sshd_disable_password_login: true
# Nomad settings.
+nomad_version: "1.6.1"
nomad_certificates:
- src: "{{ file_nomad_ca_pem }}"
- dest: "{{ nomad_ca_file }}"
+ dest: "{{ nomad_tls_ca_file }}"
- src: "{{ file_nomad_server_pem }}"
- dest: "{{ nomad_cert_file }}"
+ dest: "{{ nomad_tls_cert_file }}"
- src: "{{ file_nomad_server_key_pem }}"
- dest: "{{ nomad_key_file }}"
+ dest: "{{ nomad_tls_key_file }}"
nomad_datacenter: "yul1"
nomad_encrypt: "Y4T+5JGx1C3l2NFBBvkTWQ=="
nomad_node_name: "{{ hostname }}-{{ ansible_architecture }}"
driver.whitelist: "docker,raw_exec,exec"
fingerprint.network.disallow_link_local: true
nomad_service_mgr: "systemd"
+nomad_consul_use_ssl: false
+nomad_use_tls: false
+nomad_tls_http: false
+nomad_tls_rpc: false
+nomad_use_vault: false
nomad_retry_servers:
- "10.30.51.26"
- "10.30.51.24"
read_only: false
# Consul settings.
-consul_nomad_integration: true
+nomad_use_consul: true
consul_certificates:
- src: "{{ file_consul_ca_pem }}"
dest: "{{ consul_ca_file }}"
dest: "{{ consul_key_file }}"
consul_datacenter: "yul1"
consul_encrypt: "Y4T+5JGx1C3l2NFBBvkTWQ=="
-consul_node_name: "{{ hostname }}"
+consul_node_name: "{{ ansible_hostname }}"
consul_node_role: "both"
consul_retry_servers:
- "10.30.51.26"
- "10.30.51.25"
consul_service_mgr: "systemd"
+# Vault settings.
+vault_version: "1.13.1"
+
# Docker daemon settings.
docker_daemon:
dns: ["172.17.0.1"]
sshd_disable_password_login: true
# Nomad settings.
+nomad_version: "1.6.1"
nomad_certificates:
- src: "{{ file_nomad_ca_pem }}"
- dest: "{{ nomad_ca_file }}"
+ dest: "{{ nomad_tls_ca_file }}"
- src: "{{ file_nomad_server_pem }}"
- dest: "{{ nomad_cert_file }}"
+ dest: "{{ nomad_tls_cert_file }}"
- src: "{{ file_nomad_server_key_pem }}"
- dest: "{{ nomad_key_file }}"
+ dest: "{{ nomad_tls_key_file }}"
nomad_datacenter: "yul1"
nomad_encrypt: "Y4T+5JGx1C3l2NFBBvkTWQ=="
nomad_node_name: "{{ hostname }}-{{ ansible_architecture }}"
driver.whitelist: "docker,raw_exec,exec"
fingerprint.network.disallow_link_local: true
nomad_service_mgr: "systemd"
+nomad_consul_use_ssl: false
+nomad_use_tls: false
+nomad_tls_http: false
+nomad_tls_rpc: false
+nomad_use_vault: false
nomad_retry_servers:
- "10.30.51.23"
- "10.30.51.26"
read_only: false
# Consul settigs.
-consul_nomad_integration: true
+nomad_use_consul: true
consul_certificates:
- src: "{{ file_consul_ca_pem }}"
dest: "{{ consul_ca_file }}"
dest: "{{ consul_key_file }}"
consul_datacenter: "yul1"
consul_encrypt: "Y4T+5JGx1C3l2NFBBvkTWQ=="
-consul_node_name: "{{ hostname }}"
+consul_node_name: "{{ ansible_hostname }}"
consul_node_role: "both"
consul_retry_servers:
- "10.30.51.23"
- "10.30.51.25"
consul_service_mgr: "systemd"
+# Vault settings.
+vault_version: "1.13.1"
+
# Docker daemon settings.
docker_daemon:
dns: ["172.17.0.1"]
sshd_disable_password_login: true
# Nomad settings.
+nomad_version: "1.6.1"
nomad_certificates:
- src: "{{ file_nomad_ca_pem }}"
- dest: "{{ nomad_ca_file }}"
+ dest: "{{ nomad_tls_ca_file }}"
- src: "{{ file_nomad_server_pem }}"
- dest: "{{ nomad_cert_file }}"
+ dest: "{{ nomad_tls_cert_file }}"
- src: "{{ file_nomad_server_key_pem }}"
- dest: "{{ nomad_key_file }}"
+ dest: "{{ nomad_tls_key_file }}"
nomad_datacenter: "yul1"
nomad_encrypt: "Y4T+5JGx1C3l2NFBBvkTWQ=="
nomad_node_name: "{{ hostname }}-{{ ansible_architecture }}"
driver.whitelist: "docker,raw_exec,exec"
fingerprint.network.disallow_link_local: true
nomad_service_mgr: "systemd"
+nomad_consul_use_ssl: false
+nomad_use_tls: false
+nomad_tls_http: false
+nomad_tls_rpc: false
+nomad_use_vault: false
nomad_retry_servers:
- "10.30.51.23"
- "10.30.51.24"
read_only: false
# Consul settigs.
-consul_nomad_integration: true
+nomad_use_consul: true
consul_certificates:
- src: "{{ file_consul_ca_pem }}"
dest: "{{ consul_ca_file }}"
dest: "{{ consul_key_file }}"
consul_datacenter: "yul1"
consul_encrypt: "Y4T+5JGx1C3l2NFBBvkTWQ=="
-consul_node_name: "{{ hostname }}"
+consul_node_name: "{{ ansible_hostname }}"
consul_node_role: "both"
consul_retry_servers:
- "10.30.51.23"
- "10.30.51.26"
consul_service_mgr: "systemd"
+# Vault settings.
