Add nomad server/client, fix ansible policy to allow for cert creation

ansible/group_vars/all/main.yml

@@ -1,8 +1,60 @@
 ---
+# main
+main_dc_name: columbia
+
 # consul
-consul_dc: columbia
 consul_version: 1.8.3
+consul_domain: masked.name
 
 # vault
 vault_version: 1.5.2
+vault_pki_policy: masked-dot-name
+vault_ca_cert_name: MaskedName_Root_CA.pem
+vault_ca_cert_payload: |
+  -----BEGIN CERTIFICATE-----
+  MIIDNTCCAh2gAwIBAgIUYp8xo5t2lJFP3SiD1fJirgGUQJ0wDQYJKoZIhvcNAQEL
+  BQAwFjEUMBIGA1UEAxMLbWFza2VkLm5hbWUwHhcNMjAwODI5MTkyMzEyWhcNMzAw
+  ODI3MTkyMzQyWjAWMRQwEgYDVQQDEwttYXNrZWQubmFtZTCCASIwDQYJKoZIhvcN
+  AQEBBQADggEPADCCAQoCggEBAMI7oR+KHvvznfnaAXDMO5qpSTCAYCyfjFEohYJf
+  lOcnLONXb3f6sP5d1eltL+UTq0RVU5UP0aNW7hqDTa41MRw0JCDtB68yKdYq2hZf
+  97gA+lj3MEJU6RTAKLrg75GRh/AbNEIgwvPuHKW6hMbtwOyM9DFU//W3xpusalXy
+  RMFzAHfSDj9ci+UygUt9HINWd/SmMGG/8PghaRhfE44wRFMqYezeliIt2JIs43BV
+  7HqG0Oev9WPeXmiaZUYKQetHiQqR14Mxiv1IGzCmwwN+9b4tZtZTa58oM5dPXfbb
+  lrELQE5OsPaNtMtER3MgxovDN3VSCGH/O/GyaEWVanY5UF8CAwEAAaN7MHkwDgYD
+  VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFBY8jW3fDVUp
+  URt1prhmDMjkVikgMB8GA1UdIwQYMBaAFBY8jW3fDVUpURt1prhmDMjkVikgMBYG
+  A1UdEQQPMA2CC21hc2tlZC5uYW1lMA0GCSqGSIb3DQEBCwUAA4IBAQAWQz4d3QzE
+  W8NGA16ZPamlVubOLB5DtZz2qrSrn3DeObLIDShInV3qtRlDx9HYJLTCA75Ket0J
+  NTsyMcTy2txd4I8hgdF30XJeEciN9wZ0mKEeP/YKDwe8V2XwWq4XYkDechlWHpZo
+  PfWcoLprKwVUI4HzaqkNmwcmMUI4xAsC+SLe1mrebseKm49oOwdQs/oPVLK+0nEp
+  RvD0aOvohILIa/2ZtKczvhB/L3fo5pg9Ex/0JDBdDHIedMabD3qn8Idse+P5Dfwa
+  Ju2Ctyb+n1TTPxRDMxs2cFbA5irr+2ARJd8jtGS+1fyxogjOWS1RR523F+qIS3su
+  KibGel+gFPpq
+  -----END CERTIFICATE-----
+  -----BEGIN CERTIFICATE-----
+  MIID0zCCArugAwIBAgIUM52uhXSeTCim1pmzucm/cnIgNp8wDQYJKoZIhvcNAQEL
+  BQAwFjEUMBIGA1UEAxMLbWFza2VkLm5hbWUwHhcNMjAwODI5MTkyNzAwWhcNMjUw
+  ODI4MTkyNzMwWjAtMSswKQYDVQQDEyJtYXNrZWQubmFtZSBJbnRlcm1lZGlhdGUg
+  QXV0aG9yaXR5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA8LuGo+As
+  ICYWdJjBCY0snF/X+jF1tdcrQzNiRKESEb5dsDiy979bugCblPQDQ+g5WGqXX4pj
+  UyZZE3ZwhOufISlGK0ow1aMjqS+pFlQ85KRD/jUtLPRUJuQF+m2YwId/Mg6/B7Qk
+  d166uJkNxS+MGZCi2OYXeoivnOY7Q0Kj/0vIbc5Vt3kCRVg2ljLSQhoBd+85AHMR
+  jeRjZMeYEYF2HTVwrg4DrC/r00MVtDcNqs6+M7YZ/rzny73GvfJWfWoB1C4piZlg
+  fvUcSDL5HAhjiu5cSeIR7DTuVx7t4PoK6AqUkPygDtq1ZaLybXT7X6d072dR5AXO
+  nWFLPaaGJ979iwIDAQABo4IBADCB/TAOBgNVHQ8BAf8EBAMCAQYwDwYDVR0TAQH/
+  BAUwAwEB/zAdBgNVHQ4EFgQUIkhVYBaK9CcvXG8FM2jKVZ16oZAwHwYDVR0jBBgw
+  FoAUFjyNbd8NVSlRG3WmuGYMyORWKSAwUQYIKwYBBQUHAQEERTBDMEEGCCsGAQUF
+  BzAChjVodHRwOi8vdmF1bHQuY29sdW1iaWEubWFza2VkLm5hbWU6ODIwMC92MS9w
+  a2lfcm9vdC9jYTBHBgNVHR8EQDA+MDygOqA4hjZodHRwOi8vdmF1bHQuY29sdW1i
+  aWEubWFza2VkLm5hbWU6ODIwMC92MS9wa2lfcm9vdC9jcmwwDQYJKoZIhvcNAQEL
+  BQADggEBAK6HMgR+hpwjZCmf5NszDSHr7dYKZXP4LrcHPWs94nLM33UZ572ubGHs
+  dKjRw8YD0cncrsypsYmEgR57U+DHkys394wkb7UOwy1Zvd5IIRXdP0cDylz0QzqM
+  APnQYN+ismkoljhk9ey0Qbo3CmPjM+UQcAxuZQtA4M+riC1+jkude1uYL0szC6Y9
+  4KetfvbNkedSaV5yJaRKCBhRcC4/GjpBG/odQ/5AfBPAFjZqhcIJWBrVYbTQVC79
+  hMA1iwWJPmT9LsjMSUfxFTPzxRnNXQiKFz5kT2OiS1nqh8aOcyU9YC928pkifNJV
+  KokuDezJFM7ie3d+EcBk1V9lHwOWdto=
+  -----END CERTIFICATE-----
+
+# nomad
+nomad_version: 0.12.3
 ...

