Update to 2022-09-02 18:00

2025-08-07 00:57:00 +02:00 · 2022-09-02 18:00:22 +02:00
parent 67bfcd5db3
commit 24a4eac5e0
23 changed files with 400 additions and 6 deletions
--- a/roles/nomad/tasks/conf.yml
+++ b/roles/nomad/tasks/conf.yml
@@ -1,5 +1,24 @@
 ---

+- name: Generate self-signed certificate
+  import_tasks: ../includes/create_selfsigned_cert.yml
+  vars:
+    cert_path: "{{ nomad_conf.tls.cert_file }}"
+    cert_key_path: "{{ nomad_conf.tls.key_file }}"
+    cert_key_group: "{{ nomad_user }}"
+    cert_key_mode: 640
+  tags: nomad
+
+- name: Check if CA exists
+  stat: path={{ nomad_conf.tls.ca_file }}
+  register: nomad_ca_file
+  tags: nomad
+
+- name: Copy cert as CA
+  copy: src={{ nomad_conf.tls.cert_file }} dest={{ nomad_conf.tls.ca_file }} remote_src=True
+  when: not nomad_ca_file.stat.exists
+  tags: nomad
+
 - name: Deploy nomad configuration
  block:
    - name: Deploy nomad configuration
@@ -73,3 +92,46 @@
  loop: "{{ nomad_backup_configs.stdout_lines }}"
  tags: nomad

+- when: nomad_vault.enabled
+  block:
+
+    - name: Deploy consul-template config
+      template: src=consul-template.hcl.j2 dest={{ nomad_root_dir }}/consul-template/consul-template.hcl
+      notify: restart consul-template-nomad
+
+    - name: Deploy consul-template agent cert template
+      template: src=agent_cert.tpl.j2 dest={{ nomad_root_dir }}/consul-template/{{ item.where }} owner=root group=root
+      loop:
+        - what: certificate
+          where: agent.crt.tpl
+        - what: private_key
+          where: agent.key.tpl
+        - what: issuing_ca
+          where: ca.crt.tpl
+      notify: restart consul-template-nomad
+
+    - name: Deploy consul-template cli cert template
+      template: src=cli_cert.tpl.j2 dest={{ nomad_root_dir }}/consul-template/{{ item.where }} owner=root group=root
+      loop:
+        - what: certificate
+          where: cli.crt.tpl
+        - what: private_key
+          where: cli.key.tpl
+      notify: restart consul-template-nomad
+
+  tags: nomad
+
+- name: Set ACL on the TLS dir
+  shell: |
+    setfacl -R -b -x {{ nomad_root_dir }}/tls
+    {% if nomad_admin_groups | length > 0 %}
+    setfacl -R -m {% for group in nomad_admin_groups %}g:{{ group }}:rX{{ ',' if not loop.last }}{% endfor %} {{ nomad_root_dir }}/tls
+    setfacl -R -m {% for group in nomad_admin_groups %}d:g:{{ group }}:rX{{ ',' if not loop.last }}{% endfor %} {{ nomad_root_dir }}/tls
+    {% endif %}
+  changed_when: False
+  failed_when: False # Do not fail if eg, the FS doesn't support ACL
+  tags: nomad
+
+- name: Deploy profile script
+  template: src=profile.sh.j2 dest=/etc/profile.d/nomad.sh
+  tags: nomad