Update to 2022-09-02 18:00

roles/nomad/templates/agent.crt.tpl.j2

@@ -0,0 +1,3 @@
+{{ with secret "[[ nomad_vault.pki.path ]]/issue/[[ nomad_vault.pki.role ]]" "common_name=[[ (nomad_conf.server.enabled) | ternary('server', 'client') ]].[[ nomad_conf.region | default('global') ]].nomad" "ttl=[[ nomad_vault.pki.ttl ]]" "alt_names=localhost,[[ inventory_hostname ]],{% if nomad_conf.server.enabled and nomad_conf.client.enabled %}client.[[ nomad_conf.region | default('global') ]].nomad{% endif %}" "ip_sans=127.0.0.1,[[ ansible_default_ipv4.address ]]"}}
+{{ .Data.certificate }}
+{{ end }}

roles/nomad/templates/agent_cert.tpl.j2

@@ -0,0 +1,3 @@
+[[ with secret "{{ nomad_vault.pki.path }}/issue/{{ nomad_vault.pki.role }}" "common_name={{ (nomad_conf.server.enabled) | ternary('server', 'client') }}.{{ nomad_conf.region | default('global') }}.nomad" "ttl={{ nomad_vault.pki.ttl }}" "alt_names=localhost,{{ inventory_hostname }},{% if nomad_conf.server.enabled and nomad_conf.client.enabled %}client.{{ nomad_conf.region | default('global') }}.nomad{% endif %}" "ip_sans=127.0.0.1,{{ ansible_default_ipv4.address }}" ]]
+[[ .Data.{{ item.what }} ]]
+[[ end ]]

roles/nomad/templates/cli_cert.tpl.j2

@@ -0,0 +1,3 @@
+[[ with secret "{{ nomad_vault.pki.path }}/issue/{{ nomad_vault.pki.role }}" "ttl={{ nomad_vault.pki.ttl }}" ]]
+[[ .Data.{{ item.what }} ]]
+[[ end ]]

roles/nomad/templates/consul-template-nomad.service.j2

@@ -0,0 +1,18 @@
+[Unit]
+Description="HashiCorp consul-template"
+Documentation=https://github.com/hashicorp/consul-template
+Requires=network-online.target
+After=network-online.target
+ConditionFileNotEmpty={{ nomad_root_dir }}/consul-template/consul-template.hcl
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/consul-template -config={{ nomad_root_dir }}/consul-template/consul-template.hcl
+ExecReload=/bin/kill --signal HUP $MAINPID
+KillSignal=SIGINT
+Restart=on-failure
+RestartSec=2
+
+[Install]
+WantedBy=multi-user.target
+

roles/nomad/templates/consul-template.hcl.j2

@@ -0,0 +1,54 @@
+vault {
+  address      = "{{ nomad_vault.address }}"
+  token        = "{{ nomad_vault.token }}"
+  unwrap_token = false
+}
+
+template {
+  source          = "{{ nomad_root_dir }}/consul-template/agent.crt.tpl"
+  left_delimiter  = "[["
+  right_delimiter = "]]"
+  destination     = "{{ nomad_conf.tls.cert_file }}"
+  perms           = 0644
+  exec {
+    command = "systemctl reload nomad"
+  }
+}
+
+template {
+  source          = "{{ nomad_root_dir }}/consul-template/agent.key.tpl"
+  left_delimiter  = "[["
+  right_delimiter = "]]"
+  destination     = "{{ nomad_conf.tls.key_file }}"
+  perms           = 0640
+  exec {
+    command = ["sh", "-c", "chgrp {{ nomad_user }} {{ nomad_conf.tls.key_file }} && systemctl reload nomad"]
+  }
+}
+
+template {
+  source          = "{{ nomad_root_dir }}/consul-template/ca.crt.tpl"
+  left_delimiter  = "[["
+  right_delimiter = "]]"
+  destination     = "{{ nomad_conf.tls.ca_file }}"
+  perms           = 0644
+  exec {
+    command = "systemctl reload nomad"
+  }
+}
+
+template {
+  source          = "{{ nomad_root_dir }}/consul-template/cli.crt.tpl"
+  left_delimiter  = "[["
+  right_delimiter = "]]"
+  destination     = "{{ nomad_root_dir }}/tls/cli.crt"
+}
+
+template {
+  source          = "{{ nomad_root_dir }}/consul-template/cli.key.tpl"
+  left_delimiter  = "[["
+  right_delimiter = "]]"
+  destination     = "{{ nomad_root_dir }}/tls/cli.key"
+  perms           = 0640
+}
+

roles/nomad/templates/nomad.hcl.j2

@@ -181,3 +181,30 @@ consul {
 {% endfor %}
 {% endif %}
 }
+
+vault {
+{% for key in ['enabled', 'tls_skip_verify', 'allow_unauthenticated'] %}
+{% if nomad_conf.vault[key] is defined %}
+  {{ key }} = {{ nomad_conf.vault[key] | ternary('true', 'false') }}
+{% endif %}
+{% endfor %}
+{% for key in ['address', 'create_from_role', 'task_token_ttl', 'ca_file', 'ca_path', 'cert_file', 'key_file', 'namespace', 'tls_server_name', 'token'] %}
+{% if nomad_conf.vault[key] is defined %}
+  {{ key }} = "{{ nomad_conf.vault[key] }}"
+{% endif %}
+{% endfor %}
+}
+
+tls {
+{% for key in ['ca_file', 'cert_file', 'key_file', 'tls_min_version', 'tls_cipher_suites'] %}
+{% if nomad_conf.tls[key] is defined %}
+  {{ key }} = "{{ nomad_conf.tls[key] }}"
+{% endif %}
+{% endfor %}
+
+{% for key in ['http', 'rpc', 'rpc_upgrade_mode', 'tls_prefer_server_cipher_suites', 'verify_https_client', 'verify_server_hostname'] %}
+{% if nomad_conf.tls[key] is defined %}
+  {{ key }} = {{ nomad_conf.tls[key] | ternary('true', 'false') }}
+{% endif %}
+{% endfor %}
+}

roles/nomad/templates/pre-backup.j2

@@ -2,4 +2,12 @@
 
 set -eo pipefail
 
+{% if nomad_conf.tls.http %}
+NOMAD_ADDR=https://localhost:{{ nomad_services.http.port }} \
+NOMAD_CACERT={{ nomad_conf.tls.ca_file }} \
+{% endif %}
+{% if nomad_vault.enabled %}
+NOMAD_CLIENT_CERT={{ nomad_root_dir }}/tls/cli.crt \
+NOMAD_CLIENT_KEY={{ nomad_root_dir }}/tls/cli.key \
+{% endif %}
 {{ nomad_root_dir }}/bin/nomad operator snapshot save {{ nomad_root_dir }}/backup/nomad.snap

roles/nomad/templates/profile.sh.j2

@@ -0,0 +1,8 @@
+{% if nomad_conf.tls.http %}
+export NOMAD_ADDR=https://localhost:{{ nomad_services.http.port }}
+export NOMAD_CACERT={{ nomad_conf.tls.ca_file }}
+{% if nomad_vault.enabled %}
+export NOMAD_CLIENT_CERT={{ nomad_root_dir }}/tls/cli.crt
+export NOMAD_CLIENT_KEY={{ nomad_root_dir }}/tls/cli.key
+{% endif %}
+{% endif %}