ansible/inventory.txt

@@ -9,6 +9,15 @@ fatman.minhas.io
 ivyking.minhas.io
 sedan.minhas.io
 
+[docker_registry]
+ivyking.minhas.io
+
+[nomad_client]
+sedan.minhas.io
+
+[nomad_server]
+ivyking.minhas.io
+
 [vault_server]
 ivyking.minhas.io
 sedan.minhas.io

ansible/playbooks/common.yml

@@ -0,0 +1,5 @@
+---
+- hosts: all
+  roles:
+    - role: common
+...

ansible/playbooks/docker-registry.yml

@@ -0,0 +1,5 @@
+---
+- hosts: docker_registry
+  roles:
+    - role: docker_registry
+...

ansible/playbooks/docker.yml

@@ -0,0 +1,5 @@
+---
+- hosts: docker_registry:nomad_client
+  roles:
+    - role: docker
+...

ansible/playbooks/nomad-client.yml

@@ -0,0 +1,5 @@
+---
+- hosts: nomad_client
+  roles:
+    - role: nomad_client
+...

ansible/playbooks/nomad-server.yml

@@ -0,0 +1,5 @@
+---
+- hosts: nomad_server
+  roles:
+    - role: nomad_server
+...

ansible/playbooks/nomad.yml

@@ -0,0 +1,4 @@
+---
+- import_playbook: nomad-server.yml
+- import_playbook: nomad-client.yml
+...

ansible/playbooks/site.yml

@@ -1,9 +1,8 @@
 ---
-- hosts: all
+- import_playbook: common.yml
-  roles:
-    - role: common
-
 - import_playbook: consul-server.yml
 - import_playbook: vault-server.yml
 - import_playbook: consul-client.yml
+- import_playbook: nomad.yml
+  #- import_playbook: docker-registry.yml
 ...

ansible/roles/common/tasks/Debian_pki.yml

@@ -0,0 +1,100 @@
+---
+- name: ensure root cert exists
+  copy:
+    content: "{{ vault_ca_cert_payload }}"
+    dest: "/usr/local/share/ca-certificates/{{ vault_ca_cert_name }}"
+    mode: 0755
+    owner: root
+    group: root
+  register: root_ca
+
+- name: update ca certs
+  shell: update-ca-certificates
+  args:
+    executable: /bin/bash
+  when: root_ca.changed
+
+- name: check vault version
+  shell:
+    cmd: "vault --version | head -1 | cut -d'v' -f2"
+  args:
+    executable: /bin/bash
+  changed_when: False
+  register: installed_vault_version
+  check_mode: False
+
+- name: get vault
+  unarchive:
+    src: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
+    dest: /usr/local/bin/
+    mode: 0755
+    owner: root
+    group: root
+    remote_src: True
+  when: (installed_vault_version.stdout is not defined) or (installed_vault_version.stdout != vault_version)
+
+- name: ensure pki cert directory
+  file:
+    path: /etc/pki/certs
+    state: directory
+    owner: root
+    group: root
+    mode: 0755
+
+- name: ensure main pki directory
+  file:
+    path: /etc/pki/keys
+    state: directory
+    owner: root
+    group: root
+    mode: 0600
+
+- name: ensure root cert exists for general use
+  copy:
+    content: "{{ vault_ca_cert_payload }}"
+    dest: "/etc/pki/certs/{{ vault_ca_cert_name }}"
+    mode: 0644
+    owner: root
+    group: root
+  register: root_ca
+
+- name: check if server cert is expiring in the next 5 days
+  shell: "openssl x509 -checkend 432000 -noout -in /etc/pki/certs/{{ inventory_hostname_short }}.crt"
+  args:
+    executable: /bin/bash
+  failed_when: False
+  check_mode: False
+  changed_when: False
+  register: exp
+
+- name: get cert
+  shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name={{ inventory_hostname_short }}.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
+  args:
+    executable: /bin/bash
+  environment:
+    VAULT_ADDR: http://ivyking.minhas.io:8200
+    VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
+    VAULT_FORMAT: json
+  register: cert_data
+  when: exp.rc != 0
+
+- name: write cert data to server
+  copy:
+    content: "{{ item.content }}"
+    dest: "/etc/pki/{{ item.path }}"
+    mode: '{{ item.mode }}'
+    owner: root
+    group: root
+  when: cert_data.changed
+  loop:
+    - {
+        content: "{{ (cert_data.stdout | from_json).data.certificate }}",
+        path: "certs/{{ inventory_hostname_short }}.crt",
+        mode: "0755"
+    }
+    - {
+        content: "{{ (cert_data.stdout | from_json).data.private_key }}",
+        path: "keys/{{ inventory_hostname_short }}.key",
+        mode: "0600"
+    }
+...

