chore: add more tags to collection metadata

ci: add nomad and consul tests, only run tests when they change
chore: remove unused dependencies from roles/requirements.yml
2024-09-16 20:15:24 +02:00 · 2024-09-16 19:43:52 +02:00 · 2024-09-15 23:21:04 +02:00 · 2024-09-15 23:08:47 +02:00 · 2024-09-15 23:04:14 +02:00 · 2024-09-15 23:01:50 +02:00
16 changed files with 1206 additions and 898 deletions
--- a/.gitea/workflows/e2e-tests-consul.yml
+++ b/.gitea/workflows/e2e-tests-consul.yml
@ -0,0 +1,48 @@
 ---
 name: test
 on:
  pull_request:
    types:
      - opened
      - edited
      - synchronize
    branches:
      - main
    paths:
      - roles/consul/**
 jobs:
  retrieve-credentials:
    name: Retrieve Credentials
    runs-on: ubuntu-latest
    outputs:
      registry-username: ${{ steps.import-secrets.outputs.GITEA_ACTIONS_USERNAME }}
      registry-token: ${{ steps.import-secrets.outputs.GITEA_ACTIONS_TOKEN }}
    steps:
      - name: Get secrets from vault
        id: import-secrets
        uses: hashicorp/vault-action@v3
        with:
          url: "https://vault.ednz.fr"
          method: approle
          roleId: ${{ secrets.VAULT_APPROLE_ID }}
          secretId: ${{ secrets.VAULT_APPROLE_SECRET_ID }}
          secrets: |
            kv/data/applications/gitea/users/actions username | GITEA_ACTIONS_USERNAME ;
            kv/data/applications/gitea/users/actions token_write | GITEA_ACTIONS_TOKEN ;
  end_to_end_vault:
    needs: retrieve-credentials
    strategy:
      matrix:
        test_os:
          ["debian11", "debian12", "ubuntu2004", "ubuntu2204", "ubuntu2404"]
        scenario: ["consul_default", "consul_with_acl_enabled"]
    uses: ./.gitea/workflows/e2e-tests.yml
    with:
      role: vault
      scenario: ${{ matrix.scenario }}
      test_os: ${{ matrix.test_os }}
    secrets:
      GITEA_ACTIONS_USERNAME: ${{ needs.retrieve-credentials.outputs.registry-username }}
      GITEA_ACTIONS_TOKEN: ${{ needs.retrieve-credentials.outputs.registry-token }}
--- a/.gitea/workflows/e2e-tests-nomad.yml
+++ b/.gitea/workflows/e2e-tests-nomad.yml
@ -0,0 +1,48 @@
 ---
 name: test
 on:
  pull_request:
    types:
      - opened
      - edited
      - synchronize
    branches:
      - main
    paths:
      - roles/nomad/**
 jobs:
  retrieve-credentials:
    name: Retrieve Credentials
    runs-on: ubuntu-latest
    outputs:
      registry-username: ${{ steps.import-secrets.outputs.GITEA_ACTIONS_USERNAME }}
      registry-token: ${{ steps.import-secrets.outputs.GITEA_ACTIONS_TOKEN }}
    steps:
      - name: Get secrets from vault
        id: import-secrets
        uses: hashicorp/vault-action@v3
        with:
          url: "https://vault.ednz.fr"
          method: approle
          roleId: ${{ secrets.VAULT_APPROLE_ID }}
          secretId: ${{ secrets.VAULT_APPROLE_SECRET_ID }}
          secrets: |
            kv/data/applications/gitea/users/actions username | GITEA_ACTIONS_USERNAME ;
            kv/data/applications/gitea/users/actions token_write | GITEA_ACTIONS_TOKEN ;
  end_to_end_vault:
    needs: retrieve-credentials
    strategy:
      matrix:
        test_os:
          ["debian11", "debian12", "ubuntu2004", "ubuntu2204", "ubuntu2404"]
        scenario: ["nomad_default", "nomad_with_acl_enabled"]
    uses: ./.gitea/workflows/e2e-tests.yml
    with:
      role: vault
      scenario: ${{ matrix.scenario }}
      test_os: ${{ matrix.test_os }}
    secrets:
      GITEA_ACTIONS_USERNAME: ${{ needs.retrieve-credentials.outputs.registry-username }}
      GITEA_ACTIONS_TOKEN: ${{ needs.retrieve-credentials.outputs.registry-token }}
--- a/.gitea/workflows/e2e-tests-vault.yml
+++ b/.gitea/workflows/e2e-tests-vault.yml
@ -0,0 +1,49 @@
 ---
 name: test
 on:
  pull_request:
    types:
      - opened
      - edited
      - synchronize
    branches:
      - main
    paths:
      - roles/vault/**
      - plugins/modules/vault_unseal.py
 jobs:
  retrieve-credentials:
    name: Retrieve Credentials
    runs-on: ubuntu-latest
    outputs:
      registry-username: ${{ steps.import-secrets.outputs.GITEA_ACTIONS_USERNAME }}
      registry-token: ${{ steps.import-secrets.outputs.GITEA_ACTIONS_TOKEN }}
    steps:
      - name: Get secrets from vault
        id: import-secrets
        uses: hashicorp/vault-action@v3
        with:
          url: "https://vault.ednz.fr"
          method: approle
          roleId: ${{ secrets.VAULT_APPROLE_ID }}
          secretId: ${{ secrets.VAULT_APPROLE_SECRET_ID }}
          secrets: |
            kv/data/applications/gitea/users/actions username | GITEA_ACTIONS_USERNAME ;
            kv/data/applications/gitea/users/actions token_write | GITEA_ACTIONS_TOKEN ;
  end_to_end_vault:
    needs: retrieve-credentials
    strategy:
      matrix:
        test_os:
          ["debian11", "debian12", "ubuntu2004", "ubuntu2204", "ubuntu2404"]
        scenario: ["vault_default", "vault_with_raft_enabled"]
    uses: ./.gitea/workflows/e2e-tests.yml
    with:
      role: vault
      scenario: ${{ matrix.scenario }}
      test_os: ${{ matrix.test_os }}
    secrets:
      GITEA_ACTIONS_USERNAME: ${{ needs.retrieve-credentials.outputs.registry-username }}
      GITEA_ACTIONS_TOKEN: ${{ needs.retrieve-credentials.outputs.registry-token }}
--- a/.gitea/workflows/e2e-tests.yml
+++ b/.gitea/workflows/e2e-tests.yml
@ -0,0 +1,47 @@
 ---
 name: End-to-end tests
 on:
  workflow_call:
    inputs:
      role:
        required: true
        type: string
        description: "Which role should be tested"
      scenario:
        required: true
        type: string
        description: "Which scenarios should be run"
      test_os:
        required: true
        type: string
        description: "On which OS to run the tests"
    secrets:
      GITEA_ACTIONS_USERNAME:
        required: true
      GITEA_ACTIONS_TOKEN:
        required: true
 jobs:
  molecule-test:
    name: Molecule tests
    runs-on: ubuntu-latest
    container:
      image: git.ednz.fr/container-factory/ansible-runner:act-latest
      credentials:
        username: ${{ secrets.GITEA_ACTIONS_USERNAME }}
        password: ${{ secrets.GITEA_ACTIONS_TOKEN }}
    env:
      ANSIBLE_HOST_KEY_CHECKING: "false"
      ANSIBLE_FORCE_COLOR: "true"
      ANSIBLE_PYTHON_INTERPRETER: /usr/bin/python3
    steps:
      - name: Checkout
        uses: actions/checkout@v3
      - name: "Molecule test"
        run: molecule test -s ${{ inputs.scenario }}
        shell: bash
        working-directory: ${{ gitea.workspace }}
        env:
          MOLECULE_TEST_OS: ${{ inputs.test_os }}
--- a/galaxy.yml
+++ b/galaxy.yml
@ -11,7 +11,7 @@ license_file: "LICENSE"
 # A list of tags you want to associate with the collection for indexing/searching. A tag name has the same character
 # requirements as 'namespace' and 'name'
-tags: ["tools"]
+tags: ["tools", "hashicorp", "nomad", "vault", "consul"]
 dependencies: {}
 repository: https://git.ednz.fr/ansible-collections/hashistack
 documentation: http://docs.example.com
--- a/molecule/no_tls_multi_node/etc/hashistack/globals.yml
+++ b/molecule/no_tls_multi_node/etc/hashistack/globals.yml
@ -1,293 +1,91 @@
 ---
 # Molecule specific variables
-##########################
+###################
-# General options ########
+# General options #
-##########################
+###################
-# enable_haproxy: "yes"
+enable_vault: "yes"
-# enable_vault: "yes"
+enable_consul: "yes"
-# enable_consul: "yes"
+enable_nomad: "yes"
 # enable_nomad: "yes"
-# haproxy_version: "2.8"
+nomad_version: "1.8.3"
 nomad_version: "1.8.2"
 # consul_version: "1.18.1"
-# vault_version: "1.16.2"
+vault_version: "1.17.2"
 # consul_fqdn: consul.ednz.lab
 # vault_fqdn: vault.ednz.lab
 # nomad_fqdn: nomad.ednz.lab
 # hashistack_external_vip_interface: "eth0"
 # hashistack_external_vip_addr: "192.168.121.100"
 # hashistack_internal_vip_interface: "{{ hashistack_external_vip_interface }}"
 # hashistack_internal_vip_addr: "{{ hashistack_external_vip_addr }}"
 api_interface: "eth1"
 # api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"
-########################
+###################
-# external tls options #
+# logging options #
-########################
+###################
 # enable_tls_external: false
 # external_tls_externally_managed_certs: false
 enable_log_to_file: true
 ########################
 # internal tls options #
 ########################
 # enable_tls_internal: false
 # internal_tls_externally_managed_certs: false
-
+##########
 #####################################################
 #                                                   #
 # Consul #
-#                                                   #
+##########
 #####################################################
-# consul_domain: consul
+# hashistack_consul_domain: consul
-# consul_datacenter: dc1
+# hashistack_consul_datacenter: dc1
-# consul_primary_datacenter: dc1
+# hashistack_consul_primary_datacenter: "{{ consul_datacenter }}"
-# consul_leave_on_terminate: true
+# hashistack_consul_gossip_encryption_key: "{{ _credentials.consul.gossip_encryption_key }}"
-# consul_rejoin_after_leave: true
+# hashistack_consul_enable_script_checks: false
 # consul_enable_script_checks: true
 # consul_gossip_encryption_key: "{{ 'mysupersecretgossipencryptionkey'|b64encode }}"
-################################
+# hashistack_consul_extra_files_list: []
-# consul address configuration #
+# hashistack_consul_extra_configuration: {}
 ################################
-# consul_address_configuration:
+# hashistack_consul_enable_tls: "{{ enable_tls_internal }}"
