Update to 2022-09-02 18:00

roles/nomad/defaults/main.yml

@@ -1,11 +1,11 @@
 ---
 
 # Version of Nomad to install
-nomad_version: 1.3.4
+nomad_version: 1.3.5
 # URL of the archive
 nomad_archive_url: https://releases.hashicorp.com/nomad/{{ nomad_version }}/nomad_{{ nomad_version }}_linux_amd64.zip
 # Expected sha256 of the archive
-nomad_archive_sha256: c20d26b411c1df9c9b7a571e3ba6ee900772703211c565224612bfc199473be9
+nomad_archive_sha256: a4bf189e6a84c4bc7d6090529c87b32e6b4b09b47163514d33305aa867d7c4dc
 
 # List of plugins to install
 nomad_plugins:
@@ -23,6 +23,9 @@ nomad_root_dir: /opt/nomad
 # Servers can run under an unprivileged user, while clients should run as root (or with equivalent privileges)
 nomad_user: "{{ nomad_conf.client.enabled | ternary('root', 'nomad') }}"
 
+# List of Unix group which will be nomad admins
+nomad_admin_groups: "{{ system_admin_groups | default([]) }}"
+
 # If ACL are enabled, you need to set a management token for ansible
 # to be able to manage Nomad (eg snapshot before upgrades)
 # nomad_mgm_token: XXXXXXXXX
@@ -52,6 +55,18 @@ nomad_base_conf:
     # replication_token: ...
 
 
+  # TLS Settings
+  # See the nomad_vault configuration if you want to integrate with vault to obtain and renew the certificates
+  tls:
+    http: False
+    rpc: False
+    ca_file: "{{ nomad_root_dir }}/tls/ca.crt"
+    cert_file: "{{ nomad_root_dir }}/tls/nomad.crt"
+    key_file: "{{ nomad_root_dir }}/tls/nomad.key"
+    rpc_upgrade_mode: False
+    verify_https_client: False
+    verify_server_hostname: False
+
   # Client related settings
   # The default is to act as a client if the hostname is not listed in nomad servers
   client:
@@ -165,6 +180,14 @@ nomad_base_conf:
     # allow_unauthenticated: True
     # tags: []
 
+  # Vault integration
+  vault:
+    enabled: False
+    create_from_role: nomad-cluster
+    #address: https://vault.exaple.org:8200
+    #ca_path: /opt/nomad/tls/vault_ca.crt
+    #cert_file: /opt/nomad/tls/vault.crt
+    #key_file: /opt/nomad/tls/vault.key
 
 
 # You can override part of the default config without rewriting everything else
@@ -198,3 +221,19 @@ nomad_base_services:
 nomad_extra_services: {}
 nomad_host_services: {}
 nomad_services: "{{ nomad_base_services | combine(nomad_extra_services, recursive=True) | combine(nomad_host_services, recursive=True) }}"
+
+# When using vault to setup TLS for Nomad
+nomad_base_vault:
+  enabled: False
+  address: "{{ nomad_conf.vault.address | default(omit) }}"
+  # Token to use to issue certificates
+  # token: XXXXXXXXX
+  pki:
+    # The path of the PKI secret where cert will be issued
+    path: /pki/nomad
+    role: nomad-cluster
+    ttl: 24h
+
+nomad_extra_vault: {}
+nomad_host_vault: {}
+nomad_vault: "{{ nomad_base_vault | combine(nomad_extra_vault, recursive=True) | combine(nomad_host_vault, recursive=True) }}"