ansible/roles/common/tasks/FreeBSD_pki.yml

@@ -0,0 +1,110 @@
+---
+- name: ensure root cert exists
+  copy:
+    content: "{{ vault_ca_cert_payload }}"
+    dest: "/etc/ssl/certs/{{ vault_ca_cert_name }}"
+    mode: 0644
+    owner: root
+    group: staff
+  register: root_ca
+
+- name: hash cert
+  shell: "openssl x509 -noout -hash -in /etc/ssl/certs/{{ vault_ca_cert_name }}"
+  when: root_ca.changed
+  register: root_ca_hash
+  failed_when: False
+  args:
+    executable: /usr/local/bin/bash
+
+- name: create hash symlink for cert
+  file:
+    state: link
+    src: "/etc/ssl/certs/{{ vault_ca_cert_name }}"
+    dest: "/etc/ssl/certs/{{ root_ca_hash.stdout }}"
+  when: root_ca_hash.changed
+
+- name: check vault version
+  shell:
+    cmd: "vault --version | head -1 | cut -d'v' -f2"
+  args:
+    executable: /usr/local/bin/bash
+  changed_when: False
+  failed_when: False
+  register: installed_vault_version
+  check_mode: False
+
+- name: get vault
+  unarchive:
+    src: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_freebsd_amd64.zip"
+    dest: /usr/local/bin/
+    mode: 0755
+    owner: root
+    group: staff
+    remote_src: True
+  when: (installed_vault_version.stdout is not defined) or (installed_vault_version.stdout != vault_version)
+
+- name: ensure pki cert directory
+  file:
+    path: /etc/pki/certs
+    state: directory
+    owner: root
+    group: staff
+    mode: 0755
+
+- name: ensure main pki directory
+  file:
+    path: /etc/pki/keys
+    state: directory
+    owner: root
+    group: staff
+    mode: 0700
+
+- name: ensure root cert exists for general use
+  copy:
+    content: "{{ vault_ca_cert_payload }}"
+    dest: "/etc/pki/certs/{{ vault_ca_cert_name }}"
+    mode: 0644
+    owner: root
+    group: staff
+  register: root_ca
+
+- name: check if server cert is expiring in the next 5 days
+  shell: "openssl x509 -checkend 432000 -noout -in /etc/pki/certs/{{ inventory_hostname_short }}.crt"
+  args:
+    executable: /usr/local/bin/bash
+  failed_when: False
+  check_mode: False
+  changed_when: False
+  register: exp
+
+- name: get cert
+  shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name={{ inventory_hostname_short }}.{{ main_dc_name }}.{{ consul_domain }}.name ttl=43200m"
+  args:
+    executable: /usr/local/bin/bash
+  environment:
+    VAULT_ADDR: http://ivyking.minhas.io:8200
+    VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
+    VAULT_FORMAT: json
+  register: cert_data
+  when: exp.rc != 0
+
+- name: write cert data to server
+  copy:
+    content: "{{ item.content }}"
+    dest: "/etc/pki/{{ item.path }}"
+    mode: '{{ item.mode }}'
+    owner: root
+    group: staff
+  when: cert_data.changed
+  loop:
+    - {
+        content: "{{ (cert_data.stdout | from_json).data.certificate }}",
+        path: "certs/{{ inventory_hostname_short }}.crt",
+        mode: "0755"
+    }
+    - {
+        content: "{{ (cert_data.stdout | from_json).data.private_key }}",
+        path: "keys/{{ inventory_hostname_short }}.key",
+        mode: "0600"
+    }
+...

ansible/roles/common/tasks/main.yml

@@ -1,3 +1,4 @@
 ---
+- include: "{{ ansible_os_family }}_pki.yml"
 - include: "{{ ansible_os_family }}.yml"
 ...

ansible/roles/consul/tasks/Debian.yml

@@ -86,3 +86,4 @@
     name: consul
     state: started
     enabled: True
+...