 #   # The address to which Consul will bind client interfaces,
 #   # including the HTTP and DNS servers.
 #   client_addr: "0.0.0.0"
 #   # The address that should be bound to for internal cluster communications.
 #   bind_addr: "{{ api_interface_address }}"
 #   # The advertise address is used to change the address that we advertise to other nodes in the cluster.
 #   advertise_addr: "{{ api_interface_address }}"
-############################
+# hashistack_consul_log_level: info
 # consul ACL configuration #
 ############################
-# consul_acl_configuration:
+#########
 #   enabled: true
 #   default_policy: "deny" # can be allow or deny
 #   enable_token_persistence: true
 ############################
 # consul DNS configuration #
 ############################
 # consul_dns_configuration:
 #   allow_stale: true
 #   enable_truncate: true
 #   only_passing: true
 ###########################
 # consul ui configuration #
 ###########################
 # consul_ui_configuration:
 #   enabled: "{{ 'consul_servers' in group_names }}"
 #####################################
 # consul service mesh configuration #
 #####################################
 # consul_mesh_configuration:
 #   enabled: true
 ############################
 # consul tls configuration #
 ############################
 # consul_enable_tls: "{{ enable_tls_internal }}"
 # consul_tls_configuration:
 #   defaults:
 #     ca_file: "/etc/ssl/certs/ca-certificates.crt"
 #     cert_file: "{{ consul_certificates_directory }}/cert.pem"
 #     key_file: "{{ consul_certificates_directory }}/key.pem"
 #     verify_incoming: false
 #     verify_outgoing: true
 #   internal_rpc:
 #     verify_server_hostname: true
 ############################
 # consul container volumes #
 ############################
 # extra_consul_container_volumes: []
 ##############################
 # consul extra configuration #
 ##############################
 # consul_extra_configuration: {}
 # consul_extra_files_list: []
 #####################################################
 #                                                   #
 # Vault #
-#                                                   #
+#########
 #####################################################
-# vault_cluster_name: vault
+# hashistack_vault_cluster_name: vault
-# vault_enable_ui: true
+# hashistack_vault_bind_addr: "0.0.0.0"
-# vault_seal_configuration:
+# hashistack_vault_cluster_addr: "{{ api_interface_address }}"
-#   key_shares: 3
+# hashistack_vault_enable_ui: true
-#   key_threshold: 2
+# hashistack_vault_disable_mlock: false
 # hashistack_vault_disable_cache: false
-#################
+# hashistack_vault_extra_files_list: []
-# vault storage #
+# hashistack_vault_extra_configuration: {}
 #################
-# vault_storage_configuration:
+# hashistack_vault_enable_tls: "{{ enable_tls_internal }}"
 #   raft:
 #     path: "{{ hashicorp_vault_data_dir }}/data"
 #     node_id: "{{ ansible_hostname }}"
 #     retry_join: |
 #       [
 #       {% for host in groups['vault_servers'] %}
 #         {
 #           'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200'
 #         }{% if not loop.last %},{% endif %}
 #       {% endfor %}
 #       ]
-##################
+# hashistack_vault_enable_service_registration: "{{ enable_consul | bool }}"
 # vault listener #
 ##################
-# vault_enable_tls: "{{ enable_tls_internal }}"
+# hashistack_vault_enable_plugins: false
 # vault_tls_verify: false
 # vault_listener_configuration:
 #   tcp:
 #     address: "0.0.0.0:8200"
 #     tls_disable: true
-# vault_tls_listener_configuration:
+# hashistack_vault_log_level: info
 #   tcp:
 #     tls_disable: false
 #     tls_cert_file: "{{ vault_certificates_directory }}/cert.pem"
 #     tls_key_file: "{{ vault_certificates_directory }}/key.pem"
 #     tls_disable_client_certs: true
-# vault_extra_listener_configuration: {}
+#########
 ########################
 # service registration #
 ########################
 # vault_enable_service_registration: false
 # vault_service_registration_configuration:
 #   consul:
 #     address: "127.0.0.1:8500"
 #     scheme: "http"
 #     token: ""
 #################
 # vault plugins #
 #################
 # vault_enable_plugins: false
 ###########
 # logging #
 ###########
 # vault_enable_log_to_file: false
 # vault_logging_configuration:
 #   log_level: info
 #   log_format: standard
 #   log_rotate_duration: 24h
 #   log_rotate_max_files: 30
 ###########################
 # vault container volumes #
 ###########################
 # extra_vault_container_volumes: []
 #############################
 # vault extra configuration #
 #############################
 # vault_extra_configuration: {}
 # vault_extra_files_list: []
 #####################################################
 #                                                   #
 # Nomad #
-#                                                   #
+#########
 #####################################################
-# nomad_datacenter: dc1
+# hashistack_nomad_region: global
-# nomad_region: global
+# hashistack_nomad_datacenter: dc1
-###########################
+# hashistack_nomad_extra_files_list: []
-# nomad ACL configuration #
+# hashistack_nomad_extra_configuration: {}
 ###########################
-# nomad_acl_configuration:
+# hashistack_nomad_autopilot_configuration: {}
 #   enabled: true
 #   token_ttl: 30s
 #   policy_ttl: 60s
 #   role_ttl: 60s
-############################
+# hashistack_nomad_driver_enable_docker: true
-# nomad consul integration #
+# hashistack_nomad_driver_enable_podman: false
-############################
+# hashistack_nomad_driver_enable_raw_exec: false
 # hashistack_nomad_driver_enable_java: false
 # hashistack_nomad_driver_enable_qemu: false
-# nomad_enable_consul_integration: "{{ enable_consul | bool }}"
+# hashistack_nomad_driver_configuration: {}
 # nomad_consul_integration_configuration:
 #   address: "127.0.0.1:{{ hashicorp_consul_configuration.ports.https if consul_enable_tls else hashicorp_consul_configuration.ports.http }}"
 #   auto_advertise: true
 #   ssl: "{{ consul_enable_tls | bool }}"
 #   token: "{{ _credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else _credentials.consul.tokens.nomad.client.secret_id}}"
 #   tags: []
-############################
+# hashistack_nomad_log_level: info
 # nomad vault integration #
 ############################
-# nomad_enable_vault_integration: false
+# hashistack_nomad_enable_tls: "{{ enable_tls_internal }}"
 # nomad_vault_integration_configuration: {}
 ###############################
 # nomad drivers configuration #
 ###############################
 # nomad_driver_enable_docker: yes
 # nomad_driver_enable_podman: no
 # nomad_driver_enable_raw_exec: no
 # nomad_driver_enable_java: no
 # nomad_driver_enable_qemu: no
 # nomad_driver_extra_configuration: {}
 ######################
 # nomad internal tls #
 ######################
 # nomad_enable_tls: "{{ enable_tls_internal }}"
 # nomad_tls_configuration:
 #   http: true
 #   rpc: true
 #   ca_file: "/etc/ssl/certs/ca-certificates.crt"
 #   cert_file: "{{ nomad_certificates_directory }}/cert.pem"
 #   key_file: "{{ nomad_certificates_directory }}/key.pem"
 #   verify_server_hostname: true
 # nomad_certificates_directory: "{{ hashicorp_nomad_config_dir }}/tls"
 # nomad_certificates_extra_files_dir:
 #   - src: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}"
 #     dest: "{{ nomad_certificates_directory }}"
 #############################
 # nomad extra configuration #
 #############################
 # nomad_extra_configuration: {}
 # nomad_extra_files_list: []
--- a/molecule/tls_multi_node/etc/hashistack/globals.yml
+++ b/molecule/tls_multi_node/etc/hashistack/globals.yml
@ -7,38 +7,26 @@ hashistack_ca_directory_owner: "{{ lookup('env', 'USER') }}"
 hashistack_ca_domain: ednz.lab
 hashistack_ca_intermediate_name_constraints_critical: false
-##########################
+###################
-# General options ########
+# General options #
-##########################
+###################
-# enable_haproxy: "yes"
+enable_vault: "yes"
-# enable_vault: "yes"
+enable_consul: "yes"
-# enable_consul: "yes"
+enable_nomad: "yes"
 # enable_nomad: "yes"
 # haproxy_version: "2.8"
 nomad_version: "1.8.3"
 # consul_version: "1.18.1"
 vault_version: "1.17.2"
 # consul_fqdn: consul.ednz.lab
 # vault_fqdn: vault.ednz.lab
 # nomad_fqdn: nomad.ednz.lab
 # hashistack_external_vip_interface: "eth0"
 # hashistack_external_vip_addr: "192.168.121.100"
 # hashistack_internal_vip_interface: "{{ hashistack_external_vip_interface }}"
 # hashistack_internal_vip_addr: "{{ hashistack_external_vip_addr }}"
 api_interface: "eth1"
 # api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"
-########################
+###################
-# external tls options #
+# logging options #
-########################
+###################
-enable_tls_external: true
+enable_log_to_file: true
 # external_tls_externally_managed_certs: false
 ########################
 # internal tls options #
@ -46,254 +34,65 @@ enable_tls_external: true
 enable_tls_internal: true
 # internal_tls_externally_managed_certs: false
-
+##########
 #####################################################
 #                                                   #
 # Consul #
-#                                                   #
+##########
 #####################################################
-# consul_domain: consul
+# hashistack_consul_domain: consul
-# consul_datacenter: dc1
+# hashistack_consul_datacenter: dc1
-# consul_primary_datacenter: dc1
+# hashistack_consul_primary_datacenter: "{{ consul_datacenter }}"
-# consul_leave_on_terminate: true
+# hashistack_consul_gossip_encryption_key: "{{ _credentials.consul.gossip_encryption_key }}"
-# consul_rejoin_after_leave: true
+# hashistack_consul_enable_script_checks: false
 # consul_enable_script_checks: true
 # consul_gossip_encryption_key: "{{ 'mysupersecretgossipencryptionkey'|b64encode }}"
-################################
+# hashistack_consul_extra_files_list: []
-# consul address configuration #
+# hashistack_consul_extra_configuration: {}
 ################################
-# consul_address_configuration:
+# hashistack_consul_enable_tls: "{{ enable_tls_internal }}"
