RIP Nomad

Amarpreet Minhas 2022-12-31 16:13:55 -05:00
parent b0b138a324
commit b08da75c28
26 changed files with 1 additions and 707 deletions


@ -2,4 +2,4 @@
## Goals ## Goals
The goal of this is to keep it as barebones as possible and offload everything I can to nomad The goal of this is to keep it as barebones as possible and offload everything I can to k8s


@ -59,10 +59,6 @@ vault_ca_cert_payload: |
KokuDezJFM7ie3d+EcBk1V9lHwOWdto= KokuDezJFM7ie3d+EcBk1V9lHwOWdto=
-----END CERTIFICATE----- -----END CERTIFICATE-----
# nomad
nomad_version: 1.3.1
nomad_podman_driver_version: 0.3.0
# lnd # lnd
lnd_version: 0.15.4-beta lnd_version: 0.15.4-beta


@ -1,7 +1,5 @@
--- ---
hashi_arch: arm hashi_arch: arm
consul_arch: arm64 consul_arch: arm64
nomad_arch: arm64
docker_arch: arm64
k3s_role: 'client' k3s_role: 'client'
k3s_server_hostname: hardtack1.minhas.io k3s_server_hostname: hardtack1.minhas.io


@ -1,11 +0,0 @@
---
nomad_meta_values:
- { name: "storage_optimized", value: "true" }
- { name: "ram_optimized", value: "false" }
nomad_ug_map:
- { name: "jenkins", id: "15000" }
nomad_bind_mounts:
- { path: /opt/jenkins_home, owner: jenkins }
...


@ -30,12 +30,6 @@ redwingcherokee.minhas.io
[docker_repo] [docker_repo]
sedan.minhas.io sedan.minhas.io
[nomad_client]
sedan.minhas.io
[nomad_server]
ranger.minhas.io
[vault_server] [vault_server]
ranger.minhas.io ranger.minhas.io
sedan.minhas.io sedan.minhas.io


@ -1,5 +0,0 @@
---
- hosts: nexus:nomad_client
roles:
- role: docker
...


@ -1,5 +0,0 @@
---
- hosts: nomad_client
roles:
- role: nomad_client
...


@ -1,6 +0,0 @@
---
- hosts: nomad_server
serial: 1
roles:
- role: nomad_server
...


@ -1,4 +0,0 @@
---
- import_playbook: nomad-server.yml
- import_playbook: nomad-client.yml
...


@ -3,11 +3,8 @@
- import_playbook: consul-server.yml - import_playbook: consul-server.yml
- import_playbook: vault-server.yml - import_playbook: vault-server.yml
- import_playbook: consul-client.yml - import_playbook: consul-client.yml
- import_playbook: docker.yml
- import_playbook: nomad.yml
- import_playbook: k3s.yml - import_playbook: k3s.yml
- import_playbook: docker-repo.yml - import_playbook: docker-repo.yml
- import_playbook: lnd.yml - import_playbook: lnd.yml
- import_playbook: wekan.yml - import_playbook: wekan.yml
#- import_playbook: haproxy.yml
... ...


@ -1,2 +0,0 @@
---
docker_arch: amd64


@ -1,62 +0,0 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----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=0YYh
-----END PGP PUBLIC KEY BLOCK-----


@ -1,43 +0,0 @@
---
- name: install docker dependencies
apt:
state: present
name:
- apt-transport-https
- ca-certificates
- curl
- gnupg-agent
- software-properties-common
- name: add docker apt key
apt_key:
url: https://download.docker.com/linux/debian/gpg
state: present
id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
- name: add docker repo
apt_repository:
repo: "deb [arch={{ docker_arch }}] https://download.docker.com/linux/debian bullseye stable"
state: present
mode: 0644
- name: install docker-ce
apt:
state: present
update_cache: True
name:
- docker-ce
- docker-ce-cli
- containerd.io
- name: ensure docker certs directory exists
file:
path: /etc/docker/certs.d/docker.service.{{ consul_domain }}:8082
state: directory
- name: symlink ca cert
file:
src: /etc/pki/certs/{{ vault_ca_cert_name }}
dest: /etc/docker/certs.d/docker.service.{{ consul_domain }}:8082/ca.crt
state: link
...


