diff --git a/ansible/README.md b/ansible/README.md index d314fa9..965908d 100644 --- a/ansible/README.md +++ b/ansible/README.md @@ -2,4 +2,4 @@ ## Goals -The goal of this is to keep it as barebones as possible and offload everything I can to nomad +The goal of this is to keep it as barebones as possible and offload everything I can to k8s diff --git a/ansible/group_vars/all/main.yml b/ansible/group_vars/all/main.yml index e101c9f..7e3eb0b 100644 --- a/ansible/group_vars/all/main.yml +++ b/ansible/group_vars/all/main.yml @@ -59,10 +59,6 @@ vault_ca_cert_payload: | KokuDezJFM7ie3d+EcBk1V9lHwOWdto= -----END CERTIFICATE----- -# nomad -nomad_version: 1.3.1 -nomad_podman_driver_version: 0.3.0 - # lnd lnd_version: 0.15.4-beta diff --git a/ansible/group_vars/hardtack/main.yml b/ansible/group_vars/hardtack/main.yml index 0fecdfa..49ffc87 100644 --- a/ansible/group_vars/hardtack/main.yml +++ b/ansible/group_vars/hardtack/main.yml @@ -1,7 +1,5 @@ --- hashi_arch: arm consul_arch: arm64 -nomad_arch: arm64 -docker_arch: arm64 k3s_role: 'client' k3s_server_hostname: hardtack1.minhas.io diff --git a/ansible/host_vars/sedan.minhas.io/nomad.yml b/ansible/host_vars/sedan.minhas.io/nomad.yml deleted file mode 100644 index 03f2883..0000000 --- a/ansible/host_vars/sedan.minhas.io/nomad.yml +++ /dev/null @@ -1,11 +0,0 @@ ---- -nomad_meta_values: - - { name: "storage_optimized", value: "true" } - - { name: "ram_optimized", value: "false" } - -nomad_ug_map: - - { name: "jenkins", id: "15000" } - -nomad_bind_mounts: - - { path: /opt/jenkins_home, owner: jenkins } -... diff --git a/ansible/inventory.txt b/ansible/inventory.txt index 2818822..bed7f67 100644 --- a/ansible/inventory.txt +++ b/ansible/inventory.txt @@ -30,12 +30,6 @@ redwingcherokee.minhas.io [docker_repo] sedan.minhas.io -[nomad_client] -sedan.minhas.io - -[nomad_server] -ranger.minhas.io - [vault_server] ranger.minhas.io sedan.minhas.io diff --git a/ansible/playbooks/docker.yml b/ansible/playbooks/docker.yml deleted file mode 100644 index db93e58..0000000 --- a/ansible/playbooks/docker.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- hosts: nexus:nomad_client - roles: - - role: docker -... diff --git a/ansible/playbooks/nomad-client.yml b/ansible/playbooks/nomad-client.yml deleted file mode 100644 index 4ff01fa..0000000 --- a/ansible/playbooks/nomad-client.yml +++ /dev/null @@ -1,5 +0,0 @@ ---- -- hosts: nomad_client - roles: - - role: nomad_client -... diff --git a/ansible/playbooks/nomad-server.yml b/ansible/playbooks/nomad-server.yml deleted file mode 100644 index be4862c..0000000 --- a/ansible/playbooks/nomad-server.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -- hosts: nomad_server - serial: 1 - roles: - - role: nomad_server -... diff --git a/ansible/playbooks/nomad.yml b/ansible/playbooks/nomad.yml deleted file mode 100644 index 29a666c..0000000 --- a/ansible/playbooks/nomad.