 #   # The address to which Consul will bind client interfaces,
 #   # including the HTTP and DNS servers.
 #   client_addr: "0.0.0.0"
 #   # The address that should be bound to for internal cluster communications.
 #   bind_addr: "{{ api_interface_address }}"
 #   # The advertise address is used to change the address that we advertise to other nodes in the cluster.
 #   advertise_addr: "{{ api_interface_address }}"
-############################
+# hashistack_consul_log_level: info
 # consul ACL configuration #
 ############################
-# consul_acl_configuration:
+#########
 #   enabled: true
 #   default_policy: "deny" # can be allow or deny
 #   enable_token_persistence: true
 ############################
 # consul DNS configuration #
 ############################
 # consul_dns_configuration:
 #   allow_stale: true
 #   enable_truncate: true
 #   only_passing: true
 ###########################
 # consul ui configuration #
 ###########################
 # consul_ui_configuration:
 #   enabled: "{{ 'consul_servers' in group_names }}"
 #####################################
 # consul service mesh configuration #
 #####################################
 # consul_mesh_configuration:
 #   enabled: true
 ############################
 # consul tls configuration #
 ############################
 # consul_enable_tls: "{{ enable_tls_internal }}"
 # consul_tls_configuration:
 #   defaults:
 #     ca_file: "/etc/ssl/certs/ca-certificates.crt"
 #     cert_file: "{{ consul_certificates_directory }}/cert.pem"
 #     key_file: "{{ consul_certificates_directory }}/key.pem"
 #     verify_incoming: false
 #     verify_outgoing: true
 #   internal_rpc:
 #     verify_server_hostname: true
 ############################
 # consul container volumes #
 ############################
 # extra_consul_container_volumes: []
 ##############################
 # consul extra configuration #
 ##############################
 # consul_extra_configuration: {}
 # consul_extra_files_list: []
 #####################################################
 #                                                   #
 # Vault #
-#                                                   #
+#########
 #####################################################
-# vault_cluster_name: vault
+# hashistack_vault_cluster_name: vault
-# vault_enable_ui: true
+# hashistack_vault_bind_addr: "0.0.0.0"
-# vault_seal_configuration:
+# hashistack_vault_cluster_addr: "{{ api_interface_address }}"
-#   key_shares: 3
+# hashistack_vault_enable_ui: true
-#   key_threshold: 2
+# hashistack_vault_disable_mlock: false
 # hashistack_vault_disable_cache: false
-#################
+# hashistack_vault_extra_files_list: []
-# vault storage #
+# hashistack_vault_extra_configuration: {}
 #################
-# vault_storage_configuration:
+# hashistack_vault_enable_tls: "{{ enable_tls_internal }}"
 #   raft:
 #     path: "{{ hashicorp_vault_data_dir }}/data"
 #     node_id: "{{ ansible_hostname }}"
 #     retry_join: |
 #       [
 #       {% for host in groups['vault_servers'] %}
 #         {
 #           'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200'
 #         }{% if not loop.last %},{% endif %}
 #       {% endfor %}
 #       ]
-##################
+# hashistack_vault_enable_service_registration: "{{ enable_consul | bool }}"
 # vault listener #
 ##################
-# vault_enable_tls: "{{ enable_tls_internal }}"
+# hashistack_vault_enable_plugins: false
 # vault_tls_verify: false
 # vault_listener_configuration:
 #   tcp:
 #     address: "0.0.0.0:8200"
 #     tls_disable: true
-# vault_tls_listener_configuration:
+# hashistack_vault_log_level: info
 #   tcp:
 #     tls_disable: false
 #     tls_cert_file: "{{ vault_certificates_directory }}/cert.pem"
 #     tls_key_file: "{{ vault_certificates_directory }}/key.pem"
 #     tls_disable_client_certs: true
-# vault_extra_listener_configuration: {}
+#########
 ########################
 # service registration #
 ########################
 # vault_enable_service_registration: false
 # vault_service_registration_configuration:
 #   consul:
 #     address: "127.0.0.1:8500"
 #     scheme: "http"
 #     token: ""
 #################
 # vault plugins #
 #################
 # vault_enable_plugins: false
 ###########
 # logging #
 ###########
 # vault_enable_log_to_file: false
 # vault_logging_configuration:
 #   log_level: info
 #   log_format: standard
 #   log_rotate_duration: 24h
 #   log_rotate_max_files: 30
 ###########################
 # vault container volumes #
 ###########################
 # extra_vault_container_volumes: []
 #############################
 # vault extra configuration #
 #############################
 # vault_extra_configuration: {}
 # vault_extra_files_list: []
 #####################################################
 #                                                   #
 # Nomad #
-#                                                   #
+#########
 #####################################################
-# nomad_datacenter: dc1
+# hashistack_nomad_region: global
-# nomad_region: global
+# hashistack_nomad_datacenter: dc1
-###########################
+# hashistack_nomad_extra_files_list: []
-# nomad ACL configuration #
+# hashistack_nomad_extra_configuration: {}
 ###########################
-# nomad_acl_configuration:
+# hashistack_nomad_autopilot_configuration: {}
 #   enabled: true
 #   token_ttl: 30s
 #   policy_ttl: 60s
 #   role_ttl: 60s
-############################
+# hashistack_nomad_driver_enable_docker: true
-# nomad consul integration #
+# hashistack_nomad_driver_enable_podman: false
-############################
+# hashistack_nomad_driver_enable_raw_exec: false
 # hashistack_nomad_driver_enable_java: false
 # hashistack_nomad_driver_enable_qemu: false
-# nomad_enable_consul_integration: "{{ enable_consul | bool }}"
+# hashistack_nomad_driver_configuration: {}
 # nomad_consul_integration_configuration:
 #   address: "127.0.0.1:{{ hashicorp_consul_configuration.ports.https if consul_enable_tls else hashicorp_consul_configuration.ports.http }}"
 #   auto_advertise: true
 #   ssl: "{{ consul_enable_tls | bool }}"
 #   token: "{{ _credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else _credentials.consul.tokens.nomad.client.secret_id}}"
 #   tags: []
-############################
+# hashistack_nomad_log_level: info
 # nomad vault integration #
 ############################
-# nomad_enable_vault_integration: false
+# hashistack_nomad_enable_tls: "{{ enable_tls_internal }}"
 # nomad_vault_integration_configuration: {}
 ###############################
 # nomad drivers configuration #
 ###############################
 # nomad_driver_enable_docker: yes
 # nomad_driver_enable_podman: no
 # nomad_driver_enable_raw_exec: no
 # nomad_driver_enable_java: no
 # nomad_driver_enable_qemu: no
 # nomad_driver_extra_configuration: {}
 ######################
 # nomad internal tls #
 ######################
 # nomad_enable_tls: "{{ enable_tls_internal }}"
 # nomad_tls_configuration:
 #   http: true
 #   rpc: true
 #   ca_file: "/etc/ssl/certs/ca-certificates.crt"
 #   cert_file: "{{ nomad_certificates_directory }}/cert.pem"
 #   key_file: "{{ nomad_certificates_directory }}/key.pem"
 #   verify_server_hostname: true
 # nomad_certificates_directory: "{{ hashicorp_nomad_config_dir }}/tls"
 # nomad_certificates_extra_files_dir:
 #   - src: "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}"
 #     dest: "{{ nomad_certificates_directory }}"
 #############################
 # nomad extra configuration #
 #############################
 # nomad_extra_configuration: {}
 # nomad_extra_files_list: []
--- a/playbooks/group_vars/all/consul.yml
+++ b/playbooks/group_vars/all/consul.yml
@ -3,18 +3,14 @@
 # Consul #
 ##########
-consul_config_dir: "{{ hashistack_remote_config_dir }}/consul.d"
+# hashistack_consul_config_dir:
-consul_data_dir: "/opt/consul"
+# hashistack_consul_data_dir:
-consul_certs_dir: "{{ consul_config_dir }}/tls"
+# hashistack_consul_certs_dir:
-consul_logs_dir: "{{ hashistack_remote_log_dir }}/consul"
+# hashistack_consul_logs_dir:
-
+# hashistack_consul_envoy_install:
-consul_envoy_install: false
+# hashistack_consul_envoy_version:
-consul_envoy_version: latest
+# hashistack_consul_extra_files_list:
-
+# hashistack_consul_env_variables:
 consul_extra_files: true
 # consul_extra_files_list: []
 consul_env_variables: {}
 #######################
 # extra configuration #
@ -25,140 +21,89 @@ consul_env_variables: {}
 # option should be used to add pieces of configuration not
 # available through standard variables.
-# consul_extra_configuration: {}
+# hashistack_consul_extra_configuration:
 ###########
 # general #
 ###########
-# consul_domain: consul
+# hashistack_consul_domain:
-# consul_datacenter: dc1
+# hashistack_consul_datacenter:
-# consul_primary_datacenter: "{{ consul_datacenter }}"
+# hashistack_consul_primary_datacenter:
-# consul_gossip_encryption_key: "{{ _credentials.consul.gossip_encryption_key }}"
+# hashistack_consul_gossip_encryption_key:
-# consul_enable_script_checks: false
+# hashistack_consul_enable_script_checks:
 #######################
 # leave configuration #
 #######################
-consul_leave_on_terminate: true
+# hashistack_consul_leave_on_terminate:
-consul_rejoin_after_leave: true
+# hashistack_consul_rejoin_after_leave:
 ######################
 # join configuration #
 ######################
-consul_join_configuration:
+# hashistack_consul_join_configuration:
  retry_join: |
    {{
      groups['consul_servers'] |
      map('extract', hostvars, ['consul_address_configuration', 'bind_addr']) |
      list |
      to_json |
      from_json
    }}
  retry_interval: 30s
  retry_max: 0
 ########################
 # server configuration #
 ########################
-consul_enable_server: "{{ 'consul_servers' in group_names }}"
+# hashistack_consul_enable_server:
-consul_bootstrap_expect: "{{ (groups['consul_servers'] | length) }}"
+# hashistack_consul_bootstrap_expect:
 ####################
 # ui configuration #
 ####################
-consul_ui_configuration:
+# hashistack_consul_ui_configuration:
  enabled: "{{ consul_enable_server }}"
 #########################
 # address configuration #
 #########################
-consul_bind_addr: "0.0.0.0"
+# hashistack_consul_bind_addr:
-consul_advertise_addr: "{{ api_interface_address }}"
+# hashistack_consul_advertise_addr:
-consul_address_configuration:
+# hashistack_consul_address_configuration:
  client_addr: "{{ consul_bind_addr }}"
  bind_addr: "{{ consul_advertise_addr }}"
  advertise_addr: "{{ consul_advertise_addr }}"
 #####################
 # ACL configuration #
 #####################
-consul_acl_configuration:
+# hashistack_consul_acl_configuration:
  enabled: true
  default_policy: "deny"
  enable_token_persistence: true
  tokens:
    agent: "{{ _credentials.consul.tokens.agent.secret_id }}"
 consul_default_agent_policy: |
  node_prefix "" {
    policy = "write"
  }
  service_prefix "" {
    policy = "read"
  }
 ##############################
 # service mesh configuration #
 ##############################
-consul_mesh_configuration:
+# hashistack_consul_mesh_configuration:
  enabled: true
 #####################
 # DNS configuration #
 #####################
-consul_dns_configuration:
+# hashistack_consul_dns_configuration:
  allow_stale: true
  enable_truncate: true
  only_passing: true
 ################
 # internal tls #
 ################
-# consul_enable_tls: false
+# hashistack_consul_enable_tls:
-consul_tls_configuration:
+# hashistack_consul_tls_configuration:
  defaults:
    ca_file: "/etc/ssl/certs/ca-certificates.crt"
    cert_file: "{{ consul_certs_dir }}/fullchain.crt"
    key_file: "{{ consul_certs_dir }}/cert.key"
    verify_incoming: false
    verify_outgoing: true
  internal_rpc:
    verify_server_hostname: true
 consul_certificates_extra_files_dir: >
  {{
    [] if external_tls_externally_managed_certs | bool else
    [{
      'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}",
      'dest': "{{ consul_certs_dir }}"
    }]
  }}
 ###########################
 # telemetry configuration #
 ###########################
-consul_enable_prometheus_metrics: false
+# hashistack_consul_enable_prometheus_metrics:
-consul_prometheus_retention_time: 60s
+# hashistack_consul_prometheus_retention_time:
-consul_telemetry_configuration: {}
+# hashistack_consul_telemetry_configuration:
 ###########
 # logging #
 ###########
-# consul_log_level: info
+# hashistack_consul_log_level:
-consul_enable_log_to_file: "{{ enable_log_to_file | bool }}"
+# hashistack_consul_enable_log_to_file:
-consul_log_to_file_configuration:
+# hashistack_consul_log_to_file_configuration:
  log_file: "{{ consul_logs_dir }}/consul.log"
  log_rotate_duration: 24h
  log_rotate_max_files: 30
--- a/playbooks/group_vars/all/consul_default.yml
+++ b/playbooks/group_vars/all/consul_default.yml
@ -0,0 +1,252 @@
 ---
 ##########
 # Consul #
 ##########
 hashistack_default_consul_config_dir: "{{ hashistack_remote_config_dir }}/consul.d"
 consul_config_dir: "{{ hashistack_consul_config_dir | default(hashistack_default_consul_config_dir) }}"
 hashistack_default_consul_data_dir: "/opt/consul"
 consul_data_dir: "{{ hashistack_consul_data_dir | default(hashistack_default_consul_data_dir)}}"
 hashistack_default_consul_certs_dir: "{{ consul_config_dir }}/tls"
 consul_certs_dir: "{{ hashistack_consul_certs_dir | default(hashistack_default_consul_certs_dir) }}"
 hashistack_default_consul_logs_dir: "{{ hashistack_remote_log_dir }}/consul"
 consul_logs_dir: "{{ hashistack_consul_logs_dir | default(hashistack_default_consul_logs_dir) }}"
 hashistack_default_consul_envoy_install: false
 consul_envoy_install: "{{ hashistack_consul_envoy_install | default(hashistack_default_consul_envoy_install) }}"
 hashistack_default_consul_envoy_version: latest
 consul_envoy_version: "{{ hashistack_consul_envoy_version | default(hashistack_default_consul_envoy_version) }}"
 consul_extra_files: true
 hashistack_default_consul_extra_files_list: []
 consul_extra_files_list: "{{ hashistack_consul_extra_files_list | default(hashistack_default_consul_extra_files_list) }}"
 hashistack_default_consul_env_variables: {}
 consul_env_variables: "{{ hashistack_consul_env_variables | default(hashistack_default_consul_env_variables) }}"
 #######################
 # extra configuration #
 #######################
 # You should prioritize adding configuration
 # to the configuration entries below, this
 # option should be used to add pieces of configuration not
 # available through standard variables.
 hashistack_default_consul_extra_configuration: {}
 consul_extra_configuration: >-
  {{
    hashistack_default_consul_extra_configuration |
    combine((hashistack_consul_extra_configuration | default({})), recursive=true)
  }}
 ###########
 # general #
 ###########
 hashistack_default_consul_domain: consul
 consul_domain: "{{ hashistack_consul_domain | default(hashistack_default_consul_domain) }}"
 hashistack_default_consul_datacenter: dc1
 consul_datacenter: "{{ hashistack_consul_datacenter | default(hashistack_default_consul_datacenter) }}"
 hashistack_default_consul_primary_datacenter: "{{ consul_datacenter }}"
 consul_primary_datacenter: "{{ hashistack_consul_primary_datacenter | default(hashistack_default_consul_primary_datacenter) }}"
 hashistack_default_consul_gossip_encryption_key: "{{ _credentials.consul.gossip_encryption_key }}"
 consul_gossip_encryption_key: "{{ hashistack_consul_gossip_encryption_key | default(hashistack_default_consul_gossip_encryption_key) }}"
 hashistack_default_consul_enable_script_checks: false
 consul_enable_script_checks: "{{ hashistack_consul_enable_script_checks | default(hashistack_default_consul_enable_script_checks) }}"
 #######################
 # leave configuration #
 #######################
 hashistack_default_consul_leave_on_terminate: true
 consul_leave_on_terminate: "{{ hashistack_consul_leave_on_terminate | default(hashistack_default_consul_leave_on_terminate) }}"
 hashistack_default_consul_rejoin_after_leave: true
 consul_rejoin_after_leave: "{{ hashistack_consul_rejoin_after_leave | default(hashistack_default_consul_rejoin_after_leave) }}"
 ######################
 # join configuration #
 ######################
 hashistack_default_consul_join_configuration:
  retry_join: |
    {{
      groups['consul_servers'] |
      map('extract', hostvars, ['consul_address_configuration', 'bind_addr']) |
      list |
      to_json |
      from_json
    }}
  retry_interval: 30s
  retry_max: 0
 consul_join_configuration: >-
  {{
    hashistack_default_consul_join_configuration |
    combine((hashistack_consul_join_configuration | default({})), recursive=true)
  }}
 ########################
 # server configuration #
 ########################
 hashistack_default_consul_enable_server: "{{ 'consul_servers' in group_names }}"
 consul_enable_server: "{{ hashistack_consul_enable_server | default(hashistack_default_consul_enable_server) }}"
 hashistack_default_consul_bootstrap_expect: "{{ (groups['consul_servers'] | length) }}"
 consul_bootstrap_expect: "{{ hashistack_consul_bootstrap_expect | default(hashistack_default_consul_bootstrap_expect) }}"
 ####################
