---

# List of task-driver plugins to install (these drivers are not bundled with Nomad).
# Each entry pins a download URL and the SHA256 of the artifact: update both together
# when bumping a version, and keep the checksum accurate, since it is what lets the
# install step reject a tampered or replaced release (assuming the role verifies it;
# check the install tasks).
nomad_plugins:
  podman:
    archive_url: https://releases.hashicorp.com/nomad-driver-podman/0.5.1/nomad-driver-podman_0.5.1_linux_amd64.zip
    sha256: cef60b0dfd708ab2b5b1e517991cf933bce509a27b087c482e6993f3784dd572
  # Third-party driver (Roblox), shipped as a bare binary rather than a zip archive
  containerd:
    archive_url: https://github.com/Roblox/nomad-driver-containerd/releases/download/v0.9.4/containerd-driver
    sha256: 337e1bab178071500bfbe46a59946e0e3bafc652906ed1b755d2aa4d35990982

# Root dir where Nomad will be installed
nomad_root_dir: /opt/nomad

# User under which nomad will run.
# Servers can run under an unprivileged user, while clients should run as root
# (or with equivalent privileges).
# Note that this is evaluated against the merged nomad_conf, so enabling the client
# on a server node through nomad_extra_conf / nomad_host_conf also switches the
# whole service to root.
nomad_user: "{{ nomad_conf.client.enabled | ternary('root', 'nomad') }}"

# List of Unix groups which will be nomad admins
# Used for example to grant access to the CLI certificate when ACL is enabled
nomad_admin_groups: "{{ system_admin_groups | default([]) }}"

# List of nomad servers (not clients!)
# Entries may carry a :port suffix; it is stripped before the name is compared with
# inventory_hostname (see client.enabled / server.enabled below)
nomad_servers: []

# Nomad configuration
#
# Security note: out of the box this config disables both ACL and TLS (see below).
# In that state anyone who can reach the HTTP API (port 4646, see nomad_base_services)
# can submit jobs anonymously, and since clients run as root with the exec driver
# enabled and privileged docker containers allowed, that amounts to root on every
# client node. Enable acl and tls (and restrict src_ip) for anything beyond an
# isolated lab.
nomad_base_conf:
  log_level: INFO

  # You can define the datacenter in which this agent is running. The default value is dc1
  # datacenter: dc1

  # You can set the region here
  # region: eu

  # Node name, which should be unique in the region. Default is the hostname
  # name: nomad-fr-zone-c

  # ACL
  acl:
    # Enable ACL. While disabled, every API request is anonymous and unrestricted.
    enabled: False

    # For servers in non-authoritative regions, a token must be used to replicate
    # policies. This is a secret: keep it in an ansible-vault encrypted variable and
    # set it through nomad_host_conf rather than in this file.
    # replication_token: ...

  # TLS Settings
  # See the nomad_vault_secrets configuration if you want to integrate with vault
  # to obtain and renew the certificates.
  # Both the HTTP API and the RPC port are plaintext by default. When enabling TLS,
  # also set verify_server_hostname: True so that a client certificate cannot be
  # used to impersonate a server, and verify_https_client: True if the HTTP API
  # should require client certificates (mTLS). rpc_upgrade_mode only exists to
  # migrate a running cluster to TLS and should be turned back off afterwards.
  tls:
    http: False
    rpc: False
    ca_file: "{{ nomad_root_dir }}/tls/ca.crt"
    cert_file: "{{ nomad_root_dir }}/tls/nomad.crt"
    key_file: "{{ nomad_root_dir }}/tls/nomad.key"
    rpc_upgrade_mode: False
    verify_https_client: False
    verify_server_hostname: False

  # Client related settings
  # The default is to act as a client if the hostname is not listed in nomad_servers
  client:
    # Should client be enabled
    enabled: "{{ (inventory_hostname in nomad_servers | map('regex_replace', ':\\d+$', '')) | ternary(False, True) }}"

    # Node pool
    # node_pool: gateways

    drain_on_shutdown:
      # Max time to wait for allocations to be migrated before the agent stops
      deadline: 1h
      force: False
      ignore_system_jobs: False

    # Host directories exposed to tasks as volumes. Each entry grants the jobs
    # allowed to mount it access to that host path, so keep the list minimal and
    # prefer read_only: True whenever writes are not needed.
    # host_volumes:
    #   - name: mysql
    #     path: /data/mysql
    #     read_only: False
    host_volumes: []

