Update to 2024-10-08 16:00

roles/nomad/tasks/conf.yml

@@ -40,6 +40,7 @@
 
     - name: Deploy logrotate conf
       template: src=logrotate.conf.j2 dest=/etc/logrotate.d/nomad-jwks-proxy
+
   tags: nomad
 
 - name: Deploy jwks-proxy unit
@@ -152,25 +153,37 @@
   template: src=profile.sh.j2 dest=/etc/profile.d/nomad.sh
   tags: nomad
 
-- name: Ensure the bridge module is loaded
-  modprobe: name=bridge state=present
-  when: nomad_conf.client.enabled and 'docker' in nomad_enabled_task_drivers
-  tags: nomad
+- when: nomad_conf.client.enabled and 'docker' in nomad_enabled_task_drivers
+  block:
+    - name: Ensure the bridge module is loaded
+      modprobe: name={{ item }} state=present
+      loop:
+        - bridge
+        - br_netfilter
 
-#- name: Set sysctl
-#  sysctl:
-#    name: "{{ item.key }}"
-#    value: "{{ item.val }}"
-#    sysctl_file: /etc/sysctl.d/nomad.conf
-#    state: "{{ (nomad_conf.client.enabled and 'docker' in nomad_enabled_task_drivers) | ternary('present', 'absent') }}"
-#  loop:
-#    - key: net.bridge.bridge-nf-call-arptables
-#      val: 1
-#    - key: net.bridge.bridge-nf-call-ip6tables
-#      val: 1
-#    - key: net.bridge.bridge-nf-call-iptables
-#      val: 1
-#  tags: nomad
+    - name: Configure br_netfilter to be loaded
+      copy:
+        content: |
+          bridge
+          br_netfilter
+        dest: /etc/modules-load.d/nomad.conf
+      tags: nomad
+
+    - name: Set sysctl
+      sysctl:
+        name: "{{ item.key }}"
+        value: "{{ item.val }}"
+        sysctl_file: /etc/sysctl.d/nomad.conf
+        state: "{{ (nomad_conf.client.enabled and 'docker' in nomad_enabled_task_drivers) | ternary('present', 'absent') }}"
+      loop:
+        - key: net.bridge.bridge-nf-call-arptables
+          val: 1
+        - key: net.bridge.bridge-nf-call-ip6tables
+          val: 1
+        - key: net.bridge.bridge-nf-call-iptables
+          val: 0
+
+  tags: nomad
 
 - name: Deploy Docker auth config
   template: src=docker_auth.json.j2 dest={{ nomad_root_dir }}/docker/auth.json owner={{ nomad_user }} group={{ nomad_user }} mode=600

roles/nomad/tasks/directories.yml

@@ -19,6 +19,26 @@
     - dir: tmp
       owner: "{{ nomad_user }}"
       group: "{{ nomad_user }}"
+    - dir: tmp/proxy_temp
+      owner: "{{ nomad_user }}"
+      group: "{{ nomad_user }}"
+      mode: 700
+    - dir: tmp/client_temp
+      owner: "{{ nomad_user }}"
+      group: "{{ nomad_user }}"
+      mode: 700
+    - dir: tmp/fastcgi_temp
+      owner: "{{ nomad_user }}"
+      group: "{{ nomad_user }}"
+      mode: 700
+    - dir: tmp/uwsgi_temp
+      owner: "{{ nomad_user }}"
+      group: "{{ nomad_user }}"
+      mode: 700
+    - dir: tmp/scgi_temp
+      owner: "{{ nomad_user }}"
+      group: "{{ nomad_user }}"
+      mode: 700
     - dir: data
       owner: "{{ nomad_user }}"
       group: "{{ nomad_user }}"

roles/nomad/tasks/main.yml

@@ -20,6 +20,10 @@
   when: iptables_manage | default(True)
   tags: always
 
+- include_tasks: selinux.yml
+  when: ansible_selinux.status == 'enabled'
+  tags: always
+
 - include_tasks: services.yml
   tags: always
 

roles/nomad/tasks/selinux.yml

@@ -0,0 +1,21 @@
+---
+
+- name: Set correct SELinux context
+  sefcontext:
+    target: "{{ nomad_root_dir }}/log(/.*)?"
+    setype: httpd_log_t
+    state: present
+  register: nomad_fcontext
+  when:
+    - nomad_conf.tls.http
+    - nomad_conf.server.enabled
+  tags: nomad
+
+- name: Fix context for log dir
+  command: restorecon -R {{ nomad_root_dir }}/log
+  changed_when: false
+  tags: nomad
+
+- name: Allow nginx to bind on other ports
+  seboolean: name=nis_enabled state=true persistent=true
+  tags: nomad