diff --git a/ansible/group_vars/all/main.yml b/ansible/group_vars/all/main.yml index 730edaf..8209bc2 100644 --- a/ansible/group_vars/all/main.yml +++ b/ansible/group_vars/all/main.yml @@ -57,4 +57,8 @@ vault_ca_cert_payload: | # nomad nomad_version: 0.12.3 +nomad_podman_driver_version: 0.1.0 + +# podman +podman_version: 2.0.6+dfsg1-1 ... diff --git a/ansible/roles/nomad_client/files/podman.socket b/ansible/roles/nomad_client/files/podman.socket new file mode 100644 index 0000000..c233bda --- /dev/null +++ b/ansible/roles/nomad_client/files/podman.socket @@ -0,0 +1,11 @@ +[Unit] +Description=Podman API Socket +Documentation=man:podman-system-service(1) + +[Socket] +ListenStream=/run/podman/io.podman +SocketMode=0660 +SocketGroup=podman + +[Install] +WantedBy=sockets.target diff --git a/ansible/roles/nomad_client/tasks/main.yml b/ansible/roles/nomad_client/tasks/main.yml index 9697510..0d87ea5 100644 --- a/ansible/roles/nomad_client/tasks/main.yml +++ b/ansible/roles/nomad_client/tasks/main.yml 
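Review bot: Group access to this socket is close to root on the host, and the unit does not say so. `ListenStream=/run/podman/io.podman` is a system-level socket, presumably served by podman running as root, and `SocketMode=0660` with `SocketGroup=podman` lets every member of `podman` drive it. tasks/nomad.yml in this commit adds the `nomad` user to that group, so group membership is the real access control here. I would add a comment above `SocketGroup=podman`, for example `# members of this group control system podman; keep it limited to the nomad service account`. It is also worth confirming that the target has a matching `podman.service` speaking the protocol the driver expects on `io.podman`, since the commit ships only the socket half.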
@@ -1,73 +1,4 @@
 ---
-- name: ensure nomad group
- group:
- name: nomad
- state: present
- system: True
-
-- name: ensure nomad user
- user:
- name: nomad
- state: present
- group: nomad
- system: True
-
-- name: ensure nomad config dir
- file:
- path: /etc/nomad.d/
- state: directory
- owner: nomad
- group: nomad
- mode: 0755
-
-- name: ensure nomad data dir
- file:
- path: /opt/nomad
- state: directory
- owner: nomad
- group: nomad
- mode: 0755
-
-- name: check nomad version
- shell:
- cmd: "nomad --version | head -1 | cut -d'v' -f2"
- args:
- executable: /bin/bash
- changed_when: False
- register: installed_nomad_version
- check_mode: False
-
-- name: get nomad
- unarchive:
- src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip"
- dest: /usr/local/bin/
- mode: 0755
- owner: root
- group: root
- remote_src: True
- when: installed_nomad_version.stdout != nomad_version
-
-- name: copy nomad unit file
- copy:
- src: files/nomad.service
- dest: /etc/systemd/system/nomad.service
- mode: 0755
- owner: root
- group: root
- notify: daemon_reload
-
-- name: template nomad config
- template:
- src: templates/nomad.hcl.j2
- dest: /etc/nomad.d/nomad.hcl
- owner: root
- group: root
- mode: 0755
- notify: restart_nomad
-
-- name: ensure nomad is started and enabled
- systemd:
- name: nomad
- state: started
- enabled: True
+- import_tasks: podman_prep.yml
+- import_tasks: nomad.yml
 ...
diff --git a/ansible/roles/nomad_client/tasks/nomad.yml b/ansible/roles/nomad_client/tasks/nomad.yml
new file mode 100644
index 0000000..4df9741
--- /dev/null
+++ b/ansible/roles/nomad_client/tasks/nomad.yml
@@ -0,0 +1,93 @@
+---
+- name: ensure nomad group
+ group:
+ name: nomad
+ state: present
+ system: True
+
+- name: ensure nomad user
+ user:
+ name: nomad
+ state: present
+ group: nomad
+ groups:
+ - podman
+ append: True
+ system: True
+
+- name: ensure nomad config dir
+ file:
+ path: /etc/nomad.d/
+ state: directory
+ owner: nomad
+ group: nomad
+ mode: 0755
+
+- name: ensure nomad data dir
+ file:
+ path: /opt/nomad
+ state: directory
+ owner: nomad
+ group: nomad
+ mode: 0755
+
+- name: check nomad version
+ shell:
+ cmd: "nomad --version | head -1 | cut -d'v' -f2"
+ args:
+ executable: /bin/bash
+ changed_when: False
+ register: installed_nomad_version
+ check_mode: False
+
+- name: get nomad
+ unarchive:
+ src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip"
+ dest: /usr/local/bin/
+ mode: 0755
+ owner: root
+ group: root
+ remote_src: True
+ when: installed_nomad_version.stdout != nomad_version
+
+- name: copy nomad unit file
+ copy:
+ src: files/nomad.service
+ dest: /etc/systemd/system/nomad.service
+ mode: 0755
+ owner: root
+ group: root
+ notify: daemon_reload
+
+- name: template nomad config
+ template:
+ src: templates/nomad.hcl.j2
+ dest: /etc/nomad.d/nomad.hcl
+ owner: root
+ group: root
+ mode: 0755
+ notify: restart_nomad
+
+- name: ensure nomad plugins dir
+ file:
+ path: /opt/nomad_plugins
+ state: directory
+ owner: nomad
+ group: nomad
+ mode: 0755
+
+- name: get nomad podman plugins
+ unarchive:
+ src: "https://releases.hashicorp.com/nomad-driver-podman/{{ nomad_podman_driver_version }}/nomad-driver-podman_{{ nomad_podman_driver_version }}_linux_amd64.zip"
+ dest: /opt/nomad_plugins/
+ mode: 0755
+ owner: nomad
+ group: nomad
+ remote_src: True
+
+- name: ensure nomad is started and enabled
+ systemd:
+ name: nomad
+ state: started
+ enabled: True
+...
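Review bot: The `get nomad podman plugins` task installs an executable that the Nomad agent will load, but nothing verifies the archive and the result is owned by `nomad:nomad`. `unarchive` with `remote_src: True` accepts whatever the URL returns, and unlike `get nomad` above it this task has no `when:` guard, so it appears to run unconditionally on every play. I would download with `get_url` and a pinned `checksum:`, unpack from the local file, and make the plugin directory and binary `root:root` like `/usr/local/bin/`, so the service account cannot replace the driver; the checksum variable below is a proposed addition to group_vars, not something this commit defines. The same missing checksum applies to `get nomad`.

```yaml
# … unchanged: tasks up to "ensure nomad plugins dir" (use owner/group root there as well) …

- name: download nomad podman driver
  get_url:
    url: "https://releases.hashicorp.com/nomad-driver-podman/{{ nomad_podman_driver_version }}/nomad-driver-podman_{{ nomad_podman_driver_version }}_linux_amd64.zip"
    dest: "/usr/local/src/nomad-driver-podman_{{ nomad_podman_driver_version }}_linux_amd64.zip"
    # proposed variable: the published SHA-256 of this release, pinned next to the version
    checksum: "sha256:{{ nomad_podman_driver_sha256 }}"
    owner: root
    group: root
    mode: "0644"

- name: get nomad podman plugins
  unarchive:
    src: "/usr/local/src/nomad-driver-podman_{{ nomad_podman_driver_version }}_linux_amd64.zip"
    dest: /opt/nomad_plugins/
    mode: "0755"
    owner: root
    group: root
    remote_src: True
  notify: restart_nomad

# … unchanged: ensure nomad is started and enabled …
```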
diff --git a/ansible/roles/nomad_client/tasks/podman_prep.yml b/ansible/roles/nomad_client/tasks/podman_prep.yml
new file mode 100644
index 0000000..b11d21d
--- /dev/null
+++ b/ansible/roles/nomad_client/tasks/podman_prep.yml
@@ -0,0 +1,27 @@
+---
+- name: ensure podman group
+ group:
+ name: podman
+ state: present
+ system: True
+
+- name: ensure podman user
+ user:
+ name: podman
+ state: present
+ group: podman
+ system: True
+
+- name: ensure podman is installed
+ apt:
+ name: "podman={{ podman_version }}"
+ state: present
+
+- name: ensure podman socket is configured
+ copy:
+ src: files/podman.socket
+ dest: /etc/systemd/system/podman.socket
+ owner: root
+ group: root
+ mode: 0755
+...
diff --git a/ansible/roles/nomad_client/templates/nomad.hcl.j2 b/ansible/roles/nomad_client/templates/nomad.hcl.j2
index f61f8d3..a643c74 100644
--- a/ansible/roles/nomad_client/templates/nomad.hcl.j2
+++ b/ansible/roles/nomad_client/templates/nomad.hcl.j2
@@ -8,3 +8,9 @@ client {
 consul {
 token = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['consul-acl-client'] }}"
 }
+
+plugin_dir = "/opt/nomad_plugins"
+
+plugin "nomad-driver-podman" {
+ enabled = true
+}
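Review bot: Nothing in this file loads or starts the socket unit it installs. The `ensure podman socket is configured` task has no `notify: daemon_reload` (the nomad unit copy in tasks/nomad.yml has one), and no task enables `podman.socket`. Unless that happens outside this diff, `/run/podman/io.podman` may not exist when Nomad starts the driver. I would add `notify: daemon_reload` to the copy task and follow it with a `systemd` task setting `name: podman.socket`, `state: started`, `enabled: True`. The unit file also does not need to be executable; `mode: "0644"` is the usual mode under /etc/systemd/system.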
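Review bot: The rendered file carries the Consul ACL token shown in the `consul { token = ... }` context lines of this hunk, and the `template nomad config` task in tasks/nomad.yml writes it as `root:root` with `mode: 0755`, so every local account can read the token. Changing that task to something like `group: nomad` and `mode: "0640"` would limit it to root and the service account. Which of the two needs read access depends on the user nomad.service runs as, which this diff does not show. On the added lines, the `plugin "nomad-driver-podman"` block appears to rely on the driver's default socket path matching `ListenStream=/run/podman/io.podman` in files/podman.socket. A one-line comment saying so would help whoever next changes either file.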