@ -1,2 +0,0 @@
---
nomad_arch: amd64


@ -1,29 +0,0 @@
[containers]
default_capabilities = [
"CHOWN",
"DAC_OVERRIDE",
"FOWNER",
"FSETID",
"KILL",
"NET_BIND_SERVICE",
"SETFCAP",
"SETGID",
"SETPCAP",
"SETUID",
"SYS_CHROOT"
]
default_sysctls = [
"net.ipv4.ping_group_range=0 1",
]
[engine]
runtime = "crun"
cgroup_manager = "cgroupfs"
events_logger = "journald"
#[storage]
#driver = "overlay"
#
#[storage.options]
#mount_program = "/usr/bin/fuse-overlayfs"


@ -1,21 +0,0 @@
[Unit]
Description=Nomad
Documentation=https://nomadproject.io/docs/
Wants=network-online.target
After=network-online.target
[Service]
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/usr/local/bin/nomad agent -config /etc/nomad.d
KillMode=process
KillSignal=SIGINT
LimitNOFILE=infinity
LimitNPROC=infinity
Restart=on-failure
RestartSec=2
StartLimitBurst=3
StartLimitIntervalSec=10
TasksMax=infinity
[Install]
WantedBy=multi-user.target


@ -1,15 +0,0 @@
---
- name: daemon_reload
systemd:
daemon_reload: True
- name: reload_nomad
systemd:
name: nomad
state: reloaded
- name: restart_nomad
systemd:
name: nomad
state: restarted
...


@ -1,27 +0,0 @@
---
- name: setup group mappings
group:
name: "{{ item.name }}"
gid: "{{ item.id }}"
system: True
loop: "{{ nomad_ug_map }}"
when: nomad_ug_map is defined
- name: setup user mappings
user:
name: "{{ item.name }}"
uid: "{{ item.id }}"
system: True
loop: "{{ nomad_ug_map }}"
when: nomad_ug_map is defined
- name: ensure mounts
file:
state: directory
path: "{{ item.path }}"
owner: "{{ item.owner }}"
group: "{{ item.owner }}"
mode: 0755
loop: "{{ nomad_bind_mounts }}"
when: nomad_bind_mounts is defined
...


@ -1,4 +0,0 @@
---
- import_tasks: nomad.yml
- import_tasks: client_setup.yml
...


