ansible-roles/roles/nomad/templates/nomad.hcl.j2

data_dir = "{{ nomad_root_dir }}/data"
plugin_dir = "{{ nomad_root_dir }}/plugins"
bind_addr = "0.0.0.0"

{% if nomad_conf.datacenter is defined %}
datacenter = "{{ nomad_conf.datacenter }}"
{% endif %}

{% if nomad_conf.region is defined %}
region = "{{ nomad_conf.region }}"
{% endif %}

{% if nomad_conf.name is defined %}
name = {{ nomad_conf.name }}
{% endif %}

disable_update_check = true

advertise {
{% for service in ['http', 'rpc', 'serf' ] %}
{% if nomad_services[service].advertise is defined %}
  {{ service }} = {{ nomad_services[service].advertise }}
{% endif %}
{% endfor %}
}

ports {
{% for service in ['http', 'rpc', 'serf' ] %}
  {{ service }} = {{ nomad_services[service].port }}
{% endfor %}
}

acl {
  enabled = {{ nomad_conf.acl.enabled | ternary('true', 'false') }}
{% if nomad_conf.acl.replication_token is defined and nomad_conf.region is defined and nomad_conf.server.authoritative_region is defined and nomad_conf.region != nomad_conf.server.authoritative_region %}
  replication_token = "{{ nomad_conf.acl.replication_token }}"
{% endif %}
}

server {
  enabled = {{ nomad_conf.server.enabled | ternary('true', 'false') }}
  bootstrap_expect = {{ nomad_conf.server.bootstrap_expect }}
  server_join {
    retry_join = [
{% for server in nomad_servers %}
      "{{ server }}",
{% endfor %}
    ]
  }

{% for setting in [
    'authoritative_region',
    'encrypt',
    'node_gc_threshold',
    'job_gc_interval',
    'job_gc_threshold',
    'eval_gc_threshold',
    'batch_eval_gc_threshold',
    'deployment_gc_threshold',
    'csi_volume_claim_gc_interval',
    'csi_volume_claim_gc_threshold',
    'csi_plugin_gc_threshold',
    'acl_token_gc_threshold',
    'heartbeat_grace',
    'min_heartbeat_ttl',
    'failover_heartbeat_ttl',
    'license_path',
    'root_key_gc_interval',
    'root_key_gc_threshold',
    'root_key_rotation_threshold',
    'job_max_source_size'
  ] %}
{% if nomad_conf.server[setting] is defined %}
  {{ setting }} = "{{ nomad_conf.server[setting] }}"
{% endif %}
{% endfor %}

  default_scheduler_config {
    scheduler_algorithm = "{{ nomad_conf.server.default_scheduler_config.scheduler_algorithm }}"
    memory_oversubscription_enabled = {{ nomad_conf.server.default_scheduler_config.memory_oversubscription_enabled | ternary('true', 'false') }}
    preemption_config {
{% for type in ['batch', 'system', 'sysbatch', 'service'] %}
      {{ type }}_scheduler_enabled = {{ nomad_conf.server.default_scheduler_config.preemption_config[type ~ '_scheduler_enabled'] | ternary('true', 'false') }}
{% endfor %}
    }
  }
}

{% if nomad_conf.client.enabled %}
client {
  enabled = true

  servers = [
{% for server in nomad_servers %}
    "{{ server }}",
{% endfor %}
  ]

{% if nomad_conf.client.node_pool is defined %}
  node_pool = "{{ nomad_conf.client.node_pool }}"
{% endif %}

{% if nomad_conf.client.drain_on_shutdown is defined %}
  drain_on_shutdown {
{% if nomad_conf.client.drain_on_shutdown.deadline is defined %}
    deadline = "{{ nomad_conf.client.drain_on_shutdown.deadline }}"
{% endif %}
{% for param in ['force', 'ignore_system_jobs'] %}
{% if nomad_conf.client.drain_on_shutdown[param] is defined %}
    {{ param }} = {{ nomad_conf.client.drain_on_shutdown[param] | ternary('true', 'false') }}
{% endif %}
{% endfor %}
  }
{% endif %}

{% for volume in nomad_conf.client.host_volumes %}
  host_volume "{{ volume.name }}" {
    path = "{{ volume.path }}"
{% if volume.read_only is defined %}
    read_only = "{{ volume.read_only | ternary('true', 'false') }}"
{% endif %}
  }
{% endfor %}

  reserved {
    cpu = {{ nomad_conf.client.reserved.cpu }}
    memory = {{ (nomad_conf.client.reserved.memory is search('%$')) | ternary([((nomad_conf.client.reserved.memory | regex_replace('%$', '') | int) * ansible_memtotal_mb * 0.01), nomad_conf.client.reserved.memory_min] | max | int, nomad_conf.client.reserved.memory) }}
    disk = {{ nomad_conf.client.reserved.disk }}
    reserved_ports = "{{ nomad_conf.client.reserved.reserved_ports | join(',') }}"
  }

  meta {
{% for meta in nomad_conf.client.meta.keys() | list %}
    {{ meta }} = "{{ nomad_conf.client.meta[meta] }}"
{% endfor %}
  }

