: amd64

ansible/roles/docker/files/docker.gpg

@@ -1,62 +0,0 @@
------BEGIN PGP PUBLIC KEY BLOCK-----
-
-mQINBFit2ioBEADhWpZ8/wvZ6hUTiXOwQHXMAlaFHcPH9hAtr4F1y2+OYdbtMuth
-lqqwp028AqyY+PRfVMtSYMbjuQuu5byyKR01BbqYhuS3jtqQmljZ/bJvXqnmiVXh
-38UuLa+z077PxyxQhu5BbqntTPQMfiyqEiU+BKbq2WmANUKQf+1AmZY/IruOXbnq
-L4C1+gJ8vfmXQt99npCaxEjaNRVYfOS8QcixNzHUYnb6emjlANyEVlZzeqo7XKl7
-UrwV5inawTSzWNvtjEjj4nJL8NsLwscpLPQUhTQ+7BbQXAwAmeHCUTQIvvWXqw0N
-cmhh4HgeQscQHYgOJjjDVfoY5MucvglbIgCqfzAHW9jxmRL4qbMZj+b1XoePEtht
-ku4bIQN1X5P07fNWzlgaRL5Z4POXDDZTlIQ/El58j9kp4bnWRCJW0lya+f8ocodo
-vZZ+Doi+fy4D5ZGrL4XEcIQP/Lv5uFyf+kQtl/94VFYVJOleAv8W92KdgDkhTcTD
-G7c0tIkVEKNUq48b3aQ64NOZQW7fVjfoKwEZdOqPE72Pa45jrZzvUFxSpdiNk2tZ
-XYukHjlxxEgBdC/J3cMMNRE1F4NCA3ApfV1Y7/hTeOnmDuDYwr9/obA8t016Yljj
-q5rdkywPf4JF8mXUW5eCN1vAFHxeg9ZWemhBtQmGxXnw9M+z6hWwc6ahmwARAQAB
-tCtEb2NrZXIgUmVsZWFzZSAoQ0UgZGViKSA8ZG9ja2VyQGRvY2tlci5jb20+iQI3
-BBMBCgAhBQJYrefAAhsvBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEI2BgDwO
-v82IsskP/iQZo68flDQmNvn8X5XTd6RRaUH33kXYXquT6NkHJciS7E2gTJmqvMqd
-tI4mNYHCSEYxI5qrcYV5YqX9P6+Ko+vozo4nseUQLPH/ATQ4qL0Zok+1jkag3Lgk
-jonyUf9bwtWxFp05HC3GMHPhhcUSexCxQLQvnFWXD2sWLKivHp2fT8QbRGeZ+d3m
-6fqcd5Fu7pxsqm0EUDK5NL+nPIgYhN+auTrhgzhK1CShfGccM/wfRlei9Utz6p9P
-XRKIlWnXtT4qNGZNTN0tR+NLG/6Bqd8OYBaFAUcue/w1VW6JQ2VGYZHnZu9S8LMc
-FYBa5Ig9PxwGQOgq6RDKDbV+PqTQT5EFMeR1mrjckk4DQJjbxeMZbiNMG5kGECA8
-g383P3elhn03WGbEEa4MNc3Z4+7c236QI3xWJfNPdUbXRaAwhy/6rTSFbzwKB0Jm
-ebwzQfwjQY6f55MiI/RqDCyuPj3r3jyVRkK86pQKBAJwFHyqj9KaKXMZjfVnowLh
-9svIGfNbGHpucATqREvUHuQbNnqkCx8VVhtYkhDb9fEP2xBu5VvHbR+3nfVhMut5
-G34Ct5RS7Jt6LIfFdtcn8CaSas/l1HbiGeRgc70X/9aYx/V/CEJv0lIe8gP6uDoW
-FPIZ7d6vH+Vro6xuWEGiuMaiznap2KhZmpkgfupyFmplh0s6knymuQINBFit2ioB
-EADneL9S9m4vhU3blaRjVUUyJ7b/qTjcSylvCH5XUE6R2k+ckEZjfAMZPLpO+/tF
-M2JIJMD4SifKuS3xck9KtZGCufGmcwiLQRzeHF7vJUKrLD5RTkNi23ydvWZgPjtx
-Q+DTT1Zcn7BrQFY6FgnRoUVIxwtdw1bMY/89rsFgS5wwuMESd3Q2RYgb7EOFOpnu
-w6da7WakWf4IhnF5nsNYGDVaIHzpiqCl+uTbf1epCjrOlIzkZ3Z3Yk5CM/TiFzPk