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- import_playbook: nomad-server.yml -- import_playbook: nomad-client.yml -... diff --git a/ansible/playbooks/site.yml b/ansible/playbooks/site.yml index 30814e3..2c5433d 100644 --- a/ansible/playbooks/site.yml +++ b/ansible/playbooks/site.yml @@ -3,11 +3,8 @@ - import_playbook: consul-server.yml - import_playbook: vault-server.yml - import_playbook: consul-client.yml -- import_playbook: docker.yml -- import_playbook: nomad.yml - import_playbook: k3s.yml - import_playbook: docker-repo.yml - import_playbook: lnd.yml - import_playbook: wekan.yml - #- import_playbook: haproxy.yml ... diff --git a/ansible/roles/docker/defaults/main.yml b/ansible/roles/docker/defaults/main.yml deleted file mode 100644 index 2fef907..0000000 --- a/ansible/roles/docker/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -docker_arch: amd64 diff --git a/ansible/roles/docker/files/docker.gpg b/ansible/roles/docker/files/docker.gpg deleted file mode 100644 index ee7872e..0000000 --- a/ansible/roles/docker/files/docker.gpg +++ /dev/null @@ -1,62 +0,0 @@ ------BEGIN PGP PUBLIC KEY BLOCK----- - -mQINBFit2ioBEADhWpZ8/wvZ6hUTiXOwQHXMAlaFHcPH9hAtr4F1y2+OYdbtMuth -lqqwp028AqyY+PRfVMtSYMbjuQuu5byyKR01BbqYhuS3jtqQmljZ/bJvXqnmiVXh -38UuLa+z077PxyxQhu5BbqntTPQMfiyqEiU+BKbq2WmANUKQf+1AmZY/IruOXbnq -L4C1+gJ8vfmXQt99npCaxEjaNRVYfOS8QcixNzHUYnb6emjlANyEVlZzeqo7XKl7 -UrwV5inawTSzWNvtjEjj4nJL8NsLwscpLPQUhTQ+7BbQXAwAmeHCUTQIvvWXqw0N -cmhh4HgeQscQHYgOJjjDVfoY5MucvglbIgCqfzAHW9jxmRL4qbMZj+b1XoePEtht -ku4bIQN1X5P07fNWzlgaRL5Z4POXDDZTlIQ/El58j9kp4bnWRCJW0lya+f8ocodo -vZZ+Doi+fy4D5ZGrL4XEcIQP/Lv5uFyf+kQtl/94VFYVJOleAv8W92KdgDkhTcTD -G7c0tIkVEKNUq48b3aQ64NOZQW7fVjfoKwEZdOqPE72Pa45jrZzvUFxSpdiNk2tZ -XYukHjlxxEgBdC/J3cMMNRE1F4NCA3ApfV1Y7/hTeOnmDuDYwr9/obA8t016Yljj -q5rdkywPf4JF8mXUW5eCN1vAFHxeg9ZWemhBtQmGxXnw9M+z6hWwc6ahmwARAQAB -tCtEb2NrZXIgUmVsZWFzZSAoQ0UgZGViKSA8ZG9ja2VyQGRvY2tlci5jb20+iQI3 -BBMBCgAhBQJYrefAAhsvBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEI2BgDwO -v82IsskP/iQZo68flDQmNvn8X5XTd6RRaUH33kXYXquT6NkHJciS7E2gTJmqvMqd -tI4mNYHCSEYxI5qrcYV5YqX9P6+Ko+vozo4nseUQLPH/ATQ4qL0Zok+1jkag3Lgk -jonyUf9bwtWxFp05HC3GMHPhhcUSexCxQLQvnFWXD2sWLKivHp2fT8QbRGeZ+d3m -6fqcd5Fu7pxsqm0EUDK5NL+nPIgYhN+auTrhgzhK1CShfGccM/wfRlei9Utz6p9P -XRKIlWnXtT4qNGZNTN0tR+NLG/6Bqd8OYBaFAUcue/w1VW6JQ2VGYZHnZu9S8LMc -FYBa5Ig9PxwGQOgq6RDKDbV+PqTQT5EFMeR1mrjckk4DQJjbxeMZbiNMG5kGECA8 -g383P3elhn03WGbEEa4MNc3Z4+7c236QI3xWJfNPdUbXRaAwhy/6rTSFbzwKB0Jm -ebwzQfwjQY6f55MiI/RqDCyuPj3r3jyVRkK86pQKBAJwFHyqj9KaKXMZjfVnowLh -9svIGfNbGHpucATqREvUHuQbNnqkCx8VVhtYkhDb9fEP2xBu5VvHbR+3nfVhMut5 -G34Ct5RS7Jt6LIfFdtcn8CaSas/l1HbiGeRgc70X/9aYx/V/CEJv0lIe8gP6uDoW -FPIZ7d6vH+Vro6xuWEGiuMaiznap2KhZmpkgfupyFmplh0s6knymuQINBFit2ioB -EADneL9S9m4vhU3blaRjVUUyJ7b/qTjcSylvCH5XUE6R2k+ckEZjfAMZPLpO+/tF -M2JIJMD4SifKuS3xck9KtZGCufGmcwiLQRzeHF7vJUKrLD5RTkNi23ydvWZgPjtx -Q+DTT1Zcn7BrQFY6FgnRoUVIxwtdw1bMY/89rsFgS5wwuMESd3Q2RYgb7EOFOpnu -w6da7WakWf4IhnF5nsNYGDVaIHzpiqCl+uTbf1epCjrOlIzkZ3Z3Yk5CM/TiFzPk -z2lLz89cpD8U+NtCsfagWWfjd2U3jDapgH+7nQnCEWpROtzaKHG6lA3pXdix5zG8 -eRc6/0IbUSWvfjKxLLPfNeCS2pCL3IeEI5nothEEYdQH6szpLog79xB9dVnJyKJb -VfxXnseoYqVrRz2VVbUI5Blwm6B40E3eGVfUQWiux54DspyVMMk41Mx7QJ3iynIa -1N4ZAqVMAEruyXTRTxc9XW0tYhDMA/1GYvz0EmFpm8LzTHA6sFVtPm/ZlNCX6P1X -zJwrv7DSQKD6GGlBQUX+OeEJ8tTkkf8QTJSPUdh8P8YxDFS5EOGAvhhpMBYD42kQ -pqXjEC+XcycTvGI7impgv9PDY1RCC1zkBjKPa120rNhv/hkVk/YhuGoajoHyy4h7 -ZQopdcMtpN2dgmhEegny9JCSwxfQmQ0zK0g7m6SHiKMwjwARAQABiQQ+BBgBCAAJ -BQJYrdoqAhsCAikJEI2BgDwOv82IwV0gBBkBCAAGBQJYrdoqAAoJEH6gqcPyc/zY -1WAP/2wJ+R0gE6qsce3rjaIz58PJmc8goKrir5hnElWhPgbq7cYIsW5qiFyLhkdp -YcMmhD9mRiPpQn6Ya2w3e3B8zfIVKipbMBnke/ytZ9M7qHmDCcjoiSmwEXN3wKYI -mD9VHONsl/CG1rU9Isw1jtB5g1YxuBA7M/m36XN6x2u+NtNMDB9P56yc4gfsZVES -KA9v+yY2/l45L8d/WUkUi0YXomn6hyBGI7JrBLq0CX37GEYP6O9rrKipfz73XfO7 -JIGzOKZlljb/D9RX/g7nRbCn+3EtH7xnk+TK/50euEKw8SMUg147sJTcpQmv6UzZ -cM4JgL0HbHVCojV4C/plELwMddALOFeYQzTif6sMRPf+3DSj8frbInjChC3yOLy0 -6br92KFom17EIj2CAcoeq7UPhi2oouYBwPxh5ytdehJkoo+sN7RIWua6P2WSmon5 -U888cSylXC0+ADFdgLX9K2zrDVYUG1vo8CX0vzxFBaHwN6Px26fhIT1/hYUHQR1z -VfNDcyQmXqkOnZvvoMfz/Q0s9BhFJ/zU6AgQbIZE/hm1spsfgvtsD1frZfygXJ9f -irP+MSAI80xHSf91qSRZOj4Pl3ZJNbq4yYxv0b1pkMqeGdjdCYhLU+LZ4wbQmpCk -SVe2prlLureigXtmZfkqevRz7FrIZiu9ky8wnCAPwC7/zmS18rgP/17bOtL4/iIz -QhxAAoAMWVrGyJivSkjhSGx1uCojsWfsTAm11P7jsruIL61ZzMUVE2aM3Pmj5G+W -9AcZ58Em+1WsVnAXdUR//bMmhyr8wL/G1YO1V3JEJTRdxsSxdYa4deGBBY/Adpsw -24jxhOJR+lsJpqIUeb999+R8euDhRHG9eFO7DRu6weatUJ6suupoDTRWtr/4yGqe -dKxV3qQhNLSnaAzqW/1nA3iUB4k7kCaKZxhdhDbClf9P37qaRW467BLCVO/coL3y -Vm50dwdrNtKpMBh3ZpbB1uJvgi9mXtyBOMJ3v8RZeDzFiG8HdCtg9RvIt/AIFoHR -H3S+U79NT6i0KPzLImDfs8T7RlpyuMc4Ufs8ggyg9v3Ae6cN3eQyxcK3w0cbBwsh -/nQNfsA6uu+9H7NhbehBMhYnpNZyrHzCmzyXkauwRAqoCbGCNykTRwsur9gS41TQ -M8ssD1jFheOJf3hODnkKU+HKjvMROl1DK7zdmLdNzA1cvtZH/nCC9KPj1z8QC47S -xx+dTZSx4ONAhwbS/LN3PoKtn8LPjY9NP9uDWI+TWYquS2U+KHDrBDlsgozDbs/O -jCxcpDzNmXpWQHEtHU7649OXHP7UeNST1mCUCH5qdank0V1iejF6/CfTFU4MfcrG -YT90qFF93M3v01BbxP+EIY2/9tiIPbrd -=0YYh ------END PGP PUBLIC KEY BLOCK----- diff --git a/ansible/roles/docker/tasks/main.yml b/ansible/roles/docker/tasks/main.yml deleted file mode 100644 index 6831d3a..0000000 --- a/ansible/roles/docker/tasks/main.yml +++ /dev/null @@ -1,43 +0,0 @@ ---- -- name: install docker dependencies - apt: - state: present - name: - - apt-transport-https - - ca-certificates - - curl - - gnupg-agent - - software-properties-common - -- name: add docker apt key - apt_key: - url: https://download.docker.com/linux/debian/gpg - state: present - id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88 - -- name: add docker repo - apt_repository: - repo: "deb [arch={{ docker_arch }}] https://download.docker.com/linux/debian bullseye stable" - state: present - mode: 0644 - -- name: install docker-ce - apt: - state: present - update_cache: True - name: - - docker-ce - - docker-ce-cli - - containerd.io - -- name: ensure docker certs directory exists - file: - path: /etc/docker/certs.d/docker.service.