{% if nomad_conf.client.node_class is defined %}
  node_class = "{{ nomad_conf.client.node_class }}"
{% endif %}

  options {
    "driver.allowlist" = "{{ nomad_enabled_task_drivers | join(',') }}"
  }

  max_kill_timeout = "{{ nomad_conf.client.max_kill_timeout }}"
}

{% if 'docker' in nomad_enabled_task_drivers %}
plugin "docker" {
  config {
    allow_privileged = {{ nomad_conf.client.task_drivers.docker.allow_privileged | ternary('true', 'false') }}
    auth {
      config = "{{ nomad_root_dir }}/docker/auth.json"
    }
{% if nomad_conf.client.task_drivers.docker.disable_log_collection %}
    disable_log_collection = true
{% endif %}
    logging {
      type = "{{ nomad_conf.client.task_drivers.docker.logging.type }}"
      config {
{% for log_conf in nomad_conf.client.task_drivers.docker.logging.config.keys() | list %}
{% if nomad_conf.client.task_drivers.docker.logging.config[log_conf] is boolean %}
        {{ log_conf }} = {{ nomad_conf.client.task_drivers.docker.logging.config[log_conf] | ternary('true','false') }}
{% elif nomad_conf.client.task_drivers.docker.logging.config[log_conf] is number %}
        {{ log_conf }} = {{ nomad_conf.client.task_drivers.docker.logging.config[log_conf] }}
{% else %}
        {{ log_conf }} = "{{ nomad_conf.client.task_drivers.docker.logging.config[log_conf] }}"
{% endif %}
{% endfor %}
      }
    }
{% if nomad_conf.client.task_drivers.docker.volumes.enabled %}
    volumes {
      enabled = true
    }
{% endif %}
{% if nomad_conf.client.task_drivers.docker.allow_caps is defined %}
    allow_caps = [
{% for cap in nomad_conf.client.task_drivers.docker.allow_caps %}
      "{{ cap }}",
{% endfor %}
    ]
{% endif %}
    extra_labels = [
{% for label in nomad_conf.client.task_drivers.docker.extra_labels %}
      "{{ label }}",
{% endfor %}
    ]

    gc {
{% for gc in ['image_delay'] %}
{% if nomad_conf.client.task_drivers.docker.gc[gc] is defined %}
      {{ gc }} = "{{ nomad_conf.client.task_drivers.docker.gc[gc] }}"
{% endif %}
{% endfor %}
    }
  }
}

{% if 'podman' in nomad_enabled_task_drivers %}
plugin "podman-driver-podman" {
  config {
    recover_stopped = {{ nomad_conf.client.task_drivers.podman.recover_stopped | ternary('true', 'false') }}
{% if nomad_conf.client.task_drivers.podman.socket_path is defined %}
    socket_path = "{{ nomad_conf.client.task_drivers.podman.socket_path }}"
{% endif %}
{% if nomad_conf.client.task_drivers.podman.volumes.enabled %}
    volumes {
      enabled = true
    }
{% endif %}
    extra_labels = [
{% for label in nomad_conf.client.task_drivers.podman.extra_labels %}
      "{{ label }}",
{% endfor %}
    ]
  }
}
{% endif %}

plugin "raw_exec" {
  config {
    enabled = {{ ('raw_exec' in nomad_enabled_task_drivers) | ternary('true', 'false') }}
  }
}

plugin "containerd-driver" {
  config {
    enabled = {{ ('containerd-driver' in nomad_enabled_task_drivers) | ternary('true', 'false') }}
    containerd_runtime = "{{ nomad_conf.client.task_drivers['containerd-driver'].containerd_runtime }}"
    allow_privileged = {{ nomad_conf.client.task_drivers['containerd-driver'].allow_privileged | ternary('true', 'false') }}
  }
}

{% endif %}
{% else %}
client {
  enabled = false
}
{% endif %}
ui {
  enabled = {{ nomad_conf.ui.enabled | ternary('true', 'false') }}
{% if nomad_conf.ui.consul_ui is defined %}
  consul {
    ui_url = "{{ nomad_conf.ui.consul_ui }}"
  }
{% endif %}
{% if nomad_conf.ui.vault_ui is defined %}
  vault {
    ui_url = "{{ nomad_conf.ui.vault_ui }}"
  }
{% endif %}
}

telemetry {
  prometheus_metrics = {{ nomad_conf.telemetry.prometheus_metrics | ternary('true', 'false') }}
  disable_hostname = {{ nomad_conf.telemetry.disable_hostname | ternary('true', 'false') }}
  publish_allocation_metrics = {{ nomad_conf.telemetry.publish_allocation_metrics | ternary('true', 'false') }}
  publish_node_metrics = {{ nomad_conf.telemetry.publish_node_metrics | ternary('true', 'false') }}
}

consul {
{% for key in ['address', 'auth', 'client_service_name', 'server_service_name', 'grpc_address', 'token'] %}
{% if nomad_conf.consul[key] is defined %}
  {{ key }} = "{{ nomad_conf.consul[key] }}"
{% endif %}
{% endfor %}

