mirror of
https://git.lapiole.org/dani/ansible-roles.git
synced 2025-04-12 00:03:17 +02:00
171 lines
5.4 KiB
YAML
171 lines
5.4 KiB
YAML
---
|
|
|
|
- name: Generate self-signed certificate
|
|
import_tasks: ../includes/create_selfsigned_cert.yml
|
|
vars:
|
|
cert_path: "{{ nomad_conf.tls.cert_file }}"
|
|
cert_key_path: "{{ nomad_conf.tls.key_file }}"
|
|
cert_key_mode: omit
|
|
tags: nomad
|
|
|
|
- name: Check if CA exists
|
|
stat: path={{ nomad_conf.tls.ca_file }}
|
|
register: nomad_ca_file
|
|
tags: nomad
|
|
|
|
- name: Copy cert as CA
|
|
copy: src={{ nomad_conf.tls.cert_file }} dest={{ nomad_conf.tls.ca_file }} remote_src=True
|
|
when: not nomad_ca_file.stat.exists
|
|
tags: nomad
|
|
|
|
- when: nomad_conf.consul.ca_file is defined
|
|
block:
|
|
- name: Generate self-signed certificate
|
|
import_tasks: ../includes/create_selfsigned_cert.yml
|
|
vars:
|
|
cert_path: "{{ nomad_conf.consul.cert_file }}"
|
|
cert_key_path: "{{ nomad_conf.consul.key_file }}"
|
|
cert_key_mode: omit
|
|
tags: nomad
|
|
|
|
- name: Check if CA exists
|
|
stat: path={{ nomad_conf.tls.ca_file }}
|
|
register: nomad_consul_ca_file
|
|
tags: nomad
|
|
|
|
- name: Copy consul cert as consul CA
|
|
copy: src={{ nomad_conf.consul.cert_file }} dest={{ nomad_conf.consul.ca_file }} remote_src=True
|
|
when: nomad_conf.consul.ca_file is defined and not nomad_consul_ca_file.stat.exists
|
|
tags: nomad
|
|
|
|
- name: Deploy nomad configuration
|
|
block:
|
|
- name: Deploy nomad configuration
|
|
template:
|
|
src: nomad.hcl.j2
|
|
dest: "{{ nomad_root_dir }}/etc/nomad.hcl"
|
|
owner: root
|
|
group: "{{ nomad_user }}"
|
|
mode: 0640
|
|
backup: True
|
|
register: nomad_main_conf
|
|
notify: restart nomad
|
|
|
|
- name: Deploy nomad reloadable configuration
|
|
template:
|
|
src: reload.hcl.j2
|
|
dest: "{{ nomad_root_dir }}/etc/reload.hcl"
|
|
owner: root
|
|
group: "{{ nomad_user }}"
|
|
mode: 0640
|
|
backup: True
|
|
register: nomad_reload_conf
|
|
notify: reload nomad
|
|
|
|
- name: Validate configuration
|
|
command: nomad config validate {{ nomad_root_dir }}/etc/nomad.hcl {{ nomad_root_dir }}/etc/reload.hcl
|
|
changed_when: False
|
|
become_user: "{{ nomad_user }}"
|
|
register: nomad_conf_validation
|
|
|
|
rescue:
|
|
- block:
|
|
- name: Restore main configuration
|
|
copy:
|
|
src: "{{ nomad_main_conf.backup_file }}"
|
|
dest: "{{ nomad_root_dir }}/etc/nomad.hcl"
|
|
remote_src: True
|
|
owner: root
|
|
group: "{{ nomad_user }}"
|
|
mode: 0640
|
|
when: nomad_main_conf.backup_file is defined
|
|
|
|
- name: Restore reloadable configuration
|
|
copy:
|
|
src: "{{ nomad_reload_conf.backup_file }}"
|
|
dest: "{{ nomad_root_dir }}/etc/reload.hcl"
|
|
remote_src: True
|
|
owner: root
|
|
group: "{{ nomad_user }}"
|
|
mode: 0640
|
|
when: nomad_reload_conf.backup_file is defined
|
|
|
|
tags: nomad
|