ansible/roles/consul/templates/consul.hcl.j2

@@ -1,12 +1,12 @@
-datacenter          = "{{ consul_dc }}"
+datacenter          = "{{ main_dc_name }}"
-domain              = "consul"
+domain              = "{{ consul_domain }}"
 
 encrypt             = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['gossip'] }}"
 
 verify_incoming         = false
 verify_outgoing         = true
 verify_server_hostname  = true
-ca_file                 = "{{ consul_config_path }}/certs/consul-agent-ca.pem"
+ca_file                 = "/etc/pki/certs/{{ vault_ca_cert_name }}"
 
 auto_encrypt {
   tls   = true

ansible/roles/consul_server/handlers/main.yml

@@ -12,3 +12,4 @@
   service:
     name: consul
     state: restarted
+...

ansible/roles/consul_server/tasks/Debian.yml

@@ -26,31 +26,47 @@
     state: directory
     owner: consul
     group: consul
-    mode: 0744
+    mode: 0755
 
-- name: ensure consul agent ca cert
+- name: check if server cert is expiring in the next 5 days
+  shell: "openssl x509 -checkend 432000 -noout -in /etc/consul.d/certs/consul-server.pem"
+  args:
+    executable: /bin/bash
+  failed_when: False
+  check_mode: False
+  changed_when: False
+  register: exp
+
+- name: get cert
+  shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=server.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
+  args:
+    executable: /bin/bash
+  environment:
+    VAULT_ADDR: http://ivyking.minhas.io:8200
+    VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
+    VAULT_FORMAT: json
+  register: cert_data
+  when: exp.rc != 0
+
+- name: write cert data to server
   copy:
-    src: files/consul-agent-ca.pem
+    content: "{{ item.content }}"
-    dest: /etc/consul.d/certs/consul-agent-ca.pem
+    dest: "/etc/consul.d/certs/{{ item.path }}"
+    mode: '{{ item.mode }}'
     owner: consul
     group: consul
-    mode: 0644
+  when: cert_data.changed
-
+  loop:
-- name: ensure consul server cert
+    - {
-  copy:
+        content: "{{ (cert_data.stdout | from_json).data.certificate }}",
-    src: files/consul-server.pem
+        path: "consul-server.pem",
-    dest: /etc/consul.d/certs/consul-server.pem
+        mode: "0755"
-    owner: consul
+    }
-    group: consul
+    - {
-    mode: 0600
+        content: "{{ (cert_data.stdout | from_json).data.private_key }}",
-
+        path: "consul-server.key",
-- name: ensure consul server key
+        mode: "0600"
-  template:
+    }
-    src: templates/consul-server.key.j2
-    dest: /etc/consul.d/certs/consul-server.key
-    owner: consul
-    group: consul
-    mode: 0600
 
 - name: ensure consul data dir
   file:
@@ -93,8 +109,8 @@
     src: templates/consul.hcl.j2
     dest: /etc/consul.d/consul.hcl
     owner: root
-    group: root
+    group: consul
-    mode: 0755
+    mode: 0750
   notify: restart_consul_debian
 
 - name: ensure consul is started and enabled
@@ -102,3 +118,4 @@
     name: consul
     state: started
     enabled: True
+...

ansible/roles/consul_server/tasks/FreeBSD.yml

@@ -26,31 +26,47 @@
     state: directory
     owner: consul
     group: consul
-    mode: 0744
+    mode: 0755
 
-- name: ensure consul agent ca cert
+- name: check if server cert is expiring in the next 5 days
+  shell: "openssl x509 -checkend 432000 -noout -in /usr/local/etc/consul.d/certs/consul-server.pem"
+  args:
+    executable: /usr/local/bin/bash
+  failed_when: False
+  check_mode: False
+  changed_when: False
+  register: exp
+
+- name: get cert
+  shell: "vault write pki_int/issue/{{ vault_pki_policy }} common_name=server.{{ main_dc_name }}.{{ consul_domain }} ttl=43200m"
+  args:
+    executable: /usr/local/bin/bash
+  environment:
+    VAULT_ADDR: http://ivyking.minhas.io:8200
+    VAULT_TOKEN: "{{ lookup('file', lookup('env', 'HOME') + '/.vault-token') }}"
+    VAULT_FORMAT: json
+  register: cert_data
+  when: exp.rc != 0
+
+- name: write cert data to server
   copy:
-    src: files/consul-agent-ca.pem
+    content: "{{ item.content }}"
-    dest: /usr/local/etc/consul.d/certs/consul-agent-ca.pem
+    dest: "/usr/local/etc/consul.d/certs/{{ item.path }}"
+    mode: '{{ item.mode }}'
     owner: consul
     group: consul
-    mode: 0644
+  when: cert_data.changed
-
+  loop:
-- name: ensure consul server cert
+    - {
-  copy:
+        content: "{{ (cert_data.stdout | from_json).data.certificate }}",
-    src: files/consul-server.pem
+        path: "consul-server.pem",
-    dest: /usr/local/etc/consul.d/certs/consul-server.pem
+        mode: "0755"
-    owner: consul
+    }
-    group: consul
+    - {
-    mode: 0600
+        content: "{{ (cert_data.stdout | from_json).data.private_key }}",
-
+        path: "consul-server.key",
-- name: ensure consul server key
+        mode: "0600"
-  template:
+    }
-    src: templates/consul-server.key.j2
-    dest: /usr/local/etc/consul.d/certs/consul-server.key
-    owner: consul
-    group: consul
-    mode: 0600
 
