211 lines
7.6 KiB
YAML
211 lines
7.6 KiB
YAML
---
|
|
|
|
- name: Generate self-signed certificate
|
|
import_tasks: ../includes/create_selfsigned_cert.yml
|
|
vars:
|
|
cert_path: "{{ nomad_conf.tls.cert_file }}"
|
|
cert_key_path: "{{ nomad_conf.tls.key_file }}"
|
|
cert_key_mode: omit
|
|
tags: nomad
|
|
|
|
- name: Check if CA exists
|
|
stat: path={{ nomad_conf.tls.ca_file }}
|
|
register: nomad_ca_file
|
|
tags: nomad
|
|
|
|
- name: Copy cert as CA
|
|
copy: src={{ nomad_conf.tls.cert_file }} dest={{ nomad_conf.tls.ca_file }} remote_src=True
|
|
when: not nomad_ca_file.stat.exists
|
|
tags: nomad
|
|
|
|
- when: nomad_conf.consul.ca_file is defined
|
|
block:
|
|
- name: Generate self-signed certificate
|
|
import_tasks: ../includes/create_selfsigned_cert.yml
|
|
vars:
|
|
cert_path: "{{ nomad_conf.consul.cert_file }}"
|
|
cert_key_path: "{{ nomad_conf.consul.key_file }}"
|
|
cert_key_mode: omit
|
|
tags: nomad
|
|
|
|
- name: Check if CA exists
|
|
stat: path={{ nomad_conf.tls.ca_file }}
|
|
register: nomad_consul_ca_file
|
|
tags: nomad
|
|
|
|
- name: Copy consul cert as consul CA
|
|
copy: src={{ nomad_conf.consul.cert_file }} dest={{ nomad_conf.consul.ca_file }} remote_src=True
|
|
when: nomad_conf.consul.ca_file is defined and not nomad_consul_ca_file.stat.exists
|
|
tags: nomad
|
|
|
|
- name: Deploy nomad configuration
|
|
block:
|
|
- name: Deploy nomad configuration
|
|
template:
|
|
src: nomad.hcl.j2
|
|
dest: "{{ nomad_root_dir }}/etc/nomad.hcl"
|
|
owner: root
|
|
group: "{{ nomad_user }}"
|
|
mode: 0640
|
|
backup: True
|
|
register: nomad_main_conf
|
|
notify: restart nomad
|
|
|
|
- name: Deploy nomad reloadable configuration
|
|
template:
|
|
src: reload.hcl.j2
|
|
dest: "{{ nomad_root_dir }}/etc/reload.hcl"
|
|
owner: root
|
|
group: "{{ nomad_user }}"
|
|
mode: 0640
|
|
backup: True
|
|
register: nomad_reload_conf
|
|
notify: reload nomad
|
|
|
|
- name: Validate configuration
|
|
command: nomad config validate {{ nomad_root_dir }}/etc/nomad.hcl {{ nomad_root_dir }}/etc/reload.hcl
|
|
changed_when: False
|
|
become_user: "{{ nomad_user }}"
|
|
register: nomad_conf_validation
|
|
|
|
rescue:
|
|
- block:
|
|
- name: Restore main configuration
|
|
copy:
|
|
src: "{{ nomad_main_conf.backup_file }}"
|
|
dest: "{{ nomad_root_dir }}/etc/nomad.hcl"
|
|
remote_src: True
|
|
owner: root
|
|
group: "{{ nomad_user }}"
|
|
mode: 0640
|
|
when: nomad_main_conf.backup_file is defined
|
|
|
|
- name: Restore reloadable configuration
|
|
copy:
|
|
src: "{{ nomad_reload_conf.backup_file }}"
|
|
dest: "{{ nomad_root_dir }}/etc/reload.hcl"
|
|
remote_src: True
|
|
owner: root
|
|
group: "{{ nomad_user }}"
|
|
mode: 0640
|
|
when: nomad_reload_conf.backup_file is defined
|
|
|
|
tags: nomad
|
|
|
|
- name: Fail if configuration validation failed
|
|
fail:
|
|
msg: "Failed to validate configuration: {{ nomad_conf_validation.stdout }}"
|
|
when: nomad_conf_validation.rc != 0
|
|
tags: nomad
|
|
|
|
# Now we remove the backup config to prevent nomad warning about invalid config files
|
|
- name: List backup conf
|
|
shell: ls -1 {{ nomad_root_dir }}/etc/*.hcl.*
|
|
failed_when: False
|
|
changed_when: False
|
|
register: nomad_backup_configs
|
|
tags: nomad
|
|
|
|
- name: Remove backup configs
|
|
file: path={{ item }} state=absent
|
|
loop: "{{ nomad_backup_configs.stdout_lines }}"
|
|
tags: nomad
|
|
|
|
#- name: Deploy vault-agent config
|
|
# template: src=vault/agent.hcl.j2 dest={{ nomad_root_dir }}/vault/agent.hcl mode=640 owner=root group={{ nomad_user }}
|
|
# notify: restart nomad-vault-agent
|
|
# when: nomad_vault_agent.nomad_pki.enabled or nomad_vault_agent.consul_pki.enabled
|
|
# tags: nomad
|
|
#
|
|
#- name: Deploy agent cert bundle template
|
|
# template: src=vault/agent_bundle.pem.tpl.j2 dest={{ nomad_root_dir }}/vault/templates/agent_bundle.pem.tpl owner=root group=root
|
|
# notify: restart nomad-vault-agent
|
|
# when: nomad_vault_agent.nomad_pki.enabled or nomad_vault_agent.consul_pki.enabled
|
