Update to 2023-07-26 19:00

roles/nomad/defaults/main.yml

@@ -256,3 +256,8 @@ nomad_extra_services: {}
 nomad_host_services: {}
 nomad_services: "{{ nomad_base_services | combine(nomad_extra_services, recursive=True) | combine(nomad_host_services, recursive=True) }}"
 
+# An optional NOMAD_TOKEN to use to take a snapshot of raft logs during pre-backup
+# for example:
+# nomad_backup_token: 1677848e-1fcd-b24a-6fb0-56b503d75651
+# or a more advanced use
+# nomad_backup_token: $(VAULT_TOKEN=$(cat /run/vault_agent/vault.token) vault read -field=secret_id nomad/creds/admin ttl=1m)

roles/nomad/tasks/install.yml

@@ -78,7 +78,7 @@
   tags: nomad
 
 - name: Install backup hooks
-  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/nomad mode=755
+  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/nomad mode=700
   loop:
     - pre
     - post

roles/nomad/templates/pre-backup.j2

@@ -2,10 +2,15 @@
 
 set -eo pipefail
 
-{% if nomad_conf.tls.http %}
-NOMAD_ADDR=https://localhost:{{ nomad_services.http.port }} \
-NOMAD_CACERT={{ nomad_conf.tls.ca_file }} \
-NOMAD_CLIENT_CERT={{ nomad_root_dir }}/tls/cli.crt \
-NOMAD_CLIENT_KEY={{ nomad_root_dir }}/tls/cli.key \
+{% if nomad_conf.server.enabled %}
+if [ -e /etc/profile.d/vault.sh ]; then
+  source /etc/profile.d/vault.sh
+fi
+if [ -e /etc/profile.d/nomad.sh ]; then
+  source /etc/profile.d/nomad.sh
+fi
+{% if nomad_conf.acl.enabled and nomad_backup_token is defined %}
+export NOMAD_TOKEN={{ nomad_backup_token }}
 {% endif %}
-{{ nomad_root_dir }}/bin/nomad operator snapshot save {{ nomad_root_dir }}/backup/nomad.snap
+{% endif %}
+/usr/local/bin/nomad operator snapshot save {{ nomad_root_dir }}/backup/nomad.snap