Update to 2023-07-08 16:00

2025-08-07 00:57:00 +02:00 · 2023-07-08 16:00:11 +02:00
parent f16dd6e98d
commit d87c1bdc89
60 changed files with 708 additions and 439 deletions
--- a/roles/nomad/tasks/conf.yml
+++ b/roles/nomad/tasks/conf.yml
@@ -5,8 +5,7 @@
  vars:
    cert_path: "{{ nomad_conf.tls.cert_file }}"
    cert_key_path: "{{ nomad_conf.tls.key_file }}"
-    cert_key_group: "{{ nomad_user }}"
-    cert_key_mode: 640
+    cert_key_mode: omit
  tags: nomad

 - name: Check if CA exists
@@ -26,8 +25,7 @@
      vars:
        cert_path: "{{ nomad_conf.consul.cert_file }}"
        cert_key_path: "{{ nomad_conf.consul.key_file }}"
-        cert_key_group: "{{ nomad_user }}"
-        cert_key_mode: 640
+        cert_key_mode: omit
      tags: nomad

    - name: Check if CA exists
@@ -113,27 +111,67 @@
  loop: "{{ nomad_backup_configs.stdout_lines }}"
  tags: nomad

- name: Deploy consul-template config
-  template: src=consul-template.hcl.j2 dest={{ nomad_root_dir }}/consul-template/consul-template.hcl mode=600 owner=root group=root
-  notify: restart consul-template-nomad
-  when: nomad_vault_secrets.pki.enabled or nomad_vault_secrets.tokens.enabled
-  tags: nomad
-
- name: Deploy consul-template agent bundle template
-  template: src=agent_bundle.pem.tpl.j2 dest={{ nomad_root_dir }}/consul-template/agent_bundle.pem.tpl owner=root group=root
-  notify: restart consul-template-nomad
-  when: nomad_vault_secrets.pki.enabled
-  tags: nomad
-
- name: Deploy consul-template cli bundle template
-  template: src=cli_bundle.pem.tpl.j2 dest={{ nomad_root_dir }}/consul-template/cli_bundle.pem.tpl owner=root group=root
-  notify: restart consul-template-nomad
-  when: nomad_vault_secrets.pki.enabled and nomad_conf.server.enabled
-  tags: nomad
+#- name: Deploy vault-agent config
+#  template: src=vault/agent.hcl.j2 dest={{ nomad_root_dir }}/vault/agent.hcl mode=640 owner=root group={{ nomad_user }}
+#  notify: restart nomad-vault-agent
+#  when: nomad_vault_agent.nomad_pki.enabled or nomad_vault_agent.consul_pki.enabled
+#  tags: nomad
+#
+#- name: Deploy agent cert bundle template
+#  template: src=vault/agent_bundle.pem.tpl.j2 dest={{ nomad_root_dir }}/vault/templates/agent_bundle.pem.tpl owner=root group=root
+#  notify: restart nomad-vault-agent
+#  when: nomad_vault_agent.nomad_pki.enabled or nomad_vault_agent.consul_pki.enabled
+#  tags: nomad
+#  
+#- name: Deploy cli cert bundle template
+#  template: src=vault/cli_bundle.pem.tpl.j2 dest={{ nomad_root_dir }}/vault/templates/cli_bundle.pem.tpl owner=root group=root
+#  notify: restart nomad-vault-agent
+#  when: (nomad_vault_agent.nomad_pki.enabled or nomad_vault_agent.consul_pki.enabled) and nomad_conf.server.enabled
+#  tags: nomad
+#
+#- name: Deploy consul token template
+#  template: src=vault/consul_token.tpl.j2 dest={{ nomad_root_dir }}/vault/templates/consul_token.tpl owner=root group=root
+#  notify: restart nomad-vault-agent
+#  when: (nomad_vault_agent.consul_token.enabled) and nomad_conf.server.enabled
+#  tags: nomad
+#
+#- fail: msg="Only one of token or approle should be configured"
+#  when:
+#    - nomad_vault_agent.auth.approle is defined
+#    - nomad_vault_agent.auth.token is defined
+#  tags: nomad
+#
+#- name: Setup AppRole auth
+#  block:
+#    - copy: content={{ nomad_vault_agent.auth.approle.role_id }} dest={{ nomad_root_dir }}/vault/role_id owner=root group={{ nomad_user }} mode=640
+#    - copy: content={{ nomad_vault_agent.auth.approle.secret_id }} dest={{ nomad_root_dir }}/vault/secret_id owner=root group={{ nomad_user }} mode=640
+#    - file: path={{ nomad_root_dir }}/vault/token state=absent
+#  when:
+#    - nomad_vault_agent.auth is defined
+#    - nomad_vault_agent.auth.approle is defined
+#    - nomad_vault_agent.auth.approle.role_id is defined
+#    - nomad_vault_agent.auth.approle.secret_id is defined
+#  tags: nomad
+#
+#- name: Setup Token auth
+#  block:
+#    - copy: content={{ nomad_vault_agent.auth.token }} dest={{ nomad_root_dir }}/vault/token owner=root group={{ nomad_user }} mode=640
+#    - file: path={{ nomad_root_dir }}/vault/role_id state=absent
+#    - file: path={{ nomad_root_dir }}/vault/secret_id state=absent
+#  when:
+#    - nomad_vault_agent.auth is defined
+#    - nomad_vault_agent.auth.token is defined
+#  tags: nomad

 - name: Set ACL on the TLS dir
  shell: |
-    setfacl -R -k -b {{ nomad_root_dir }}/tls
+    setfacl -R -b -k {{ nomad_root_dir }}/tls
+    chown -R :{{ nomad_user }} {{ nomad_root_dir }}/tls
+    chmod 750 {{ nomad_root_dir }}/tls
+    chmod 640 {{ nomad_root_dir }}/tls/*
+    setfacl -m u:{{ nomad_user }}:rx {{ nomad_root_dir }}/tls
+    setfacl -m d:u:{{ nomad_user }}:r {{ nomad_root_dir }}/tls
+    setfacl -m u:{{ nomad_user }}:r {{ nomad_root_dir }}/tls/*
    {% if nomad_admin_groups | length > 0 %}
    setfacl -m {% for group in nomad_admin_groups %}g:{{ group }}:rx{{ ',' if not loop.last }}{% endfor %} {{ nomad_root_dir }}/tls
    setfacl -m {% for group in nomad_admin_groups %}d:g:{{ group }}:r{{ ',' if not loop.last }}{% endfor %} {{ nomad_root_dir }}/tls
@@ -147,12 +185,6 @@
  template: src=profile.sh.j2 dest=/etc/profile.d/nomad.sh
  tags: nomad

- name: Deploy consul-template consul cert templates
-  template: src=consul_bundle.pem.tpl.j2 dest={{ nomad_root_dir }}/consul-template/consul_bundle.pem.tpl owner=root group=root
-  notify: restart consul-template-nomad
-  when: nomad_vault_secrets.consul_pki.enabled and nomad_conf.consul.ssl
-  tags: nomad
-
 - name: Ensure the bridge module is loaded
  modprobe: name=bridge state=present
  when: nomad_conf.client.enabled and 'docker' in nomad_enabled_task_drivers