|
# tags: nomad
|
|
#
|
|
#- name: Deploy cli cert bundle template
|
|
# template: src=vault/cli_bundle.pem.tpl.j2 dest={{ nomad_root_dir }}/vault/templates/cli_bundle.pem.tpl owner=root group=root
|
|
# notify: restart nomad-vault-agent
|
|
# when: (nomad_vault_agent.nomad_pki.enabled or nomad_vault_agent.consul_pki.enabled) and nomad_conf.server.enabled
|
|
# tags: nomad
|
|
#
|
|
#- name: Deploy consul token template
|
|
# template: src=vault/consul_token.tpl.j2 dest={{ nomad_root_dir }}/vault/templates/consul_token.tpl owner=root group=root
|
|
# notify: restart nomad-vault-agent
|
|
# when: (nomad_vault_agent.consul_token.enabled) and nomad_conf.server.enabled
|
|
# tags: nomad
|
|
#
|
|
#- fail: msg="Only one of token or approle should be configured"
|
|
# when:
|
|
# - nomad_vault_agent.auth.approle is defined
|
|
# - nomad_vault_agent.auth.token is defined
|
|
# tags: nomad
|
|
#
|
|
#- name: Setup AppRole auth
|
|
# block:
|
|
# - copy: content={{ nomad_vault_agent.auth.approle.role_id }} dest={{ nomad_root_dir }}/vault/role_id owner=root group={{ nomad_user }} mode=640
|
|
# - copy: content={{ nomad_vault_agent.auth.approle.secret_id }} dest={{ nomad_root_dir }}/vault/secret_id owner=root group={{ nomad_user }} mode=640
|
|
# - file: path={{ nomad_root_dir }}/vault/token state=absent
|
|
# when:
|
|
# - nomad_vault_agent.auth is defined
|
|
# - nomad_vault_agent.auth.approle is defined
|
|
# - nomad_vault_agent.auth.approle.role_id is defined
|
|
# - nomad_vault_agent.auth.approle.secret_id is defined
|
|
# tags: nomad
|
|
#
|
|
#- name: Setup Token auth
|
|
# block:
|
|
# - copy: content={{ nomad_vault_agent.auth.token }} dest={{ nomad_root_dir }}/vault/token owner=root group={{ nomad_user }} mode=640
|
|
# - file: path={{ nomad_root_dir }}/vault/role_id state=absent
|
|
# - file: path={{ nomad_root_dir }}/vault/secret_id state=absent
|
|
# when:
|
|
# - nomad_vault_agent.auth is defined
|
|
# - nomad_vault_agent.auth.token is defined
|
|
# tags: nomad
|
|
|
|
- name: Set ACL on the TLS dir
|
|
shell: |
|
|
setfacl -R -b -k {{ nomad_root_dir }}/tls
|
|
chown -R :{{ nomad_user }} {{ nomad_root_dir }}/tls
|
|
chmod 750 {{ nomad_root_dir }}/tls
|
|
chmod 640 {{ nomad_root_dir }}/tls/*
|
|
setfacl -m u:{{ nomad_user }}:rx {{ nomad_root_dir }}/tls
|
|
setfacl -m d:u:{{ nomad_user }}:r {{ nomad_root_dir }}/tls
|
|
setfacl -m u:{{ nomad_user }}:r {{ nomad_root_dir }}/tls/*
|
|
{% if nomad_admin_groups | length > 0 %}
|
|
setfacl -m {% for group in nomad_admin_groups %}g:{{ group }}:rx{{ ',' if not loop.last }}{% endfor %} {{ nomad_root_dir }}/tls
|
|
setfacl -m {% for group in nomad_admin_groups %}d:g:{{ group }}:r{{ ',' if not loop.last }}{% endfor %} {{ nomad_root_dir }}/tls
|
|
setfacl -m {% for group in nomad_admin_groups %}g:{{ group }}:r{{ ',' if not loop.last }}{% endfor %} {{ nomad_root_dir }}/tls/*
|
|
{% endif %}
|
|
changed_when: False
|
|
failed_when: False # Do not fail if eg, the FS doesn't support ACL
|
|
tags: nomad
|
|
|
|
- name: Deploy profile script
|
|
template: src=profile.sh.j2 dest=/etc/profile.d/nomad.sh
|
|
tags: nomad
|
|
|
|
- name: Ensure the bridge module is loaded
|
|
modprobe: name=bridge state=present
|
|
when: nomad_conf.client.enabled and 'docker' in nomad_enabled_task_drivers
|
|
tags: nomad
|
|
|
|
- name: Set sysctl
|
|
sysctl:
|
|
name: "{{ item.key }}"
|
|
value: "{{ item.val }}"
|
|
sysctl_file: /etc/sysctl.d/nomad.conf
|
|
state: "{{ (nomad_conf.client.enabled and 'docker' in nomad_enabled_task_drivers) | ternary('present', 'absent') }}"
|
|
loop:
|
|
- key: net.bridge.bridge-nf-call-arptables
|
|
val: 1
|
|
- key: net.bridge.bridge-nf-call-ip6tables
|
|
val: 1
|
|
- key: net.bridge.bridge-nf-call-iptables
|
|
val: 1
|
|
tags: nomad
|
|
|
|
- name: Deploy Docker auth config
|
|
template: src=docker_auth.json.j2 dest={{ nomad_root_dir }}/docker/auth.json owner={{ nomad_user }} group={{ nomad_user }} mode=600
|
|
tags: nomad
|