@ -1,147 +0,0 @@
---
- name: ensure nomad group
group:
name: nomad
state: present
system: True
- name: ensure nomad user
user:
name: nomad
state: present
group: nomad
groups:
- podman
append: True
system: True
- name: ensure nomad config dir
file:
path: /etc/nomad.d/
state: directory
owner: nomad
group: nomad
mode: 0755
- name: ensure nomad data dir
file:
path: /opt/nomad
state: directory
owner: nomad
group: nomad
mode: 0755
- name: check nomad version
shell:
cmd: "nomad --version | head -1 | cut -d'v' -f2"
args:
executable: /bin/bash
changed_when: False
register: installed_nomad_version
check_mode: False
- name: get nomad
unarchive:
src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_{{ nomad_arch }}.zip"
dest: /usr/local/bin/
mode: 0755
owner: root
group: root
remote_src: True
when: installed_nomad_version.stdout != nomad_version
- name: copy nomad unit file
copy:
src: files/nomad.service
dest: /etc/systemd/system/nomad.service
mode: 0755
owner: root
group: root
notify: daemon_reload
- name: get podman from passwd
getent:
database: passwd
key: podman
- name: template nomad config
template:
src: templates/nomad.hcl.j2
dest: /etc/nomad.d/nomad.hcl
owner: root
group: root
mode: 0755
notify: restart_nomad
- name: ensure nomad plugins dir
file:
path: /opt/nomad_plugins
state: directory
owner: nomad
group: nomad
mode: 0755
- name: get nomad podman plugins
unarchive:
src: "https://releases.hashicorp.com/nomad-driver-podman/{{ nomad_podman_driver_version }}/nomad-driver-podman_{{ nomad_podman_driver_version }}_linux_{{ nomad_arch }}.zip"
dest: /opt/nomad_plugins/
mode: 0755
owner: nomad
group: nomad
remote_src: True
- name: ensure nomad config dir
file:
path: /etc/nomad.d/certs/
state: directory
owner: nomad
group: nomad
mode: 0755
- name: check if server cert is expiring in the next 5 days
shell: "openssl x509 -checkend 432000 -noout -in /etc/nomad.d/certs/nomad.pem"
args:
executable: /bin/bash
failed_when: False
check_mode: False
changed_when: False
register: exp
- name: get cert
shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=nomad.service.{{ main_dc_name }}.{{ consul_domain }} alt_names=nomad.service.{{ consul_domain }} ttl=43200m"
args:
executable: /bin/bash
environment:
VAULT_ADDR: https://vault.service.masked.name:8200
VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
VAULT_FORMAT: json
register: cert_data
when: exp.rc != 0
notify: reload_nomad
- name: write cert data to server
copy:
content: "{{ item.content }}"
dest: "/etc/nomad.d/certs/{{ item.path }}"
mode: '{{ item.mode }}'
owner: nomad
group: nomad
when: cert_data.changed
loop:
- {
content: "{{ (cert_data.stdout | from_json).data.certificate }}",
path: "nomad.pem",
mode: "0755"
}
- {
content: "{{ (cert_data.stdout | from_json).data.private_key }}",
path: "nomad.key",
mode: "0600"
}
- name: ensure nomad is started and enabled
systemd:
name: nomad
state: started
enabled: True
...


@ -1,72 +0,0 @@
---
- name: ensure podman group
group:
name: podman
state: present
system: True
- name: ensure podman user
user:
name: podman
state: present
group: podman
system: True
- name: ensure podman is installed
apt:
name:
- catatonit
- fuse-overlayfs
- podman
- slirp4netns
- uidmap
state: present
- name: ensure containers.conf is configured
copy:
src: containers.conf
dest: /etc/containers/containers.conf
owner: root
group: root
mode: 0644
- name: Check if podman lingers
stat: path=/var/lib/systemd/linger/podman
register: linger
- name: enable lingering for podman
command: loginctl enable-linger podman
when: not linger.stat.exists
- name: enable podman
systemd:
name: podman
state: started
enabled: True
scope: user
changed_when: False
become: True
become_user: podman
- name: check if subuid is configured
shell: grep podman /etc/subuid
register: subuid
changed_when: False
check_mode: False
failed_when: False
- name: check if subgid is configured
shell: grep podman /etc/subgid
register: subgid
changed_when: False
check_mode: False
failed_when: False
- name: configure subuid
shell: usermod --add-subuids 200000-201000 podman
when: subuid.rc != 0
- name: configure subgid
shell: usermod --add-subgids 200000-201000 podman
when: subgid.rc != 0
...


@ -1,44 +0,0 @@
datacenter = "{{ main_dc_name }}"
data_dir = "/opt/nomad"
client {
enabled = true
options {
"docker.volumes.enabled" = true
}
meta {
{% for nomad_meta in nomad_meta_values %}
"{{ nomad_meta.name }}" = "{{ nomad_meta.value }}"
{% endfor %}
}
}
consul {
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:consul-acl-client ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
}
vault {
enabled = true
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:vault-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
address = "https://vault.service.{{ consul_domain }}:8200"
create_from_role = "nomad-cluster"
unwrap_token = true
}
tls {
http = true
rpc = true
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
cert_file = "/etc/nomad.d/certs/nomad.pem"
key_file = "/etc/nomad.d/certs/nomad.key"
}
plugin_dir = "/opt/nomad_plugins"
plugin "nomad-driver-podman" {
enabled = true
config {
socket_path = "unix:///run/user/{{ getent_passwd.podman[1] }}/podman/podman.sock"
}
}