    # The max amount of time to wait for a task to stop, before sending a SIGKILL
    max_kill_timeout: 300s

    # An arbitrary string which can be used for job placement
    # node_class: prod

    # Resource reservation for the host to work properly
    reserved:
      # Unit is MHz
      cpu: 200
      # can be expressed as a number, in which case it'll be the amount of RAM to reserve in MB
      # or as a percentage, in which case it'll be a percentage of the total RAM
      memory: 8%
      # When memory is expressed as a percentage, you can set a minimum amount (in MB)
      # which will be used if the percentage is less than that
      memory_min: 500
      # Unit is MB
      disk: 500
      # List of reserved ports which won't be allocated to tasks
      reserved_ports: []

    # Custom metadata to add in Nomad's conf
    # meta:
    #   rack: 12-1
    #   cni: macvlan,ipvlan
    meta: {}

    # List of enabled drivers, and their options.
    # Every enabled driver widens what a job submitter can do on the node; with ACL
    # disabled, that is anyone who can reach the API.
    task_drivers:
      exec:
        enabled: True
      docker:
        enabled: True
        # True lets any job request privileged = true, i.e. a container with full
        # access to the host (all capabilities, devices): effectively root on the
        # node. Consider False unless a specific job needs it.
        allow_privileged: True
        # Disabled: jobs may not bind-mount arbitrary host paths
        # (use host_volumes above to expose a chosen path instead)
        volumes:
          enabled: False
        # You can set a list of caps allowed for containers. The default is the same set
        # of caps as Docker's default, minus net_raw
        # allow_caps: ["audit_write", "chown", "dac_override", "fowner", "fsetid", "kill", "mknod", "net_bind_service", "setfcap", "setgid", "setpcap", "setuid", "sys_chroot"]
        # List of extra labels to add to containers
        extra_labels:
          - job_name
          - task_group_name
          - task_name
          - namespace
          - node_name
          - node_id
        gc:
          image_delay: 1h
        # Authentication for OCI registries
        # These are credentials: never put real values in this file (it is committed
        # to git). Keep them in an ansible-vault encrypted variable and override
        # through nomad_extra_conf / nomad_host_conf instead.
        # auths:
        #   - registry: oci.example.org
        #     login: foo
        #     password: bar
        #   - registry: docker.io
        #     login: daniel
        #     password: S3cr3t.
        auths: []
      # raw_exec runs commands on the host with no isolation at all, as the nomad
      # service user (root on clients). Keep it disabled unless every job submitter
      # is fully trusted.
      raw_exec:
        enabled: False
      java:
        enabled: False
      qemu:
        enabled: False
      podman:
        # Note: on EL8 it cannot be used alongside docker, as there are package
        # conflicts, see https://bugs.centos.org/view.php?id=16892
        enabled: False
        volumes:
          enabled: False
        # socket_path: unix:///run/podman/podman.sock
        recover_stopped: False
        extra_labels:
          - job_name
          - task_group_name
          - task_name
          - namespace
          - node_name
          - node_id
      containerd-driver:
        enabled: False
        containerd_runtime: io.containerd.runc.v2
        # Same caveat as docker.allow_privileged above
        allow_privileged: True

  # Server related settings
  server:
    # Should server be enabled
    # The default is to act as a server if the hostname is listed in nomad_servers
    enabled: "{{ (inventory_hostname in nomad_servers | map('regex_replace', ':\\d+$', '')) | ternary(True, False) }}"

    # Expected number of servers to bootstrap the cluster. The default is to wait for
    # all the servers listed in nomad_servers to be ready, and then to do the bootstrap
    bootstrap_expect: "{{ nomad_servers | length }}"

    # Encryption key used to encrypt inter-server gossip (serf) communications.
    # You can generate one with the `nomad operator keygen` command. It must be the
    # same on all the servers of the cluster. If not defined (the default), the traffic
    # will not be encrypted.
    # The value below is only an example: never reuse it. Generate one per cluster and
    # keep it in ansible-vault, since anyone holding the key can join the gossip pool.
    # encrypt: NVlG6VKgsTbMim041S5nbWmmaQKS7YchV+9G3XxcZDs=

