From 08909ceed064deac6924e61dd98f5bf126c6eadc Mon Sep 17 00:00:00 2001
From: Bertrand Lanson
Date: Thu, 16 May 2024 17:29:41 +0200
Subject: [PATCH] feat: add global variables for nomad deployment

---
.gitmodules | 6 --
playbooks/deploy.yml | 2 +-
playbooks/generate_credentials.yml | 20 +++-
playbooks/group_vars/all/consul.yml | 2 +-
playbooks/group_vars/all/globals.yml | 1 -
playbooks/group_vars/all/nomad.yml | 94 ++++++++++++++++++++----
playbooks/tasks/consul/consul_deploy.yml | 4 +-
playbooks/tasks/vault/vault_deploy.yml | 4 +-
playbooks/templates/credentials.yml.j2 | 5 +-
roles/hashicorp_consul | 1 -
roles/hashicorp_vault | 1 -
roles/requirements.yml | 16 ++++
12 files changed, 121 insertions(+), 35 deletions(-)
delete mode 100644 .gitmodules
delete mode 160000 roles/hashicorp_consul
delete mode 160000 roles/hashicorp_vault

diff --git a/.gitmodules b/.gitmodules
deleted file mode 100644
index 8f630b6..0000000
--- a/.gitmodules
+++ /dev/null
@@ -1,6 +0,0 @@
-[submodule "roles/hashicorp_consul"]
- path = roles/hashicorp_consul
- url = https://github.com/ednz-cloud/hashicorp_consul
-[submodule "roles/hashicorp_vault"]
- path = roles/hashicorp_vault
- url = https://github.com/ednz-cloud/hashicorp_vault
diff --git a/playbooks/deploy.yml b/playbooks/deploy.yml
index fbf6641..5a1613d 100644
--- a/playbooks/deploy.yml
+++ b/playbooks/deploy.yml
@@ -23,7 +23,7 @@
- name: "Deploy Consul Agents"
ansible.builtin.include_role:
- name: ednz_cloud.hashistack.hashicorp_consul
+ name: ednz_cloud.hashicorp_consul
when:
- enable_consul | bool
- "'consul_agents' in group_names"
diff --git a/playbooks/generate_credentials.yml b/playbooks/generate_credentials.yml
index 651ee32..df36826 100644
--- a/playbooks/generate_credentials.yml
+++ b/playbooks/generate_credentials.yml
@@ -8,25 +8,33 @@ tasks:
- name: "Generate consul credentials"
block:
+ - name: "Generate consul gossip encryption key"
+ ansible.builtin.set_fact:
+ _consul_gossip_encryption_key: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | b64encode }}"
+
- name: "Generate consul root credentials"
ansible.builtin.set_fact:
- _consul_root_token: "{{ lookup('password', '/dev/null chars=ascii_letters,digits') | to_uuid }}"
+ _consul_root_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
- name: "Generate consul agents credentials"
ansible.builtin.set_fact:
- _cosul_agents_accessor: "{{ lookup('password', '/dev/null chars=ascii_letters,digits') | to_uuid }}"
- _consul_agents_token: "{{ lookup('password', '/dev/null chars=ascii_letters,digits') | to_uuid }}"
+ _cosul_agents_accessor: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
+ _consul_agents_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
- name: "Generate consul vault credentials"
ansible.builtin.set_fact:
- _cosul_vault_accessor: "{{ lookup('password', '/dev/null chars=ascii_letters,digits') | to_uuid }}"
- _consul_vault_token: "{{ lookup('password', '/dev/null chars=ascii_letters,digits') | to_uuid }}"
+ _cosul_vault_accessor: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
+ _consul_vault_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
- name: "Generate nomad credentials"
block:
+ - name: "Generate nomad gossip encryption key"
+ ansible.builtin.set_fact:
+ _nomad_gossip_encryption_key: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | b64encode }}"
+
- name: "Generate nomad root credentials"
ansible.builtin.set_fact:
- _nomad_root_token: "{{ lookup('password', '/dev/null chars=ascii_letters,digits') | to_uuid }}"
+ _nomad_root_token: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits']) | to_uuid }}"
- name: "Write credentials file"
ansible.builtin.template:
diff --git a/playbooks/group_vars/all/consul.yml b/playbooks/group_vars/all/consul.yml
index 4caab26..bbfbd59 100644
--- a/playbooks/group_vars/all/consul.yml
+++ b/playbooks/group_vars/all/consul.yml
@@ -88,7 +88,7 @@ hashi_consul_configuration:
datacenter: "{{ consul_datacenter }}"
primary_datacenter: "{{ consul_primary_datacenter }}"
data_dir: "{{ hashi_consul_data_dir }}"
- encrypt: "{{ consul_gossip_encryption_key }}"
+ encrypt: "{{ _credentials.consul.gossip_encryption_key }}"
server: "{{ 'consul_servers' in group_names }}"
retry_join: "{{ groups['consul_servers'] |
diff --git a/playbooks/group_vars/all/globals.yml b/playbooks/group_vars/all/globals.yml
index cd5f7af..f72cf7b 100644
--- a/playbooks/group_vars/all/globals.yml
+++ b/playbooks/group_vars/all/globals.yml
@@ -46,7 +46,6 @@ consul_primary_datacenter: dc1
consul_leave_on_terminate: true
consul_rejoin_after_leave: true
consul_enable_script_checks: true
-consul_gossip_encryption_key: "{{ 'mysupersecretgossipencryptionkey'|b64encode }}"
################################
# consul address configuration #
diff --git a/playbooks/group_vars/all/nomad.yml b/playbooks/group_vars/all/nomad.yml
index e484058..5572039 100644
--- a/playbooks/group_vars/all/nomad.yml
+++ b/playbooks/group_vars/all/nomad.yml
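Review bot: The two added gossip-key tasks base64-encode the default 20-character output of `ansible.builtin.password`, which yields a 20-byte key, while Consul's and Nomad's gossip keyrings accept only 16, 24 or 32-byte keys, so the agents will most likely refuse the value at start-up. Pass an explicit length, e.g. `_consul_gossip_encryption_key: "{{ lookup('ansible.builtin.password', '/dev/null', chars=['ascii_letters','digits'], length=32) | b64encode }}"`, and the same for `_nomad_gossip_encryption_key`. The rewritten `_cosul_agents_accessor` and `_cosul_vault_accessor` facts keep the `cosul` typo while the credentials template reads `_consul_vault_accessor`, so the render presumably fails on an undefined variable unless that name is set elsewhere; renaming both facts to `_consul_…` resolves it. The `Write credentials file` task continues outside the hunk; since the file carries root tokens and gossip keys, confirm it is written with a restrictive `mode: "0600"`.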
@@ -1,18 +1,86 @@
+---
#####################################################
# #
-# Nomad Configuration #
+# Non-Editable #
# #
#####################################################
-hashi_nomad_cni_plugins_install: true
-hashi_nomad_start_service: true
-hashi_nomad_cni_plugins_version: latest
-hashi_nomad_cni_plugins_install_path: /opt/cni/bin
-hashi_nomad_version: latest
-hashi_nomad_deploy_method: host # deployment method, either host or docker
-hashi_nomad_env_variables: {}
-hashi_nomad_data_dir: /opt/nomad
-hashi_nomad_extra_files: false
-hashi_nomad_extra_files_src: /tmp/extra_files
-hashi_nomad_extra_files_dst: /etc/nomad.d/extra_files
-hashi_nomad_configuration: {}
+nomad_datacenter: dc1
+
+###########################
+# nomad ACL configuration #
+###########################
+
+nomad_acl_configuration:
+ enabled: true
+ token_ttl: 30s
+ policy_ttl: 60s
+ role_ttl: 60s
+
+#################################
+# nomad autopilot configuration #
+#################################
+
+nomad_autopilot_configuration: {}
+
+############################
+# nomad consul integration #
+############################
+
+nomad_enable_consul_integration: "{{ enable_consul | bool }}"
+nomad_consul_integration_configuration: {}
+
+############################
+# nomad vault integration #
+############################
+
+nomad_enable_vault_integration: false
+nomad_vault_integration_configuration: {}
+
+#############################
+# nomad leave configuration #
+#############################
+
+# node will leave the cluster if the process is stopped
+# and if it is only a client
+nomad_leave_on_interrupt: "{{ (('nomad_clients' in group_names) and (not 'nomad_servers' in group_names)) | bool }}"
+nomad_leave_on_terminate: "{{ (('nomad_clients' in group_names) and (not 'nomad_servers' in group_names)) | bool }}"
+
+##############################
+# nomad server configuration #
+##############################
+
+nomad_server_configuration:
+ enabled: "{{ 'nomad_servers' in group_names }}"
+ data_dir: "{{ hashicorp_nomad_data_dir }}/server"
+ encrypt: "{{ _credentials.nomad.gossip_encryption_key }}"
+
+##############################
+# nomad client configuration #
+##############################
+
+nomad_client_configuration:
+ enabled: "{{ 'nomad_clients' in group_names | bool }}"
+ state_dir: "{{ hashicorp_nomad_data_dir }}/client"
+
+hashicorp_nomad_cni_plugins_install: true
+hashicorp_nomad_start_service: true
+hashicorp_nomad_cni_plugins_version: latest
+hashicorp_nomad_cni_plugins_install_path: /opt/cni/bin
+hashicorp_nomad_version: latest
+hashicorp_nomad_deploy_method: host # deployment method, either host or docker
+hashicorp_nomad_env_variables: {}
+hashicorp_nomad_config_dir: "/etc/nomad.d"
+hashicorp_nomad_data_dir: /opt/nomad
+hashicorp_nomad_extra_files: false
+hashicorp_nomad_extra_files_src: /tmp/extra_files
+hashicorp_nomad_extra_files_dst: /etc/nomad.d/extra_files
+hashicorp_nomad_configuration:
+ datacenter: "{{ nomad_datacenter }}"
+ bind_addr: "0.0.0.0"
+ data_dir: "{{ hashicorp_nomad_data_dir }}"
+ leave_on_interrupt: "{{ (('nomad_clients' in group_names) and (not 'nomad_servers' in group_names)) | bool }}"
+ leave_on_terminate: "{{ (('nomad_clients' in group_names) and (not 'nomad_servers' in group_names)) | bool }}"
+ acl: "{{ nomad_acl_configuration }}"
+ server: "{{ nomad_server_configuration }}"
+ client: "{{ nomad_client_configuration }}"
diff --git a/playbooks/tasks/consul/consul_deploy.yml b/playbooks/tasks/consul/consul_deploy.yml
index 2d3ac78..5937d93 100644
--- a/playbooks/tasks/consul/consul_deploy.yml
+++ b/playbooks/tasks/consul/consul_deploy.yml
@@ -1,9 +1,9 @@
---
- name: "Consul"
block:
- - name: "Include ednz_cloud.hashistack.hashicorp_consul"
+ - name: "Include ednz_cloud.hashicorp_consul"
ansible.builtin.include_role:
- name: ednz_cloud.hashistack.hashicorp_consul
+ name: ednz_cloud.hashicorp_consul
- name: "Wait for consul cluster to initialize" # noqa: run-once[task]
ansible.builtin.uri:
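Review bot: In `nomad_client_configuration`, `enabled: "{{ 'nomad_clients' in group_names | bool }}"` applies `| bool` to `group_names` before the `in` test, because Jinja filters bind tighter than `in`, so the expression tests membership in a boolean and will error or mis-evaluate; write it like the server entry, `enabled: "{{ 'nomad_clients' in group_names }}"`. The `nomad_leave_on_interrupt` and `nomad_leave_on_terminate` variables defined earlier in the hunk are never referenced, and `hashicorp_nomad_configuration` repeats the same expressions inline; use `leave_on_interrupt: "{{ nomad_leave_on_interrupt }}"` and `leave_on_terminate: "{{ nomad_leave_on_terminate }}"` so there is one source of truth. `bind_addr: "0.0.0.0"` exposes the HTTP, RPC and Serf ports on every interface while no `tls` stanza appears in this file; if that is intentional, a comment above it stating where transport encryption is expected to be configured would help the next reader.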
diff --git a/playbooks/tasks/vault/vault_deploy.yml b/playbooks/tasks/vault/vault_deploy.yml
index 8561327..f3e3e33 100644
--- a/playbooks/tasks/vault/vault_deploy.yml
+++ b/playbooks/tasks/vault/vault_deploy.yml
@@ -38,9 +38,9 @@ state: present
when: _consul_vault_policy.changed
- - name: "Include ednz_cloud.hashistack.hashicorp_consul"
+ - name: "Include ednz_cloud.hashicorp_consul"
ansible.builtin.include_role:
- name: ednz_cloud.hashistack.hashicorp_vault
+ name: ednz_cloud.hashicorp_vault
- name: "Initialize vault cluster" # noqa: run-once[task]
ednz_cloud.hashistack.vault_init:
diff --git a/playbooks/templates/credentials.yml.j2 b/playbooks/templates/credentials.yml.j2
index 76a0ab4..7c759d5 100644
--- a/playbooks/templates/credentials.yml.j2
+++ b/playbooks/templates/credentials.yml.j2
@@ -1,5 +1,6 @@
---
consul:
+ gossip_encryption_key: "{{ _consul_gossip_encryption_key }}"
root_token:
secret_id: "{{ _consul_root_token }}"
tokens:
@@ -10,4 +11,6 @@ consul:
accessor_id: "{{ _consul_vault_accessor }}"
secret_id: "{{ _consul_vault_token }}"
nomad:
- root_token: "{{ _nomad_root_token }}"
+ gossip_encryption_key: "{{ _nomad_gossip_encryption_key }}"
+ root_token:
+ secret_id: "{{ _nomad_root_token }}"
diff --git a/roles/hashicorp_consul b/roles/hashicorp_consul
deleted file mode 160000
index 56696c3..0000000
--- a/roles/hashicorp_consul
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 56696c3552308225d4e5b91efc8e4bf75d31d2f3
diff --git a/roles/hashicorp_vault b/roles/hashicorp_vault
deleted file mode 160000
index 738c347..0000000
--- a/roles/hashicorp_vault
+++ /dev/null
@@ -1 +0,0 @@
-Subproject commit 738c347df8efd4965eda14167171343be13bed75
diff --git a/roles/requirements.yml b/roles/requirements.yml
index 5cf228d..ee2798a 100644
--- a/roles/requirements.yml
+++ b/roles/requirements.yml
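Review bot: The renamed task name `Include ednz_cloud.hashicorp_consul` no longer matches the role it includes, `ednz_cloud.hashicorp_vault`, two lines below, which is misleading in play output; change it to `- name: "Include ednz_cloud.hashicorp_vault"`. The enclosing block starts outside the hunk.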
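Review bot: The second hunk changes `nomad.root_token` from a plain string to a mapping holding `secret_id`, so any consumer reading `_credentials.nomad.root_token` as the token itself (none is visible in this diff) now receives a dict and has to be updated to `_credentials.nomad.root_token.secret_id`; this matches the consul shape, but it breaks credentials files generated by the previous version. A short header comment in the template, such as `{# Generated by generate_credentials.yml: holds cluster root tokens and gossip keys, keep out of version control #}`, would document the file's sensitivity for whoever finds it on disk.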
@@ -3,15 +3,31 @@ roles:
- name: ednz_cloud.manage_repositories
src: https://github.com/ednz-cloud/manage_repositories.git
+ version: main
- name: ednz_cloud.manage_apt_packages
src: https://github.com/ednz-cloud/manage_apt_packages.git
+ version: main
- name: ednz_cloud.manage_pip_packages
src: https://github.com/ednz-cloud/manage_pip_packages.git
+ version: main
- name: ednz_cloud.install_docker
src: https://github.com/ednz-cloud/install_docker.git
+ version: main
- name: ednz_cloud.docker_systemd_service
src: https://github.com/ednz-cloud/docker_systemd_service.git
+ version: main
- name: ednz_cloud.deploy_haproxy
src: https://github.com/ednz-cloud/deploy_haproxy.git
+ version: main
- name: ednz_cloud.deploy_keepalived
src: https://github.com/ednz-cloud/deploy_keepalived.git
+ version: main
+ - name: ednz_cloud.hashicorp_nomad
+ src: https://github.com/ednz-cloud/hashicorp_nomad.git
+ version: v0.1.0
+ - name: ednz_cloud.hashicorp_consul
+ src: https://github.com/ednz-cloud/hashicorp_consul.git
+ version: main
+ - name: ednz_cloud.hashicorp_vault
+ src: https://github.com/ednz-cloud/hashicorp_vault.git
+ version: main