-z2lLz89cpD8U+NtCsfagWWfjd2U3jDapgH+7nQnCEWpROtzaKHG6lA3pXdix5zG8
-eRc6/0IbUSWvfjKxLLPfNeCS2pCL3IeEI5nothEEYdQH6szpLog79xB9dVnJyKJb
-VfxXnseoYqVrRz2VVbUI5Blwm6B40E3eGVfUQWiux54DspyVMMk41Mx7QJ3iynIa
-1N4ZAqVMAEruyXTRTxc9XW0tYhDMA/1GYvz0EmFpm8LzTHA6sFVtPm/ZlNCX6P1X
-zJwrv7DSQKD6GGlBQUX+OeEJ8tTkkf8QTJSPUdh8P8YxDFS5EOGAvhhpMBYD42kQ
-pqXjEC+XcycTvGI7impgv9PDY1RCC1zkBjKPa120rNhv/hkVk/YhuGoajoHyy4h7
-ZQopdcMtpN2dgmhEegny9JCSwxfQmQ0zK0g7m6SHiKMwjwARAQABiQQ+BBgBCAAJ
-BQJYrdoqAhsCAikJEI2BgDwOv82IwV0gBBkBCAAGBQJYrdoqAAoJEH6gqcPyc/zY
-1WAP/2wJ+R0gE6qsce3rjaIz58PJmc8goKrir5hnElWhPgbq7cYIsW5qiFyLhkdp
-YcMmhD9mRiPpQn6Ya2w3e3B8zfIVKipbMBnke/ytZ9M7qHmDCcjoiSmwEXN3wKYI
-mD9VHONsl/CG1rU9Isw1jtB5g1YxuBA7M/m36XN6x2u+NtNMDB9P56yc4gfsZVES
-KA9v+yY2/l45L8d/WUkUi0YXomn6hyBGI7JrBLq0CX37GEYP6O9rrKipfz73XfO7
-JIGzOKZlljb/D9RX/g7nRbCn+3EtH7xnk+TK/50euEKw8SMUg147sJTcpQmv6UzZ
-cM4JgL0HbHVCojV4C/plELwMddALOFeYQzTif6sMRPf+3DSj8frbInjChC3yOLy0
-6br92KFom17EIj2CAcoeq7UPhi2oouYBwPxh5ytdehJkoo+sN7RIWua6P2WSmon5
-U888cSylXC0+ADFdgLX9K2zrDVYUG1vo8CX0vzxFBaHwN6Px26fhIT1/hYUHQR1z
-VfNDcyQmXqkOnZvvoMfz/Q0s9BhFJ/zU6AgQbIZE/hm1spsfgvtsD1frZfygXJ9f
-irP+MSAI80xHSf91qSRZOj4Pl3ZJNbq4yYxv0b1pkMqeGdjdCYhLU+LZ4wbQmpCk
-SVe2prlLureigXtmZfkqevRz7FrIZiu9ky8wnCAPwC7/zmS18rgP/17bOtL4/iIz
-QhxAAoAMWVrGyJivSkjhSGx1uCojsWfsTAm11P7jsruIL61ZzMUVE2aM3Pmj5G+W
-9AcZ58Em+1WsVnAXdUR//bMmhyr8wL/G1YO1V3JEJTRdxsSxdYa4deGBBY/Adpsw
-24jxhOJR+lsJpqIUeb999+R8euDhRHG9eFO7DRu6weatUJ6suupoDTRWtr/4yGqe
-dKxV3qQhNLSnaAzqW/1nA3iUB4k7kCaKZxhdhDbClf9P37qaRW467BLCVO/coL3y
-Vm50dwdrNtKpMBh3ZpbB1uJvgi9mXtyBOMJ3v8RZeDzFiG8HdCtg9RvIt/AIFoHR
-H3S+U79NT6i0KPzLImDfs8T7RlpyuMc4Ufs8ggyg9v3Ae6cN3eQyxcK3w0cbBwsh
-/nQNfsA6uu+9H7NhbehBMhYnpNZyrHzCmzyXkauwRAqoCbGCNykTRwsur9gS41TQ
-M8ssD1jFheOJf3hODnkKU+HKjvMROl1DK7zdmLdNzA1cvtZH/nCC9KPj1z8QC47S
-xx+dTZSx4ONAhwbS/LN3PoKtn8LPjY9NP9uDWI+TWYquS2U+KHDrBDlsgozDbs/O
-jCxcpDzNmXpWQHEtHU7649OXHP7UeNST1mCUCH5qdank0V1iejF6/CfTFU4MfcrG
-YT90qFF93M3v01BbxP+EIY2/9tiIPbrd
-=0YYh
------END PGP PUBLIC KEY BLOCK-----