+vault_version: "1.13.1"
+
# Docker daemon settings.
docker_daemon:
dns: ["172.17.0.1"]
sshd_disable_password_login: true
# Nomad settings.
+nomad_version: "1.6.1"
nomad_certificates:
- src: "{{ file_nomad_ca_pem }}"
- dest: "{{ nomad_ca_file }}"
+ dest: "{{ nomad_tls_ca_file }}"
- src: "{{ file_nomad_server_pem }}"
- dest: "{{ nomad_cert_file }}"
+ dest: "{{ nomad_tls_cert_file }}"
- src: "{{ file_nomad_server_key_pem }}"
- dest: "{{ nomad_key_file }}"
+ dest: "{{ nomad_tls_key_file }}"
nomad_datacenter: "yul1"
nomad_encrypt: "Y4T+5JGx1C3l2NFBBvkTWQ=="
nomad_node_name: "{{ hostname }}-{{ ansible_architecture }}"
driver.whitelist: "docker,raw_exec,exec"
fingerprint.network.disallow_link_local: true
nomad_service_mgr: "systemd"
+nomad_consul_use_ssl: false
+nomad_use_tls: false
+nomad_tls_http: false
+nomad_tls_rpc: false
+nomad_use_vault: false
nomad_retry_servers:
- "10.30.51.23"
- "10.30.51.24"
read_only: false
# Consul settigs.
-consul_nomad_integration: true
+nomad_use_consul: true
consul_certificates:
- src: "{{ file_consul_ca_pem }}"
dest: "{{ consul_ca_file }}"
dest: "{{ consul_key_file }}"
consul_datacenter: "yul1"
consul_encrypt: "Y4T+5JGx1C3l2NFBBvkTWQ=="
-consul_node_name: "{{ hostname }}"
+consul_node_name: "{{ ansible_hostname }}"
consul_node_role: "both"
consul_retry_servers:
- "10.30.51.23"
- "10.30.51.25"
consul_service_mgr: "systemd"
+# Vault settings.
+vault_version: "1.13.1"
+
# Docker daemon settings.
docker_daemon:
dns: ["172.17.0.1"]
sshd_disable_password_login: true
# Nomad settings.
+nomad_version: "1.6.1"
nomad_certificates:
- src: "{{ file_nomad_ca_pem }}"
- dest: "{{ nomad_ca_file }}"
+ dest: "{{ nomad_tls_ca_file }}"
- src: "{{ file_nomad_client_pem }}"
- dest: "{{ nomad_cert_file }}"
+ dest: "{{ nomad_tls_cert_file }}"
- src: "{{ file_nomad_client_key_pem }}"
- dest: "{{ nomad_key_file }}"
+ dest: "{{ nomad_tls_key_file }}"
nomad_datacenter: "yul1"
nomad_node_name: "{{ hostname }}-{{ ansible_architecture }}"
nomad_node_role: "client"
docker.volumes.enabled: true
driver.whitelist: "docker,raw_exec,exec"
nomad_service_mgr: "systemd"
+nomad_consul_use_ssl: false
+nomad_use_tls: false
+nomad_tls_http: false
+nomad_tls_rpc: false
+nomad_use_vault: false
nomad_retry_servers:
- "10.30.51.23"
- "10.30.51.24"
- "10.30.51.25:4647"
# Consul settigs.
-consul_nomad_integration: true
+nomad_use_consul: true
consul_certificates:
- src: "{{ file_consul_ca_pem }}"
dest: "{{ consul_ca_file }}"
consul_datacenter: "yul1"
consul_encrypt: "Y4T+5JGx1C3l2NFBBvkTWQ=="
-consul_node_name: "{{ hostname }}"
+consul_node_name: "{{ ansible_hostname }}"
consul_node_role: "client"
consul_retry_servers:
- "10.30.51.23"
- "10.30.51.25"
consul_service_mgr: "systemd"
+# Vault settings.
+vault_version: "1.13.1"
+
# Docker daemon settings.
docker_daemon:
dns: ["172.17.0.1"]
sshd_disable_password_login: true
# Nomad settings.
+nomad_version: "1.6.1"
nomad_certificates:
- src: "{{ file_nomad_ca_pem }}"
- dest: "{{ nomad_ca_file }}"
+ dest: "{{ nomad_tls_ca_file }}"
- src: "{{ file_nomad_client_pem }}"
- dest: "{{ nomad_cert_file }}"
+ dest: "{{ nomad_tls_cert_file }}"
- src: "{{ file_nomad_client_key_pem }}"
- dest: "{{ nomad_key_file }}"
+ dest: "{{ nomad_tls_key_file }}"
nomad_datacenter: "yul1"
nomad_node_name: "{{ hostname }}-{{ ansible_architecture }}"
nomad_node_role: "client"
docker.volumes.enabled: true
driver.whitelist: "docker,raw_exec,exec"
nomad_service_mgr: "systemd"
+nomad_consul_use_ssl: false
+nomad_use_tls: false
+nomad_tls_http: false
+nomad_tls_rpc: false
+nomad_use_vault: false
nomad_retry_servers:
- "10.30.51.23"
- "10.30.51.24"
- "10.30.51.25:4647"
# Consul settigs.
-consul_nomad_integration: true
+nomad_use_consul: true
consul_certificates:
- src: "{{ file_consul_ca_pem }}"
dest: "{{ consul_ca_file }}"
consul_datacenter: "yul1"
consul_encrypt: "Y4T+5JGx1C3l2NFBBvkTWQ=="
-consul_node_name: "{{ hostname }}"
+consul_node_name: "{{ ansible_hostname }}"
consul_node_role: "client"
consul_retry_servers:
- "10.30.51.23"
- "10.30.51.25"
consul_service_mgr: "systemd"
+# Vault settings.
