RIP Nomad
parent
b0b138a324
commit
b08da75c28
26 changed files with 1 additions and 707 deletions
|
@ -2,4 +2,4 @@
|
||||||
|
|
||||||
## Goals
|
## Goals
|
||||||
|
|
||||||
The goal of this is to keep it as barebones as possible and offload everything I can to nomad
|
The goal of this is to keep it as barebones as possible and offload everything I can to k8s
|
||||||
|
|
|
@ -59,10 +59,6 @@ vault_ca_cert_payload: |
|
||||||
KokuDezJFM7ie3d+EcBk1V9lHwOWdto=
|
KokuDezJFM7ie3d+EcBk1V9lHwOWdto=
|
||||||
-----END CERTIFICATE-----
|
-----END CERTIFICATE-----
|
||||||
|
|
||||||
# nomad
|
|
||||||
nomad_version: 1.3.1
|
|
||||||
nomad_podman_driver_version: 0.3.0
|
|
||||||
|
|
||||||
# lnd
|
# lnd
|
||||||
lnd_version: 0.15.4-beta
|
lnd_version: 0.15.4-beta
|
||||||
|
|
||||||
|
|
|
@ -1,7 +1,5 @@
|
||||||
---
|
---
|
||||||
hashi_arch: arm
|
hashi_arch: arm
|
||||||
consul_arch: arm64
|
consul_arch: arm64
|
||||||
nomad_arch: arm64
|
|
||||||
docker_arch: arm64
|
|
||||||
k3s_role: 'client'
|
k3s_role: 'client'
|
||||||
k3s_server_hostname: hardtack1.minhas.io
|
k3s_server_hostname: hardtack1.minhas.io
|
||||||
|
|
|
@ -1,11 +0,0 @@
|
||||||
---
|
|
||||||
nomad_meta_values:
|
|
||||||
- { name: "storage_optimized", value: "true" }
|
|
||||||
- { name: "ram_optimized", value: "false" }
|
|
||||||
|
|
||||||
nomad_ug_map:
|
|
||||||
- { name: "jenkins", id: "15000" }
|
|
||||||
|
|
||||||
nomad_bind_mounts:
|
|
||||||
- { path: /opt/jenkins_home, owner: jenkins }
|
|
||||||
...
|
|
|
@ -30,12 +30,6 @@ redwingcherokee.minhas.io
|
||||||
[docker_repo]
|
[docker_repo]
|
||||||
sedan.minhas.io
|
sedan.minhas.io
|
||||||
|
|
||||||
[nomad_client]
|
|
||||||
sedan.minhas.io
|
|
||||||
|
|
||||||
[nomad_server]
|
|
||||||
ranger.minhas.io
|
|
||||||
|
|
||||||
[vault_server]
|
[vault_server]
|
||||||
ranger.minhas.io
|
ranger.minhas.io
|
||||||
sedan.minhas.io
|
sedan.minhas.io
|
||||||
|
|
|
@ -1,5 +0,0 @@
|
||||||
---
|
|
||||||
- hosts: nexus:nomad_client
|
|
||||||
roles:
|
|
||||||
- role: docker
|
|
||||||
...
|
|
|
@ -1,5 +0,0 @@
|
||||||
---
|
|
||||||
- hosts: nomad_client
|
|
||||||
roles:
|
|
||||||
- role: nomad_client
|
|
||||||
...
|
|
|
@ -1,6 +0,0 @@
|
||||||
---
|
|
||||||
- hosts: nomad_server
|
|
||||||
serial: 1
|
|
||||||
roles:
|
|
||||||
- role: nomad_server
|
|
||||||
...
|
|
|
@ -1,4 +0,0 @@
|
||||||
---
|
|
||||||
- import_playbook: nomad-server.yml
|
|
||||||
- import_playbook: nomad-client.yml
|
|
||||||
...
|
|
|
@ -3,11 +3,8 @@
|
||||||
- import_playbook: consul-server.yml
|
- import_playbook: consul-server.yml
|
||||||
- import_playbook: vault-server.yml
|
- import_playbook: vault-server.yml
|
||||||
- import_playbook: consul-client.yml
|
- import_playbook: consul-client.yml
|
||||||
- import_playbook: docker.yml
|
|
||||||
- import_playbook: nomad.yml
|
|
||||||
- import_playbook: k3s.yml
|
- import_playbook: k3s.yml
|
||||||
- import_playbook: docker-repo.yml
|
- import_playbook: docker-repo.yml
|
||||||
- import_playbook: lnd.yml
|
- import_playbook: lnd.yml
|
||||||
- import_playbook: wekan.yml
|
- import_playbook: wekan.yml
|
||||||
#- import_playbook: haproxy.yml
|
|
||||||
...
|
...
|
||||||
|
|
|
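Review bot: Dropping `docker.yml` and `nomad.yml` from this playbook stops Ansible from managing that state but does not undo anything the deleted roles already put in place, and the commit carries no teardown step. On the hosts that were in `nomad_client`/`nomad_server` (`sedan.minhas.io`, `ranger.minhas.io` per the inventory hunk) the deleted tasks had enabled the `nomad` systemd unit, written `/etc/nomad.d/certs/nomad.key`, templated a config holding Vault and Consul tokens into `/etc/nomad.d/nomad.hcl` at mode `0755`, added the Docker apt repo and key, and created a lingering `podman` user — all of that presumably is still live. The Vault-side material those configs referenced (the `kv/data/nomad` secrets, the `nomad-cluster` role used by `create_from_role`, and certificates issued via `pki_int/issue/{{ vault_pki_policy }}` for `nomad.service.*`) is likewise not revoked here. Consider a one-off decommission play (stop/disable `nomad`, remove `/etc/nomad.d`, `/opt/nomad`, `/opt/nomad_plugins` and the `nomad` user) plus revoking the tokens, leases and the role in Vault, or at least a line in the commit message saying this was done by hand. The playbook's first two lines sit outside the hunk.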
@ -1,2 +0,0 @@
|
||||||
---
|
|
||||||
docker_arch: amd64
|
|
|
@ -1,62 +0,0 @@
|
||||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
|
||||||
|
|
||||||
mQINBFit2ioBEADhWpZ8/wvZ6hUTiXOwQHXMAlaFHcPH9hAtr4F1y2+OYdbtMuth
|
|
||||||
lqqwp028AqyY+PRfVMtSYMbjuQuu5byyKR01BbqYhuS3jtqQmljZ/bJvXqnmiVXh
|
|
||||||
38UuLa+z077PxyxQhu5BbqntTPQMfiyqEiU+BKbq2WmANUKQf+1AmZY/IruOXbnq
|
|
||||||
L4C1+gJ8vfmXQt99npCaxEjaNRVYfOS8QcixNzHUYnb6emjlANyEVlZzeqo7XKl7
|
|
||||||
UrwV5inawTSzWNvtjEjj4nJL8NsLwscpLPQUhTQ+7BbQXAwAmeHCUTQIvvWXqw0N
|
|
||||||
cmhh4HgeQscQHYgOJjjDVfoY5MucvglbIgCqfzAHW9jxmRL4qbMZj+b1XoePEtht
|
|
||||||
ku4bIQN1X5P07fNWzlgaRL5Z4POXDDZTlIQ/El58j9kp4bnWRCJW0lya+f8ocodo
|
|
||||||
vZZ+Doi+fy4D5ZGrL4XEcIQP/Lv5uFyf+kQtl/94VFYVJOleAv8W92KdgDkhTcTD
|
|
||||||
G7c0tIkVEKNUq48b3aQ64NOZQW7fVjfoKwEZdOqPE72Pa45jrZzvUFxSpdiNk2tZ
|
|
||||||
XYukHjlxxEgBdC/J3cMMNRE1F4NCA3ApfV1Y7/hTeOnmDuDYwr9/obA8t016Yljj
|
|
||||||
q5rdkywPf4JF8mXUW5eCN1vAFHxeg9ZWemhBtQmGxXnw9M+z6hWwc6ahmwARAQAB
|
|
||||||
tCtEb2NrZXIgUmVsZWFzZSAoQ0UgZGViKSA8ZG9ja2VyQGRvY2tlci5jb20+iQI3
|
|
||||||
BBMBCgAhBQJYrefAAhsvBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEI2BgDwO
|
|
||||||
v82IsskP/iQZo68flDQmNvn8X5XTd6RRaUH33kXYXquT6NkHJciS7E2gTJmqvMqd
|
|
||||||
tI4mNYHCSEYxI5qrcYV5YqX9P6+Ko+vozo4nseUQLPH/ATQ4qL0Zok+1jkag3Lgk
|
|
||||||
jonyUf9bwtWxFp05HC3GMHPhhcUSexCxQLQvnFWXD2sWLKivHp2fT8QbRGeZ+d3m
|
|
||||||
6fqcd5Fu7pxsqm0EUDK5NL+nPIgYhN+auTrhgzhK1CShfGccM/wfRlei9Utz6p9P
|
|
||||||
XRKIlWnXtT4qNGZNTN0tR+NLG/6Bqd8OYBaFAUcue/w1VW6JQ2VGYZHnZu9S8LMc
|
|
||||||
FYBa5Ig9PxwGQOgq6RDKDbV+PqTQT5EFMeR1mrjckk4DQJjbxeMZbiNMG5kGECA8
|
|
||||||
g383P3elhn03WGbEEa4MNc3Z4+7c236QI3xWJfNPdUbXRaAwhy/6rTSFbzwKB0Jm
|
|
||||||
ebwzQfwjQY6f55MiI/RqDCyuPj3r3jyVRkK86pQKBAJwFHyqj9KaKXMZjfVnowLh
|
|
||||||
9svIGfNbGHpucATqREvUHuQbNnqkCx8VVhtYkhDb9fEP2xBu5VvHbR+3nfVhMut5
|
|
||||||
G34Ct5RS7Jt6LIfFdtcn8CaSas/l1HbiGeRgc70X/9aYx/V/CEJv0lIe8gP6uDoW
|
|
||||||
FPIZ7d6vH+Vro6xuWEGiuMaiznap2KhZmpkgfupyFmplh0s6knymuQINBFit2ioB
|
|
||||||
EADneL9S9m4vhU3blaRjVUUyJ7b/qTjcSylvCH5XUE6R2k+ckEZjfAMZPLpO+/tF
|
|
||||||
M2JIJMD4SifKuS3xck9KtZGCufGmcwiLQRzeHF7vJUKrLD5RTkNi23ydvWZgPjtx
|
|
||||||
Q+DTT1Zcn7BrQFY6FgnRoUVIxwtdw1bMY/89rsFgS5wwuMESd3Q2RYgb7EOFOpnu
|
|
||||||
w6da7WakWf4IhnF5nsNYGDVaIHzpiqCl+uTbf1epCjrOlIzkZ3Z3Yk5CM/TiFzPk
|
|
||||||
z2lLz89cpD8U+NtCsfagWWfjd2U3jDapgH+7nQnCEWpROtzaKHG6lA3pXdix5zG8
|
|
||||||
eRc6/0IbUSWvfjKxLLPfNeCS2pCL3IeEI5nothEEYdQH6szpLog79xB9dVnJyKJb
|
|
||||||
VfxXnseoYqVrRz2VVbUI5Blwm6B40E3eGVfUQWiux54DspyVMMk41Mx7QJ3iynIa
|
|
||||||
1N4ZAqVMAEruyXTRTxc9XW0tYhDMA/1GYvz0EmFpm8LzTHA6sFVtPm/ZlNCX6P1X
|
|
||||||
zJwrv7DSQKD6GGlBQUX+OeEJ8tTkkf8QTJSPUdh8P8YxDFS5EOGAvhhpMBYD42kQ
|
|
||||||
pqXjEC+XcycTvGI7impgv9PDY1RCC1zkBjKPa120rNhv/hkVk/YhuGoajoHyy4h7
|
|
||||||
ZQopdcMtpN2dgmhEegny9JCSwxfQmQ0zK0g7m6SHiKMwjwARAQABiQQ+BBgBCAAJ
|
|
||||||
BQJYrdoqAhsCAikJEI2BgDwOv82IwV0gBBkBCAAGBQJYrdoqAAoJEH6gqcPyc/zY
|
|
||||||
1WAP/2wJ+R0gE6qsce3rjaIz58PJmc8goKrir5hnElWhPgbq7cYIsW5qiFyLhkdp
|
|
||||||
YcMmhD9mRiPpQn6Ya2w3e3B8zfIVKipbMBnke/ytZ9M7qHmDCcjoiSmwEXN3wKYI
|
|
||||||
mD9VHONsl/CG1rU9Isw1jtB5g1YxuBA7M/m36XN6x2u+NtNMDB9P56yc4gfsZVES
|
|
||||||
KA9v+yY2/l45L8d/WUkUi0YXomn6hyBGI7JrBLq0CX37GEYP6O9rrKipfz73XfO7
|
|
||||||
JIGzOKZlljb/D9RX/g7nRbCn+3EtH7xnk+TK/50euEKw8SMUg147sJTcpQmv6UzZ
|
|
||||||
cM4JgL0HbHVCojV4C/plELwMddALOFeYQzTif6sMRPf+3DSj8frbInjChC3yOLy0
|
|
||||||
6br92KFom17EIj2CAcoeq7UPhi2oouYBwPxh5ytdehJkoo+sN7RIWua6P2WSmon5
|
|
||||||
U888cSylXC0+ADFdgLX9K2zrDVYUG1vo8CX0vzxFBaHwN6Px26fhIT1/hYUHQR1z
|
|
||||||
VfNDcyQmXqkOnZvvoMfz/Q0s9BhFJ/zU6AgQbIZE/hm1spsfgvtsD1frZfygXJ9f
|
|
||||||
irP+MSAI80xHSf91qSRZOj4Pl3ZJNbq4yYxv0b1pkMqeGdjdCYhLU+LZ4wbQmpCk
|
|
||||||
SVe2prlLureigXtmZfkqevRz7FrIZiu9ky8wnCAPwC7/zmS18rgP/17bOtL4/iIz
|
|
||||||
QhxAAoAMWVrGyJivSkjhSGx1uCojsWfsTAm11P7jsruIL61ZzMUVE2aM3Pmj5G+W
|
|
||||||
9AcZ58Em+1WsVnAXdUR//bMmhyr8wL/G1YO1V3JEJTRdxsSxdYa4deGBBY/Adpsw
|
|
||||||
24jxhOJR+lsJpqIUeb999+R8euDhRHG9eFO7DRu6weatUJ6suupoDTRWtr/4yGqe
|
|
||||||
dKxV3qQhNLSnaAzqW/1nA3iUB4k7kCaKZxhdhDbClf9P37qaRW467BLCVO/coL3y
|
|
||||||
Vm50dwdrNtKpMBh3ZpbB1uJvgi9mXtyBOMJ3v8RZeDzFiG8HdCtg9RvIt/AIFoHR
|
|
||||||
H3S+U79NT6i0KPzLImDfs8T7RlpyuMc4Ufs8ggyg9v3Ae6cN3eQyxcK3w0cbBwsh
|
|
||||||
/nQNfsA6uu+9H7NhbehBMhYnpNZyrHzCmzyXkauwRAqoCbGCNykTRwsur9gS41TQ
|
|
||||||
M8ssD1jFheOJf3hODnkKU+HKjvMROl1DK7zdmLdNzA1cvtZH/nCC9KPj1z8QC47S
|
|
||||||
xx+dTZSx4ONAhwbS/LN3PoKtn8LPjY9NP9uDWI+TWYquS2U+KHDrBDlsgozDbs/O
|
|
||||||
jCxcpDzNmXpWQHEtHU7649OXHP7UeNST1mCUCH5qdank0V1iejF6/CfTFU4MfcrG
|
|
||||||
YT90qFF93M3v01BbxP+EIY2/9tiIPbrd
|
|
||||||
=0YYh
|
|
||||||
-----END PGP PUBLIC KEY BLOCK-----
|
|
|
@ -1,43 +0,0 @@
|
||||||
---
|
|
||||||
- name: install docker dependencies
|
|
||||||
apt:
|
|
||||||
state: present
|
|
||||||
name:
|
|
||||||
- apt-transport-https
|
|
||||||
- ca-certificates
|
|
||||||
- curl
|
|
||||||
- gnupg-agent
|
|
||||||
- software-properties-common
|
|
||||||
|
|
||||||
- name: add docker apt key
|
|
||||||
apt_key:
|
|
||||||
url: https://download.docker.com/linux/debian/gpg
|
|
||||||
state: present
|
|
||||||
id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
|
|
||||||
|
|
||||||
- name: add docker repo
|
|
||||||
apt_repository:
|
|
||||||
repo: "deb [arch={{ docker_arch }}] https://download.docker.com/linux/debian bullseye stable"
|
|
||||||
state: present
|
|
||||||
mode: 0644
|
|
||||||
|
|
||||||
- name: install docker-ce
|
|
||||||
apt:
|
|
||||||
state: present
|
|
||||||
update_cache: True
|
|
||||||
name:
|
|
||||||
- docker-ce
|
|
||||||
- docker-ce-cli
|
|
||||||
- containerd.io
|
|
||||||
|
|
||||||
- name: ensure docker certs directory exists
|
|
||||||
file:
|
|
||||||
path: /etc/docker/certs.d/docker.service.{{ consul_domain }}:8082
|
|
||||||
state: directory
|
|
||||||
|
|
||||||
- name: symlink ca cert
|
|
||||||
file:
|
|
||||||
src: /etc/pki/certs/{{ vault_ca_cert_name }}
|
|
||||||
dest: /etc/docker/certs.d/docker.service.{{ consul_domain }}:8082/ca.crt
|
|
||||||
state: link
|
|
||||||
...
|
|
|
@ -1,2 +0,0 @@
|
||||||
---
|
|
||||||
nomad_arch: amd64
|
|
|
@ -1,29 +0,0 @@
|
||||||
[containers]
|
|
||||||
default_capabilities = [
|
|
||||||
"CHOWN",
|
|
||||||
"DAC_OVERRIDE",
|
|
||||||
"FOWNER",
|
|
||||||
"FSETID",
|
|
||||||
"KILL",
|
|
||||||
"NET_BIND_SERVICE",
|
|
||||||
"SETFCAP",
|
|
||||||
"SETGID",
|
|
||||||
"SETPCAP",
|
|
||||||
"SETUID",
|
|
||||||
"SYS_CHROOT"
|
|
||||||
]
|
|
||||||
|
|
||||||
default_sysctls = [
|
|
||||||
"net.ipv4.ping_group_range=0 1",
|
|
||||||
]
|
|
||||||
|
|
||||||
[engine]
|
|
||||||
runtime = "crun"
|
|
||||||
cgroup_manager = "cgroupfs"
|
|
||||||
events_logger = "journald"
|
|
||||||
|
|
||||||
#[storage]
|
|
||||||
#driver = "overlay"
|
|
||||||
#
|
|
||||||
#[storage.options]
|
|
||||||
#mount_program = "/usr/bin/fuse-overlayfs"
|
|
|
@ -1,21 +0,0 @@
|
||||||
[Unit]
|
|
||||||
Description=Nomad
|
|
||||||
Documentation=https://nomadproject.io/docs/
|
|
||||||
Wants=network-online.target
|
|
||||||
After=network-online.target
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
ExecReload=/bin/kill -HUP $MAINPID
|
|
||||||
ExecStart=/usr/local/bin/nomad agent -config /etc/nomad.d
|
|
||||||
KillMode=process
|
|
||||||
KillSignal=SIGINT
|
|
||||||
LimitNOFILE=infinity
|
|
||||||
LimitNPROC=infinity
|
|
||||||
Restart=on-failure
|
|
||||||
RestartSec=2
|
|
||||||
StartLimitBurst=3
|
|
||||||
StartLimitIntervalSec=10
|
|
||||||
TasksMax=infinity
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
|
@ -1,15 +0,0 @@
|
||||||
---
|
|
||||||
- name: daemon_reload
|
|
||||||
systemd:
|
|
||||||
daemon_reload: True
|
|
||||||
|
|
||||||
- name: reload_nomad
|
|
||||||
systemd:
|
|
||||||
name: nomad
|
|
||||||
state: reloaded
|
|
||||||
|
|
||||||
- name: restart_nomad
|
|
||||||
systemd:
|
|
||||||
name: nomad
|
|
||||||
state: restarted
|
|
||||||
...
|
|
|
@ -1,27 +0,0 @@
|
||||||
---
|
|
||||||
- name: setup group mappings
|
|
||||||
group:
|
|
||||||
name: "{{ item.name }}"
|
|
||||||
gid: "{{ item.id }}"
|
|
||||||
system: True
|
|
||||||
loop: "{{ nomad_ug_map }}"
|
|
||||||
when: nomad_ug_map is defined
|
|
||||||
|
|
||||||
- name: setup user mappings
|
|
||||||
user:
|
|
||||||
name: "{{ item.name }}"
|
|
||||||
uid: "{{ item.id }}"
|
|
||||||
system: True
|
|
||||||
loop: "{{ nomad_ug_map }}"
|
|
||||||
when: nomad_ug_map is defined
|
|
||||||
|
|
||||||
- name: ensure mounts
|
|
||||||
file:
|
|
||||||
state: directory
|
|
||||||
path: "{{ item.path }}"
|
|
||||||
owner: "{{ item.owner }}"
|
|
||||||
group: "{{ item.owner }}"
|
|
||||||
mode: 0755
|
|
||||||
loop: "{{ nomad_bind_mounts }}"
|
|
||||||
when: nomad_bind_mounts is defined
|
|
||||||
...
|
|
|
@ -1,4 +0,0 @@
|
||||||
---
|
|
||||||
- import_tasks: nomad.yml
|
|
||||||
- import_tasks: client_setup.yml
|
|
||||||
...
|
|
|
@ -1,147 +0,0 @@
|
||||||
---
|
|
||||||
- name: ensure nomad group
|
|
||||||
group:
|
|
||||||
name: nomad
|
|
||||||
state: present
|
|
||||||
system: True
|
|
||||||
|
|
||||||
- name: ensure nomad user
|
|
||||||
user:
|
|
||||||
name: nomad
|
|
||||||
state: present
|
|
||||||
group: nomad
|
|
||||||
groups:
|
|
||||||
- podman
|
|
||||||
append: True
|
|
||||||
system: True
|
|
||||||
|
|
||||||
- name: ensure nomad config dir
|
|
||||||
file:
|
|
||||||
path: /etc/nomad.d/
|
|
||||||
state: directory
|
|
||||||
owner: nomad
|
|
||||||
group: nomad
|
|
||||||
mode: 0755
|
|
||||||
|
|
||||||
- name: ensure nomad data dir
|
|
||||||
file:
|
|
||||||
path: /opt/nomad
|
|
||||||
state: directory
|
|
||||||
owner: nomad
|
|
||||||
group: nomad
|
|
||||||
mode: 0755
|
|
||||||
|
|
||||||
- name: check nomad version
|
|
||||||
shell:
|
|
||||||
cmd: "nomad --version | head -1 | cut -d'v' -f2"
|
|
||||||
args:
|
|
||||||
executable: /bin/bash
|
|
||||||
changed_when: False
|
|
||||||
register: installed_nomad_version
|
|
||||||
check_mode: False
|
|
||||||
|
|
||||||
- name: get nomad
|
|
||||||
unarchive:
|
|
||||||
src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_{{ nomad_arch }}.zip"
|
|
||||||
dest: /usr/local/bin/
|
|
||||||
mode: 0755
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
remote_src: True
|
|
||||||
when: installed_nomad_version.stdout != nomad_version
|
|
||||||
|
|
||||||
- name: copy nomad unit file
|
|
||||||
copy:
|
|
||||||
src: files/nomad.service
|
|
||||||
dest: /etc/systemd/system/nomad.service
|
|
||||||
mode: 0755
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
notify: daemon_reload
|
|
||||||
|
|
||||||
- name: get podman from passwd
|
|
||||||
getent:
|
|
||||||
database: passwd
|
|
||||||
key: podman
|
|
||||||
|
|
||||||
- name: template nomad config
|
|
||||||
template:
|
|
||||||
src: templates/nomad.hcl.j2
|
|
||||||
dest: /etc/nomad.d/nomad.hcl
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0755
|
|
||||||
notify: restart_nomad
|
|
||||||
|
|
||||||
- name: ensure nomad plugins dir
|
|
||||||
file:
|
|
||||||
path: /opt/nomad_plugins
|
|
||||||
state: directory
|
|
||||||
owner: nomad
|
|
||||||
group: nomad
|
|
||||||
mode: 0755
|
|
||||||
|
|
||||||
- name: get nomad podman plugins
|
|
||||||
unarchive:
|
|
||||||
src: "https://releases.hashicorp.com/nomad-driver-podman/{{ nomad_podman_driver_version }}/nomad-driver-podman_{{ nomad_podman_driver_version }}_linux_{{ nomad_arch }}.zip"
|
|
||||||
dest: /opt/nomad_plugins/
|
|
||||||
mode: 0755
|
|
||||||
owner: nomad
|
|
||||||
group: nomad
|
|
||||||
remote_src: True
|
|
||||||
|
|
||||||
- name: ensure nomad config dir
|
|
||||||
file:
|
|
||||||
path: /etc/nomad.d/certs/
|
|
||||||
state: directory
|
|
||||||
owner: nomad
|
|
||||||
group: nomad
|
|
||||||
mode: 0755
|
|
||||||
|
|
||||||
- name: check if server cert is expiring in the next 5 days
|
|
||||||
shell: "openssl x509 -checkend 432000 -noout -in /etc/nomad.d/certs/nomad.pem"
|
|
||||||
args:
|
|
||||||
executable: /bin/bash
|
|
||||||
failed_when: False
|
|
||||||
check_mode: False
|
|
||||||
changed_when: False
|
|
||||||
register: exp
|
|
||||||
|
|
||||||
- name: get cert
|
|
||||||
shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=nomad.service.{{ main_dc_name }}.{{ consul_domain }} alt_names=nomad.service.{{ consul_domain }} ttl=43200m"
|
|
||||||
args:
|
|
||||||
executable: /bin/bash
|
|
||||||
environment:
|
|
||||||
VAULT_ADDR: https://vault.service.masked.name:8200
|
|
||||||
VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
|
|
||||||
VAULT_FORMAT: json
|
|
||||||
register: cert_data
|
|
||||||
when: exp.rc != 0
|
|
||||||
notify: reload_nomad
|
|
||||||
|
|
||||||
- name: write cert data to server
|
|
||||||
copy:
|
|
||||||
content: "{{ item.content }}"
|
|
||||||
dest: "/etc/nomad.d/certs/{{ item.path }}"
|
|
||||||
mode: '{{ item.mode }}'
|
|
||||||
owner: nomad
|
|
||||||
group: nomad
|
|
||||||
when: cert_data.changed
|
|
||||||
loop:
|
|
||||||
- {
|
|
||||||
content: "{{ (cert_data.stdout | from_json).data.certificate }}",
|
|
||||||
path: "nomad.pem",
|
|
||||||
mode: "0755"
|
|
||||||
}
|
|
||||||
- {
|
|
||||||
content: "{{ (cert_data.stdout | from_json).data.private_key }}",
|
|
||||||
path: "nomad.key",
|
|
||||||
mode: "0600"
|
|
||||||
}
|
|
||||||
|
|
||||||
- name: ensure nomad is started and enabled
|
|
||||||
systemd:
|
|
||||||
name: nomad
|
|
||||||
state: started
|
|
||||||
enabled: True
|
|
||||||
...
|
|
|
@ -1,72 +0,0 @@
|
||||||
---
|
|
||||||
- name: ensure podman group
|
|
||||||
group:
|
|
||||||
name: podman
|
|
||||||
state: present
|
|
||||||
system: True
|
|
||||||
|
|
||||||
- name: ensure podman user
|
|
||||||
user:
|
|
||||||
name: podman
|
|
||||||
state: present
|
|
||||||
group: podman
|
|
||||||
system: True
|
|
||||||
|
|
||||||
- name: ensure podman is installed
|
|
||||||
apt:
|
|
||||||
name:
|
|
||||||
- catatonit
|
|
||||||
- fuse-overlayfs
|
|
||||||
- podman
|
|
||||||
- slirp4netns
|
|
||||||
- uidmap
|
|
||||||
state: present
|
|
||||||
|
|
||||||
- name: ensure containers.conf is configured
|
|
||||||
copy:
|
|
||||||
src: containers.conf
|
|
||||||
dest: /etc/containers/containers.conf
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0644
|
|
||||||
|
|
||||||
- name: Check if podman lingers
|
|
||||||
stat: path=/var/lib/systemd/linger/podman
|
|
||||||
register: linger
|
|
||||||
|
|
||||||
- name: enable lingering for podman
|
|
||||||
command: loginctl enable-linger podman
|
|
||||||
when: not linger.stat.exists
|
|
||||||
|
|
||||||
- name: enable podman
|
|
||||||
systemd:
|
|
||||||
name: podman
|
|
||||||
state: started
|
|
||||||
enabled: True
|
|
||||||
scope: user
|
|
||||||
changed_when: False
|
|
||||||
become: True
|
|
||||||
become_user: podman
|
|
||||||
|
|
||||||
- name: check if subuid is configured
|
|
||||||
shell: grep podman /etc/subuid
|
|
||||||
register: subuid
|
|
||||||
changed_when: False
|
|
||||||
check_mode: False
|
|
||||||
failed_when: False
|
|
||||||
|
|
||||||
- name: check if subgid is configured
|
|
||||||
shell: grep podman /etc/subgid
|
|
||||||
register: subgid
|
|
||||||
changed_when: False
|
|
||||||
check_mode: False
|
|
||||||
failed_when: False
|
|
||||||
|
|
||||||
- name: configure subuid
|
|
||||||
shell: usermod --add-subuids 200000-201000 podman
|
|
||||||
when: subuid.rc != 0
|
|
||||||
|
|
||||||
- name: configure subgid
|
|
||||||
shell: usermod --add-subgids 200000-201000 podman
|
|
||||||
when: subgid.rc != 0
|
|
||||||
...
|
|
|
@ -1,44 +0,0 @@
|
||||||
datacenter = "{{ main_dc_name }}"
|
|
||||||
data_dir = "/opt/nomad"
|
|
||||||
|
|
||||||
client {
|
|
||||||
enabled = true
|
|
||||||
options {
|
|
||||||
"docker.volumes.enabled" = true
|
|
||||||
}
|
|
||||||
meta {
|
|
||||||
{% for nomad_meta in nomad_meta_values %}
|
|
||||||
"{{ nomad_meta.name }}" = "{{ nomad_meta.value }}"
|
|
||||||
{% endfor %}
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
consul {
|
|
||||||
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:consul-acl-client ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
|
|
||||||
}
|
|
||||||
|
|
||||||
vault {
|
|
||||||
enabled = true
|
|
||||||
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
|
|
||||||
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:vault-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
|
|
||||||
address = "https://vault.service.{{ consul_domain }}:8200"
|
|
||||||
create_from_role = "nomad-cluster"
|
|
||||||
unwrap_token = true
|
|
||||||
}
|
|
||||||
|
|
||||||
tls {
|
|
||||||
http = true
|
|
||||||
rpc = true
|
|
||||||
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
|
|
||||||
cert_file = "/etc/nomad.d/certs/nomad.pem"
|
|
||||||
key_file = "/etc/nomad.d/certs/nomad.key"
|
|
||||||
}
|
|
||||||
|
|
||||||
plugin_dir = "/opt/nomad_plugins"
|
|
||||||
|
|
||||||
plugin "nomad-driver-podman" {
|
|
||||||
enabled = true
|
|
||||||
config {
|
|
||||||
socket_path = "unix:///run/user/{{ getent_passwd.podman[1] }}/podman/podman.sock"
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -1,21 +0,0 @@
|
||||||
[Unit]
|
|
||||||
Description=Nomad
|
|
||||||
Documentation=https://nomadproject.io/docs/
|
|
||||||
Wants=network-online.target
|
|
||||||
After=network-online.target
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
ExecReload=/bin/kill -HUP $MAINPID
|
|
||||||
ExecStart=/usr/local/bin/nomad agent -config /etc/nomad.d
|
|
||||||
KillMode=process
|
|
||||||
KillSignal=SIGINT
|
|
||||||
LimitNOFILE=infinity
|
|
||||||
LimitNPROC=infinity
|
|
||||||
Restart=on-failure
|
|
||||||
RestartSec=2
|
|
||||||
StartLimitBurst=3
|
|
||||||
StartLimitIntervalSec=10
|
|
||||||
TasksMax=infinity
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|
|
@ -1,15 +0,0 @@
|
||||||
---
|
|
||||||
- name: daemon_reload
|
|
||||||
systemd:
|
|
||||||
daemon_reload: True
|
|
||||||
|
|
||||||
- name: reload_nomad
|
|
||||||
systemd:
|
|
||||||
name: nomad
|
|
||||||
state: reloaded
|
|
||||||
|
|
||||||
- name: restart_nomad
|
|
||||||
systemd:
|
|
||||||
name: nomad
|
|
||||||
state: restarted
|
|
||||||
...
|
|
|
@ -1,128 +0,0 @@
|
||||||
---
|
|
||||||
- name: ensure nomad group
|
|
||||||
group:
|
|
||||||
name: nomad
|
|
||||||
state: present
|
|
||||||
system: True
|
|
||||||
|
|
||||||
- name: ensure nomad user
|
|
||||||
user:
|
|
||||||
name: nomad
|
|
||||||
state: present
|
|
||||||
group: nomad
|
|
||||||
system: True
|
|
||||||
|
|
||||||
- name: ensure nomad config dir
|
|
||||||
file:
|
|
||||||
path: /etc/nomad.d/
|
|
||||||
state: directory
|
|
||||||
owner: nomad
|
|
||||||
group: nomad
|
|
||||||
mode: 0755
|
|
||||||
|
|
||||||
- name: ensure nomad data dir
|
|
||||||
file:
|
|
||||||
path: /opt/nomad
|
|
||||||
state: directory
|
|
||||||
owner: nomad
|
|
||||||
group: nomad
|
|
||||||
mode: 0755
|
|
||||||
|
|
||||||
- name: check nomad version
|
|
||||||
shell:
|
|
||||||
cmd: "nomad --version | head -1 | cut -d'v' -f2"
|
|
||||||
args:
|
|
||||||
executable: /bin/bash
|
|
||||||
changed_when: False
|
|
||||||
register: installed_nomad_version
|
|
||||||
check_mode: False
|
|
||||||
|
|
||||||
- name: get nomad
|
|
||||||
unarchive:
|
|
||||||
src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip"
|
|
||||||
dest: /usr/local/bin/
|
|
||||||
mode: 0755
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
remote_src: True
|
|
||||||
when: installed_nomad_version.stdout != nomad_version
|
|
||||||
|
|
||||||
- name: copy nomad unit file
|
|
||||||
copy:
|
|
||||||
src: files/nomad.service
|
|
||||||
dest: /etc/systemd/system/nomad.service
|
|
||||||
mode: 0755
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
notify: daemon_reload
|
|
||||||
|
|
||||||
- name: template nomad config
|
|
||||||
template:
|
|
||||||
src: templates/nomad.hcl.j2
|
|
||||||
dest: /etc/nomad.d/nomad.hcl
|
|
||||||
owner: root
|
|
||||||
group: root
|
|
||||||
mode: 0755
|
|
||||||
notify: restart_nomad
|
|
||||||
|
|
||||||
- name: ensure nomad config dir
|
|
||||||
file:
|
|
||||||
path: /etc/nomad.d/certs/
|
|
||||||
state: directory
|
|
||||||
owner: nomad
|
|
||||||
group: nomad
|
|
||||||
mode: 0755
|
|
||||||
|
|
||||||
- name: check if server cert is expiring in the next 5 days
|
|
||||||
shell: "openssl x509 -checkend 432000 -noout -in /etc/nomad.d/certs/nomad.pem"
|
|
||||||
args:
|
|
||||||
executable: /bin/bash
|
|
||||||
failed_when: False
|
|
||||||
check_mode: False
|
|
||||||
changed_when: False
|
|
||||||
register: exp
|
|
||||||
|
|
||||||
- name: get cert
|
|
||||||
shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=nomad.service.{{ main_dc_name }}.{{ consul_domain }} alt_names=nomad.service.{{ consul_domain }} ttl=43200m"
|
|
||||||
args:
|
|
||||||
executable: /bin/bash
|
|
||||||
environment:
|
|
||||||
VAULT_ADDR: https://vault.service.masked.name:8200
|
|
||||||
VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
|
|
||||||
VAULT_FORMAT: json
|
|
||||||
register: cert_data
|
|
||||||
when: exp.rc != 0
|
|
||||||
notify: reload_nomad
|
|
||||||
|
|
||||||
- name: write cert data to server
|
|
||||||
copy:
|
|
||||||
content: "{{ item.content }}"
|
|
||||||
dest: "/etc/nomad.d/certs/{{ item.path }}"
|
|
||||||
mode: '{{ item.mode }}'
|
|
||||||
owner: nomad
|
|
||||||
group: nomad
|
|
||||||
when: cert_data.changed
|
|
||||||
loop:
|
|
||||||
- {
|
|
||||||
content: "{{ (cert_data.stdout | from_json).data.certificate }}",
|
|
||||||
path: "nomad.pem",
|
|
||||||
mode: "0755"
|
|
||||||
}
|
|
||||||
- {
|
|
||||||
content: "{{ (cert_data.stdout | from_json).data.private_key }}",
|
|
||||||
path: "nomad.key",
|
|
||||||
mode: "0600"
|
|
||||||
}
|
|
||||||
|
|
||||||
- name: append cacert to vault cert
|
|
||||||
blockinfile:
|
|
||||||
path: /etc/nomad.d/certs/nomad.pem
|
|
||||||
block: |
|
|
||||||
{{ vault_ca_cert_payload }}
|
|
||||||
|
|
||||||
- name: ensure nomad is started and enabled
|
|
||||||
systemd:
|
|
||||||
name: nomad
|
|
||||||
state: started
|
|
||||||
enabled: True
|
|
||||||
...
|
|
|
@ -1,28 +0,0 @@
|
||||||
datacenter = "{{ main_dc_name }}"
|
|
||||||
data_dir = "/opt/nomad"
|
|
||||||
|
|
||||||
server {
|
|
||||||
enabled = true
|
|
||||||
bootstrap_expect = 1
|
|
||||||
}
|
|
||||||
|
|
||||||
vault {
|
|
||||||
enabled = true
|
|
||||||
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
|
|
||||||
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:vault-token ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
|
|
||||||
address = "https://vault.service.{{ consul_domain }}:8200"
|
|
||||||
create_from_role = "nomad-cluster"
|
|
||||||
unwrap_token = true
|
|
||||||
}
|
|
||||||
|
|
||||||
consul {
|
|
||||||
token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:consul-acl-server ca_cert=/etc/pki/certs/MaskedName_Root_CA.crt') }}"
|
|
||||||
}
|
|
||||||
|
|
||||||
tls {
|
|
||||||
http = true
|
|
||||||
rpc = true
|
|
||||||
ca_file = "/etc/pki/certs/{{ vault_ca_cert_name }}"
|
|
||||||
cert_file = "/etc/nomad.d/certs/nomad.pem"
|
|
||||||
key_file = "/etc/nomad.d/certs/nomad.key"
|
|
||||||
}
|
|