Update to 2023-07-17 17:00

roles/vault_agent/templates/nomad/nomad.hcl.j2

@@ -6,7 +6,7 @@ template {
   right_delimiter = "]]"
   perms           = 0640
   exec {
-    # Wait a few sec before reloading Nomad as it fails if reloaded while not fully initialized yet
+    # No need to restart Nomad as the previous token will be renewed by Nomad itself
     command = ["chown", ":{{ nomad_user }}", "/run/nomad/vault.env"]
   }
 }
@@ -34,7 +34,7 @@ template {
   perms           = 0640
 {% if vault_agent_nomad.nomad_pki.cli.enabled and vault_agent_nomad.nomad_pki.cli.secret_path is defined %}
   exec {
-    command = "{{ vault_agent_root_dir }}/bin/update_nomad_cert.sh"
+    command = ["sh", "-c", "export $(cat /run/nomad/vault.env) && {{ vault_agent_root_dir }}/bin/update_nomad_cert.sh"]
   }
 {% endif %}
 }
@@ -63,7 +63,7 @@ template {
   right_delimiter = "]]"
   perms           = 0640
   exec {
-    command = ["chown", ":{{ nomad_user}}", "/run/nomad/consul.env"]
+    command = ["sh", "-c", "chown :{{ nomad_user }} /run/nomad/consul.env && systemctl restart nomad"]
   }
 }
 {% endif %}

roles/vault_agent/templates/vault-agent.service.j2

@@ -8,12 +8,6 @@ StartLimitIntervalSec=60
 StartLimitBurst=6
 Before=consul.service
 Before=nomad.service
-{% if vault_agent_nomad.nomad_pki.enabled or vault_agent_nomad.vault_token.enabled or vault_agent_nomad.consul_pki.enabled or vault_agent_nomad.consul_token.enabled %}
-PartOf=nomad.service
-{% endif %}
-{% if vault_agent_consul.consul_pki.enabled %}
-PartOf=consul.service
-{% endif %}
 
 [Service]
 Type=notify
@@ -41,9 +35,9 @@ LimitMEMLOCK=infinity
 [Install]
 WantedBy=multi-user.target
 {% if vault_agent_nomad.nomad_pki.enabled or vault_agent_nomad.vault_token.enabled or vault_agent_nomad.consul_pki.enabled or vault_agent_nomad.consul_token.enabled %}
-RequiredBy=nomad.service
+WantedBy=nomad.service
 {% endif %}
 {% if vault_agent_consul.consul_pki.enabled %}
-RequiredBy=consul.service
+WantedBy=consul.service
 {% endif %}