+vault_version: "1.13.1"
+
# Docker daemon settings.
docker_daemon:
dns: ["172.17.0.1"]
sshd_disable_password_login: true
# Nomad settings.
+nomad_version: "1.6.1"
nomad_certificates:
- src: "{{ file_nomad_ca_pem }}"
- dest: "{{ nomad_ca_file }}"
+ dest: "{{ nomad_tls_ca_file }}"
- src: "{{ file_nomad_client_pem }}"
- dest: "{{ nomad_cert_file }}"
+ dest: "{{ nomad_tls_cert_file }}"
- src: "{{ file_nomad_client_key_pem }}"
- dest: "{{ nomad_key_file }}"
+ dest: "{{ nomad_tls_key_file }}"
nomad_datacenter: "yul1"
nomad_node_name: "{{ hostname }}-{{ ansible_architecture }}"
nomad_node_role: "client"
docker.volumes.enabled: true
driver.whitelist: "docker,raw_exec,exec"
nomad_service_mgr: "systemd"
+nomad_consul_use_ssl: false
+nomad_use_tls: false
+nomad_tls_http: false
+nomad_tls_rpc: false
+nomad_use_vault: false
nomad_retry_servers:
- "10.32.8.15"
- "10.32.8.16"
- "10.32.8.17:4647"
# Consul settigs.
-consul_nomad_integration: true
+nomad_use_consul: true
consul_certificates:
- src: "{{ file_consul_ca_pem }}"
dest: "{{ consul_ca_file }}"
consul_datacenter: "yul1"
consul_encrypt: "Y4T+5JGx1C3l2NFBBvkTWQ=="
-consul_node_name: "{{ hostname }}"
+consul_node_name: "{{ ansible_hostname }}"
consul_node_role: "client"
consul_retry_servers:
- "10.32.8.15"
- "10.32.8.17"
consul_service_mgr: "systemd"
+# Vault settings.
+vault_version: "1.13.1"
+
# Docker settings.
docker_daemon:
default-shm-size: "1073741824"
sshd_disable_password_login: true
# Nomad settings.
+nomad_version: "1.6.1"
nomad_certificates:
- src: "{{ file_nomad_ca_pem }}"
- dest: "{{ nomad_ca_file }}"
+ dest: "{{ nomad_tls_ca_file }}"
- src: "{{ file_nomad_client_pem }}"
- dest: "{{ nomad_cert_file }}"
+ dest: "{{ nomad_tls_cert_file }}"
- src: "{{ file_nomad_client_key_pem }}"
- dest: "{{ nomad_key_file }}"
+ dest: "{{ nomad_tls_key_file }}"
nomad_datacenter: "yul1"
nomad_node_name: "{{ hostname }}-{{ ansible_architecture }}"
nomad_node_role: "client"
docker.volumes.enabled: true
driver.whitelist: "docker,raw_exec,exec"
nomad_service_mgr: "systemd"
+nomad_consul_use_ssl: false
+nomad_use_tls: false
+nomad_tls_http: false
+nomad_tls_rpc: false
+nomad_use_vault: false
nomad_retry_servers:
- "10.32.8.15"
- "10.32.8.16"
- "10.32.8.17:4647"
# Consul settigs.
-consul_nomad_integration: true
+nomad_use_consul: true
consul_certificates:
- src: "{{ file_consul_ca_pem }}"
dest: "{{ consul_ca_file }}"
consul_datacenter: "yul1"
consul_encrypt: "Y4T+5JGx1C3l2NFBBvkTWQ=="
-consul_node_name: "{{ hostname }}"
+consul_node_name: "{{ ansible_hostname }}"
consul_node_role: "client"
consul_retry_servers:
- "10.32.8.15"
- "10.32.8.17"
consul_service_mgr: "systemd"
+# Vault settings.
+vault_version: "1.13.1"
+
# Docker settings.
docker_daemon:
default-shm-size: "1073741824"
sshd_disable_password_login: true
# Nomad settings.
+nomad_version: "1.6.1"
nomad_certificates:
- src: "{{ file_nomad_ca_pem }}"
- dest: "{{ nomad_ca_file }}"
+ dest: "{{ nomad_tls_ca_file }}"
- src: "{{ file_nomad_client_pem }}"
- dest: "{{ nomad_cert_file }}"
+ dest: "{{ nomad_tls_cert_file }}"
- src: "{{ file_nomad_client_key_pem }}"
- dest: "{{ nomad_key_file }}"
+ dest: "{{ nomad_tls_key_file }}"
nomad_datacenter: "yul1"
nomad_node_name: "{{ hostname }}-{{ ansible_architecture }}"
nomad_node_role: "client"
docker.volumes.enabled: true
driver.whitelist: "docker,raw_exec,exec"
nomad_service_mgr: "systemd"
+nomad_consul_use_ssl: false
+nomad_use_tls: false
+nomad_tls_http: false
+nomad_tls_rpc: false
+nomad_use_vault: false
nomad_retry_servers:
- "10.30.51.23"
- "10.30.51.24"
nomad_cpu_total_compute: "40000"
# Consul settigs.
-consul_nomad_integration: true
+nomad_use_consul: true
consul_certificates:
- src: "{{ file_consul_ca_pem }}"
dest: "{{ consul_ca_file }}"
consul_datacenter: "yul1"
consul_encrypt: "Y4T+5JGx1C3l2NFBBvkTWQ=="
-consul_node_name: "{{ hostname }}"
+consul_node_name: "{{ ansible_hostname }}"
consul_node_role: "client"
consul_retry_servers:
- "10.30.51.23"
- "10.30.51.25"
consul_service_mgr: "systemd"
+# Vault settings.
+vault_version: "1.13.1"
+
# Docker settings.
docker_daemon:
dns: ["172.17.0.1"]
sshd_disable_password_login: true
# Nomad settings.
+nomad_version: "1.6.1"
nomad_certificates:
- src: "{{ file_nomad_ca_pem }}"
- dest: "{{ nomad_ca_file }}"
+ dest: "{{ nomad_tls_ca_file }}"
- src: "{{ file_nomad_client_pem }}"
- dest: "{{ nomad_cert_file }}"
+ dest: "{{ nomad_tls_cert_file }}"
- src: "{{ file_nomad_client_key_pem }}"
- dest: "{{ nomad_key_file }}"
+ dest: "{{ nomad_tls_key_file }}"
nomad_datacenter: "yul1"
nomad_node_name: "{{ hostname }}-{{ ansible_architecture }}"
nomad_node_role: "client"
docker.volumes.enabled: true
driver.whitelist: "docker,raw_exec,exec"
nomad_service_mgr: "systemd"
+nomad_consul_use_ssl: false
+nomad_use_tls: false
+nomad_tls_http: false
+nomad_tls_rpc: false
+nomad_use_vault: false
nomad_retry_servers:
- "10.30.51.23"
- "10.30.51.24"
nomad_cpu_total_compute: "40000"
# Consul settigs.
-consul_nomad_integration: true
+nomad_use_consul: true
consul_certificates:
- src: "{{ file_consul_ca_pem }}"
dest: "{{ consul_ca_file }}"
consul_datacenter: "yul1"
consul_encrypt: "Y4T+5JGx1C3l2NFBBvkTWQ=="
-consul_node_name: "{{ hostname }}"
+consul_node_name: "{{ ansible_hostname }}"
consul_node_role: "client"
consul_retry_servers:
- "10.30.51.23"
- "10.30.51.25"
consul_service_mgr: "systemd"
+# Vault settings.