{{ consul_domain }}:8082 - state: directory - -- name: symlink ca cert - file: - src: /etc/pki/certs/{{ vault_ca_cert_name }} - dest: /etc/docker/certs.d/docker.service.{{ consul_domain }}:8082/ca.crt - state: link -... diff --git a/ansible/roles/nomad_client/defaults/main.yml b/ansible/roles/nomad_client/defaults/main.yml deleted file mode 100644 index f0ff545..0000000 --- a/ansible/roles/nomad_client/defaults/main.yml +++ /dev/null @@ -1,2 +0,0 @@ ---- -nomad_arch: amd64 diff --git a/ansible/roles/nomad_client/files/containers.conf b/ansible/roles/nomad_client/files/containers.conf deleted file mode 100644 index 26bc503..0000000 --- a/ansible/roles/nomad_client/files/containers.conf +++ /dev/null @@ -1,29 +0,0 @@ -[containers] -default_capabilities = [ - "CHOWN", - "DAC_OVERRIDE", - "FOWNER", - "FSETID", - "KILL", - "NET_BIND_SERVICE", - "SETFCAP", - "SETGID", - "SETPCAP", - "SETUID", - "SYS_CHROOT" -] - -default_sysctls = [ - "net.ipv4.ping_group_range=0 1", -] - -[engine] -runtime = "crun" -cgroup_manager = "cgroupfs" -events_logger = "journald" - -#[storage] -#driver = "overlay" -# -#[storage.options] -#mount_program = "/usr/bin/fuse-overlayfs" diff --git a/ansible/roles/nomad_client/files/nomad.service b/ansible/roles/nomad_client/files/nomad.service deleted file mode 100644 index d3ef33b..0000000 --- a/ansible/roles/nomad_client/files/nomad.service +++ /dev/null @@ -1,21 +0,0 @@ -[Unit] -Description=Nomad -Documentation=https://nomadproject.io/docs/ -Wants=network-online.target -After=network-online.target - -[Service] -ExecReload=/bin/kill -HUP $MAINPID -ExecStart=/usr/local/bin/nomad agent -config /etc/nomad.d -KillMode=process -KillSignal=SIGINT -LimitNOFILE=infinity -LimitNPROC=infinity -Restart=on-failure -RestartSec=2 -StartLimitBurst=3 -StartLimitIntervalSec=10 -TasksMax=infinity - -[Install] -WantedBy=multi-user.target diff --git a/ansible/roles/nomad_client/handlers/main.yml b/ansible/roles/nomad_client/handlers/main.yml deleted file mode 100644 index fee20a3..0000000 --- a/ansible/roles/nomad_client/handlers/main.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -- name: daemon_reload - systemd: - daemon_reload: True - -- name: reload_nomad - systemd: - name: nomad - state: reloaded - -- name: restart_nomad - systemd: - name: nomad - state: restarted -... diff --git a/ansible/roles/nomad_client/tasks/client_setup.yml b/ansible/roles/nomad_client/tasks/client_setup.yml deleted file mode 100644 index faa31f6..0000000 --- a/ansible/roles/nomad_client/tasks/client_setup.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- -- name: setup group mappings - group: - name: "{{ item.name }}" - gid: "{{ item.id }}" - system: True - loop: "{{ nomad_ug_map }}" - when: nomad_ug_map is defined - -- name: setup user mappings - user: - name: "{{ item.name }}" - uid: "{{ item.id }}" - system: True - loop: "{{ nomad_ug_map }}" - when: nomad_ug_map is defined - -- name: ensure mounts - file: - state: directory - path: "{{ item.path }}" - owner: "{{ item.owner }}" - group: "{{ item.owner }}" - mode: 