ansible/roles/docker/tasks/main.yml

@@ -1,43 +0,0 @@
----
-- name: install docker dependencies
-  apt:
-    state: present
-    name:
-      - apt-transport-https
-      - ca-certificates
-      - curl
-      - gnupg-agent
-      - software-properties-common
-
-- name: add docker apt key
-  apt_key:
-    url: https://download.docker.com/linux/debian/gpg
-    state: present
-    id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
-
-- name: add docker repo
-  apt_repository:
-    repo: "deb [arch={{ docker_arch }}] https://download.docker.com/linux/debian bullseye stable"
-    state: present
-    mode: 0644
-
-- name: install docker-ce
-  apt:
-    state: present
-    update_cache: True
-    name:
-      - docker-ce
-      - docker-ce-cli
-      - containerd.io
-
-- name: ensure docker certs directory exists
-  file:
-    path: /etc/docker/certs.d/docker.service.{{ consul_domain }}:8082
-    state: directory
-
-- name: symlink ca cert
-  file:
-    src: /etc/pki/certs/{{ vault_ca_cert_name }}
-    dest: /etc/docker/certs.d/docker.service.{{ consul_domain }}:8082/ca.crt
-    state: link
-...

ansible/roles/nomad_client/defaults/main.yml

@@ -1,2 +0,0 @@
----
-nomad_arch: amd64

ansible/roles/nomad_client/files/containers.conf

@@ -1,29 +0,0 @@
-[containers]
-default_capabilities = [
-    "CHOWN",
-    "DAC_OVERRIDE",
-    "FOWNER",
-    "FSETID",
-    "KILL",
-    "NET_BIND_SERVICE",
-    "SETFCAP",
-    "SETGID",
-    "SETPCAP",
-    "SETUID",
-    "SYS_CHROOT"
-]
-
-default_sysctls = [
- "net.ipv4.ping_group_range=0 1",
-]
-
-[engine]
-runtime = "crun"
-cgroup_manager = "cgroupfs"
-events_logger = "journald"
-
-#[storage]
-#driver = "overlay"
-#
-#[storage.options]
-#mount_program = "/usr/bin/fuse-overlayfs"

ansible/roles/nomad_client/files/nomad.service

@@ -1,21 +0,0 @@
-[Unit]
-Description=Nomad
-Documentation=https://nomadproject.io/docs/
-Wants=network-online.target
-After=network-online.target
-
-[Service]
-ExecReload=/bin/kill -HUP $MAINPID
-ExecStart=/usr/local/bin/nomad agent -config /etc/nomad.d
-KillMode=process
-KillSignal=SIGINT
-LimitNOFILE=infinity
-LimitNPROC=infinity
-Restart=on-failure
-RestartSec=2
-StartLimitBurst=3
-StartLimitIntervalSec=10
-TasksMax=infinity
-
-[Install]
-WantedBy=multi-user.target

ansible/roles/nomad_client/handlers/main.yml

@@ -1,15 +0,0 @@
----
-- name: daemon_reload
-  systemd:
-    daemon_reload: True
-
-- name: reload_nomad
-  systemd:
-    name: nomad
-    state: reloaded
-
-- name: restart_nomad
-  systemd:
-    name: nomad
-    state: restarted
-...

ansible/roles/nomad_client/tasks/client_setup.yml

@@ -1,27 +0,0 @@
----
-- name: setup group mappings
-  group:
-    name: "{{ item.name }}"
-    gid: "{{ item.id }}"
-    system: True
-  loop: "{{ nomad_ug_map }}"
-  when: nomad_ug_map is defined
-
-- name: setup user mappings
-  user:
-    name: "{{ item.name }}"
-    uid: "{{ item.id }}"
-    system: True
-  loop: "{{ nomad_ug_map }}"
-  when: nomad_ug_map is defined
-
-- name: ensure mounts
-  file:
-    state: directory
-    path: "{{ item.path }}"
-    owner: "{{ item.owner }}"
-    group: "{{ item.owner }}"
-    mode: 0755
-  loop: "{{ nomad_bind_mounts }}"
-  when: nomad_bind_mounts is defined
-...

