Diffstat (limited to 'fdio.infra.ansible/roles/nomad/templates')
9 files changed, 379 insertions, 0 deletions
diff --git a/fdio.infra.ansible/roles/nomad/templates/base.hcl.j2 b/fdio.infra.ansible/roles/nomad/templates/base.hcl.j2
new file mode 100644
index 0000000000..cd7fb54f9c
--- /dev/null
+++ b/fdio.infra.ansible/roles/nomad/templates/base.hcl.j2
@@ -0,0 +1,26 @@
+name = "{{ nomad_node_name }}"
+region = "{{ nomad_region }}"
+datacenter = "{{ nomad_datacenter }}"
+
+enable_debug = {{ nomad_enable_debug | bool | lower }}
+disable_update_check = {{ nomad_disable_update_check | bool | lower }}
+
+bind_addr = "{{ nomad_bind_address }}"
+advertise {
+ http = "{{ nomad_advertise_address }}:{{ nomad_ports.http }}"
+ rpc = "{{ nomad_advertise_address }}:{{ nomad_ports.rpc }}"
+ serf = "{{ nomad_advertise_address }}:{{ nomad_ports.serf }}"
+}
+ports {
+ http = {{ nomad_ports['http'] }}
+ rpc = {{ nomad_ports['rpc'] }}
+ serf = {{ nomad_ports['serf'] }}
+}
+
+data_dir = "{{ nomad_data_dir }}"
+
+log_level = "{{ nomad_log_level }}"
+enable_syslog = {{ nomad_syslog_enable | bool | lower }}
+
+leave_on_terminate = {{ nomad_leave_on_terminate | bool | lower }}
+leave_on_interrupt = {{ nomad_leave_on_interrupt | bool | lower }}
diff --git a/fdio.infra.ansible/roles/nomad/templates/cfssl.json b/fdio.infra.ansible/roles/nomad/templates/cfssl.json
new file mode 100644
index 0000000000..2b603e9b84
--- /dev/null
+++ b/fdio.infra.ansible/roles/nomad/templates/cfssl.json
@@ -0,0 +1,8 @@
+{
+ "signing": {
+ "default": {
+ "expiry": "87600h",
+ "usages": ["signing", "key encipherment", "server auth", "client auth"]
+ }
+ }
+}
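Review bot: `enable_debug = {{ nomad_enable_debug | bool | lower }}` is rendered with no warning that a true value turns on Nomad's debugging HTTP endpoints (pprof) on the API listener bound at `bind_addr`, and none of the nine templates in this change renders an `acl` stanza, so unless ACLs are configured elsewhere in the role (not visible here) that API is unauthenticated. I would add above the line: `# enable_debug exposes the pprof debugging endpoints on the HTTP API; keep false outside of troubleshooting.` If the role has no ACL template at all, an `acl.hcl.j2` rendering `acl { enabled = true }` behind a role variable is worth adding alongside these, since an open API on a client that runs as root (per the systemd unit in this change) lets anyone with network reach submit jobs.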
\ No newline at end of file
diff --git a/fdio.infra.ansible/roles/nomad/templates/client.hcl.j2 b/fdio.infra.ansible/roles/nomad/templates/client.hcl.j2
new file mode 100644
index 0000000000..f82f38a4e4
--- /dev/null
+++ b/fdio.infra.ansible/roles/nomad/templates/client.hcl.j2
@@ -0,0 +1,60 @@
+client {
+ enabled = {{ nomad_node_client | bool | lower }}
+
+ node_class = "{{ nomad_node_class }}"
+ no_host_uuid = {{ nomad_no_host_uuid | bool | lower }}
+
+{% if nomad_use_consul == False %}
+ {% if nomad_servers -%}
+ servers = [ {% for ip_port in nomad_servers -%} "{{ ip_port }}" {% if not loop.last %},{% endif %}{%- endfor -%} ]
+ {% endif -%}
+{% endif %}
+
+ {% if nomad_network_interface is defined -%}
+ network_interface = "{{ nomad_network_interface }}"
+ {% endif -%}
+ {% if nomad_network_speed is defined -%}
+ network_speed = "{{ nomad_network_speed }}"
+ {% endif -%}
+ {% if nomad_cpu_total_compute is defined -%}
+ cpu_total_compute = {{ nomad_cpu_total_compute }}
+ {% endif -%}
+
+ reserved {
+ cpu = {{ nomad_reserved['cpu'] }}
+ memory = {{ nomad_reserved['memory'] }}
+ disk = {{ nomad_reserved['disk'] }}
+ }
+
+ {% for nomad_host_volume in nomad_volumes -%}
+ host_volume "{{ nomad_host_volume.name }}" {
+ path = "{{ nomad_host_volume.path }}"
+ read_only = {{ nomad_host_volume.read_only | bool | lower }}
+ }
+ {% endfor %}
+
+ {% if nomad_chroot_env != False -%}
+ chroot_env = {
+ {% for key, value in nomad_chroot_env.items() %}
+ "{{ key }}" = "{{ value }}"
+ {% endfor -%}
+ }
+ {% endif %}
+
+ {% if nomad_options -%}
+ options = {
+ {% for key, value in nomad_options.items() %}
+ "{{ key }}" = "{{ value }}"
+ {% endfor -%}
+ }
+ {% endif %}
+
+ {% if nomad_meta -%}
+ meta = {
+ {% for key, value in nomad_meta.items() %}
+ "{{ key }}" = "{{ value }}"
+ {% endfor -%}
+ }
+ {% endif %}
+
+} 
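Review bot: The single `"default"` signing profile grants every certificate both `"server auth"` and `"client auth"` with a ten-year `"expiry": "87600h"`, so any operator or client certificate issued through it is also a valid Nomad server certificate until it expires, and nothing here distinguishes the two roles. That is only safe if `verify_server_hostname` in tls.hcl.j2 stays true so that server identity is bound to the `server.<region>.nomad` SAN rather than to key usage alone, which this role leaves to a variable. Consider splitting this into a `server` profile (server auth plus client auth, for agent-to-agent RPC) and a `client` profile (client auth only, for CLI/API callers), and shortening `expiry` to something the role can actually rotate. JSON has no comment syntax, so the intent should be recorded in the role README or the task that invokes cfssl.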
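Review bot: The three map bodies under `chroot_env`, `options` and `meta` render values as `"{{ key }}" = "{{ value }}"` with no escaping, so a value containing a double quote or backslash produces invalid HCL or, worse, lets a crafted inventory value close the string and inject further attributes into the client config. The consul template in this same change already uses `tags = {{ nomad_consul_tags | to_json }}`; do the same here with `"{{ key }}" = {{ value | to_json }}` (to_json emits a quoted, escaped HCL-compatible string). Worth a comment above `options` too, since entries such as `driver.raw_exec.enable` placed there let jobs run arbitrary commands as the agent user, which the systemd unit in this change runs as root.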
diff --git a/fdio.infra.ansible/roles/nomad/templates/consul.hcl.j2 b/fdio.infra.ansible/roles/nomad/templates/consul.hcl.j2
new file mode 100644
index 0000000000..a9c1aff7b2
--- /dev/null
+++ b/fdio.infra.ansible/roles/nomad/templates/consul.hcl.j2 
@@ -0,0 +1,63 @@
+{% if nomad_use_consul | bool == True %}
+consul {
+ # Specifies the address to the local Consul agent, given in the format
+ # host:port.
+ address = "{{ nomad_consul_address }}"
+
+ # Specifies if Nomad should advertise its services in Consul. The services
+ # are named according to server_service_name and client_service_name. Nomad
+ # servers and clients advertise their respective services, each tagged
+ # appropriately with either http or rpc tag. Nomad servers also advertise a
+ # serf tagged service.
+ auto_advertise = true
+
+ # Specifies if the Nomad clients should automatically discover servers in
+ # the same region by searching for the Consul service name defined in the
+ # server_service_name option. The search occurs if the client is not
+ # registered with any servers or it is unable to heartbeat to the leader of
+ # the region, in which case it may be partitioned and searches for other
+ # servers.
+ client_auto_join = true
+
+ # Specifies the name of the service in Consul for the Nomad clients.
+ client_service_name = "{{ nomad_consul_clients_service_name }}"
+
+ # Specifies the name of the service in Consul for the Nomad servers.
+ server_service_name = "{{ nomad_consul_servers_service_name }}"
+
+ # Specifies if the Nomad servers should automatically discover and join
+ # other Nomad servers by searching for the Consul service name defined in
+ # the server_service_name option. This search only happens if the server
+ # does not have a leader.
+ server_auto_join = true
+
+ # Specifies optional Consul tags to be registered with the Nomad server and
+ # agent services.
+ tags = {{ nomad_consul_tags | to_json }}
+
+ # Specifies the token used to provide a per-request ACL token. This option
+ # overrides the Consul Agent's default token. If the token is not set here
+ # or on the Consul agent, it will default to Consul's anonymous policy,
+ # which may or may not allow writes. 
+ token = "{{ nomad_consul_token }}"
+
+ {% if nomad_consul_use_ssl | bool == True -%}
+ # Specifies if the transport scheme should use HTTPS to communicate with the
+ # Consul agent.
+ ssl = true
+
+ # Specifies an optional path to the CA certificate used for Consul
+ # communication. This defaults to the system bundle if unspecified.
+ ca_file = "{{ nomad_ca_file }}"
+
+ # Specifies the path to the certificate used for Consul communication. If
+ # this is set then you need to also set key_file.
+ cert_file = "{{ nomad_cert_file }}"
+
+ # Specifies the path to the private key used for Consul communication. If
+ # this is set then you need to also set cert_file.
+ key_file = "{{ nomad_key_file }}"
+ {% endif %}
+
+}
+{% endif %}
\ No newline at end of file
diff --git a/fdio.infra.ansible/roles/nomad/templates/nomad_systemd.service.j2 b/fdio.infra.ansible/roles/nomad/templates/nomad_systemd.service.j2
new file mode 100644
index 0000000000..564505781b
--- /dev/null
+++ b/fdio.infra.ansible/roles/nomad/templates/nomad_systemd.service.j2
@@ -0,0 +1,33 @@
+[Unit]
+Description=Nomad
+Documentation=https://nomadproject.io/docs/
+Wants=network-online.target
+After=network-online.target
+
+# When using Nomad with Consul it is not necessary to start Consul first. These
+# lines start Consul before Nomad as an optimization to avoid Nomad logging
+# that Consul is unavailable at startup.
+#Wants=consul.service
+#After=consul.service
+
+[Service]
+# Nomad server should be run as the nomad user. Nomad clients
+# should be run as root
+#User=nomad
+#Group=nomad
+
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart={{ nomad_bin_dir }}/nomad agent -config {{ nomad_config_dir }}
+KillMode=process
+KillSignal=SIGINT
+LimitNOFILE=infinity
+LimitNPROC=infinity
+Restart=on-failure
+RestartSec=2
+StartLimitBurst=3
+StartLimitInterval=10
+TasksMax=infinity
+OOMScoreAdjust=-1000
+
+[Install]
+WantedBy=multi-user.target
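Review bot: `token = "{{ nomad_consul_token }}"` is rendered unconditionally, which puts a Consul ACL secret into the Nomad config directory on every node, including clients; the task that writes this file is not in the diff, so it is worth confirming it renders with `mode: '0600'` and nomad ownership, and that `nomad_consul_token` comes from Vault or an encrypted vars file rather than plain inventory. Rendering the line only when a token is actually provided, `{% if nomad_consul_token %}token = "{{ nomad_consul_token }}"{% endif %}`, avoids writing an empty `token = ""` and makes the fallback to the agent's default token explicit. The note above the line already explains the anonymous-policy fallback; adding `# Secret: this file must not be world-readable.` right above `token` would help the next maintainer.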
\ No newline at end of file
diff --git a/fdio.infra.ansible/roles/nomad/templates/server.hcl.j2 b/fdio.infra.ansible/roles/nomad/templates/server.hcl.j2
new file mode 100644
index 0000000000..e19dea9e6f
--- /dev/null
+++ b/fdio.infra.ansible/roles/nomad/templates/server.hcl.j2
@@ -0,0 +1,58 @@
+{% if nomad_node_server | bool == True %}
+server {
+ enabled = {{ nomad_node_server | bool | lower }}
+
+ {% if nomad_node_server | bool -%}
+ bootstrap_expect = {{ nomad_bootstrap_expect }}
+ {%- endif %}
+
+ {% if nomad_node_server | bool -%}
+ raft_protocol = 3
+ {%- endif %}
+
+ {% if nomad_authoritative_region is defined %}
+ authoritative_region = "{{ nomad_authoritative_region }}"
+ {% endif %}
+
+{% if nomad_use_consul == False %}
+ {% if nomad_retry_join | bool -%}
+ retry_join = [
+ {%- set comma = joiner(",") -%}
+ {% for server in nomad_servers -%}
+ {{ comma() }}"{{ hostvars[server]['nomad_advertise_address'] | ipwrap }}"
+ {%- endfor -%} ]
+ retry_max = {{ nomad_retry_max }}
+ retry_interval = "{{ nomad_retry_interval }}"
+ {% else -%}
+ start_join = [
+ {%- set comma = joiner(",") -%}
+ {% for server in nomad_servers -%}
+ {{ comma() }}"{{ hostvars[server]['nomad_advertise_address'] | ipwrap }}"
+ {%- endfor -%} ]
+ {%- endif %}
+{% endif %}
+
+ encrypt = "{{ nomad_encrypt | default('') }}"
+
+ {% if nomad_node_gc_threshold -%}
+ node_gc_threshold = "{{ nomad_node_gc_threshold }}"
+ {%- endif %}
+
+ {% if nomad_job_gc_interval -%}
+ job_gc_interval = "{{ nomad_job_gc_interval }}"
+ {%- endif %}
+
+ {% if nomad_job_gc_threshold -%}
+ job_gc_threshold = "{{ nomad_job_gc_threshold }}"
+ {%- endif %}
+
+ {% if nomad_eval_gc_threshold -%}
+ eval_gc_threshold = "{{ nomad_eval_gc_threshold }}"
+ {%- endif %}
+
+ {% if nomad_deployment_gc_threshold -%}
+ deployment_gc_threshold = "{{ nomad_deployment_gc_threshold }}"
+ {%- endif %}
+
+}
+{% endif %}
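Review bot: `#User=nomad` and `#Group=nomad` are commented out, so this unit runs the agent as root on servers as well as clients, even though the comment two lines above says servers should run as the nomad user; since the unit is already a Jinja template, gate it on the role the host plays, e.g. `{% if not (nomad_node_client | bool) %}` around `User=nomad` / `Group=nomad`. Root on a server is what turns any API or RPC exposure from the other templates into host compromise, so this is worth fixing in the same change rather than leaving as a TODO. Separately, `StartLimitBurst=` and `StartLimitInterval=` are [Unit]-section settings on current systemd (as `StartLimitIntervalSec=`); in [Service] they are ignored or warned about depending on version, so the restart rate limit may not be in effect.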
\ No newline at end of file
diff --git a/fdio.infra.ansible/roles/nomad/templates/telemetry.hcl.j2 b/fdio.infra.ansible/roles/nomad/templates/telemetry.hcl.j2
new file mode 100644
index 0000000000..14be0d9548
--- /dev/null
+++ b/fdio.infra.ansible/roles/nomad/templates/telemetry.hcl.j2
@@ -0,0 +1,26 @@
+{% if nomad_use_telemetry | bool == True %}
+telemetry {
+ # Specifies if gauge values should be prefixed with the local hostname.
+ disable_hostname = {{ nomad_telemetry_disable_hostname | bool | lower }}
+
+ # Specifies the time interval at which the Nomad agent collects telemetry
+ # data.
+ collection_interval = "{{ nomad_telemetry_collection_interval }}"
+
+ # Specifies if gauge values should be prefixed with the name of the node,
+ # instead of the hostname. If set it will override disable_hostname value.
+ use_node_name = {{ nomad_telemetry_use_node_name | bool | lower }}
+
+ # Specifies if Nomad should publish runtime metrics of allocations.
+ publish_allocation_metrics = {{ nomad_telemetry_publish_allocation_metrics | bool | lower }}
+
+ # Specifies if Nomad should publish runtime metrics of nodes.
+ publish_node_metrics = {{ nomad_telemetry_publish_node_metrics | bool | lower }}
+
+ # Specifies whether the agent should make Prometheus formatted metrics
+ # available at /v1/metrics?format=prometheus.Specifies whether the agent
+ # should make Prometheus formatted metrics available at
+ # /v1/metrics?format=prometheus.
+ prometheus_metrics = {{ nomad_telemetry_prometheus_metrics | bool | lower }}
+}
+{% endif %}
diff --git a/fdio.infra.ansible/roles/nomad/templates/tls.hcl.j2 b/fdio.infra.ansible/roles/nomad/templates/tls.hcl.j2
new file mode 100644
index 0000000000..0a1a5b20a4
--- /dev/null
+++ b/fdio.infra.ansible/roles/nomad/templates/tls.hcl.j2 
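Review bot: `encrypt = "{{ nomad_encrypt | default('') }}"` silently renders an empty key when `nomad_encrypt` is undefined, which means Serf gossip between servers runs unencrypted with no error from the play, and nothing in this stanza would tell the operator. A template must not downgrade a security control on a missing variable; use `encrypt = "{{ nomad_encrypt | mandatory }}"` so the run fails, or, if a plaintext gossip cluster is a deliberate option, render the line inside `{% if nomad_encrypt is defined %}` with a comment stating the consequence. Note also that `bootstrap_expect` and `raft_protocol` are guarded by `{% if nomad_node_server | bool -%}` although the whole stanza is already inside `{% if nomad_node_server | bool == True %}`, so those inner guards are redundant and can be dropped for readability.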
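Review bot: The comment above `prometheus_metrics` repeats its only sentence twice ("... /v1/metrics?format=prometheus.Specifies whether the agent should make Prometheus formatted metrics available at /v1/metrics?format=prometheus."), apparently a copy-paste slip; trim it to `# Specifies whether the agent should make Prometheus formatted metrics` / `# available at /v1/metrics?format=prometheus.` A one-line addition that this endpoint sits on the same HTTP listener as the API, and is therefore only as protected as that listener (TLS and, if configured elsewhere, ACLs), would help whoever scrapes it decide where to point Prometheus.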
@@ -0,0 +1,36 @@
+{% if nomad_use_tls | bool %}
+tls {
+ # Specifies the path to the CA certificate to use for Nomad's TLS
+ # communication.
+ ca_file = "{{ nomad_tls_ca_file }}"
+
+ # Specifies the path to the certificate file used for Nomad's TLS
+ # communication.
+ cert_file = "{{ nomad_tls_cert_file }}"
+
+ # Specifies the path to the key file to use for Nomad's TLS communication.
+ key_file = "{{ nomad_tls_key_file }}"
+
+ # Specifies if TLS should be enabled on the HTTP endpoints on the Nomad
+ # agent, including the API.
+ http = {{ nomad_tls_http | bool | lower }}
+
+ # Specifies if TLS should be enabled on the RPC endpoints and Raft traffic
+ # between the Nomad servers. Enabling this on a Nomad client makes the
+ # client use TLS for making RPC requests to the Nomad servers.
+ rpc = {{ nomad_tls_rpc | bool | lower }}
+
+ # This option should be used only when the cluster is being upgraded to
+ # TLS, and removed after the migration is complete. This allows the agent
+ # to accept both TLS and plaintext traffic.
+ rpc_upgrade_mode = {{ nomad_tls_rpc_upgrade_mode | bool | lower }}
+
+ # Specifies agents should require client certificates for all incoming
+ # HTTPS requests. The client certificates must be signed by the same CA
+ # as Nomad.
+ verify_https_client = {{ nomad_tls_verify_https_client | bool | lower }}
+
+ # Specifies if outgoing TLS connections should verify the server's hostname.
+ verify_server_hostname = {{ nomad_tls_verify_server_hostname | bool | lower }}
+}
+{% endif %}
diff --git a/fdio.infra.ansible/roles/nomad/templates/vault.hcl.j2 b/fdio.infra.ansible/roles/nomad/templates/vault.hcl.j2
new file mode 100644
index 0000000000..7911cbc5c4
--- /dev/null
+++ b/fdio.infra.ansible/roles/nomad/templates/vault.hcl.j2 
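Review bot: `verify_server_hostname = {{ nomad_tls_verify_server_hostname | bool | lower }}` and `rpc_upgrade_mode = {{ nomad_tls_rpc_upgrade_mode | bool | lower }}` leave the two settings that decide whether TLS actually authenticates anything to role variables whose defaults are not in this diff. With the cfssl profile added in this same change issuing every certificate with both server auth and client auth, a false `verify_server_hostname` lets any holder of a client certificate impersonate a Nomad server to clients, and a true `rpc_upgrade_mode` keeps the plaintext RPC path open indefinitely. I would hard-code `verify_server_hostname = true`, or at least add `# Must stay true: the CA in this role signs client and server certs from one profile.` above it, and render `rpc_upgrade_mode` only when the variable is explicitly set so it cannot linger after a migration.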
@@ -0,0 +1,69 @@
+{% if nomad_use_tls | bool == True %}
+vault {
+ # Specifies the address to the Vault server. This must include the protocol,
+ # host/ip, and port given in the format protocol://host:port. If your Vault
+ # installation is behind a load balancer, this should be the address of the
+ # load balancer.
+ address = "{{ nomad_vault_address }}"
+
+ # Specifies if users submitting jobs to the Nomad server should be required
+ # to provide their own Vault token, proving they have access to the policies
+ # listed in the job. This option should be disabled in an untrusted
+ # environment.
+ allow_unauthenticated = {{ nomad_vault_allow_unauthenticated | bool | lower }}
+
+ # Specifies if the Vault integration should be activated.
+ enabled = {{ nomad_vault_enabled | bool | lower }}
+
+ # Specifies the role to create tokens from. The token given to Nomad does
+ # not have to be created from this role but must have "update" capability
+ # on "auth/token/create/<create_from_role>" path in Vault. If this value is
+ # unset and the token is created from a role, the value is defaulted to the
+ # role the token is from. This is largely for backwards compatibility. It
+ # is recommended to set the create_from_role field if Nomad is deriving
+ # child tokens from a role.
+ create_from_role = "{{ nomad_vault_create_from_role }}"
+
+ # Specifies the TTL of created tokens when using a root token. This is
+ # specified using a label suffix like "30s" or "1h".
+ task_token_ttl = "{{ nomad_vault_task_token_ttl }}"
+
+ {% if nomad_vault_use_ssl | bool == True -%}
+ # Specifies an optional path to the CA certificate used for Vault
+ # communication. If unspecified, this will fallback to the default system
+ # CA bundle, which varies by OS and version.
+ ca_file = "{{ nomad_vault_ca_file }}"
+
+ # Specifies an optional path to a folder containing CA certificates to be
+ # used for Vault communication. If unspecified, this will fallback to the
+ # default system CA bundle, which varies by OS and version.
+ ca_path = "{{ nomad_vault_ca_path }}"
+
+ # Specifies the path to the certificate used for Vault communication. This
+ # must be set if tls_require_and_verify_client_cert is enabled in Vault.
+ cert_file = "{{ nomad_vault_cert_file }}"
+
+ # Specifies the path to the private key used for Vault communication. If
+ # this is set then you need to also set cert_file. This must be set if
+ # tls_require_and_verify_client_cert is enabled in Vault.
+ key_file = "{{ nomad_vault_key_file }}"
+
+ # Specifies the Vault namespace used by the Vault integration. If non-empty,
+ # this namespace will be used on all Vault API calls.
+ namespace = "{{ nomad_vault_namespace }}"
+
+ # Specifies an optional string used to set the SNI host when connecting to
+ # Vault via TLS.
+ tls_server_name = "{{ nomad_vault_tls_server_name }}"
+
+ # Specifies if SSL peer validation should be enforced.
+ tls_skip_verify = {{ nomad_vault_tls_skip_verify | bool | lower }}
+ {% endif %}
+
+ # Specifies the parent Vault token to use to derive child tokens for jobs
+ # requesting tokens. Only required on Nomad servers. Nomad client agents
+ # use the allocation's token when contacting Vault. Visit the Vault
+ # Integration Guide to see how to generate an appropriate token in Vault.
+ token = "{{ nomad_vault_token }}"
+}
+{% endif %}
\ No newline at end of file |
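Review bot: The stanza is gated on `{% if nomad_use_tls | bool == True %}`, which is the Nomad TLS flag, not a Vault flag, so a cluster with TLS but no Vault gets a `vault` block that demands `nomad_vault_address` and friends be defined, while a cluster using Vault without Nomad TLS gets no block at all; the guard should be `{% if nomad_vault_enabled | bool %}` (the variable already drives `enabled` inside the block). Second, `token = "{{ nomad_vault_token }}"` is rendered on every node although the comment directly above it says the parent token is only required on servers, so clients end up holding a privileged Vault token on disk; wrap that line in `{% if nomad_node_server | bool %}`. Finally, `tls_skip_verify` is left to a variable with a comment that says only "Specifies if SSL peer validation should be enforced"; make it `# Disables peer verification when true — leave false outside of lab environments.` so the inverted meaning is not misread.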