0755 - loop: "{{ nomad_bind_mounts }}" - when: nomad_bind_mounts is defined -... diff --git a/ansible/roles/nomad_client/tasks/main.yml b/ansible/roles/nomad_client/tasks/main.yml deleted file mode 100644 index 88eb79f..0000000 --- a/ansible/roles/nomad_client/tasks/main.yml +++ /dev/null @@ -1,4 +0,0 @@ ---- -- import_tasks: nomad.yml -- import_tasks: client_setup.yml -... diff --git a/ansible/roles/nomad_client/tasks/nomad.yml b/ansible/roles/nomad_client/tasks/nomad.yml deleted file mode 100644 index c8e354e..0000000 --- a/ansible/roles/nomad_client/tasks/nomad.yml +++ /dev/null @@ -1,147 +0,0 @@ ---- -- name: ensure nomad group - group: - name: nomad - state: present - system: True - -- name: ensure nomad user - user: - name: nomad - state: present - group: nomad - groups: - - podman - append: True - system: True - -- name: ensure nomad config dir - file: - path: /etc/nomad.d/ - state: directory - owner: nomad - group: nomad - mode: 0755 - -- name: ensure nomad data dir - file: - path: /opt/nomad - state: directory - owner: nomad - group: nomad - mode: 0755 - -- name: check nomad version - shell: - cmd: "nomad --version | head -1 | cut -d'v' -f2" - args: - executable: /bin/bash - changed_when: False - register: installed_nomad_version - check_mode: False - -- name: get nomad - unarchive: - src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_{{ nomad_arch }}.zip" - dest: /usr/local/bin/ - mode: 0755 - owner: root - group: root - remote_src: True - when: installed_nomad_version.stdout != nomad_version - -- name: copy nomad unit file - copy: - src: files/nomad.service - dest: /etc/systemd/system/nomad.service - mode: 0755 - owner: root - group: root - notify: daemon_reload - -- name: get podman from passwd - getent: - database: passwd - key: podman - -- name: template nomad config - template: - src: templates/nomad.hcl.j2 - dest: /etc/nomad.d/nomad.hcl - owner: root - group: root - mode: 0755 - notify: restart_nomad - -- name: ensure nomad plugins dir - file: - path: /opt/nomad_plugins - state: directory - owner: nomad - group: nomad - mode: 0755 - -- name: get nomad podman plugins - unarchive: - src: "https://releases.hashicorp.com/nomad-driver-podman/{{ nomad_podman_driver_version }}/nomad-driver-podman_{{ nomad_podman_driver_version }}_linux_{{ nomad_arch }}.zip" - dest: /opt/nomad_plugins/ - mode: 0755 - owner: nomad - group: nomad - remote_src: True - -- name: ensure nomad config dir - file: - path: /etc/nomad.d/certs/ - state: directory - owner: nomad - group: nomad - mode: 0755 - -- name: check if server cert is expiring in the next 5 days - shell: "openssl x509 -checkend 432000 -noout -in /etc/nomad.d/certs/nomad.pem" - args: - executable: /bin/bash - failed_when: False - check_mode: False - changed_when: False - register: exp - -- name: get cert - shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=nomad.service.{{ main_dc_name }}.{{ consul_domain }} alt_names=nomad.service.