 - name: ensure consul data dir
   file:
@@ -64,7 +80,7 @@
   shell:
     cmd: "consul --version | head -1 | cut -d'v' -f2"
   args:
-    executable: /bin/bash
+    executable: /usr/local/bin/bash
   changed_when: False
   failed_when: False
   register: installed_consul_version
@@ -80,8 +96,8 @@
     src: templates/consul.hcl.j2
     dest: /usr/local/etc/consul.d/consul.hcl
     owner: root
-    group: staff
+    group: consul
-    mode: 0755
+    mode: 0750
   notify: restart_consul_fbsd
 
 - name: enable and start consul
@@ -89,3 +105,4 @@
     name: consul
     state: started
     enabled: True
+...

ansible/roles/consul_server/templates/consul-server.key.j2

@@ -1 +0,0 @@
-{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['consul-server-key'] }}

ansible/roles/consul_server/templates/consul.hcl.j2

@@ -1,5 +1,5 @@
-datacenter          = "{{ consul_dc }}"
+datacenter          = "{{ main_dc_name }}"
-domain              = "consul"
+domain              = "{{ consul_domain }}"
 server              = true
 bootstrap_expect    = 3
 ui                  = true
@@ -9,7 +9,7 @@ encrypt             = "{{ lookup('hashi_vault', 'secret=kv/data/consul:data')['g
 verify_incoming         = true
 verify_outgoing         = true
 verify_server_hostname  = true
-ca_file                 = "{{ consul_config_path }}/certs/consul-agent-ca.pem"
+ca_file                 = "/etc/pki/certs/{{ vault_ca_cert_name }}"
 cert_file               = "{{ consul_config_path }}/certs/consul-server.pem"
 key_file                = "{{ consul_config_path }}/certs/consul-server.key"
 