ansible/roles/nomad_client/tasks/main.yml

@@ -1,4 +0,0 @@
----
-- import_tasks: nomad.yml
-- import_tasks: client_setup.yml
-...

ansible/roles/nomad_client/tasks/nomad.yml

@@ -1,147 +0,0 @@
----
-- name: ensure nomad group
-  group:
-    name: nomad
-    state: present
-    system: True
-
-- name: ensure nomad user
-  user:
-    name: nomad
-    state: present
-    group: nomad
-    groups:
-      - podman
-    append: True
-    system: True
-
-- name: ensure nomad config dir
-  file:
-    path: /etc/nomad.d/
-    state: directory
-    owner: nomad
-    group: nomad
-    mode: 0755
-
-- name: ensure nomad data dir
-  file:
-    path: /opt/nomad
-    state: directory
-    owner: nomad
-    group: nomad
-    mode: 0755
-
-- name: check nomad version
-  shell:
-    cmd: "nomad --version | head -1 | cut -d'v' -f2"
-  args:
-    executable: /bin/bash
-  changed_when: False
-  register: installed_nomad_version
-  check_mode: False
-
-- name: get nomad
-  unarchive:
-    src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_{{ nomad_arch }}.zip"
-    dest: /usr/local/bin/
-    mode: 0755
-    owner: root
-    group: root
-    remote_src: True
-  when: installed_nomad_version.stdout != nomad_version
-
-- name: copy nomad unit file
-  copy:
-    src: files/nomad.service
-    dest: /etc/systemd/system/nomad.service
-    mode: 0755
-    owner: root
-    group: root
-  notify: daemon_reload
-
-- name: get podman from passwd
-  getent:
-    database: passwd
-    key: podman
-
-- name: template nomad config
-  template:
-    src: templates/nomad.hcl.j2
-    dest: /etc/nomad.d/nomad.hcl
-    owner: root
-    group: root
-    mode: 0755
-  notify: restart_nomad
-
-- name: ensure nomad plugins dir
-  file:
-    path: /opt/nomad_plugins
-    state: directory
-    owner: nomad
-    group: nomad
-    mode: 0755
-
-- name: get nomad podman plugins
-  unarchive:
-    src: "https://releases.hashicorp.com/nomad-driver-podman/{{ nomad_podman_driver_version }}/nomad-driver-podman_{{ nomad_podman_driver_version }}_linux_{{ nomad_arch }}.zip"
-    dest: /opt/nomad_plugins/
-    mode: 0755
-    owner: nomad
-    group: nomad
-    remote_src: True
-
-- name: ensure nomad config dir
-  file:
-    path: /etc/nomad.d/certs/
-    state: directory
-    owner: nomad
-    group: nomad
-    mode: 0755
-
-- name: check if server cert is expiring in the next 5 days
-  shell: "openssl x509 -checkend 432000 -noout -in /etc/nomad.d/certs/nomad.pem"
-  args:
-    executable: /bin/bash
-  failed_when: False
-  check_mode: False
-  changed_when: False
-  register: exp
-
-- name: get cert
-  shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=nomad.service.{{ main_dc_name }}.{{ consul_domain }} alt_names=nomad.service.{{ consul_domain }} ttl=43200m"
-  args:
-    executable: /bin/bash
-  environment:
-    VAULT_ADDR: https://vault.service.masked.name:8200
-    VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
-    VAULT_FORMAT: json
-  register: cert_data
-  when: exp.rc != 0
-  notify: reload_nomad
-
-- name: write cert data to server
-  copy:
-    content: "{{ item.content }}"
-    dest: "/etc/nomad.d/certs/{{ item.path }}"
-    mode: '{{ item.mode }}'
-    owner: nomad
-    group: nomad
-  when: cert_data.changed
-  loop:
-    - {
-        content: "{{ (cert_data.stdout | from_json).data.certificate }}",
-        path: "nomad.pem",
-        mode: "0755"
-    }
-    - {
-        content: "{{ (cert_data.stdout | from_json).data.private_key }}",
-        path: "nomad.key",
-        mode: "0600"
-    }
-
-- name: ensure nomad is started and enabled
-  systemd:
-    name: nomad
-    state: started
-    enabled: True
-...