+vault_version: "1.13.1"
+
# Docker settings.
docker_daemon:
dns: ["172.17.0.1"]
sshd_disable_password_login: true
# Nomad settings.
+nomad_version: "1.6.1"
nomad_certificates:
- src: "{{ file_nomad_ca_pem }}"
- dest: "{{ nomad_ca_file }}"
+ dest: "{{ nomad_tls_ca_file }}"
- src: "{{ file_nomad_client_pem }}"
- dest: "{{ nomad_cert_file }}"
+ dest: "{{ nomad_tls_cert_file }}"
- src: "{{ file_nomad_client_key_pem }}"
- dest: "{{ nomad_key_file }}"
+ dest: "{{ nomad_tls_key_file }}"
nomad_datacenter: "yul1"
nomad_node_name: "{{ hostname }}-{{ ansible_architecture }}"
nomad_node_role: "client"
docker.volumes.enabled: true
driver.whitelist: "docker,raw_exec,exec"
nomad_service_mgr: "systemd"
+nomad_consul_use_ssl: false
+nomad_use_tls: false
+nomad_tls_http: false
+nomad_tls_rpc: false
+nomad_use_vault: false
nomad_retry_servers:
- "10.30.51.23"
- "10.30.51.24"
- "10.30.51.25:4647"
# Consul settings.
-consul_nomad_integration: true
+nomad_use_consul: true
consul_certificates:
- src: "{{ file_consul_ca_pem }}"
dest: "{{ consul_ca_file }}"
consul_datacenter: "yul1"
consul_encrypt: "Y4T+5JGx1C3l2NFBBvkTWQ=="
-consul_node_name: "{{ hostname }}"
+consul_node_name: "{{ ansible_hostname }}"
consul_node_role: "client"
consul_retry_servers:
- "10.30.51.23"
consul_service_mgr: "systemd"
#consul_package_version: "1.5.2+dfsg2-14"
+# Vault settings.
+vault_version: "1.13.1"
+
# Docker daemon settings.
docker_daemon:
dns: ["172.17.0.1"]
sshd_disable_password_login: true
# Nomad settings.
+nomad_version: "1.6.1"
nomad_certificates:
- src: "{{ file_nomad_ca_pem }}"
- dest: "{{ nomad_ca_file }}"
+ dest: "{{ nomad_tls_ca_file }}"
- src: "{{ file_nomad_client_pem }}"
- dest: "{{ nomad_cert_file }}"
+ dest: "{{ nomad_tls_cert_file }}"
- src: "{{ file_nomad_client_key_pem }}"
- dest: "{{ nomad_key_file }}"
+ dest: "{{ nomad_tls_key_file }}"
nomad_datacenter: "yul1"
nomad_node_name: "{{ hostname }}-{{ ansible_architecture }}"
nomad_node_role: "client"
docker.volumes.enabled: true
driver.whitelist: "docker,raw_exec,exec"
nomad_service_mgr: "systemd"
+nomad_consul_use_ssl: false
+nomad_use_tls: false
+nomad_tls_http: false
+nomad_tls_rpc: false
+nomad_use_vault: false
nomad_retry_servers:
- "10.30.51.23"
- "10.30.51.24"
- "10.30.51.25:4647"
# Consul settings.
-consul_nomad_integration: true
+nomad_use_consul: true
consul_certificates:
- src: "{{ file_consul_ca_pem }}"
dest: "{{ consul_ca_file }}"
consul_datacenter: "yul1"
consul_encrypt: "Y4T+5JGx1C3l2NFBBvkTWQ=="
-consul_node_name: "{{ hostname }}"
+consul_node_name: "{{ ansible_hostname }}"
consul_node_role: "client"
consul_retry_servers:
- "10.30.51.23"
consul_service_mgr: "systemd"
#consul_package_version: "1.5.2+dfsg2-14"
+# Vault settings.
+vault_version: "1.13.1"
+
# Docker daemon settings.
docker_daemon:
dns: ["172.17.0.1"]
- []
# Package
-nomad_version: "{{ lookup('env','NOMAD_VERSION') | default('1.3.1', true) }}"
+nomad_version: "1.4.3"
nomad_architecture_map:
amd64: "amd64"
x86_64: "amd64"
nomad_pkg: "nomad_{{ nomad_version }}_linux_{{nomad_architecture}}.zip"
nomad_zip_url: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_{{nomad_architecture}}.zip"
nomad_checksum_file_url: "https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version}}_SHA256SUMS"
-nomad_podman_enable: false
-nomad_podman_version: "{{ lookup('env','NOMAD_PODMAN_VERSION') | default('0.1.0', true) }}"
-nomad_podman_pkg: "nomad-driver-podman_{{ nomad_podman_version }}_linux_{{nomad_architecture}}.zip"
-nomad_podman_url: "https://releases.hashicorp.com/nomad-driver-podman/{{ nomad_podman_version }}"
-nomad_podman_zip_url: "{{ nomad_podman_url }}/{{ nomad_podman_pkg }}"
-nomad_podman_checksum_file_url: "{{ nomad_podman_url }}/nomad-driver-podman_{{ nomad_podman_version }}_SHA256SUMS"
nomad_force_update: false
# Paths
nomad_ssl_dir: "/etc/nomad.d/ssl"
# Initialization and startup script templates
-nomad_restart_handler_state: "restarted"
nomad_service_mgr: ""
# System user and group
nomad_group: "nomad"
-nomad_group_state: "present"
nomad_user: "nomad"
-nomad_user_state: "present"
# Nomad settings
nomad_datacenter: "dc1"
nomad_region: "global"
nomad_log_level: "INFO"
nomad_syslog_enable: true
-nomad_iface: "{{ lookup('env','NOMAD_IFACE') | default(ansible_default_ipv4.interface, true) }}"
+nomad_iface: "{{ ansible_default_ipv4.interface }}"
nomad_node_name: "{{ inventory_hostname }}"
-nomad_node_role: "{{ lookup('env','NOMAD_NODE_ROLE') | default('server', true) }}"
+nomad_node_role: "server"