|
|
|
- name: Fail if configuration validation failed
|
|
fail:
|
|
msg: "Failed to validate configuration: {{ nomad_conf_validation.stdout }}"
|
|
when: nomad_conf_validation.rc != 0
|
|
tags: nomad
|
|
|
|
# Now we remove the backup config to prevent nomad warning about invalid config files
|
|
- name: List backup conf
|
|
shell: ls -1 {{ nomad_root_dir }}/etc/*.hcl.*
|
|
failed_when: False
|
|
changed_when: False
|
|
register: nomad_backup_configs
|
|
tags: nomad
|
|
|
|
- name: Remove backup configs
|
|
file: path={{ item }} state=absent
|
|
loop: "{{ nomad_backup_configs.stdout_lines }}"
|
|
tags: nomad
|
|
|
|
- name: Set ACL on the TLS dir
|
|
shell: |
|
|
setfacl -R -b -k {{ nomad_root_dir }}/tls
|
|
chown -R :{{ nomad_user }} {{ nomad_root_dir }}/tls
|
|
chmod 750 {{ nomad_root_dir }}/tls
|
|
chmod 640 {{ nomad_root_dir }}/tls/*
|
|
setfacl -m u:{{ nomad_user }}:rx {{ nomad_root_dir }}/tls
|
|
setfacl -m d:u:{{ nomad_user }}:r {{ nomad_root_dir }}/tls
|
|
setfacl -m u:{{ nomad_user }}:r {{ nomad_root_dir }}/tls/*
|
|
{% if nomad_admin_groups | length > 0 %}
|
|
setfacl -m {% for group in nomad_admin_groups %}g:{{ group }}:rx{{ ',' if not loop.last }}{% endfor %} {{ nomad_root_dir }}/tls
|
|
setfacl -m {% for group in nomad_admin_groups %}d:g:{{ group }}:r{{ ',' if not loop.last }}{% endfor %} {{ nomad_root_dir }}/tls
|
|
setfacl -m {% for group in nomad_admin_groups %}g:{{ group }}:r{{ ',' if not loop.last }}{% endfor %} {{ nomad_root_dir }}/tls/*
|
|
{% endif %}
|
|
changed_when: False
|
|
failed_when: False # Do not fail if eg, the FS doesn't support ACL
|
|
tags: nomad
|
|
|
|
- name: Deploy profile script
|
|
template: src=profile.sh.j2 dest=/etc/profile.d/nomad.sh
|
|
tags: nomad
|
|
|
|
- name: Ensure the bridge module is loaded
|
|
modprobe: name=bridge state=present
|
|
when: nomad_conf.client.enabled and 'docker' in nomad_enabled_task_drivers
|
|
tags: nomad
|
|
|
|
- name: Set sysctl
|
|
sysctl:
|
|
name: "{{ item.key }}"
|
|
value: "{{ item.val }}"
|
|
sysctl_file: /etc/sysctl.d/nomad.conf
|
|
state: "{{ (nomad_conf.client.enabled and 'docker' in nomad_enabled_task_drivers) | ternary('present', 'absent') }}"
|
|
loop:
|
|
- key: net.bridge.bridge-nf-call-arptables
|
|
val: 1
|
|
- key: net.bridge.bridge-nf-call-ip6tables
|
|
val: 1
|
|
- key: net.bridge.bridge-nf-call-iptables
|
|
val: 1
|
|
tags: nomad
|
|
|
|
- name: Deploy Docker auth config
|
|
template: src=docker_auth.json.j2 dest={{ nomad_root_dir }}/docker/auth.json owner={{ nomad_user }} group={{ nomad_user }} mode=600
|
|
tags: nomad
|
|
|
|
- name: Set userns for podman
|
|
lineinfile:
|
|
dest: /etc/{{ item }}
|
|
regexp: '^containers:.+'
|
|
line: 'containers:100000:65536'
|
|
loop:
|
|
- subuid
|
|
- subgid
|
|
when: nomad_conf.client.enabled and 'podman' in nomad_enabled_task_drivers
|
|
tags: nomad
|
|
|