ansible/roles/nomad_client/tasks/podman.yml

@@ -1,72 +0,0 @@
----
-- name: ensure podman group
-  group:
-    name: podman
-    state: present
-    system: True
-
-- name: ensure podman user
-  user:
-    name: podman
-    state: present
-    group: podman
-    system: True
-
-- name: ensure podman is installed
-  apt:
-    name:
-      - catatonit
-      - fuse-overlayfs
-      - podman
-      - slirp4netns
-      - uidmap
-    state: present
-
-- name: ensure containers.conf is configured
-  copy:
-    src: containers.conf
-    dest: /etc/containers/containers.conf
-    owner: root
-    group: root
-    mode: 0644
-
-- name: Check if podman lingers
-  stat: path=/var/lib/systemd/linger/podman
-  register: linger
-
-- name: enable lingering for podman
-  command: loginctl enable-linger podman
-  when: not linger.stat.exists
-
-- name: enable podman
-  systemd:
-    name: podman
-    state: started
-    enabled: True
-    scope: user
-  changed_when: False
-  become: True
-  become_user: podman
-
-- name: check if subuid is configured
-  shell: grep podman /etc/subuid
-  register: subuid
-  changed_when: False
-  check_mode: False
-  failed_when: False
-
-- name: check if subgid is configured
-  shell: grep podman /etc/subgid
-  register: subgid
-  changed_when: False
-  check_mode: False
-  failed_when: False
-
-- name: configure subuid
-  shell: usermod --add-subuids 200000-201000 podman
-  when: subuid.rc != 0
-
-- name: configure subgid
-  shell: usermod --add-subgids 200000-201000 podman
-  when: subgid.rc != 0
-...

ansible/roles/nomad_client/templates/nomad.hcl.j2

@@ -1,44 +0,0 @@
-datacenter = "{{ main_dc_name }}"
-data_dir = "/opt/nomad"
-
-client {
-  enabled   = true
-  options {
-    "docker.volumes.enabled"    = true
-  }
-  meta {
-{% for nomad_meta in nomad_meta_values %}
-    "{{ nomad_meta.name }}"     = "{{ nomad_meta.value }}"
-{% endfor %}
-  }
-}
-
-consul {
-  token     = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:consul-acl-client ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
-}
-
-vault {
-  enabled           = true
-  ca_file           = "/etc/pki/certs/{{ vault_ca_cert_name }}"
-  token             = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:vault-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
-  address           = "https://vault.service.{{ consul_domain }}:8200"
-  create_from_role  = "nomad-cluster"
-  unwrap_token      = true
-}
-
-tls {
-  http      = true
-  rpc       = true
-  ca_file   = "/etc/pki/certs/{{ vault_ca_cert_name }}"
-  cert_file = "/etc/nomad.d/certs/nomad.pem"
-  key_file  = "/etc/nomad.d/certs/nomad.key"
-}
-
-plugin_dir = "/opt/nomad_plugins"
-
-plugin "nomad-driver-podman" {
-  enabled   = true
-  config {
-    socket_path = "unix:///run/user/{{ getent_passwd.podman[1] }}/podman/podman.sock"
-  }
-}

ansible/roles/nomad_server/files/nomad.service

@@ -1,21 +0,0 @@
-[Unit]
-Description=Nomad
-Documentation=https://nomadproject.io/docs/
-Wants=network-online.target
-After=network-online.target
-
-[Service]
-ExecReload=/bin/kill -HUP $MAINPID
-ExecStart=/usr/local/bin/nomad agent -config /etc/nomad.d
-KillMode=process
-KillSignal=SIGINT
-LimitNOFILE=infinity
-LimitNPROC=infinity
-Restart=on-failure
-RestartSec=2
-StartLimitBurst=3
-StartLimitIntervalSec=10
-TasksMax=infinity
-
-[Install]
-WantedBy=multi-user.target

ansible/roles/nomad_server/handlers/main.yml

@@ -1,15 +0,0 @@
----
-- name: daemon_reload
-  systemd:
-    daemon_reload: True
-
-- name: reload_nomad
-  systemd:
-    name: nomad
-    state: reloaded
-
-- name: restart_nomad
-  systemd:
-    name: nomad
-    state: restarted
-...