nomad_leave_on_terminate: true
nomad_leave_on_interrupt: false
nomad_disable_update_check: true
# Specifies the minimum time a deployment must be in the terminal state before
# it is eligible for garbage collection.
nomad_deployment_gc_threshold: "1h"
-nomad_encrypt_enable: "{{ lookup('env','NOMAD_ENCRYPT_ENABLE') | default('false', true) }}"
+nomad_encrypt_enable: false
nomad_raft_protocol: 2
# Client settings
{% set _nomad_servers = [] %}\
{% for host in groups[nomad_group_name] %}\
{% set _nomad_node_role = hostvars[host]['nomad_node_role'] | default('client', true) %}\
- {% if ( _nomad_node_role == 'server' or _nomad_node_role == 'both') %}\
+ {% if (_nomad_node_role == 'server' or _nomad_node_role == 'both') %}\
{% if _nomad_servers.append(host) %}{% endif %}\
{% endif %}\
{% endfor %}\
nomad_consul_servers_service_name: "nomad"
nomad_consul_clients_service_name: "nomad-client"
nomad_consul_tags: {}
+nomad_consul_use_ssl: false
# ACLs
-nomad_acl_enabled: "{{ lookup('env', 'NOMAD_ACL_ENABLED') | default('no', true) }}"
+nomad_acl_enabled: false
nomad_acl_token_ttl: "30s"
nomad_acl_policy_ttl: "30s"
nomad_acl_replication_token: ""
-# Vault
-nomad_vault_enabled: "{{ lookup('env', 'NOMAD_VAULT_ENABLED') | default('no', true) }}"
-nomad_vault_address: "{{ vault_address | default('0.0.0.0', true) }}"
-nomad_vault_allow_unauthenticated: true
-nomad_vault_create_from_role: ""
-nomad_vault_task_token_ttl: ""
-nomad_vault_ca_file: ""
-nomad_vault_ca_path: ""
-nomad_vault_cert_file: ""
-nomad_vault_key_file: ""
-nomad_vault_tls_server_name: ""
-nomad_vault_tls_skip_verify: false
-nomad_vault_token: ""
-nomad_vault_namespace: ""
-
# Docker
-nomad_docker_enable: "{{ lookup('env','NOMAD_DOCKER_ENABLE') | default('false', true) }}"
+nomad_docker_enable: false
nomad_docker_dmsetup: true
-# TLS
-nomad_tls_enable: true
-nomad_ca_file: "{{ nomad_ssl_dir }}/nomad-ca.pem"
-nomad_cert_file: "{{ nomad_ssl_dir }}/nomad.pem"
-nomad_key_file: "{{ nomad_ssl_dir }}/nomad-key.pem"
-nomad_cli_cert_file: "{{ nomad_ssl_dir }}/nomad-cli.pem"
-nomad_cli_key_file: "{{ nomad_ssl_dir }}/nomad-cli-key.pem"
-nomad_http: false
-nomad_rpc: false
-nomad_rpc_upgrade_mode: false
-nomad_verify_server_hostname: false
-nomad_verify_https_client: false
-
-# Conf - autopilot.hcl
+# Autopilot
nomad_autopilot_cleanup_dead_servers: true
nomad_autopilot_last_contact_threshold: "200ms"
nomad_autopilot_max_trailing_logs: 250
nomad_autopilot_server_stabilization_time: "10s"
-# Telemetry
-nomad_telemetry: true
+# Telemetry.
+nomad_use_telemetry: true
nomad_telemetry_disable_hostname: false
-nomad_telemetry_collection_interval: 60s
+nomad_telemetry_collection_interval: "1s"
nomad_telemetry_use_node_name: false
nomad_telemetry_publish_allocation_metrics: true
nomad_telemetry_publish_node_metrics: true
nomad_telemetry_prometheus_metrics: true
+
+# TLS.
+nomad_use_tls: true
+nomad_tls_ca_file: "{{ nomad_ssl_dir }}/nomad-ca.pem"
+nomad_tls_cert_file: "{{ nomad_ssl_dir }}/nomad.pem"
+nomad_tls_key_file: "{{ nomad_ssl_dir }}/nomad-key.pem"
+nomad_tls_cli_cert_file: "{{ nomad_ssl_dir }}/nomad-cli.pem"
+nomad_tls_cli_key_file: "{{ nomad_ssl_dir }}/nomad-cli-key.pem"
+nomad_tls_http: false
+nomad_tls_rpc: false
+nomad_tls_rpc_upgrade_mode: false
+nomad_tls_verify_https_client: false
+nomad_tls_verify_server_hostname: false
+
+# Vault
+nomad_use_vault: false
+nomad_vault_address: "http://vault.service.consul:8200"
+nomad_vault_allow_unauthenticated: true
+nomad_vault_enabled: false
+nomad_vault_create_from_role: ""
+nomad_vault_task_token_ttl: "72h"
+nomad_vault_use_ssl: false
+nomad_vault_ca_file: ""
+nomad_vault_ca_path: ""
+nomad_vault_cert_file: ""
+nomad_vault_key_file: ""
+nomad_vault_namespace: ""
+nomad_vault_tls_server_name: ""
+nomad_vault_tls_skip_verify: false
+nomad_vault_token: ""
---
-# file roles/nomad/handlers/main.yaml
+# file handlers/main.yaml
- name: Restart Nomad
ansible.builtin.systemd:
daemon_reload: true
enabled: true
name: "nomad"
- state: "{{ nomad_restart_handler_state }}"
+ state: "restarted"
---
-# file: roles/nomad/meta/main.yaml
+# file: meta/main.yaml
-dependencies: [docker]
+dependencies: ["docker"]
galaxy_info:
- role_name: nomad
- author: fd.io
- description: Hashicorp Nomad.
- company: none
+ role_name: "nomad"
+ author: "pmikus"
+ description: "Hashicorp Nomad."