@ -1,21 +0,0 @@
[Unit]
Description=Nomad
Documentation=https://nomadproject.io/docs/
Wants=network-online.target
After=network-online.target
[Service]
ExecReload=/bin/kill -HUP $MAINPID
ExecStart=/usr/local/bin/nomad agent -config /etc/nomad.d
KillMode=process
KillSignal=SIGINT
LimitNOFILE=infinity
LimitNPROC=infinity
Restart=on-failure
RestartSec=2
StartLimitBurst=3
StartLimitIntervalSec=10
TasksMax=infinity
[Install]
WantedBy=multi-user.target


@ -1,15 +0,0 @@
---
- name: daemon_reload
systemd:
daemon_reload: True
- name: reload_nomad
systemd:
name: nomad
state: reloaded
- name: restart_nomad
systemd:
name: nomad
state: restarted
...


@ -1,128 +0,0 @@
---
- name: ensure nomad group
group:
name: nomad
state: present
system: True
- name: ensure nomad user
user:
name: nomad
state: present
group: nomad
system: True
- name: ensure nomad config dir
file:
path: /etc/nomad.d/
state: directory
owner: nomad
group: nomad
mode: 0755
- name: ensure nomad data dir
file:
path: /opt/nomad
state: directory
owner: nomad
group: nomad
mode: 0755
- name: check nomad version
shell:
cmd: "nomad --version | head -1 | cut -d'v' -f2"
args:
executable: /bin/bash
changed_when: False
register: installed_nomad_version
check_mode: False
- name: get nomad
unarchive:
src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip"
dest: /usr/local/bin/
mode: 0755
owner: root
group: root
remote_src: True
when: installed_nomad_version.stdout != nomad_version
- name: copy nomad unit file
copy:
src: files/nomad.service
dest: /etc/systemd/system/nomad.service
mode: 0755
owner: root
group: root
notify: daemon_reload
- name: template nomad config
template:
src: templates/nomad.hcl.j2
dest: /etc/nomad.d/nomad.hcl
owner: root
group: root
mode: 0755
notify: restart_nomad
- name: ensure nomad config dir
file:
path: /etc/nomad.d/certs/
state: directory
owner: nomad
group: nomad
mode: 0755
- name: check if server cert is expiring in the next 5 days
shell: "openssl x509 -checkend 432000 -noout -in /etc/nomad.d/certs/nomad.pem"
args:
executable: /bin/bash
failed_when: False
check_mode: False
changed_when: False
register: exp
- name: get cert
shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=nomad.service.{{ main_dc_name }}.{{ consul_domain }} alt_names=nomad.service.{{ consul_domain }} ttl=43200m"
args:
executable: /bin/bash
environment:
VAULT_ADDR: https://vault.service.masked.name:8200
VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
VAULT_FORMAT: json
register: cert_data
when: exp.rc != 0
notify: reload_nomad
- name: write cert data to server
copy:
content: "{{ item.content }}"
dest: "/etc/nomad.d/certs/{{ item.path }}"
mode: '{{ item.mode }}'
owner: nomad
group: nomad
when: cert_data.changed
loop:
- {
content: "{{ (cert_data.stdout | from_json).data.certificate }}",
path: "nomad.pem",
mode: "0755"
}
- {
content: "{{ (cert_data.stdout | from_json).data.private_key }}",
path: "nomad.key",
mode: "0600"
}
- name: append cacert to vault cert
blockinfile:
path: /etc/nomad.d/certs/nomad.pem
block: |
{{ vault_ca_cert_payload }}
- name: ensure nomad is started and enabled
systemd:
name: nomad
state: started
enabled: True
...


@ -1,28 +0,0 @@
datacenter = "{{ main_dc_name }}"
data_dir = "/opt/nomad"
server {
enabled = true
bootstrap_expect = 1
}
vault {
enabled = true
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:vault-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
address = "https://vault.service.{{ consul_domain }}:8200"
create_from_role = "nomad-cluster"
unwrap_token = true
}
consul {
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:consul-acl-server ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
}
tls {
http = true
rpc = true
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
cert_file = "/etc/nomad.d/certs/nomad.pem"
key_file = "/etc/nomad.d/certs/nomad.key"
}