ansible/roles/docker/files/docker.gpg

@@ -0,0 +1,62 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+
+mQINBFit2ioBEADhWpZ8/wvZ6hUTiXOwQHXMAlaFHcPH9hAtr4F1y2+OYdbtMuth
+lqqwp028AqyY+PRfVMtSYMbjuQuu5byyKR01BbqYhuS3jtqQmljZ/bJvXqnmiVXh
+38UuLa+z077PxyxQhu5BbqntTPQMfiyqEiU+BKbq2WmANUKQf+1AmZY/IruOXbnq
+L4C1+gJ8vfmXQt99npCaxEjaNRVYfOS8QcixNzHUYnb6emjlANyEVlZzeqo7XKl7
+UrwV5inawTSzWNvtjEjj4nJL8NsLwscpLPQUhTQ+7BbQXAwAmeHCUTQIvvWXqw0N
+cmhh4HgeQscQHYgOJjjDVfoY5MucvglbIgCqfzAHW9jxmRL4qbMZj+b1XoePEtht
+ku4bIQN1X5P07fNWzlgaRL5Z4POXDDZTlIQ/El58j9kp4bnWRCJW0lya+f8ocodo
+vZZ+Doi+fy4D5ZGrL4XEcIQP/Lv5uFyf+kQtl/94VFYVJOleAv8W92KdgDkhTcTD
+G7c0tIkVEKNUq48b3aQ64NOZQW7fVjfoKwEZdOqPE72Pa45jrZzvUFxSpdiNk2tZ
+XYukHjlxxEgBdC/J3cMMNRE1F4NCA3ApfV1Y7/hTeOnmDuDYwr9/obA8t016Yljj
+q5rdkywPf4JF8mXUW5eCN1vAFHxeg9ZWemhBtQmGxXnw9M+z6hWwc6ahmwARAQAB
+tCtEb2NrZXIgUmVsZWFzZSAoQ0UgZGViKSA8ZG9ja2VyQGRvY2tlci5jb20+iQI3
+BBMBCgAhBQJYrefAAhsvBQsJCAcDBRUKCQgLBRYCAwEAAh4BAheAAAoJEI2BgDwO
+v82IsskP/iQZo68flDQmNvn8X5XTd6RRaUH33kXYXquT6NkHJciS7E2gTJmqvMqd
+tI4mNYHCSEYxI5qrcYV5YqX9P6+Ko+vozo4nseUQLPH/ATQ4qL0Zok+1jkag3Lgk
+jonyUf9bwtWxFp05HC3GMHPhhcUSexCxQLQvnFWXD2sWLKivHp2fT8QbRGeZ+d3m
+6fqcd5Fu7pxsqm0EUDK5NL+nPIgYhN+auTrhgzhK1CShfGccM/wfRlei9Utz6p9P
+XRKIlWnXtT4qNGZNTN0tR+NLG/6Bqd8OYBaFAUcue/w1VW6JQ2VGYZHnZu9S8LMc
+FYBa5Ig9PxwGQOgq6RDKDbV+PqTQT5EFMeR1mrjckk4DQJjbxeMZbiNMG5kGECA8
+g383P3elhn03WGbEEa4MNc3Z4+7c236QI3xWJfNPdUbXRaAwhy/6rTSFbzwKB0Jm
+ebwzQfwjQY6f55MiI/RqDCyuPj3r3jyVRkK86pQKBAJwFHyqj9KaKXMZjfVnowLh
+9svIGfNbGHpucATqREvUHuQbNnqkCx8VVhtYkhDb9fEP2xBu5VvHbR+3nfVhMut5
+G34Ct5RS7Jt6LIfFdtcn8CaSas/l1HbiGeRgc70X/9aYx/V/CEJv0lIe8gP6uDoW
+FPIZ7d6vH+Vro6xuWEGiuMaiznap2KhZmpkgfupyFmplh0s6knymuQINBFit2ioB
+EADneL9S9m4vhU3blaRjVUUyJ7b/qTjcSylvCH5XUE6R2k+ckEZjfAMZPLpO+/tF
+M2JIJMD4SifKuS3xck9KtZGCufGmcwiLQRzeHF7vJUKrLD5RTkNi23ydvWZgPjtx
+Q+DTT1Zcn7BrQFY6FgnRoUVIxwtdw1bMY/89rsFgS5wwuMESd3Q2RYgb7EOFOpnu
+w6da7WakWf4IhnF5nsNYGDVaIHzpiqCl+uTbf1epCjrOlIzkZ3Z3Yk5CM/TiFzPk
+z2lLz89cpD8U+NtCsfagWWfjd2U3jDapgH+7nQnCEWpROtzaKHG6lA3pXdix5zG8
+eRc6/0IbUSWvfjKxLLPfNeCS2pCL3IeEI5nothEEYdQH6szpLog79xB9dVnJyKJb
+VfxXnseoYqVrRz2VVbUI5Blwm6B40E3eGVfUQWiux54DspyVMMk41Mx7QJ3iynIa
+1N4ZAqVMAEruyXTRTxc9XW0tYhDMA/1GYvz0EmFpm8LzTHA6sFVtPm/ZlNCX6P1X
+zJwrv7DSQKD6GGlBQUX+OeEJ8tTkkf8QTJSPUdh8P8YxDFS5EOGAvhhpMBYD42kQ
+pqXjEC+XcycTvGI7impgv9PDY1RCC1zkBjKPa120rNhv/hkVk/YhuGoajoHyy4h7
+ZQopdcMtpN2dgmhEegny9JCSwxfQmQ0zK0g7m6SHiKMwjwARAQABiQQ+BBgBCAAJ
+BQJYrdoqAhsCAikJEI2BgDwOv82IwV0gBBkBCAAGBQJYrdoqAAoJEH6gqcPyc/zY
+1WAP/2wJ+R0gE6qsce3rjaIz58PJmc8goKrir5hnElWhPgbq7cYIsW5qiFyLhkdp
+YcMmhD9mRiPpQn6Ya2w3e3B8zfIVKipbMBnke/ytZ9M7qHmDCcjoiSmwEXN3wKYI
+mD9VHONsl/CG1rU9Isw1jtB5g1YxuBA7M/m36XN6x2u+NtNMDB9P56yc4gfsZVES
+KA9v+yY2/l45L8d/WUkUi0YXomn6hyBGI7JrBLq0CX37GEYP6O9rrKipfz73XfO7
+JIGzOKZlljb/D9RX/g7nRbCn+3EtH7xnk+TK/50euEKw8SMUg147sJTcpQmv6UzZ
+cM4JgL0HbHVCojV4C/plELwMddALOFeYQzTif6sMRPf+3DSj8frbInjChC3yOLy0
+6br92KFom17EIj2CAcoeq7UPhi2oouYBwPxh5ytdehJkoo+sN7RIWua6P2WSmon5
+U888cSylXC0+ADFdgLX9K2zrDVYUG1vo8CX0vzxFBaHwN6Px26fhIT1/hYUHQR1z
+VfNDcyQmXqkOnZvvoMfz/Q0s9BhFJ/zU6AgQbIZE/hm1spsfgvtsD1frZfygXJ9f
+irP+MSAI80xHSf91qSRZOj4Pl3ZJNbq4yYxv0b1pkMqeGdjdCYhLU+LZ4wbQmpCk
+SVe2prlLureigXtmZfkqevRz7FrIZiu9ky8wnCAPwC7/zmS18rgP/17bOtL4/iIz
+QhxAAoAMWVrGyJivSkjhSGx1uCojsWfsTAm11P7jsruIL61ZzMUVE2aM3Pmj5G+W
+9AcZ58Em+1WsVnAXdUR//bMmhyr8wL/G1YO1V3JEJTRdxsSxdYa4deGBBY/Adpsw
+24jxhOJR+lsJpqIUeb999+R8euDhRHG9eFO7DRu6weatUJ6suupoDTRWtr/4yGqe
+dKxV3qQhNLSnaAzqW/1nA3iUB4k7kCaKZxhdhDbClf9P37qaRW467BLCVO/coL3y
+Vm50dwdrNtKpMBh3ZpbB1uJvgi9mXtyBOMJ3v8RZeDzFiG8HdCtg9RvIt/AIFoHR
+H3S+U79NT6i0KPzLImDfs8T7RlpyuMc4Ufs8ggyg9v3Ae6cN3eQyxcK3w0cbBwsh
+/nQNfsA6uu+9H7NhbehBMhYnpNZyrHzCmzyXkauwRAqoCbGCNykTRwsur9gS41TQ
+M8ssD1jFheOJf3hODnkKU+HKjvMROl1DK7zdmLdNzA1cvtZH/nCC9KPj1z8QC47S
+xx+dTZSx4ONAhwbS/LN3PoKtn8LPjY9NP9uDWI+TWYquS2U+KHDrBDlsgozDbs/O
+jCxcpDzNmXpWQHEtHU7649OXHP7UeNST1mCUCH5qdank0V1iejF6/CfTFU4MfcrG
+YT90qFF93M3v01BbxP+EIY2/9tiIPbrd
+=0YYh
+-----END PGP PUBLIC KEY BLOCK-----