+ company: "none"
license: "license (Apache)"
- min_ansible_version: 2.9
+ min_ansible_version: "2.9"
platforms:
- - name: Ubuntu
- versions:
- - jammy
+ - name: "Ubuntu"
+ release:
+ - "focal"
+ - "jammy"
+ - "kinetic"
galaxy_tags:
- - nomad
+ - "nomad"
+ - "hashicorp"
---
# file: tasks/main.yaml
-- name: Inst - Update Repositories Cache
+- name: Update Repositories Cache
ansible.builtin.apt:
update_cache: true
when:
tags:
- nomad-inst-package
-- name: Inst - Dependencies
+- name: Dependencies
ansible.builtin.apt:
name: "{{ packages | flatten(levels=1) }}"
state: "present"
tags:
- nomad-inst-dependencies
-- name: Conf - Add Nomad Group
+- name: Add Nomad Group
ansible.builtin.group:
name: "{{ nomad_group }}"
- state: "{{ nomad_user_state }}"
+ state: "present"
tags:
- nomad-conf-user
-- name: Conf - Add Nomad user
+- name: Add Nomad user
ansible.builtin.user:
name: "{{ nomad_user }}"
group: "{{ nomad_group }}"
- state: "{{ nomad_group_state }}"
+ state: "present"
system: true
tags:
- nomad-conf-user
-- name: Inst - Download Nomad
+- name: Download Nomad
ansible.builtin.get_url:
url: "{{ nomad_zip_url }}"
dest: "{{ nomad_inst_dir }}/{{ nomad_pkg }}"
+ mode: 0644
tags:
- nomad-inst-package
-- name: Inst - Clean Nomad
+- name: Clean Nomad
ansible.builtin.file:
path: "{{ nomad_inst_dir }}/nomad"
state: "absent"
tags:
- nomad-inst-package
-- name: Inst - Unarchive Nomad
+- name: Unarchive Nomad
ansible.builtin.unarchive:
src: "{{ nomad_inst_dir }}/{{ nomad_pkg }}"
dest: "{{ nomad_inst_dir }}/"
tags:
- nomad-inst-package
-- name: Inst - Nomad
+- name: Nomad
ansible.builtin.copy:
src: "{{ nomad_inst_dir }}/nomad"
dest: "{{ nomad_bin_dir }}"
tags:
- nomad-inst-package
-- name: Conf - Create Directories "{{ nomad_data_dir }}"
- ansible.builtin.file:
- dest: "{{ nomad_data_dir }}"
- state: directory
- owner: "{{ nomad_user }}"
- group: "{{ nomad_group }}"
- mode: 0755
- tags:
- - nomad-conf
-
-- name: Conf - Create Directories "{{ nomad_ssl_dir }}"
- ansible.builtin.file:
- dest: "{{ nomad_ssl_dir }}"
- state: directory
- owner: "{{ nomad_user }}"
- group: "{{ nomad_group }}"
- mode: 0755
- tags:
- - nomad-conf
-
-- name: Conf - Create Config Directory
+- name: Create Directories
ansible.builtin.file:
- dest: "{{ nomad_config_dir }}"
- state: directory
+ dest: "{{ item }}"
+ state: "directory"
owner: "{{ nomad_user }}"
group: "{{ nomad_group }}"
mode: 0755
+ with_items:
+ - "{{ nomad_data_dir }}"
+ - "{{ nomad_config_dir }}"
+ - "{{ nomad_ssl_dir }}"
tags:
- nomad-conf
-- name: Conf - Base Configuration
- ansible.builtin.template:
- src: base.hcl.j2
- dest: "{{ nomad_config_dir }}/base.hcl"
- owner: "{{ nomad_user }}"
- group: "{{ nomad_group }}"
- mode: 0644
- tags:
- - nomad-conf
-
-- name: Conf - Server Configuration
+- name: Base Configuration
ansible.builtin.template:
- src: server.hcl.j2
- dest: "{{ nomad_config_dir }}/server.hcl"
- owner: "{{ nomad_user }}"
- group: "{{ nomad_group }}"
- mode: 0644
- when:
- - nomad_node_server | bool
- tags:
- - nomad-conf
-
-- name: Conf - Client Configuration
- ansible.builtin.template:
- src: client.hcl.j2
- dest: "{{ nomad_config_dir }}/client.hcl"
- owner: "{{ nomad_user }}"
- group: "{{ nomad_group }}"
- mode: 0644
- when:
- - nomad_node_client | bool
- tags:
- - nomad-conf
-
-- name: Conf - TLS Configuration
- ansible.builtin.template:
- src: tls.hcl.j2
- dest: "{{ nomad_config_dir }}/tls.hcl"
- owner: "{{ nomad_user }}"
- group: "{{ nomad_group }}"
- mode: 0644
- tags:
- - nomad-conf
-
-- name: Conf - Telemetry Configuration
- ansible.builtin.template:
- src: telemetry.hcl.j2
- dest: "{{ nomad_config_dir }}/telemetry.hcl"
- owner: "{{ nomad_user }}"
- group: "{{ nomad_group }}"
- mode: 0644
- tags:
- - nomad-conf
-
-- name: Conf - Consul Configuration
- ansible.builtin.template:
- src: consul.hcl.j2
- dest: "{{ nomad_config_dir }}/consul.hcl"
+ src: "{{ item }}.hcl.j2"
+ dest: "{{ nomad_config_dir }}/{{ item }}.hcl"
owner: "{{ nomad_user }}"
group: "{{ nomad_group }}"
mode: 0644
+ with_items:
+ - "base"
+ - "consul"
+ - "client"
+ - "server"
+ - "telemetry"
+ - "tls"
+ - "vault"
tags:
- nomad-conf
tags:
- nomad-conf
-- name: Conf - Nomad CLI Environment Variables
+- name: Nomad CLI Environment Variables
ansible.builtin.lineinfile:
path: "/etc/profile.d/nomad.sh"
line: "{{ item }}"
+ mode: 0644
create: true
loop:
- - "export NOMAD_ADDR=http://nomad.service.consul:4646"
- - "export NOMAD_CACERT={{ nomad_ca_file }}"
-# - "export NOMAD_CLIENT_CERT={{ nomad_cli_cert_file }}"
-# - "export NOMAD_CLIENT_KEY={{ nomad_cli_key_file }}"
+ - "export NOMAD_ADDR=https://nomad-server.service.consul:4646"
+ - "export NOMAD_CACERT={{ nomad_tls_ca_file }}"
+ - "export NOMAD_CLIENT_CERT={{ nomad_tls_cli_cert_file }}"
+ - "export NOMAD_CLIENT_KEY={{ nomad_tls_cli_key_file }}"
tags:
- nomad-conf
-- name: Conf - System.d Script
+- name: System.d Script
ansible.builtin.template:
src: "nomad_systemd.service.j2"
dest: "/lib/systemd/system/nomad.service"
--- /dev/null
+{
+ "signing": {
+ "default": {
+ "expiry": "87600h",
+ "usages": ["signing", "key encipherment", "server auth", "client auth"]
+ }
+ }
+}
\ No newline at end of file
{% if nomad_use_consul | bool == True %}
consul {
- # The address to the Consul agent.