{{ consul_domain }} ttl=43200m" - args: - executable: /bin/bash - environment: - VAULT_ADDR: https://vault.service.masked.name:8200 - VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}" - VAULT_FORMAT: json - register: cert_data - when: exp.rc != 0 - notify: reload_nomad - -- name: write cert data to server - copy: - content: "{{ item.content }}" - dest: "/etc/nomad.d/certs/{{ item.path }}" - mode: '{{ item.mode }}' - owner: nomad - group: nomad - when: cert_data.changed - loop: - - { - content: "{{ (cert_data.stdout | from_json).data.certificate }}", - path: "nomad.pem", - mode: "0755" - } - - { - content: "{{ (cert_data.stdout | from_json).data.private_key }}", - path: "nomad.key", - mode: "0600" - } - -- name: ensure nomad is started and enabled - systemd: - name: nomad - state: started - enabled: True -... diff --git a/ansible/roles/nomad_client/tasks/podman.yml b/ansible/roles/nomad_client/tasks/podman.yml deleted file mode 100644 index 84561a3..0000000 --- a/ansible/roles/nomad_client/tasks/podman.yml +++ /dev/null @@ -1,72 +0,0 @@ ---- -- name: ensure podman group - group: - name: podman - state: present - system: True - -- name: ensure podman user - user: - name: podman - state: present - group: podman - system: True - -- name: ensure podman is installed - apt: - name: - - catatonit - - fuse-overlayfs - - podman - - slirp4netns - - uidmap - state: present - -- name: ensure containers.conf is configured - copy: - src: containers.conf - dest: /etc/containers/containers.conf - owner: root - group: root - mode: 0644 - -- name: Check if podman lingers - stat: path=/var/lib/systemd/linger/podman - register: linger - -- name: enable lingering for podman - command: loginctl enable-linger podman - when: not linger.stat.exists - -- name: enable podman - systemd: - name: podman - state: started - enabled: True - scope: user - changed_when: False - become: True - become_user: podman - -- name: check if subuid is configured - shell: grep podman /etc/subuid - register: subuid - changed_when: False - check_mode: False - failed_when: False - -- name: check if subgid is configured - shell: grep podman /etc/subgid - register: subgid - changed_when: False - check_mode: False - failed_when: False - -- name: configure subuid - shell: usermod --add-subuids 200000-201000 podman - when: subuid.rc != 0 - -- name: configure subgid - shell: usermod --add-subgids 200000-201000 podman - when: subgid.rc != 0 -... diff --git a/ansible/roles/nomad_client/templates/nomad.hcl.j2 b/ansible/roles/nomad_client/templates/nomad.hcl.j2 deleted file mode 100644 index afeb3cf..0000000 --- a/ansible/roles/nomad_client/templates/nomad.hcl.j2 +++ /dev/null @@ -1,44 +0,0 @@ -datacenter = "{{ main_dc_name }}" -data_dir = "/opt/nomad" - -client { - enabled = true - options { - "docker.volumes.enabled" = true - } - meta { -{% for nomad_meta in nomad_meta_values %} - "{{ nomad_meta.name }}" = "{{ nomad_meta.value }}" -{% endfor %} - } -} - -consul { - token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:consul-acl-client ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}" -} - -vault { - enabled = true - ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}" - token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:vault-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}" - address = "https://vault.service.