ansible/roles/nomad_server/tasks/main.yml

@@ -1,128 +0,0 @@
----
-- name: ensure nomad group
-  group:
-    name: nomad
-    state: present
-    system: True
-
-- name: ensure nomad user
-  user:
-    name: nomad
-    state: present
-    group: nomad
-    system: True
-
-- name: ensure nomad config dir
-  file:
-    path: /etc/nomad.d/
-    state: directory
-    owner: nomad
-    group: nomad
-    mode: 0755
-
-- name: ensure nomad data dir
-  file:
-    path: /opt/nomad
-    state: directory
-    owner: nomad
-    group: nomad
-    mode: 0755
-
-- name: check nomad version
-  shell:
-    cmd: "nomad --version | head -1 | cut -d'v' -f2"
-  args:
-    executable: /bin/bash
-  changed_when: False
-  register: installed_nomad_version
-  check_mode: False
-
-- name: get nomad
-  unarchive:
-    src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip"
-    dest: /usr/local/bin/
-    mode: 0755
-    owner: root
-    group: root
-    remote_src: True
-  when: installed_nomad_version.stdout != nomad_version
-
-- name: copy nomad unit file
-  copy:
-    src: files/nomad.service
-    dest: /etc/systemd/system/nomad.service
-    mode: 0755
-    owner: root
-    group: root
-  notify: daemon_reload
-
-- name: template nomad config
-  template:
-    src: templates/nomad.hcl.j2
-    dest: /etc/nomad.d/nomad.hcl
-    owner: root
-    group: root
-    mode: 0755
-  notify: restart_nomad
-
-- name: ensure nomad config dir
-  file:
-    path: /etc/nomad.d/certs/
-    state: directory
-    owner: nomad
-    group: nomad
-    mode: 0755
-
-- name: check if server cert is expiring in the next 5 days
-  shell: "openssl x509 -checkend 432000 -noout -in /etc/nomad.d/certs/nomad.pem"
-  args:
-    executable: /bin/bash
-  failed_when: False
-  check_mode: False
-  changed_when: False
-  register: exp
-
-- name: get cert
-  shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=nomad.service.{{ main_dc_name }}.{{ consul_domain }} alt_names=nomad.service.{{ consul_domain }} ttl=43200m"
-  args:
-    executable: /bin/bash
-  environment:
-    VAULT_ADDR: https://vault.service.masked.name:8200
-    VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
-    VAULT_FORMAT: json
-  register: cert_data
-  when: exp.rc != 0
-  notify: reload_nomad
-
-- name: write cert data to server
-  copy:
-    content: "{{ item.content }}"
-    dest: "/etc/nomad.d/certs/{{ item.path }}"
-    mode: '{{ item.mode }}'
-    owner: nomad
-    group: nomad
-  when: cert_data.changed
-  loop:
-    - {
-        content: "{{ (cert_data.stdout | from_json).data.certificate }}",
-        path: "nomad.pem",
-        mode: "0755"
-    }
-    - {
-        content: "{{ (cert_data.stdout | from_json).data.private_key }}",
-        path: "nomad.key",
-        mode: "0600"
-    }
-
-- name: append cacert to vault cert
-  blockinfile:
-    path: /etc/nomad.d/certs/nomad.pem
-    block: |
-      {{ vault_ca_cert_payload }}
-
-- name: ensure nomad is started and enabled
-  systemd:
-    name: nomad
-    state: started
-    enabled: True
-...

ansible/roles/nomad_server/templates/nomad.hcl.j2

@@ -1,28 +0,0 @@
-datacenter = "{{ main_dc_name }}"
-data_dir = "/opt/nomad"
-
-server {
-  enabled = true
-  bootstrap_expect = 1
-}
-
-vault {
-  enabled           = true
-  ca_file           = "/etc/pki/certs/{{ vault_ca_cert_name }}"
-  token             = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:vault-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
-  address           = "https://vault.service.{{ consul_domain }}:8200"
-  create_from_role  = "nomad-cluster"
-  unwrap_token      = true
-}
-
-consul {
-  token     = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:consul-acl-server ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
-}
-
-tls {
-  http      = true
-  rpc       = true
-  ca_file   = "/etc/pki/certs/{{ vault_ca_cert_name }}"
-  cert_file = "/etc/nomad.d/certs/nomad.pem"
-  key_file  = "/etc/nomad.d/certs/nomad.key"
-}