Update to 2022-09-02 18:00

roles/nomad/tasks/conf.yml

@@ -1,5 +1,24 @@
 ---
 
+- name: Generate self-signed certificate
+  import_tasks: ../includes/create_selfsigned_cert.yml
+  vars:
+    cert_path: "{{ nomad_conf.tls.cert_file }}"
+    cert_key_path: "{{ nomad_conf.tls.key_file }}"
+    cert_key_group: "{{ nomad_user }}"
+    cert_key_mode: 640
+  tags: nomad
+
+- name: Check if CA exists
+  stat: path={{ nomad_conf.tls.ca_file }}
+  register: nomad_ca_file
+  tags: nomad
+
+- name: Copy cert as CA
+  copy: src={{ nomad_conf.tls.cert_file }} dest={{ nomad_conf.tls.ca_file }} remote_src=True
+  when: not nomad_ca_file.stat.exists
+  tags: nomad
+
 - name: Deploy nomad configuration
   block:
     - name: Deploy nomad configuration
@@ -73,3 +92,46 @@
   loop: "{{ nomad_backup_configs.stdout_lines }}"
   tags: nomad
 
+- when: nomad_vault.enabled
+  block:
+
+    - name: Deploy consul-template config
+      template: src=consul-template.hcl.j2 dest={{ nomad_root_dir }}/consul-template/consul-template.hcl
+      notify: restart consul-template-nomad
+
+    - name: Deploy consul-template agent cert template
+      template: src=agent_cert.tpl.j2 dest={{ nomad_root_dir }}/consul-template/{{ item.where }} owner=root group=root
+      loop:
+        - what: certificate
+          where: agent.crt.tpl
+        - what: private_key
+          where: agent.key.tpl
+        - what: issuing_ca
+          where: ca.crt.tpl
+      notify: restart consul-template-nomad
+
+    - name: Deploy consul-template cli cert template
+      template: src=cli_cert.tpl.j2 dest={{ nomad_root_dir }}/consul-template/{{ item.where }} owner=root group=root
+      loop:
+        - what: certificate
+          where: cli.crt.tpl
+        - what: private_key
+          where: cli.key.tpl
+      notify: restart consul-template-nomad
+
+  tags: nomad
+
+- name: Set ACL on the TLS dir
+  shell: |
+    setfacl -R -b -x {{ nomad_root_dir }}/tls
+    {% if nomad_admin_groups | length > 0 %}
+    setfacl -R -m {% for group in nomad_admin_groups %}g:{{ group }}:rX{{ ',' if not loop.last }}{% endfor %} {{ nomad_root_dir }}/tls
+    setfacl -R -m {% for group in nomad_admin_groups %}d:g:{{ group }}:rX{{ ',' if not loop.last }}{% endfor %} {{ nomad_root_dir }}/tls
+    {% endif %}
+  changed_when: False
+  failed_when: False # Do not fail if eg, the FS doesn't support ACL
+  tags: nomad
+
+- name: Deploy profile script
+  template: src=profile.sh.j2 dest=/etc/profile.d/nomad.sh
+  tags: nomad

roles/nomad/tasks/directories.yml

@@ -31,6 +31,10 @@
       group: "{{ nomad_user }}"
     - dir: etc
       owner: root
-      group: "{{ nomad_user }}"
-      mode: 750
+      mode: 755
+    - dir: tls
+      owner: root
+      mode: 755
+    - dir: consul-template
+      mode: 755
   tags: nomad

roles/nomad/tasks/install.yml

@@ -109,9 +109,22 @@
   notify: restart nomad
   tags: nomad
 
+- name: Install backup hooks
+  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/nomad mode=755
+  loop:
+    - pre
+    - post
+  tags: nomad
+
+- name: Install consul-template unit
+  template: src=consul-template-nomad.service.j2 dest=/etc/systemd/system/consul-template-nomad.service
+  register: nomad_consul_tpl_unit
+  notify: restart consul-template-nomad
+  tags: nomad
+
 - name: Reload systemd
   systemd: daemon_reload=True
-  when: nomad_unit.changed
+  when: nomad_unit.changed or (nomad_consul_tpl_unit is defined and nomad_consul_tpl_unit.changed)
   tags: nomad
 
 - name: Install backup hooks

roles/nomad/tasks/services.yml

@@ -4,3 +4,7 @@
   service: name=nomad state=started enabled=True
   register: nomad_service_started
   tags: nomad
+
+- name: Handle consul-template-nomad service
+  service: name=consul-template-nomad state={{ nomad_vault.enabled | ternary('started', 'stopped') }} enabled={{ nomad_vault.enabled | ternary(True, False) }}
+  tags: nomad