 # ui configuration #
 ####################
 hashistack_default_consul_ui_configuration:
  enabled: "{{ consul_enable_server }}"
 consul_ui_configuration: >-
  {{
    hashistack_default_consul_ui_configuration |
    combine((hashistack_consul_ui_configuration | default({})), recursive=true)
  }}
 #########################
 # address configuration #
 #########################
 hashistack_default_consul_bind_addr: "0.0.0.0"
 consul_bind_addr: "{{ hashistack_consul_bind_addr | default(hashistack_default_consul_bind_addr) }}"
 hashistack_default_consul_advertise_addr: "{{ api_interface_address }}"
 consul_advertise_addr: "{{ hashistack_consul_advertise_addr | default(hashistack_default_consul_advertise_addr) }}"
 hashistack_default_consul_address_configuration:
  client_addr: "{{ consul_bind_addr }}"
  bind_addr: "{{ consul_advertise_addr }}"
  advertise_addr: "{{ consul_advertise_addr }}"
 consul_address_configuration: >-
  {{
    hashistack_default_consul_address_configuration |
    combine((hashistack_consul_address_configuration | default({})), recursive=true)
  }}
 #####################
 # ACL configuration #
 #####################
 hashistack_default_consul_acl_configuration:
  enabled: true
  default_policy: "deny"
  enable_token_persistence: true
  tokens:
    agent: "{{ _credentials.consul.tokens.agent.secret_id }}"
 consul_acl_configuration: >-
  {{
    hashistack_default_consul_acl_configuration |
    combine((hashistack_consul_acl_configuration | default({})), recursive=true)
  }}
 consul_default_agent_policy: |
  node_prefix "" {
    policy = "write"
  }
  service_prefix "" {
    policy = "read"
  }
 ##############################
 # service mesh configuration #
 ##############################
 hashistack_default_consul_mesh_configuration:
  enabled: true
 consul_mesh_configuration: >-
  {{
    hashistack_default_consul_mesh_configuration |
    combine((hashistack_consul_mesh_configuration | default({})), recursive=true)
  }}
 #####################
 # DNS configuration #
 #####################
 hashistack_default_consul_dns_configuration:
  allow_stale: true
  enable_truncate: true
  only_passing: true
 consul_dns_configuration: >-
  {{
    hashistack_default_consul_dns_configuration |
    combine((hashistack_consul_dns_configuration | default({})), recursive=true)
  }}
 ################
 # internal tls #
 ################
 hashistack_default_consul_enable_tls: "{{ enable_tls_internal }}"
 consul_enable_tls: "{{ hashistack_consul_enable_tls | default(hashistack_default_consul_enable_tls) }}"
 hashistack_default_consul_tls_configuration:
  defaults:
    ca_file: "/etc/ssl/certs/ca-certificates.crt"
    cert_file: "{{ consul_certs_dir }}/fullchain.crt"
    key_file: "{{ consul_certs_dir }}/cert.key"
    verify_incoming: false
    verify_outgoing: true
  internal_rpc:
    verify_server_hostname: true
 consul_tls_configuration: >-
  {{
    hashistack_default_consul_tls_configuration |
    combine((hashistack_consul_tls_configuration | default({})), recursive=true)
  }}
 consul_certificates_extra_files_dir: >
  {{
    [] if internal_tls_externally_managed_certs | bool else
    [{
      'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/consul/{{ inventory_hostname }}",
      'dest': "{{ consul_certs_dir }}"
    }]
  }}
 ###########################
 # telemetry configuration #
 ###########################
 hashistack_default_consul_enable_prometheus_metrics: false
 consul_enable_prometheus_metrics: "{{ hashistack_consul_enable_prometheus_metrics | default(hashistack_default_consul_enable_prometheus_metrics) }}"
 hashistack_default_consul_prometheus_retention_time: 60s
 consul_prometheus_retention_time: "{{ hashistack_consul_prometheus_retention_time | default(hashistack_default_consul_prometheus_retention_time) }}"
 hashistack_default_consul_telemetry_configuration: {}
 consul_telemetry_configuration: "{{ hashistack_consul_telemetry_configuration | default(hashistack_default_consul_telemetry_configuration) }}"
 ###########
 # logging #
 ###########
 hashistack_default_consul_log_level: info
 consul_log_level: "{{ hashistack_consul_log_level | default(hashistack_default_consul_log_level) }}"
 hashistack_default_consul_enable_log_to_file: "{{ enable_log_to_file | bool }}"
 consul_enable_log_to_file: "{{ hashistack_consul_enable_log_to_file | default(hashistack_default_consul_enable_log_to_file) }}"
 hashistack_default_consul_log_to_file_configuration:
  log_file: "{{ consul_logs_dir }}/consul.log"
  log_rotate_duration: 24h
  log_rotate_max_files: 30
 consul_log_to_file_configuration: >-
  {{
    hashistack_default_consul_log_to_file_configuration |
    combine((hashistack_consul_log_to_file_configuration | default({})), recursive=true)
  }}
--- a/playbooks/group_vars/all/globals.yml
+++ b/playbooks/group_vars/all/globals.yml
@ -11,10 +11,6 @@ nomad_version: "1.8.1"
 consul_version: "1.18.1"
 vault_version: "1.16.2"
 consul_fqdn: consul.ednz.lab
 vault_fqdn: vault.ednz.lab
 nomad_fqdn: nomad.ednz.lab
 api_interface: "eth0"
 api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"
@ -24,79 +20,71 @@ api_interface_address: "{{ ansible_facts[api_interface]['ipv4']['address'] }}"
 enable_log_to_file: true
 ########################
 # external tls options #
 ########################
 enable_tls_external: false
 external_tls_externally_managed_certs: false
 ########################
 # internal tls options #
 ########################
 enable_tls_internal: false
 internal_tls_externally_managed_certs: false
 ##########
 # Consul #
 ##########
-consul_domain: consul
+# hashistack_consul_domain: consul
-consul_datacenter: dc1
+# hashistack_consul_datacenter: dc1
-consul_primary_datacenter: "{{ consul_datacenter }}"
+# hashistack_consul_primary_datacenter: "{{ consul_datacenter }}"
-consul_gossip_encryption_key: "{{ _credentials.consul.gossip_encryption_key }}"
+# hashistack_consul_gossip_encryption_key: "{{ _credentials.consul.gossip_encryption_key }}"
-consul_enable_script_checks: false
+# hashistack_consul_enable_script_checks: false
-consul_extra_files_list: []
+# hashistack_consul_extra_files_list: []
-consul_extra_configuration: {}
+# hashistack_consul_extra_configuration: {}
-consul_enable_tls: "{{ enable_tls_internal }}"
+# hashistack_consul_enable_tls: "{{ enable_tls_internal }}"
-consul_log_level: info
+# hashistack_consul_log_level: info
 #########
 # Vault #
 #########
-vault_cluster_name: vault
+# hashistack_vault_cluster_name: vault
-vault_bind_addr: "0.0.0.0"
+# hashistack_vault_bind_addr: "0.0.0.0"
-vault_cluster_addr: "{{ api_interface_address }}"
+# hashistack_vault_cluster_addr: "{{ api_interface_address }}"
-vault_enable_ui: true
+# hashistack_vault_enable_ui: true
-vault_disable_mlock: false
+# hashistack_vault_disable_mlock: false
-vault_disable_cache: false
+# hashistack_vault_disable_cache: false
-vault_extra_files_list: []
+# hashistack_vault_extra_files_list: []
-vault_extra_configuration: {}
+# hashistack_vault_extra_configuration: {}
-vault_enable_tls: "{{ enable_tls_internal }}"
+# hashistack_vault_enable_tls: "{{ enable_tls_internal }}"
-vault_enable_service_registration: "{{ enable_consul | bool }}"
+# hashistack_vault_enable_service_registration: "{{ enable_consul | bool }}"
-vault_enable_plugins: false
+# hashistack_vault_enable_plugins: false
-vault_log_level: info
+# hashistack_vault_log_level: info
 #########
 # Nomad #
 #########
-nomad_region: global
+# hashistack_nomad_region: global
-nomad_datacenter: dc1
+# hashistack_nomad_datacenter: dc1
-nomad_extra_files_list: []
+# hashistack_nomad_extra_files_list: []
-nomad_extra_configuration: {}
+# hashistack_nomad_extra_configuration: {}
-nomad_autopilot_configuration: {}
+# hashistack_nomad_autopilot_configuration: {}
-nomad_driver_enable_docker: true
+# hashistack_nomad_driver_enable_docker: true
-nomad_driver_enable_podman: false
+# hashistack_nomad_driver_enable_podman: false
-nomad_driver_enable_raw_exec: false
+# hashistack_nomad_driver_enable_raw_exec: false
-nomad_driver_enable_java: false
+# hashistack_nomad_driver_enable_java: false
-nomad_driver_enable_qemu: false
+# hashistack_nomad_driver_enable_qemu: false
-nomad_driver_extra_configuration: {}
+# hashistack_nomad_driver_configuration: {}
-nomad_log_level: info
+# hashistack_nomad_log_level: info
-nomad_enable_tls: "{{ enable_tls_internal }}"
+# hashistack_nomad_enable_tls: "{{ enable_tls_internal }}"
--- a/playbooks/group_vars/all/nomad.yml
+++ b/playbooks/group_vars/all/nomad.yml
@ -3,15 +3,12 @@
 # Nomad #
 #########
-nomad_config_dir: "{{ hashistack_remote_config_dir }}/nomad.d"
+# hashistack_nomad_config_dir:
-nomad_data_dir: "/opt/nomad"
+# hashistack_nomad_data_dir:
-nomad_certs_dir: "{{ nomad_config_dir }}/tls"
+# hashistack_nomad_certs_dir:
-nomad_logs_dir: "{{ hashistack_remote_log_dir }}/nomad"
+# hashistack_nomad_logs_dir:
-
+# hashistack_nomad_extra_files_list:
-nomad_extra_files: true
+# hashistack_nomad_env_variables:
 # nomad_extra_files_list: []
 nomad_env_variables: {}
 #######################
 # extra configuration #
@ -22,213 +19,94 @@ nomad_env_variables: {}
 # option should be used to add pieces of configuration not
 # available through standard variables.
-# nomad_extra_configuration: {}
+# hashistack_nomad_extra_configuration:
 ###########
 # general #
 ###########
-# nomad_region: global
+# hashistack_nomad_region:
-# nomad_datacenter: dc1
+# hashistack_nomad_datacenter:
 #########################
 # address configuration #
 #########################
-nomad_bind_addr: "0.0.0.0"
+# hashistack_nomad_bind_addr:
-nomad_advertise_addr: "{{ api_interface_address }}"
+# hashistack_nomad_advertise_addr:
-nomad_address_configuration:
+# hashistack_nomad_address_configuration:
  bind_addr: "{{ nomad_bind_addr }}"
  addresses:
    http: "{{ nomad_advertise_addr }}"
    rpc: "{{ nomad_advertise_addr }}"
    serf: "{{ nomad_advertise_addr }}"
  advertise:
    http: "{{ nomad_advertise_addr }}"
    rpc: "{{ nomad_advertise_addr }}"
    serf: "{{ nomad_advertise_addr }}"
  ports:
    http: 4646
    rpc: 4647
    serf: 4648
 ###########################
 # autopilot configuration #
 ###########################
-# nomad_autopilot_configuration: {}
+# hashistack_nomad_autopilot_configuration:
 #######################
 # leave configuration #
 #######################
-nomad_leave_on_interrupt: false
+# hashistack_nomad_leave_on_interrupt:
-nomad_leave_on_terminate: false
+# hashistack_nomad_leave_on_terminate:
 ########################
 # server configuration #
 ########################
 nomad_enable_server: "{{ ('nomad_servers' in group_names) | bool }}"
 nomad_server_bootstrap_expect: "{{ (groups['nomad_servers'] | length) }}"
 nomad_server_configuration:
  enabled: "{{ nomad_enable_server }}"
  data_dir: "{{ nomad_data_dir }}/server"
  encrypt: "{{ _credentials.nomad.gossip_encryption_key }}"
 ##############################
 # client configuration #
 ##############################
 nomad_enable_client: "{{ ('nomad_clients' in group_names) | bool }}"
 nomad_client_configuration:
  enabled: "{{ nomad_enable_client }}"
  state_dir: "{{ nomad_data_dir }}/client"
  cni_path: "{{ cni_plugins_install_path | default('/opt/cni/bin') }}"
  bridge_network_name: nomad
  bridge_network_subnet: "172.26.64.0/20"
  node_pool: >-
    {{
      'ingress' if 'nomad_ingress' in group_names else
      'controller' if 'nomad_servers' in group_names else
      omit
    }}
 ####################
 # ui configuration #
 ####################
-nomad_ui_configuration:
+# hashistack_nomad_ui_configuration:
  enabled: "{{ nomad_enable_server }}"
 #########################
 # drivers configuration #
 #########################
-nomad_driver_enable_docker: true
+# hashistack_nomad_driver_enable_docker:
-nomad_driver_enable_podman: false
+# hashistack_nomad_driver_enable_podman:
-nomad_driver_enable_raw_exec: false
+# hashistack_nomad_driver_enable_raw_exec:
-nomad_driver_enable_java: false
+# hashistack_nomad_driver_enable_java:
-nomad_driver_enable_qemu: false
+# hashistack_nomad_driver_enable_qemu:
-
+# hashistack_nomad_driver_configuration:
 nomad_driver_configuration:
  raw_exec:
    enabled: false
 nomad_driver_extra_configuration: {}
 ###########
 # logging #
 ###########
-nomad_log_level: info
+# hashistack_nomad_log_level:
-nomad_enable_log_to_file: "{{ enable_log_to_file | bool }}"
+# hashistack_nomad_enable_log_to_file:
-nomad_log_to_file_configuration:
+# hashistack_nomad_log_to_file_configuration:
  log_file: "{{ nomad_logs_dir }}/nomad.log"
  log_rotate_duration: 24h
  log_rotate_max_files: 30
 #####################
 # ACL configuration #
 #####################
-nomad_acl_configuration:
+# hashistack_nomad_acl_configuration:
  enabled: true
  token_ttl: 30s
  policy_ttl: 60s
  role_ttl: 60s
 ################
 # internal tls #
 ################
-# nomad_enable_tls: false
+# hashistack_nomad_enable_tls:
-nomad_tls_configuration:
+# hashistack_nomad_tls_configuration:
  http: true
  rpc: true
  ca_file: "/etc/ssl/certs/ca-certificates.crt"
  cert_file: "{{ nomad_certs_dir }}/fullchain.crt"
  key_file: "{{ nomad_certs_dir }}/cert.key"
  verify_server_hostname: true
 nomad_certificates_extra_files_dir: >
  {{
    [] if external_tls_externally_managed_certs | bool else
    [{
      'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}",
      'dest': "{{ nomad_certs_dir }}"
    }]
  }}
 ###########################
 # telemetry configuration #
 ###########################
-nomad_telemetry_configuration:
+# hashistack_nomad_telemetry_configuration:
  collection_interval: 10s
  disable_hostname: false
  use_node_name: false
  publish_allocation_metrics: false
  publish_node_metrics: false
  prefix_filter: []
  disable_dispatched_job_summary_metrics: false
  prometheus_metrics: false
 ######################
 # consul integration #
 ######################
-nomad_enable_consul_integration: "{{ enable_consul | bool }}"
+# hashistack_nomad_enable_consul_integration:
-nomad_consul_integration_configuration:
+# hashistack_nomad_consul_integration_configuration:
-  address: >-
+# hashistack_nomad_consul_integration_tls_configuration:
-    127.0.0.1:{{ consul_api_port[consul_api_scheme] }}
+# hashistack_nomad_consul_integration_server_configuration:
-  auto_advertise: true
+# hashistack_nomad_consul_integration_client_configuration:
-  ssl: "{{ consul_enable_tls | bool }}"
+# hashistack_nomad_consul_integration_client_tls_configuration:
  token: >-
    {{ _credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else _credentials.consul.tokens.nomad.client.secret_id }}
  tags: []
 nomad_consul_integration_tls_configuration:
  ca_file: "/etc/ssl/certs/ca-certificates.crt"
 nomad_consul_integration_server_configuration:
  server_auto_join: true
 nomad_consul_integration_client_configuration:
  client_auto_join: true
  grpc_address: >-
    127.0.0.1:{{ consul_grpc_port[consul_api_scheme] }}
 nomad_consul_integration_client_tls_configuration:
  grpc_ca_file: "/etc/ssl/certs/ca-certificates.crt"
 nomad_consul_integration_server_policy: |
  agent_prefix "" {
    policy = "read"
  }
  node_prefix "" {
    policy = "read"
  }
  service_prefix "" {
    policy = "write"
  }
  acl  = "write"
  mesh = "write"
 nomad_consul_integration_client_policy: |
  agent_prefix "" {
    policy = "read"
  }
  node_prefix "" {
    policy = "read"
  }
  service_prefix "" {
    policy = "write"
  }
 ############################
 # nomad vault integration #
 ############################
-nomad_enable_vault_integration: false
+# hashistack_nomad_enable_vault_integration:
-nomad_vault_integration_configuration: {}
+# hashistack_nomad_vault_integration_configuration:
--- a/playbooks/group_vars/all/nomad_default.yml
+++ b/playbooks/group_vars/all/nomad_default.yml
@ -0,0 +1,347 @@
 ---
 #########
 # Nomad #
 #########
 hashistack_default_nomad_config_dir: "{{ hashistack_remote_config_dir }}/nomad.d"
 nomad_config_dir: "{{ hashistack_nomad_config_dir | default(hashistack_default_nomad_config_dir) }}"
 hashistack_default_nomad_data_dir: "/opt/nomad"
 nomad_data_dir: "{{ hashistack_nomad_data_dir | default(hashistack_default_nomad_data_dir) }}"
 hashistack_default_nomad_certs_dir: "{{ nomad_config_dir }}/tls"
 nomad_certs_dir: "{{ hashistack_nomad_certs_dir | default(hashistack_default_nomad_certs_dir) }}"
 hashistack_default_nomad_logs_dir: "{{ hashistack_remote_log_dir }}/nomad"
 nomad_logs_dir: "{{ hashistack_nomad_logs_dir | default(hashistack_default_nomad_logs_dir) }}"
 nomad_extra_files: true
 hashistack_default_nomad_extra_files_list: []
 nomad_extra_files_list: "{{ hashistack_nomad_extra_files_list | default(hashistack_default_nomad_extra_files_list) }}"
 hashistack_default_nomad_env_variables: {}
 nomad_env_variables: "{{ hashistack_nomad_env_variables | default(hashistack_default_nomad_env_variables) }}"