+ # Specifies the address to the local Consul agent, given in the format
+ # host:port.
address = "{{ nomad_consul_address }}"
- token = "{{ nomad_consul_token }}"
- # The service name to register the server and client with Consul.
- server_service_name = "{{ nomad_consul_servers_service_name }}"
- client_service_name = "{{ nomad_consul_clients_service_name }}"
- tags = {{ nomad_consul_tags | to_json }}
- # Enables automatically registering the services.
+ # Specifies if Nomad should advertise its services in Consul. The services
+ # are named according to server_service_name and client_service_name. Nomad
+ # servers and clients advertise their respective services, each tagged
+ # appropriately with either http or rpc tag. Nomad servers also advertise a
+ # serf tagged service.
auto_advertise = true
- # Enabling the server and client to bootstrap using Consul.
- server_auto_join = true
+ # Specifies if the Nomad clients should automatically discover servers in
+ # the same region by searching for the Consul service name defined in the
+ # server_service_name option. The search occurs if the client is not
+ # registered with any servers or it is unable to heartbeat to the leader of
+ # the region, in which case it may be partitioned and searches for other
+ # servers.
client_auto_join = true
+
+ # Specifies the name of the service in Consul for the Nomad clients.
+ client_service_name = "{{ nomad_consul_clients_service_name }}"
+
+ # Specifies the name of the service in Consul for the Nomad servers.
+ server_service_name = "{{ nomad_consul_servers_service_name }}"
+
+ # Specifies if the Nomad servers should automatically discover and join
+ # other Nomad servers by searching for the Consul service name defined in
+ # the server_service_name option. This search only happens if the server
+ # does not have a leader.
+ server_auto_join = true
+
+ # Specifies optional Consul tags to be registered with the Nomad server and
+ # agent services.
+ tags = {{ nomad_consul_tags | to_json }}
+
+ # Specifies the token used to provide a per-request ACL token. This option
+ # overrides the Consul Agent's default token. If the token is not set here
+ # or on the Consul agent, it will default to Consul's anonymous policy,
+ # which may or may not allow writes.
+ token = "{{ nomad_consul_token }}"
+
+ {% if nomad_consul_use_ssl | bool == True -%}
+ # Specifies if the transport scheme should use HTTPS to communicate with the
+ # Consul agent.
+ ssl = true
+
+ # Specifies an optional path to the CA certificate used for Consul
+ # communication. This defaults to the system bundle if unspecified.
+ ca_file = "{{ nomad_ca_file }}"
+
+ # Specifies the path to the certificate used for Consul communication. If
+ # this is set then you need to also set key_file.
+ cert_file = "{{ nomad_cert_file }}"
+
+ # Specifies the path to the private key used for Consul communication. If
+ # this is set then you need to also set cert_file.
+ key_file = "{{ nomad_key_file }}"
+ {% endif %}
+
}
{% endif %}
\ No newline at end of file
#After=consul.service
[Service]
+# Nomad server should be run as the nomad user. Nomad clients
+# should be run as root
+#User=nomad
+#Group=nomad
+
ExecReload=/bin/kill -HUP $MAINPID
ExecStart={{ nomad_bin_dir }}/nomad agent -config {{ nomad_config_dir }}
KillMode=process
+{% if nomad_node_server | bool == True %}
server {
enabled = {{ nomad_node_server | bool | lower }}
{%- endif %}
}
+{% endif %}
\ No newline at end of file
-{% if nomad_telemetry | bool == True %}
+{% if nomad_use_telemetry | bool == True %}
telemetry {
- disable_hostname = "{{ nomad_telemetry_disable_hostname | default(false) | bool | lower }}"
- collection_interval = "{{ nomad_telemetry_collection_interval | default("1s") }}"
- use_node_name = "{{ nomad_telemetry_use_node_name | default(false) | bool | lower }}"
- publish_allocation_metrics = "{{ nomad_telemetry_publish_allocation_metrics | default(false) | bool | lower }}"
- publish_node_metrics = "{{ nomad_telemetry_publish_node_metrics | default(false) | bool | lower }}"
- prometheus_metrics = "{{ nomad_telemetry_prometheus_metrics | default(false) | bool | lower }}"
+ # Specifies if gauge values should be prefixed with the local hostname.
+ disable_hostname = {{ nomad_telemetry_disable_hostname | bool | lower }}
+
+ # Specifies the time interval at which the Nomad agent collects telemetry
+ # data.
+ collection_interval = "{{ nomad_telemetry_collection_interval }}"
+
+ # Specifies if gauge values should be prefixed with the name of the node,
+ # instead of the hostname. If set it will override disable_hostname value.
+ use_node_name = {{ nomad_telemetry_use_node_name | bool | lower }}
+
+ # Specifies if Nomad should publish runtime metrics of allocations.
+ publish_allocation_metrics = {{ nomad_telemetry_publish_allocation_metrics | bool | lower }}
+
+ # Specifies if Nomad should publish runtime metrics of nodes.
+ publish_node_metrics = {{ nomad_telemetry_publish_node_metrics | bool | lower }}
+
+ # Specifies whether the agent should make Prometheus formatted metrics
+ # available at /v1/metrics?format=prometheus.Specifies whether the agent
+ # should make Prometheus formatted metrics available at
+ # /v1/metrics?format=prometheus.