    # Name of the authoritative region from which policies will be pulled
    # authoritative_region: eu

    # Default scheduler config. Only used during cluster bootstrap
    # If you want to change it afterwards, you have to use the API
    default_scheduler_config:
      # can be binpack or spread. Spread makes more sense when running on premise
      scheduler_algorithm: spread
      memory_oversubscription_enabled: True
      preemption_config:
        batch_scheduler_enabled: True
        system_scheduler_enabled: True
        service_scheduler_enabled: True
        sysbatch_scheduler_enabled: True

  # UI related settings
  ui:
    # Default is to enable the UI on servers only
    enabled: "{{ (inventory_hostname in nomad_servers | map('regex_replace', ':\\d+$', '')) | ternary(True, False) }}"
    # Optional Consul and Vault URLs. This is just to add a shortcut in Nomad's UI
    # consul_ui: https://consul.example.org
    # vault_ui: https://vault.example.org

  # Telemetry settings
  # Metrics are served by the HTTP API (/v1/metrics), so they are covered by the
  # same ACL / TLS / firewall settings as the rest of the API
  telemetry:
    prometheus_metrics: True
    disable_hostname: True
    publish_allocation_metrics: True
    publish_node_metrics: True

  # Consul integration
  # See https://www.nomadproject.io/docs/configuration/consul
  consul:
    # address: http://localhost:8500
    # allow_unauthenticated: True
    # tags: []
    # Plaintext to the Consul agent by default; set ssl: True and the cert files
    # below when the Consul agent requires TLS
    ssl: False
    ca_file: "{{ nomad_root_dir }}/tls/consul_ca.crt"
    cert_file: "{{ nomad_root_dir }}/tls/consul.crt"
    key_file: "{{ nomad_root_dir }}/tls/consul.key"

  # Vault integration
  vault:
    enabled: False
    # Vault token role from which Nomad creates the tokens handed to tasks
    create_from_role: nomad-cluster
    # address: https://vault.example.org:8200
    # ca_path: /opt/nomad/tls/vault_ca.crt
    # cert_file: /opt/nomad/tls/vault.crt
    # key_file: /opt/nomad/tls/vault.key

# You can override part of the default config without rewriting everything else:
# the dicts get merged recursively (nested keys are overridden one by one, but
# lists are replaced as a whole, not merged).
nomad_extra_conf: {}
nomad_host_conf: {}
nomad_conf: "{{ nomad_base_conf | combine(nomad_extra_conf, recursive=True) | combine(nomad_host_conf, recursive=True) }}"

# Ports used by Nomad, the protocols, and the list of IP/CIDR for which the ports
# will be opened in the firewall. You can also specify which address/port to
# advertise (not needed most of the time).
# With ACL and TLS disabled (the defaults above), restricting src_ip on http and
# rpc is the only access control left; check the firewall tasks of this role for
# what an empty src_ip list means before relying on it.
nomad_base_services:
  http:
    port: 4646
    proto: [tcp]
    src_ip: []
    # advertise: 10.11.12.13:4347
  rpc:
    port: 4647
    proto: [tcp]
    src_ip: []
    # advertise: y.y.y.y
  serf:
    port: 4648
    proto: [tcp,udp]
    src_ip: []
    # advertise: x.x.x.x
  # Port range handed out to tasks for their dynamic network ports
  dynamic:
    port: 20000:32000
    proto: [tcp,udp]
    src_ip: []
nomad_extra_services: {}
nomad_host_services: {}
nomad_services: "{{ nomad_base_services | combine(nomad_extra_services, recursive=True) | combine(nomad_host_services, recursive=True) }}"

# An optional NOMAD_TOKEN used to take a snapshot of the raft logs during pre-backup
# for example:
# nomad_backup_token: 1677848e-1fcd-b24a-6fb0-56b503d75651
# or a more advanced use, fetching a short-lived token from Vault at backup time
# (the $(...) form presumably relies on the backup script expanding it through a
# shell; confirm in the role's backup tasks):
# nomad_backup_token: $(VAULT_TOKEN=$(cat /run/vault_agent/vault.token) vault read -field=secret_id nomad/creds/admin ttl=1m)
# A static token here is a long-lived secret able to read the entire cluster state:
# prefer the Vault form, or at least keep the value in ansible-vault.