ansible/roles/docker/tasks/main.yml

@@ -0,0 +1,31 @@
+---
+- name: install docker dependencies
+  apt:
+    state: present
+    name:
+      - apt-transport-https
+      - ca-certificates
+      - curl
+      - gnupg-agent
+      - software-properties-common
+
+- name: add docker apt key
+  apt_key:
+    url: https://download.docker.com/linux/debian/gpg
+    state: present
+    id: 9DC858229FC7DD38854AE2D88D81803C0EBFCD88
+
+- name: add docker repo
+  apt_repository:
+    repo: deb [arch=amd64] https://download.docker.com/linux/debian buster stable
+    state: present
+    mode: 0600
+
+- name: install docker-ce
+  apt:
+    state: present
+    name:
+      - docker-ce
+      - docker-ce-cli
+      - containerd.io
+...

ansible/roles/nomad_client/files/nomad.service

@@ -0,0 +1,21 @@
+[Unit]
+Description=Nomad
+Documentation=https://nomadproject.io/docs/
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/local/bin/nomad agent -config /etc/nomad.d
+KillMode=process
+KillSignal=SIGINT
+LimitNOFILE=infinity
+LimitNPROC=infinity
+Restart=on-failure
+RestartSec=2
+StartLimitBurst=3
+StartLimitIntervalSec=10
+TasksMax=infinity
+
+[Install]
+WantedBy=multi-user.target

ansible/roles/nomad_client/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+- name: daemon_reload
+  systemd:
+    daemon_reload: True
+
+- name: restart_nomad
+  systemd:
+    name: nomad
+    state: restarted
+...

ansible/roles/nomad_client/tasks/main.yml

@@ -0,0 +1,73 @@
+---
+- name: ensure nomad group
+  group:
+    name: nomad
+    state: present
+    system: True
+
+- name: ensure nomad user
+  user:
+    name: nomad
+    state: present
+    group: nomad
+    system: True
+
+- name: ensure nomad config dir
+  file:
+    path: /etc/nomad.d/
+    state: directory
+    owner: nomad
+    group: nomad
+    mode: 0755
+
+- name: ensure nomad data dir
+  file:
+    path: /opt/nomad
+    state: directory
+    owner: nomad
+    group: nomad
+    mode: 0755
+
+- name: check nomad version
+  shell:
+    cmd: "nomad --version | head -1 | cut -d'v' -f2"
+  args:
+    executable: /bin/bash
+  changed_when: False
+  register: installed_nomad_version
+  check_mode: False
+
+- name: get nomad
+  unarchive:
+    src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip"
+    dest: /usr/local/bin/
+    mode: 0755
+    owner: root
+    group: root
+    remote_src: True
+  when: installed_nomad_version.stdout != nomad_version
+
+- name: copy nomad unit file
+  copy:
+    src: files/nomad.service
+    dest: /etc/systemd/system/nomad.service
+    mode: 0755
+    owner: root
+    group: root
+  notify: daemon_reload
+
+- name: template nomad config
+  template:
+    src: templates/nomad.hcl.j2
+    dest: /etc/nomad.d/nomad.hcl
+    owner: root
+    group: root
+    mode: 0755
+  notify: restart_nomad
+
+- name: ensure nomad is started and enabled
+  systemd:
+    name: nomad
+    state: started
+    enabled: True
+...