{{ consul_domain }}:8200" - create_from_role = "nomad-cluster" - unwrap_token = true -} - -tls { - http = true - rpc = true - ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}" - cert_file = "/etc/nomad.d/certs/nomad.pem" - key_file = "/etc/nomad.d/certs/nomad.key" -} - -plugin_dir = "/opt/nomad_plugins" - -plugin "nomad-driver-podman" { - enabled = true - config { - socket_path = "unix:///run/user/{{ getent_passwd.podman[1] }}/podman/podman.sock" - } -} diff --git a/ansible/roles/nomad_server/files/nomad.service b/ansible/roles/nomad_server/files/nomad.service deleted file mode 100644 index d3ef33b..0000000 --- a/ansible/roles/nomad_server/files/nomad.service +++ /dev/null @@ -1,21 +0,0 @@ -[Unit] -Description=Nomad -Documentation=https://nomadproject.io/docs/ -Wants=network-online.target -After=network-online.target - -[Service] -ExecReload=/bin/kill -HUP $MAINPID -ExecStart=/usr/local/bin/nomad agent -config /etc/nomad.d -KillMode=process -KillSignal=SIGINT -LimitNOFILE=infinity -LimitNPROC=infinity -Restart=on-failure -RestartSec=2 -StartLimitBurst=3 -StartLimitIntervalSec=10 -TasksMax=infinity - -[Install] -WantedBy=multi-user.target diff --git a/ansible/roles/nomad_server/handlers/main.yml b/ansible/roles/nomad_server/handlers/main.yml deleted file mode 100644 index fee20a3..0000000 --- a/ansible/roles/nomad_server/handlers/main.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- -- name: daemon_reload - systemd: - daemon_reload: True - -- name: reload_nomad - systemd: - name: nomad - state: reloaded - -- name: restart_nomad - systemd: - name: nomad - state: restarted -... diff --git a/ansible/roles/nomad_server/tasks/main.yml b/ansible/roles/nomad_server/tasks/main.yml deleted file mode 100644 index 5f7fa85..0000000 --- a/ansible/roles/nomad_server/tasks/main.yml +++ /dev/null @@ -1,128 +0,0 @@ ---- -- name: ensure nomad group - group: - name: nomad - state: present - system: True - -- name: ensure nomad user - user: - name: nomad - state: present - group: nomad - system: True - -- name: ensure nomad config dir - file: - path: /etc/nomad.d/ - state: directory - owner: nomad - group: nomad - mode: 0755 - -- name: ensure nomad data dir - file: - path: /opt/nomad - state: directory - owner: nomad - group: nomad - mode: 0755 - -- name: check nomad version - shell: - cmd: "nomad --version | head -1 | cut -d'v' -f2" - args: - executable: /bin/bash - changed_when: False - register: installed_nomad_version - check_mode: False - -- name: get nomad - unarchive: - src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip" - dest: /usr/local/bin/ - mode: 0755 - owner: root - group: root - remote_src: True - when: installed_nomad_version.stdout != nomad_version - -- name: copy nomad unit file - copy: - src: files/nomad.service - dest: /etc/systemd/system/nomad.service - mode: 0755 - owner: root - group: root - notify: daemon_reload - -- name: template nomad config - template: - src: templates/nomad.hcl.j2 - dest: /etc/nomad.d/nomad.hcl - owner: root - group: root - mode: 0755 - notify: restart_nomad - -- name: ensure nomad config dir - file: - path: /etc/nomad.d/certs/ - state: directory - owner: nomad - group: nomad - mode: 0755 - -- name: check if server cert is expiring in the next 5 days - shell: "openssl x509 -checkend 432000 -noout -in /etc/nomad.d/certs/nomad.pem" - args: - executable: /bin/bash - failed_when: False - check_mode: False - changed_when: False - register: exp - -- name: get cert - shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=nomad.service.{{ main_dc_name }}.{{ consul_domain }} alt_names=nomad.service.{{ consul_domain }} ttl=43200m" - args: - executable: /bin/bash - environment: - VAULT_ADDR: https://vault.service.masked.name:8200 - VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}" - VAULT_FORMAT: json - register: cert_data - when: exp.rc != 0 - notify: reload_nomad - -- name: write cert data to server - copy: - content: "{{ item.content }}" - dest: "/etc/nomad.d/certs/{{ item.path }}" - mode: '{{ item.mode }}' - owner: nomad - group: nomad - when: cert_data.changed - loop: - - { - content: "{{ (cert_data.stdout | from_json).data.certificate }}", - path: "nomad.pem", - mode: "0755" - } - - { - content: "{{ (cert_data.stdout | from_json).data.private_key }}", - path: "nomad.key", - mode: "0600" - } - -- name: append cacert to vault cert - blockinfile: - path: /etc/nomad.d/certs/nomad.pem - block: | - {{ vault_ca_cert_payload }} - -- name: ensure nomad is started and enabled - systemd: - name: nomad - state: started - enabled: True -... diff --git a/ansible/roles/nomad_server/templates/nomad.hcl.j2 b/ansible/roles/nomad_server/templates/nomad.hcl.j2 deleted file mode 100644 index dca0bbc..0000000 --- a/ansible/roles/nomad_server/templates/nomad.hcl.j2 +++ /dev/null @@ -1,28 +0,0 @@ -datacenter = "{{ main_dc_name }}" -data_dir = "/opt/nomad" - -server { - enabled = true - bootstrap_expect = 1 -} - -vault { - enabled = true - ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}" - token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:vault-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}" - address = "https://vault.service.{{ consul_domain }}:8200" - create_from_role = "nomad-cluster" - unwrap_token = true -} - -consul { - token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:consul-acl-server ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}" -} - -tls { - http = true - rpc = true - ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}" - cert_file = "/etc/nomad.d/certs/nomad.pem" - key_file = "/etc/nomad.d/certs/nomad.key" -}