+ prometheus_metrics = {{ nomad_telemetry_prometheus_metrics | bool | lower }}
}
{% endif %}
-{% if nomad_tls_enable | bool %}
+{% if nomad_use_tls | bool %}
tls {
- http = {{ nomad_http | bool | lower }}
- rpc = {{ nomad_rpc | bool | lower }}
- ca_file = "{{ nomad_ca_file }}"
- cert_file = "{{ nomad_cert_file }}"
- key_file = "{{ nomad_key_file }}"
- rpc_upgrade_mode = {{ nomad_rpc_upgrade_mode | bool | lower }}
- verify_server_hostname = {{ nomad_verify_server_hostname | bool | lower }}
- verify_https_client = {{ nomad_verify_https_client | bool | lower }}
+ # Specifies the path to the CA certificate to use for Nomad's TLS
+ # communication.
+ ca_file = "{{ nomad_tls_ca_file }}"
+
+ # Specifies the path to the certificate file used for Nomad's TLS
+ # communication.
+ cert_file = "{{ nomad_tls_cert_file }}"
+
+ # Specifies the path to the key file to use for Nomad's TLS communication.
+ key_file = "{{ nomad_tls_key_file }}"
+
+ # Specifies if TLS should be enabled on the HTTP endpoints on the Nomad
+ # agent, including the API.
+ http = {{ nomad_tls_http | bool | lower }}
+
+ # Specifies if TLS should be enabled on the RPC endpoints and Raft traffic
+ # between the Nomad servers. Enabling this on a Nomad client makes the
+ # client use TLS for making RPC requests to the Nomad servers.
+ rpc = {{ nomad_tls_rpc | bool | lower }}
+
+ # This option should be used only when the cluster is being upgraded to
+ # TLS, and removed after the migration is complete. This allows the agent
+ # to accept both TLS and plaintext traffic.
+ rpc_upgrade_mode = {{ nomad_tls_rpc_upgrade_mode | bool | lower }}
+
+ # Specifies agents should require client certificates for all incoming
+ # HTTPS requests. The client certificates must be signed by the same CA
+ # as Nomad.
+ verify_https_client = {{ nomad_tls_verify_https_client | bool | lower }}
+
+ # Specifies if outgoing TLS connections should verify the server's hostname.
+ verify_server_hostname = {{ nomad_tls_verify_server_hostname | bool | lower }}
}
{% endif %}
--- /dev/null
+{% if nomad_use_tls | bool == True %}
+vault {
+ # Specifies the address to the Vault server. This must include the protocol,
+ # host/ip, and port given in the format protocol://host:port. If your Vault
+ # installation is behind a load balancer, this should be the address of the
+ # load balancer.
+ address = "{{ nomad_vault_address }}"
+
+ # Specifies if users submitting jobs to the Nomad server should be required
+ # to provide their own Vault token, proving they have access to the policies
+ # listed in the job. This option should be disabled in an untrusted
+ # environment.
+ allow_unauthenticated = {{ nomad_vault_allow_unauthenticated | bool | lower }}
+
+ # Specifies if the Vault integration should be activated.
+ enabled = {{ nomad_vault_enabled | bool | lower }}
+
+ # Specifies the role to create tokens from. The token given to Nomad does
+ # not have to be created from this role but must have "update" capability
+ # on "auth/token/create/<create_from_role>" path in Vault. If this value is
+ # unset and the token is created from a role, the value is defaulted to the
+ # role the token is from. This is largely for backwards compatibility. It
+ # is recommended to set the create_from_role field if Nomad is deriving
+ # child tokens from a role.
+ create_from_role = "{{ nomad_vault_create_from_role }}"
+
+ # Specifies the TTL of created tokens when using a root token. This is
+ # specified using a label suffix like "30s" or "1h".
+ task_token_ttl = "{{ nomad_vault_task_token_ttl }}"
+
+ {% if nomad_vault_use_ssl | bool == True -%}
+ # Specifies an optional path to the CA certificate used for Vault
+ # communication. If unspecified, this will fallback to the default system
+ # CA bundle, which varies by OS and version.
+ ca_file = "{{ nomad_vault_ca_file }}"
+
+ # Specifies an optional path to a folder containing CA certificates to be
+ # used for Vault communication. If unspecified, this will fallback to the
+ # default system CA bundle, which varies by OS and version.
+ ca_path = "{{ nomad_vault_ca_path }}"
+
+ # Specifies the path to the certificate used for Vault communication. This
+ # must be set if tls_require_and_verify_client_cert is enabled in Vault.
+ cert_file = "{{ nomad_vault_cert_file }}"
+
+ # Specifies the path to the private key used for Vault communication. If
+ # this is set then you need to also set cert_file. This must be set if
+ # tls_require_and_verify_client_cert is enabled in Vault.
+ key_file = "{{ nomad_vault_key_file }}"
+
+ # Specifies the Vault namespace used by the Vault integration. If non-empty,
+ # this namespace will be used on all Vault API calls.
+ namespace = "{{ nomad_vault_namespace }}"
+
+ # Specifies an optional string used to set the SNI host when connecting to
+ # Vault via TLS.
+ tls_server_name = "{{ nomad_vault_tls_server_name }}"
+
+ # Specifies if SSL peer validation should be enforced.
+ tls_skip_verify = {{ nomad_vault_tls_skip_verify | bool | lower }}
+ {% endif %}
+
+ # Specifies the parent Vault token to use to derive child tokens for jobs
+ # requesting tokens. Only required on Nomad servers. Nomad client agents
+ # use the allocation's token when contacting Vault. Visit the Vault
+ # Integration Guide to see how to generate an appropriate token in Vault.
+ token = "{{ nomad_vault_token }}"
+}
+{% endif %}
\ No newline at end of file
---
-# file: roles/nomad/vars/main.yaml
+# file: vars/main.yaml
nomad_node_client: "{{ (nomad_node_role == 'client') or (nomad_node_role == 'both') }}"
nomad_node_server: "{{ (nomad_node_role == 'server') or (nomad_node_role == 'both') }}"
Code Review / csit.git / commitdiff