ansible/roles/nomad_client/templates/nomad.hcl.j2

@@ -0,0 +1,10 @@
+datacenter = "{{ main_dc_name }}"
+data_dir = "/opt/nomad"
+
+client {
+  enabled   = true
+}
+
+consul {
+  token     = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['consul-acl-client'] }}"
+}

ansible/roles/nomad_server/files/nomad.service

@@ -0,0 +1,21 @@
+[Unit]
+Description=Nomad
+Documentation=https://nomadproject.io/docs/
+Wants=network-online.target
+After=network-online.target
+
+[Service]
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/local/bin/nomad agent -config /etc/nomad.d
+KillMode=process
+KillSignal=SIGINT
+LimitNOFILE=infinity
+LimitNPROC=infinity
+Restart=on-failure
+RestartSec=2
+StartLimitBurst=3
+StartLimitIntervalSec=10
+TasksMax=infinity
+
+[Install]
+WantedBy=multi-user.target

ansible/roles/nomad_server/handlers/main.yml

@@ -0,0 +1,10 @@
+---
+- name: daemon_reload
+  systemd:
+    daemon_reload: True
+
+- name: restart_nomad
+  systemd:
+    name: nomad
+    state: restarted
+...

ansible/roles/nomad_server/tasks/main.yml

@@ -0,0 +1,73 @@
+---
+- name: ensure nomad group
+  group:
+    name: nomad
+    state: present
+    system: True
+
+- name: ensure nomad user
+  user:
+    name: nomad
+    state: present
+    group: nomad
+    system: True
+
+- name: ensure nomad config dir
+  file:
+    path: /etc/nomad.d/
+    state: directory
+    owner: nomad
+    group: nomad
+    mode: 0755
+
+- name: ensure nomad data dir
+  file:
+    path: /opt/nomad
+    state: directory
+    owner: nomad
+    group: nomad
+    mode: 0755
+
+- name: check nomad version
+  shell:
+    cmd: "nomad --version | head -1 | cut -d'v' -f2"
+  args:
+    executable: /bin/bash
+  changed_when: False
+  register: installed_nomad_version
+  check_mode: False
+
+- name: get nomad
+  unarchive:
+    src: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip"
+    dest: /usr/local/bin/
+    mode: 0755
+    owner: root
+    group: root
+    remote_src: True
+  when: installed_nomad_version.stdout != nomad_version
+
+- name: copy nomad unit file
+  copy:
+    src: files/nomad.service
+    dest: /etc/systemd/system/nomad.service
+    mode: 0755
+    owner: root
+    group: root
+  notify: daemon_reload
+
+- name: template nomad config
+  template:
+    src: templates/nomad.hcl.j2
+    dest: /etc/nomad.d/nomad.hcl
+    owner: root
+    group: root
+    mode: 0755
+  notify: restart_nomad
+
+- name: ensure nomad is started and enabled
+  systemd:
+    name: nomad
+    state: started
+    enabled: True
+...

ansible/roles/nomad_server/templates/nomad.hcl.j2

@@ -0,0 +1,11 @@
+datacenter = "{{ main_dc_name }}"
+data_dir = "/opt/nomad"
+
+server {
+  enabled = true
+  bootstrap_expect = 1
+}
+
+consul {
+  token     = "{{ lookup('hashi_vault', 'secret=kv/data/nomad:data')['consul-acl-server'] }}"
+}

ansible/roles/vault_server/files/vault.service

@@ -25,7 +25,6 @@ Restart=on-failure
 RestartSec=5
 TimeoutStopSec=30
 StartLimitInterval=60
-StartLimitIntervalSec=60
 StartLimitBurst=3
 LimitNOFILE=65536
 LimitMEMLOCK=infinity

ansible/roles/vault_server/tasks/main.yml

@@ -20,25 +20,6 @@
     group: vault
     mode: 0755
 
-- name: check vault version
-  shell:
-    cmd: "vault --version | head -1 | cut -d'v' -f2"
-  args:
-    executable: /bin/bash
-  changed_when: False
-  register: installed_vault_version
-  check_mode: False
-
-- name: get vault
-  unarchive:
-    src: "https://releases.hashicorp.com/vault/{{ vault_version }}/vault_{{ vault_version }}_linux_amd64.zip"
-    dest: /usr/local/bin/
-    mode: 0755
-    owner: root
-    group: root
-    remote_src: True
-  when: installed_vault_version.stdout != vault_version
-
 - name: copy vault unit file
   copy:
     src: files/vault.service
@@ -62,3 +43,4 @@
     name: vault
     state: started
     enabled: True
+...

consul/acls/nomad-client-policy.hcl

@@ -0,0 +1,15 @@
+agent_prefix "" {
+  policy = "read"
+}
+
+node_prefix "" {
+  policy = "read"
+}
+
+service_prefix "" {
+  policy = "write"
+}
+
+key_prefix "" {
+   policy = read
+ }

consul/acls/nomad-server-policy.hcl

@@ -0,0 +1,14 @@
+agent_prefix "" {
+  policy = "read"
+}
+
+node_prefix "" {
+  policy = "read"
+}
+
+service_prefix "" {
+  policy = "write"
+}
+
+acl = "write"
+

vault/policies/ansible.hcl

@@ -1,3 +1,7 @@
 path "kv/*" {
   capabilities = ["list", "read"]
 }
+
+path "pki_int/issue/masked-dot-name" {
+  capabilities = [ "create", "read", "list", "update" ]
+}