{% for key in ['allow_unauthenticated', 'auto_advertise', 'checks_use_advertise', 'server_auto_join'] %}
{% if nomad_conf.consul[key] is defined %}
  {{ key }} = {{ nomad_conf.consul[key] | ternary('true', 'false') }}
{% endif %}
{% endfor %}

{% if nomad_conf.consul.tags is defined and nomad_conf.consul.tags is iterable %}
  tags = [
{% for tag in nomad_conf.consul.tags %}
    "{{ tag }}",
{% endfor %}
  ]
{% endif %}

{% if nomad_conf.server.enabled %}
{% if nomad_conf.consul.service_identity is defined %}
  service_identity {
    aud = [
{% for aud in nomad_conf.consul.service_identity.aud | default(['consul.io']) %}
      "{{ aud }}",
{% endfor %}
    ]
    ttl = "{{  nomad_conf.consul.service_identity.ttl | default('1h') }}"
  }
{% endif %}

{% if nomad_conf.consul.task_identity is defined %}
  task_identity {
    aud = [
{% for aud in nomad_conf.consul.task_identity.aud | default(['consul.io']) %}
      "{{ aud }}",
{% endfor %}
    ]
    ttl = "{{  nomad_conf.consul.task_identity.ttl | default('1h') }}"
{% for key in ['env', 'file'] %}
{% if nomad_conf.consul.task_identity[key] is defined %}
    {{ key }} = {{ nomad_conf.consul.task_identity[key] | ternary('true', 'false') }}
{% endif %}
{% endfor %}
  }
{% endif %}
{% endif %}

{% if nomad_conf.consul.ssl %}
  ssl = true
{% for key in ['ca_file', 'cert_file', 'key_file'] %}
{% if nomad_conf.consul[key] is defined %}
  {{ key }} = "{{ nomad_conf.consul[key] }}"
{% endif %}
{% endfor %}

{% for key in ['verify_ssl', 'share_ssl'] %}
{% if nomad_conf.consul[key] is defined %}
  {{ key }} = {{ nomad_conf.consul[key] | ternary('true', 'false') }}
{% endif %}
{% endfor %}

{% endif %}
}

vault {
{% for key in ['enabled', 'tls_skip_verify', 'allow_unauthenticated'] %}
{% if nomad_conf.vault[key] is defined %}
  {{ key }} = {{ nomad_conf.vault[key] | ternary('true', 'false') }}
{% endif %}
{% endfor %}
{% for key in ['create_from_role'] %}
{% if nomad_conf.vault[key] is defined %}
  {{ key }} = "{{ nomad_conf.vault[key] }}"
{% endif %}
{% endfor %}
{% if nomad_conf.server.enabled %}
{% for key in ['address', 'task_token_ttl', 'ca_file', 'ca_path', 'cert_file', 'key_file', 'tls_server_name', 'token'] %}
{% if nomad_conf.vault[key] is defined %}
  {{ key }} = "{{ nomad_conf.vault[key] }}"
{% endif %}
{% endfor %}
{% if nomad_conf.vault.default_identity is defined %}
  default_identity {
    aud = [
{% for aud in nomad_conf.vault.default_identity.aud | default(['vault.io']) %}
      "{{ aud }}",
{% endfor %}
    ]
    ttl = "{{  nomad_conf.vault.default_identity.ttl | default('1h') }}"
{% for key in ['env', 'file'] %}
{% if nomad_conf.consul.task_identity[key] is defined %}
    {{ key }} = {{ nomad_conf.vault.default_identity[key] | ternary('true', 'false') }}
{% endif %}
{% endfor %}
  }
{% endif %}
{% elif nomad_conf.client.enabled and not nomad_conf.server.enabled %}
{% for key in ['namespace', 'address', 'ca_file', 'ca_path', 'cert_file', 'key_file', 'namespace', 'tls_server_name', 'jwt_auth_backend_path'] %}
{% if nomad_conf.vault[key] is defined %}
  {{ key }} = "{{ nomad_conf.vault[key] }}"
{% endif %}
{% endfor %}
{% endif %}
}

tls {
{% for key in ['ca_file', 'cert_file', 'key_file', 'tls_min_version', 'tls_cipher_suites'] %}
{% if nomad_conf.tls[key] is defined %}
  {{ key }} = "{{ nomad_conf.tls[key] }}"
{% endif %}
{% endfor %}

{% for key in ['http', 'rpc', 'rpc_upgrade_mode', 'tls_prefer_server_cipher_suites', 'verify_https_client', 'verify_server_hostname'] %}
{% if nomad_conf.tls[key] is defined %}
  {{ key }} = {{ nomad_conf.tls[key] | ternary('true', 'false') }}
{% endif %}
{% endfor %}
}