From f5d93fc293bc4f9275d958841ff67211629a71ba Mon Sep 17 00:00:00 2001 From: Daniel Berteaud Date: Sun, 9 Jul 2023 23:00:09 +0200 Subject: [PATCH] Update to 2023-07-09 23:00
---
 roles/nomad/defaults/main.yml | 11 +++++
 roles/nomad/tasks/conf.yml | 63 +++++------------------------
 roles/nomad/tasks/services.yml | 16 +++++---
 roles/nomad/templates/nomad.hcl.j2 | 21 ++++++++++
 roles/nomad/vars/RedHat.yml | 1 +
 roles/wkhtmltopdf/defaults/main.yml | 2 +-
 6 files changed, 55 insertions(+), 59 deletions(-)
diff --git a/roles/nomad/defaults/main.yml b/roles/nomad/defaults/main.yml
index 01a76a4..dda987f 100644
--- a/roles/nomad/defaults/main.yml
+++ b/roles/nomad/defaults/main.yml
@@ -131,6 +131,17 @@ nomad_base_conf:
 enabled: False podman: enabled: False # Note on EL8, it cannot be used with docker as there are package conflicts, see https://bugs.centos.org/view.php?id=16892
+ volumes:
+ enabled: False
+ # socket_path: unix:///run/podman/podman.sock
+ recover_stopped: False
+ extra_labels:
+ - job_name
+ - task_group_name
+ - task_name
+ - namespace
+ - node_name
+ - node_id
 containerd-driver: enabled: False containerd_runtime: io.containerd.runc.v2
diff --git a/roles/nomad/tasks/conf.yml b/roles/nomad/tasks/conf.yml
index 9d87a79..8cf3fd8 100644
--- a/roles/nomad/tasks/conf.yml
+++ b/roles/nomad/tasks/conf.yml
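Review bot: The new `volumes.enabled: False` key is undocumented although it is the one setting in this block with a real security consequence — per the driver's documentation it controls whether jobs may bind-mount host paths into their containers, which is root-equivalent access to the node for anyone allowed to submit a job. The neighbouring podman entry explains its package conflict, so this one deserves at least `# Lets jobs bind-mount arbitrary host paths (root-equivalent on the node); keep False unless all job submitters are trusted` above it. The commented `socket_path` example would also benefit from a note that `/run/podman/podman.sock` is the rootful API socket, so every task launched through the driver is run by a root podman.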
@@ -111,58 +111,6 @@
 loop: "{{ nomad_backup_configs.stdout_lines }}" tags: nomad
-#- name: Deploy vault-agent config
-# template: src=vault/agent.hcl.j2 dest={{ nomad_root_dir }}/vault/agent.hcl mode=640 owner=root group={{ nomad_user }}
-# notify: restart nomad-vault-agent
-# when: nomad_vault_agent.nomad_pki.enabled or nomad_vault_agent.consul_pki.enabled
-# tags: nomad
-#
-#- name: Deploy agent cert bundle template
-# template: src=vault/agent_bundle.pem.tpl.j2 dest={{ nomad_root_dir }}/vault/templates/agent_bundle.pem.tpl owner=root group=root
-# notify: restart nomad-vault-agent
-# when: nomad_vault_agent.nomad_pki.enabled or nomad_vault_agent.consul_pki.enabled
-# tags: nomad
-#
-#- name: Deploy cli cert bundle template
-# template: src=vault/cli_bundle.pem.tpl.j2 dest={{ nomad_root_dir }}/vault/templates/cli_bundle.pem.tpl owner=root group=root
-# notify: restart nomad-vault-agent
-# when: (nomad_vault_agent.nomad_pki.enabled or nomad_vault_agent.consul_pki.enabled) and nomad_conf.server.enabled
-# tags: nomad
-#
-#- name: Deploy consul token template
-# template: src=vault/consul_token.tpl.j2 dest={{ nomad_root_dir }}/vault/templates/consul_token.tpl owner=root group=root
-# notify: restart nomad-vault-agent
-# when: (nomad_vault_agent.consul_token.enabled) and nomad_conf.server.enabled
-# tags: nomad
-#
-#- fail: msg="Only one of token or approle should be configured"
-# when:
-# - nomad_vault_agent.auth.approle is defined
-# - nomad_vault_agent.auth.token is defined
-# tags: nomad
-#
-#- name: Setup AppRole auth
-# block:
-# - copy: content={{ nomad_vault_agent.auth.approle.role_id }} dest={{ nomad_root_dir }}/vault/role_id owner=root group={{ nomad_user }} mode=640
-# - copy: content={{ nomad_vault_agent.auth.approle.secret_id }} dest={{ nomad_root_dir }}/vault/secret_id owner=root group={{ nomad_user }} mode=640
-# - file: path={{ nomad_root_dir }}/vault/token state=absent
-# when:
-# - nomad_vault_agent.auth is defined
-# - 
nomad_vault_agent.auth.approle is defined
-# - nomad_vault_agent.auth.approle.role_id is defined
-# - nomad_vault_agent.auth.approle.secret_id is defined
-# tags: nomad
-#
-#- name: Setup Token auth
-# block:
-# - copy: content={{ nomad_vault_agent.auth.token }} dest={{ nomad_root_dir }}/vault/token owner=root group={{ nomad_user }} mode=640
-# - file: path={{ nomad_root_dir }}/vault/role_id state=absent
-# - file: path={{ nomad_root_dir }}/vault/secret_id state=absent
-# when:
-# - nomad_vault_agent.auth is defined
-# - nomad_vault_agent.auth.token is defined
-# tags: nomad
-
 - name: Set ACL on the TLS dir shell: | setfacl -R -b -k {{ nomad_root_dir }}/tls
@@ -208,3 +156,14 @@
 - name: Deploy Docker auth config template: src=docker_auth.json.j2 dest={{ nomad_root_dir }}/docker/auth.json owner={{ nomad_user }} group={{ nomad_user }} mode=600 tags: nomad
+
+- name: Set userns for podman
+ lineinfile:
+ dest: /etc/{{ item }}
+ regexp: '^containers:.+'
+ line: 'containers:100000:65536'
+ loop:
+ - subuid
+ - subgid
+ when: nomad_conf.client.enabled and 'podman' in nomad_enabled_task_drivers
+ tags: nomad
diff --git a/roles/nomad/tasks/services.yml b/roles/nomad/tasks/services.yml
index 98a8d8a..f161d4a 100644
--- a/roles/nomad/tasks/services.yml
+++ b/roles/nomad/tasks/services.yml
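Review bot: The hard-coded `containers:100000:65536` range written to /etc/subuid and /etc/subgid is never checked against ranges already allocated on the host; shadow-utils' useradd hands out subordinate ranges starting at 100000 by default, so on a node that already has an ordinary user the `containers` range would overlap that user's range and container root inside podman's user namespace would map onto the same host UIDs as that user's own rootless containers, which defeats the isolation this task is meant to provide. The start and size should at least be role variables, e.g. `line: 'containers:{{ nomad_podman_subid_start }}:{{ nomad_podman_subid_count }}'` with the two defaults declared in defaults/main.yml, and the task should be preceded by a check (a `grep`/`command` plus `fail`) that no other entry in the file already covers that range. Two smaller points: `lineinfile` errors out when the target file does not exist, so add `create: true` together with `owner: root`, `group: root`, `mode: '0644'`; and this task gates on `'podman' in nomad_enabled_task_drivers` while services.yml gates the same driver on `nomad_conf.client.task_drivers.podman.enabled`, so the two conditions can silently diverge unless one is derived from the other.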
@@ -19,10 +19,14 @@
 enabled: "{{ (nomad_conf.client.enabled and iptables_manage | default(True)) | ternary(True, False) }}" tags: nomad
-#- name: Handle nomad-vault-agent service
-# service:
-# name: nomad-vault-agent
-# state: "{{ (nomad_vault_agent.nomad_pki.enabled or nomad_vault_agent.consul_pki.enabled or nomad_vault_agent.consul_token.enabled) | ternary('started', 'stopped') }}"
-# enabled: "{{ (nomad_vault_agent.nomad_pki.enabled or nomad_vault_agent.consul_pki.enabled or nomad_vault_agent.consul_token.enabled) | ternary(True, False) }}"
-# tags: nomad
+- name: Handle podman service
+ systemd:
+ name: podman.socket
+ state: started
+ enabled: True
+ when:
+ - nomad_conf.client.enabled
+ - nomad_conf.client.task_drivers.podman.enabled
+ tags: nomad
+
diff --git a/roles/nomad/templates/nomad.hcl.j2 b/roles/nomad/templates/nomad.hcl.j2
index aa061c9..4999cc7 100644
--- a/roles/nomad/templates/nomad.hcl.j2
+++ b/roles/nomad/templates/nomad.hcl.j2
@@ -133,6 +133,27 @@ plugin "docker" {
 } }
+{% if 'podman' in nomad_enabled_task_drivers %}
+plugin "podman-driver-podman" {
+ config {
+ recover_stopped = {{ nomad_conf.client.task_drivers.podman.recover_stopped | ternary('true', 'false') }}
+{% if nomad_conf.client.task_drivers.podman.socket_path is defined %}
+ socket_path = "{{ nomad_conf.client.task_drivers.podman.socket_path }}"
+{% endif %}
+{% if nomad_conf.client.task_drivers.podman.volumes.enabled %}
+ volumes {
+ enabled = true
+ }
+{% endif %}
+ extra_labels = [
+{% for label in nomad_conf.client.task_drivers.podman.extra_labels %}
+ "{{ label }}",
+{% endfor %}
+ ]
+ }
+}
+{% endif %}
+
 plugin "raw_exec" { config { enabled = {{ ('raw_exec' in nomad_enabled_task_drivers) | ternary('true', 'false') }}
diff --git a/roles/nomad/vars/RedHat.yml b/roles/nomad/vars/RedHat.yml
index a36f042..2c0d23b 100644
--- a/roles/nomad/vars/RedHat.yml
+++ b/roles/nomad/vars/RedHat.yml
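Review bot: Unlike the vault-agent handler it replaces, the new task only ever starts and enables `podman.socket` — its `when` guard skips the task entirely once the driver is turned off, so a node where podman was later disabled keeps the rootful Podman API socket enabled and listening although nothing is meant to use it any more, and anything able to open that socket gets root-equivalent control of the host. Mirror the removed ternary pattern instead: `state: "{{ nomad_conf.client.task_drivers.podman.enabled | ternary('started', 'stopped') }}"`, `enabled: "{{ nomad_conf.client.task_drivers.podman.enabled | bool }}"`, and reduce the guard to `when: nomad_conf.client.enabled`. Note also that this task keys on `nomad_conf.client.task_drivers.podman.enabled` whereas the conf.yml and template hunks in the same commit key on `'podman' in nomad_enabled_task_drivers`; unless one is derived from the other, the socket can be running without the driver configured or the reverse.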
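Review bot: `volumes.enabled: False` from the role defaults never reaches the driver, because the `{% if ... volumes.enabled %}` only emits a `volumes { enabled = true }` block when the flag is true and emits nothing otherwise, leaving the driver's own default in force — which upstream documents as enabled, so jobs could still bind-mount arbitrary host paths while the role claims to forbid it. Emit the block unconditionally: `volumes {` / `  enabled = {{ nomad_conf.client.task_drivers.podman.volumes.enabled | ternary('true', 'false') }}` / `}`. Separately, the stanza name `plugin "podman-driver-podman"` looks off: Nomad binds a plugin stanza to the binary of the same name in plugin_dir and the upstream binary is `nomad-driver-podman`, so unless the package on these hosts really installs a `podman-driver-podman` binary the whole config block will be ignored and the driver will again run on its defaults. The `socket_path` and label values are also interpolated into HCL string literals without escaping, which is acceptable for role-controlled defaults but worth a comment if they may ever be set from inventory.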
@@ -6,6 +6,7 @@ nomad_packages:
 - unzip - acl
+# Note : there's no package for the Docker driver as it'll pull the docker role already
 nomad_task_driver_packages: java: - java-17-openjdk-headless
diff --git a/roles/wkhtmltopdf/defaults/main.yml b/roles/wkhtmltopdf/defaults/main.yml
index 2945d3b..2c455e2 100644
--- a/roles/wkhtmltopdf/defaults/main.yml
+++ b/roles/wkhtmltopdf/defaults/main.yml
@@ -1,3 +1,3 @@
 ---
-wkhtmltopdf_version: 0.12.6-1
+wkhtmltopdf_version: 0.12.6.1-3