ansible-roles/roles/nomad/defaults/main.yml


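---
# NOTE(review): the copy this file was restored from had lost its indentation.
# The nesting below follows the section comments (client / server / ui / ...);
# confirm every key path against the role's templates before relying on it.

# List of plugins to install.
# sha256 values are quoted so a YAML parser never retypes a digit-leading hex
# string (an unquoted "337e1..." is a string today, but quoting removes the doubt).
nomad_plugins:
  podman:
    archive_url: https://releases.hashicorp.com/nomad-driver-podman/0.5.2/nomad-driver-podman_0.5.2_linux_amd64.zip
    sha256: "e4fd4c94b429d5fe1f70086522061d0e0a217b81a5920572fbfc196973a6ce61"
  containerd:
    archive_url: https://github.com/Roblox/nomad-driver-containerd/releases/download/v0.9.4/containerd-driver
    sha256: "337e1bab178071500bfbe46a59946e0e3bafc652906ed1b755d2aa4d35990982"

# Root dir where Nomad will be installed
nomad_root_dir: /opt/nomad

# User under which nomad will run.
# Servers can run under an unprivileged user, while clients should run as root
# (or with equivalent privileges). Derived from the merged nomad_conf below.
nomad_user: "{{ nomad_conf.client.enabled | ternary('root', 'nomad') }}"

# List of Unix groups which will be nomad admins.
# Used for example to grant access to the cli cert with ACL
nomad_admin_groups: "{{ system_admin_groups | default([]) }}"

# List of nomad servers (not clients!). Entries may carry a ":port" suffix;
# it is stripped before comparing with inventory_hostname below.
nomad_servers: []

# Nomad configuration
nomad_base_conf:
  log_level: INFO
  # You can define the datacenter in which this agent is running. The default value is dc1
  # datacenter: dc1
  # You can set the region here
  # region: eu
  # Node name, which should be unique in the region. Default is the hostname
  # name: nomad-fr-zone-c

  # ACL
  acl:
    # Enable ACL. While disabled, every client that can reach the API has full
    # control of the cluster; enable it for any shared or production cluster.
    enabled: false
    # For servers in non-authoritative regions, a token must be used to replicate policies
    # replication_token: ...

  # TLS Settings
  # See the nomad_vault_secrets configuration if you want to integrate with vault
  # to obtain and renew the certificates.
  # All three switches default to off (plaintext HTTP and RPC); turn on http, rpc
  # and verify_server_hostname together once certificates are in place.
  tls:
    http: false
    rpc: false
    ca_file: "{{ nomad_root_dir }}/tls/ca.crt"
    cert_file: "{{ nomad_root_dir }}/tls/nomad.crt"
    key_file: "{{ nomad_root_dir }}/tls/nomad.key"
    rpc_upgrade_mode: false
    verify_https_client: false
    verify_server_hostname: false

  # Client related settings
  # The default is to act as a client if the hostname is not listed in nomad_servers
  client:
    # Should client be enabled
    enabled: "{{ (inventory_hostname in nomad_servers | map('regex_replace', ':\\d+$', '')) | ternary(False, True) }}"
    # Node pool
    # node_pool: gateways
    drain_on_shutdown:
      deadline: 1h
      force: false
      ignore_system_jobs: false
    # host_volumes:
    #   - name: mysql
    #     path: /data/mysql
    #     read_only: false
    host_volumes: []
    # The max amount of time to wait for a task to stop, before sending a SIGKILL
    max_kill_timeout: 300s
    # An arbitrary string which can be used for job placement
    # node_class: prod
    # Resource reservation for the host to work properly
    reserved:
      # Unit is MHz
      cpu: 200
      # Can be expressed as a number, in which case it is the amount of RAM to reserve in MB,
      # or as a percentage, in which case it is a percentage of the total RAM
      memory: 8%
      # When memory is expressed as a percentage, you can set a minimum amount (in MB)
      # which will be used if the percentage is less than that
      memory_min: 500
      # Unit is MB
      disk: 500
      # List of reserved ports which won't be allocated to tasks
      reserved_ports: []
    # Custom metadata to add in Nomad's conf
    # meta:
    #   rack: 12-1
    #   cni: macvlan,ipvlan
    meta: {}
    # List of enabled drivers, and their options.
    task_drivers:
      exec:
        enabled: true
      docker:
        enabled: true
        # Privileged containers are equivalent to root on the client host;
        # set to false unless a job genuinely needs it.
        allow_privileged: true
        volumes:
          enabled: false
        # You can set a list of caps allowed for containers. The default is the same set of caps as Docker, minus net_raw
        # allow_caps: ["audit_write", "chown", "dac_override", "fowner", "fsetid", "kill", "mknod", "net_bind_service", "setfcap", "setgid", "setpcap", "setuid", "sys_chroot"]
        # List of extra labels to add to containers
        extra_labels:
          - job_name
          - task_group_name
          - task_name
          - namespace
          - node_name
          - node_id
        gc:
          image_delay: 168h
        # Authentication for OCI registries. Prefer supplying credentials from a
        # vault/secret store rather than committing them in a vars file.
        # auths:
        #   - registry: oci.example.org
        #     login: foo
        #     password: bar
        #   - registry: docker.io
        #     login: daniel
        #     password: S3cr3t.
        auths: []
      raw_exec:
        enabled: false
      java:
        enabled: false
      qemu:
        enabled: false
      podman:
        # Note on EL8, it cannot be used with docker as there are package conflicts,
        # see https://bugs.centos.org/view.php?id=16892
        enabled: false
        volumes:
          enabled: false
        # socket_path: unix:///run/podman/podman.sock
        recover_stopped: false
        extra_labels:
          - job_name
          - task_group_name
          - task_name
          - namespace
          - node_name
          - node_id
      containerd-driver:
        enabled: false
        containerd_runtime: io.containerd.runc.v2
        # Same caveat as for docker: privileged containers are root on the host.
        allow_privileged: true

  # Server related settings
  server:
    # Should server be enabled
    # The default is to act as a server if the hostname is listed in nomad_servers
    enabled: "{{ (inventory_hostname in nomad_servers | map('regex_replace', ':\\d+$', '')) | ternary(True, False) }}"
    # Expected number of servers to bootstrap the cluster. The default is to wait for all the servers
    # listed in nomad_servers to be ready, and then to do the bootstrap
    bootstrap_expect: "{{ nomad_servers | length }}"
    # Encryption key to use to encrypt inter-server (gossip) communications.
    # You can generate one with the "nomad operator keygen" command. It must be the same
    # on all the servers of the cluster. If not defined (the default), the traffic will
    # not be encrypted.
    # encrypt: NVlG6VKgsTbMim041S5nbWmmaQKS7YchV+9G3XxcZDs=
    # Name of the authoritative region from which policies will be pulled
    # authoritative_region: eu
    # Default scheduler config. Only used during cluster bootstrap.
    # If you want to change it afterwards, you have to use the API
    default_scheduler_config:
      # Can be binpack or spread. Spread makes more sense when running on premise
      scheduler_algorithm: spread
      memory_oversubscription_enabled: true
      preemption_config:
        batch_scheduler_enabled: true
        system_scheduler_enabled: true
        service_scheduler_enabled: true
        sysbatch_scheduler_enabled: true
    # heartbeat_grace: 10m

  # UI related settings
  ui:
    # Default is to enable the UI on servers only
    enabled: "{{ (inventory_hostname in nomad_servers | map('regex_replace', ':\\d+$', '')) | ternary(True, False) }}"
    # Consul and vault optional URL. This is just to add a shortcut in Nomad's UI
    # consul_ui: https://consul.example.org
    # vault_ui: https://vault.example.org

  # Telemetry settings
  telemetry:
    prometheus_metrics: true
    disable_hostname: true
    publish_allocation_metrics: true
    publish_node_metrics: true

  # Consul integration
  # See https://www.nomadproject.io/docs/configuration/consul
  consul:
    # address: http://localhost:8500
    # allow_unauthenticated: true
    # tags: []
    ssl: false
    ca_file: "{{ nomad_root_dir }}/tls/consul_ca.crt"
    cert_file: "{{ nomad_root_dir }}/tls/consul.crt"
    key_file: "{{ nomad_root_dir }}/tls/consul.key"

  # Vault integration
  vault:
    enabled: false
    create_from_role: nomad-cluster
    # address: https://vault.example.org:8200
    # ca_path: /opt/nomad/tls/vault_ca.crt
    # cert_file: /opt/nomad/tls/vault.crt
    # key_file: /opt/nomad/tls/vault.key

# You can override part of the default config without rewriting everything else;
# the dicts are merged recursively (nomad_host_conf wins over nomad_extra_conf,
# which wins over nomad_base_conf).
nomad_extra_conf: {}
nomad_host_conf: {}
nomad_conf: "{{ nomad_base_conf | combine(nomad_extra_conf, recursive=True) | combine(nomad_host_conf, recursive=True) }}"

# Ports used by Nomad, the protocols, and the list of IP/CIDR for which the ports
# will be opened in the firewall.
# You can also specify which address/port to advertise (not needed most of the time).
# src_ip defaults to an empty list; what the firewall tasks do with an empty list is
# not visible here — check the role's firewall tasks before assuming "open to all"
# or "closed".
nomad_base_services:
  http:
    port: 4646
    proto: [tcp]
    src_ip: []
    # advertise: 10.11.12.13:4347
  rpc:
    port: 4647
    proto: [tcp]
    src_ip: []
    # advertise: y.y.y.y
  serf:
    port: 4648
    proto: [tcp, udp]
    src_ip: []
    # advertise: x.x.x.x
  dynamic:
    # Quoted: "a:b" values are a known YAML 1.1 retyping trap; keep it a string.
    port: "20000:32000"
    proto: [tcp, udp]
    src_ip: []
nomad_extra_services: {}
nomad_host_services: {}
nomad_services: "{{ nomad_base_services | combine(nomad_extra_services, recursive=True) | combine(nomad_host_services, recursive=True) }}"

# An optional NOMAD_TOKEN used to take a snapshot of raft logs during pre-backup.
# Prefer the second form (token fetched at runtime) over a literal token in a vars file.
# For example:
# nomad_backup_token: 1677848e-1fcd-b24a-6fb0-56b503d75651
# or a more advanced use
# nomad_backup_token: $(VAULT_TOKEN=$(cat /run/vault_agent/vault.token) vault read -field=secret_id nomad/creds/admin ttl=1m)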