 #######################
 # extra configuration #
 #######################
 # You should prioritize adding configuration
 # to the configuration entries below, this
 # option should be used to add pieces of configuration not
 # available through standard variables.
 hashistack_default_nomad_extra_configuration: {}
 nomad_extra_configuration: >-
  {{
    hashistack_default_nomad_extra_configuration |
    combine((hashistack_nomad_extra_configuration | default({})), recursive=true)
  }}
 ###########
 # general #
 ###########
 hashistack_default_nomad_region: global
 nomad_region: "{{ hashistack_nomad_region | default(hashistack_default_nomad_region) }}"
 hashistack_default_nomad_datacenter: dc1
 nomad_datacenter: "{{ hashistack_nomad_datacenter | default(hashistack_default_nomad_datacenter) }}"
 #########################
 # address configuration #
 #########################
 hashistack_default_nomad_bind_addr: "0.0.0.0"
 nomad_bind_addr: "{{ hashistack_nomad_bind_addr | default(hashistack_default_nomad_bind_addr) }}"
 hashistack_default_nomad_advertise_addr: "{{ api_interface_address }}"
 nomad_advertise_addr: "{{ hashistack_nomad_advertise_addr | default(hashistack_default_nomad_advertise_addr) }}"
 hashistack_default_nomad_address_configuration:
  bind_addr: "{{ nomad_bind_addr }}"
  addresses:
    http: "{{ nomad_advertise_addr }}"
    rpc: "{{ nomad_advertise_addr }}"
    serf: "{{ nomad_advertise_addr }}"
  advertise:
    http: "{{ nomad_advertise_addr }}"
    rpc: "{{ nomad_advertise_addr }}"
    serf: "{{ nomad_advertise_addr }}"
  ports:
    http: 4646
    rpc: 4647
    serf: 4648
 nomad_address_configuration: >-
  {{
    hashistack_default_nomad_address_configuration |
    combine((hashistack_nomad_address_configuration | default({})), recursive=true)
  }}
 ###########################
 # autopilot configuration #
 ###########################
 hashistack_default_nomad_autopilot_configuration: {}
 nomad_autopilot_configuration: "{{ hashistack_nomad_autopilot_configuration | default(hashistack_default_nomad_autopilot_configuration) }}"
 #######################
 # leave configuration #
 #######################
 hashistack_default_nomad_leave_on_interrupt: false
 nomad_leave_on_interrupt: "{{ hashistack_nomad_leave_on_interrupt | default(hashistack_default_nomad_leave_on_interrupt) }}"
 hashistack_default_nomad_leave_on_terminate: false
 nomad_leave_on_terminate: "{{ hashistack_nomad_leave_on_terminate | default(hashistack_default_nomad_leave_on_terminate) }}"
 ########################
 # server configuration #
 ########################
 nomad_enable_server: "{{ ('nomad_servers' in group_names) | bool }}"
 nomad_server_bootstrap_expect: "{{ (groups['nomad_servers'] | length) }}"
 nomad_server_configuration:
  enabled: "{{ nomad_enable_server }}"
  data_dir: "{{ nomad_data_dir }}/server"
  encrypt: "{{ _credentials.nomad.gossip_encryption_key }}"
 ##############################
 # client configuration #
 ##############################
 nomad_enable_client: "{{ ('nomad_clients' in group_names) | bool }}"
 nomad_client_configuration:
  enabled: "{{ nomad_enable_client }}"
  state_dir: "{{ nomad_data_dir }}/client"
  cni_path: "{{ cni_plugins_install_path | default('/opt/cni/bin') }}"
  bridge_network_name: nomad
  bridge_network_subnet: "172.26.64.0/20"
  node_pool: >-
    {{
      'ingress' if 'nomad_ingress' in group_names else
      'controller' if 'nomad_servers' in group_names else
      omit
    }}
 ####################
 # ui configuration #
 ####################
 hashistack_default_nomad_ui_configuration:
  enabled: "{{ nomad_enable_server }}"
 nomad_ui_configuration: >-
  {{
    hashistack_default_nomad_ui_configuration |
    combine((hashistack_nomad_ui_configuration | default({})), recursive=true)
  }}
 #########################
 # drivers configuration #
 #########################
 hashistack_default_nomad_driver_enable_docker: true
 nomad_driver_enable_docker: "{{ hashistack_nomad_driver_enable_docker | default(hashistack_default_nomad_driver_enable_docker) }}"
 hashistack_default_nomad_driver_enable_podman: false
 nomad_driver_enable_podman: "{{ hashistack_nomad_driver_enable_podman | default(hashistack_default_nomad_driver_enable_podman) }}"
 hashistack_default_nomad_driver_enable_raw_exec: false
 nomad_driver_enable_raw_exec: "{{ hashistack_nomad_driver_enable_raw_exec | default(hashistack_default_nomad_driver_enable_raw_exec) }}"
 hashistack_default_nomad_driver_enable_java: false
 nomad_driver_enable_java: "{{ hashistack_nomad_driver_enable_java | default(hashistack_default_nomad_driver_enable_java) }}"
 hashistack_default_nomad_driver_enable_qemu: false
 nomad_driver_enable_qemu: "{{ hashistack_nomad_driver_enable_qemu | default(hashistack_default_nomad_driver_enable_qemu) }}"
 hashistack_default_nomad_driver_configuration:
  raw_exec:
    enabled: "{{ nomad_driver_enable_raw_exec }}"
 nomad_driver_configuration: >-
  {{
    hashistack_default_nomad_driver_configuration |
    combine((hashistack_nomad_driver_configuration | default({})), recursive=true)
  }}
 nomad_driver_extra_configuration: {}
 ###########
 # logging #
 ###########
 hashistack_default_nomad_log_level: info
 nomad_log_level: "{{ hashistack_nomad_log_level | default(hashistack_default_nomad_log_level) }}"
 hashistack_default_nomad_enable_log_to_file: "{{ enable_log_to_file | bool }}"
 nomad_enable_log_to_file: "{{ hashistack_nomad_enable_log_to_file | default(hashistack_default_nomad_enable_log_to_file) }}"
 hashistack_default_nomad_log_to_file_configuration:
  log_file: "{{ nomad_logs_dir }}/nomad.log"
  log_rotate_duration: 24h
  log_rotate_max_files: 30
 nomad_log_to_file_configuration: >-
  {{
    hashistack_default_nomad_log_to_file_configuration |
    combine((hashistack_nomad_log_to_file_configuration | default({})), recursive=true)
  }}
 #####################
 # ACL configuration #
 #####################
 hashistack_default_nomad_acl_configuration:
  enabled: true
  token_ttl: 30s
  policy_ttl: 60s
  role_ttl: 60s
 nomad_acl_configuration: >-
  {{
    hashistack_default_nomad_acl_configuration |
    combine((hashistack_nomad_acl_configuration | default({})), recursive=true)
  }}
 ################
 # internal tls #
 ################
 hashistack_default_nomad_enable_tls: "{{ enable_tls_internal }}"
 nomad_enable_tls: "{{ hashistack_nomad_enable_tls | default(hashistack_default_nomad_enable_tls) }}"
 hashistack_default_nomad_tls_configuration:
  http: true
  rpc: true
  ca_file: "/etc/ssl/certs/ca-certificates.crt"
  cert_file: "{{ nomad_certs_dir }}/fullchain.crt"
  key_file: "{{ nomad_certs_dir }}/cert.key"
  verify_server_hostname: true
 nomad_tls_configuration: >-
  {{
    hashistack_default_nomad_tls_configuration |
    combine((hashistack_nomad_tls_configuration | default({})), recursive=true)
  }}
 nomad_certificates_extra_files_dir: >
  {{
    [] if internal_tls_externally_managed_certs | bool else
    [{
      'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}",
      'dest': "{{ nomad_certs_dir }}"
    }]
  }}
 ###########################
 # telemetry configuration #
 ###########################
 hashistack_default_nomad_telemetry_configuration:
  collection_interval: 10s
  disable_hostname: false
  use_node_name: false
  publish_allocation_metrics: false
  publish_node_metrics: false
  prefix_filter: []
  disable_dispatched_job_summary_metrics: false
  prometheus_metrics: false
 nomad_telemetry_configuration: >-
  {{
    hashistack_default_nomad_telemetry_configuration |
    combine((hashistack_nomad_telemetry_configuration | default({})), recursive=true)
  }}
 ######################
 # consul integration #
 ######################
 hashistack_default_nomad_enable_consul_integration: "{{ enable_consul | bool }}"
 nomad_enable_consul_integration: "{{ hashistack_nomad_enable_consul_integration | default(hashistack_default_nomad_enable_consul_integration) }}"
 hashistack_default_nomad_consul_integration_configuration:
  address: >-
    127.0.0.1:{{ consul_api_port[consul_api_scheme] }}
  auto_advertise: true
  ssl: "{{ consul_enable_tls | bool }}"
  token: >-
    {{
      _credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else
      _credentials.consul.tokens.nomad.client.secret_id
    }}
  tags: []
 nomad_consul_integration_configuration: >-
  {{
    hashistack_default_nomad_consul_integration_configuration |
    combine((hashistack_nomad_consul_integration_configuration | default({})), recursive=true)
  }}
 hashistack_default_nomad_consul_integration_tls_configuration:
  ca_file: "/etc/ssl/certs/ca-certificates.crt"
 nomad_consul_integration_tls_configuration: >-
  {{
    hashistack_default_nomad_consul_integration_tls_configuration |
    combine((hashistack_nomad_consul_integration_tls_configuration | default({})), recursive=true)
  }}
 hashistack_default_nomad_consul_integration_server_configuration:
  server_auto_join: true
 nomad_consul_integration_server_configuration: >-
  {{
    hashistack_default_nomad_consul_integration_server_configuration |
    combine((hashistack_nomad_consul_integration_server_configuration | default({})), recursive=true)
  }}
 hashistack_default_nomad_consul_integration_client_configuration:
  client_auto_join: true
  grpc_address: >-
    127.0.0.1:{{ consul_grpc_port[consul_api_scheme] }}
 nomad_consul_integration_client_configuration: >-
  {{
    hashistack_default_nomad_consul_integration_client_configuration |
    combine((hashistack_nomad_consul_integration_client_configuration | default({})), recursive=true)
  }}
 hashistack_default_nomad_consul_integration_client_tls_configuration:
  grpc_ca_file: "/etc/ssl/certs/ca-certificates.crt"
 nomad_consul_integration_client_tls_configuration: >-
  {{
    hashistack_default_nomad_consul_integration_client_tls_configuration |
    combine((hashistack_nomad_consul_integration_client_tls_configuration | default({})), recursive=true)
  }}
 nomad_consul_integration_server_policy: |
  agent_prefix "" {
    policy = "read"
  }
  node_prefix "" {
    policy = "read"
  }
  service_prefix "" {
    policy = "write"
  }
  acl  = "write"
  mesh = "write"
 nomad_consul_integration_client_policy: |
  agent_prefix "" {
    policy = "read"
  }
  node_prefix "" {
    policy = "read"
  }
  service_prefix "" {
    policy = "write"
  }
 ############################
 # nomad vault integration #
 ############################
 hashistack_default_nomad_enable_vault_integration: false
 nomad_enable_vault_integration: "{{ hashistack_nomad_enable_vault_integration | default(hashistack_default_nomad_enable_vault_integration) }}"
 hashistack_default_nomad_vault_integration_configuration: {}
 nomad_vault_integration_configuration: >-
  {{
    hashistack_default_nomad_vault_integration_configuration |
    combine((hashistack_nomad_vault_integration_configuration | default({})), recursive=true)
  }}
--- a/playbooks/group_vars/all/vault.yml
+++ b/playbooks/group_vars/all/vault.yml
@ -3,15 +3,12 @@
 # Vault #
 #########
-vault_config_dir: "{{ hashistack_remote_config_dir }}/vault.d"
+# hashistack_vault_config_dir:
-vault_data_dir: "/opt/vault"
+# hashistack_vault_data_dir:
-vault_certs_dir: "{{ vault_config_dir }}/tls"
+# hashistack_vault_certs_dir:
-vault_logs_dir: "{{ hashistack_remote_log_dir }}/vault"
+# hashistack_vault_logs_dir:
-
+# hashistack_vault_extra_files_list:
-vault_extra_files: true
+# hashistack_vault_env_variables:
 # vault_extra_files_list: []
 vault_env_variables: {}
 #######################
 # extra configuration #
@ -22,103 +19,57 @@ vault_env_variables: {}
 # option should be used to add pieces of configuration not
 # available through standard variables.
-# vault_extra_configuration: {}
+# hashistack_vault_extra_configuration:
 ###########
 # general #
 ###########
-# vault_cluster_name: vault
+# hashistack_vault_cluster_name:
-# vault_bind_addr: "0.0.0.0"
+# hashistack_vault_bind_addr:
-# vault_cluster_addr: "{{ api_interface_address }}"
+# hashistack_vault_cluster_addr:
-# vault_enable_ui: true
+# hashistack_vault_enable_ui:
-# vault_disable_mlock: false
+# hashistack_vault_disable_mlock:
-# vault_disable_cache: false
+# hashistack_vault_disable_cache:
 ######################
 # seal configuration #
 ######################
-vault_seal_configuration:
+# hashistack_vault_seal_configuration:
  key_shares: 3
  key_threshold: 2
 #########################
 # storage configuration #
 #########################
-vault_storage_configuration:
+# hashistack_vault_storage_configuration:
  raft:
    path: "{{ vault_data_dir }}"
    node_id: "{{ ansible_hostname }}"
    retry_join: >-
      [
      {% for host in groups['vault_servers'] %}
        {
          'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200'
        }{% if not loop.last %},{% endif %}
      {% endfor %}
      ]
 ##########################
 # listener configuration #
 ##########################
-# vault_enable_tls: false
+# hashistack_vault_enable_tls:
-vault_listener_configuration:
+# hashistack_vault_listener_configuration:
-  - tcp:
+# hashistack_vault_tls_listener_configuration:
      address: "{{ vault_cluster_addr }}:8200"
      tls_disable: true
 vault_tls_listener_configuration:
  - tcp:
      tls_disable: false
      tls_cert_file: "{{ vault_certs_dir }}/fullchain.crt"
      tls_key_file: "{{ vault_certs_dir }}/cert.key"
      tls_disable_client_certs: true
 vault_certificates_extra_files_dir: >
  {{
    [] if external_tls_externally_managed_certs | bool else
    [{
      'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}",
      'dest': "{{ vault_certs_dir }}"
    }]
  }}
 vault_extra_listener_configuration: []
 ########################
 # service registration #
 ########################
-# vault_enable_service_registration: "{{ enable_consul | bool }}"
+# hashistack_vault_enable_service_registration:
-vault_service_registration_configuration:
+# hashistack_vault_service_registration_configuration:
  consul:
    address: >-
      127.0.0.1:{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}
    scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
    token: "{{ _credentials.consul.tokens.vault.secret_id }}"
 vault_service_registration_policy: |
  service "vault" {
    policy = "write"
  }
 #########################
 # plugins configuration #
 #########################
-# vault_enable_plugins: false
+# hashistack_vault_enable_plugins:
-vault_plugins_directory: "{{ vault_config_dir }}/plugins"
+# hashistack_vault_plugins_directory:
 #################
 # vault logging #
 #################
-# vault_log_level: info
+# hashistack_vault_log_level:
-vault_enable_log_to_file: "{{ enable_log_to_file | bool }}"
+# hashistack_vault_enable_log_to_file:
-vault_log_to_file_configuration:
+# hashistack_vault_log_to_file_configuration:
  log_file: "{{ vault_logs_dir }}/vault.log"
  log_rotate_duration: 24h
  log_rotate_max_files: 30
--- a/playbooks/group_vars/all/vault_default.yml
+++ b/playbooks/group_vars/all/vault_default.yml
@ -0,0 +1,174 @@
 ---
 #########
 # Vault #
 #########
 hashistack_default_vault_config_dir: "{{ hashistack_remote_config_dir }}/vault.d"
 vault_config_dir: "{{ hashistack_vault_config_dir | default(hashistack_default_vault_config_dir) }}"
 hashistack_default_vault_data_dir: "/opt/vault"
 vault_data_dir: "{{ hashistack_vault_data_dir | default(hashistack_default_vault_data_dir) }}"
 hashistack_default_vault_certs_dir: "{{ vault_config_dir }}/tls"
 vault_certs_dir: "{{ hashistack_vault_certs_dir | default(hashistack_default_vault_certs_dir) }}"
 hashistack_default_vault_logs_dir: "{{ hashistack_remote_log_dir }}/vault"
 vault_logs_dir: "{{ hashistack_vault_logs_dir | default(hashistack_default_vault_logs_dir) }}"
 vault_extra_files: true
 hashistack_default_vault_extra_files_list: []
 vault_extra_files_list: "{{ hashistack_vault_extra_files_list | default(hashistack_default_vault_extra_files_list) }}"
 hashistack_default_vault_env_variables: {}
 vault_env_variables: "{{ hashistack_vault_env_variables | default(hashistack_default_vault_env_variables) }}"
 #######################
 # extra configuration #
 #######################
 # You should prioritize adding configuration
 # to the configuration entries below, this
 # option should be used to add pieces of configuration not
 # available through standard variables.
 hashistack_default_vault_extra_configuration: {}
 vault_extra_configuration: >-
  {{
    hashistack_default_vault_extra_configuration |
    combine((hashistack_vault_extra_configuration | default({})), recursive=true)
  }}
 ###########
 # general #
 ###########
 hashistack_default_vault_cluster_name: vault
 vault_cluster_name: "{{ hashistack_vault_cluster_name | default(hashistack_default_vault_cluster_name) }}"
 hashistack_default_vault_bind_addr: "0.0.0.0"
 vault_bind_addr: "{{ hashistack_vault_bind_addr | default(hashistack_default_vault_bind_addr) }}"
 hashistack_default_vault_cluster_addr: "{{ api_interface_address }}"
 vault_cluster_addr: "{{ hashistack_vault_cluster_addr | default(hashistack_default_vault_cluster_addr) }}"
 hashistack_default_vault_enable_ui: true
 vault_enable_ui: "{{ hashistack_vault_enable_ui | default(hashistack_default_vault_enable_ui) }}"
 hashistack_default_vault_disable_mlock: false
 vault_disable_mlock: "{{ hashistack_vault_disable_mlock | default(hashistack_default_vault_disable_mlock) }}"
 hashistack_default_vault_disable_cache: false
 vault_disable_cache: "{{ hashistack_vault_disable_cache | default(hashistack_default_vault_disable_cache) }}"
 ######################
 # seal configuration #
 ######################
 hashistack_default_vault_seal_configuration:
  key_shares: 3
  key_threshold: 2
 vault_seal_configuration: >-
  {{
    hashistack_default_vault_seal_configuration |
    combine((hashistack_vault_seal_configuration | default({})), recursive=true)
  }}
 #########################
 # storage configuration #
 #########################
 hashistack_default_vault_storage_configuration:
  raft:
    path: "{{ vault_data_dir }}"
    node_id: "{{ ansible_hostname }}"
    retry_join: >-
      [
      {% for host in groups['vault_servers'] %}
        {
          'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200'
        }{% if not loop.last %},{% endif %}
      {% endfor %}
      ]
 vault_storage_configuration: "{{ hashistack_vault_storage_configuration | default(hashistack_default_vault_storage_configuration) }}"
 ##########################
 # listener configuration #
 ##########################
 hashistack_default_vault_enable_tls: false
 vault_enable_tls: "{{ hashistack_vault_enable_tls | default(hashistack_default_vault_enable_tls) }}"
 hashistack_default_vault_listener_configuration:
  - tcp:
      address: "{{ vault_cluster_addr }}:8200"
      tls_disable: true
 vault_listener_configuration: "{{ hashistack_vault_listener_configuration | default(hashistack_default_vault_listener_configuration) }}"
 hashistack_default_vault_tls_listener_configuration:
  - tcp:
      tls_disable: false
      tls_cert_file: "{{ vault_certs_dir }}/fullchain.crt"
      tls_key_file: "{{ vault_certs_dir }}/cert.key"
      tls_disable_client_certs: true
 vault_tls_listener_configuration: "{{ hashistack_vault_tls_listener_configuration | default(hashistack_default_vault_tls_listener_configuration) }}"
 vault_certificates_extra_files_dir: >
  {{
    [] if internal_tls_externally_managed_certs | bool else
    [{
      'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}",
      'dest': "{{ vault_certs_dir }}"
    }]
  }}
 vault_extra_listener_configuration: []
 ########################
 # service registration #
 ########################
 hashistack_default_vault_enable_service_registration: "{{ enable_consul | bool }}"
 vault_enable_service_registration: "{{ hashistack_vault_enable_service_registration | default(hashistack_default_vault_enable_service_registration) }}"
 hashistack_default_vault_service_registration_configuration:
  consul:
    address: >-
      127.0.0.1:{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}
    scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
    token: "{{ _credentials.consul.tokens.vault.secret_id }}"
 vault_service_registration_configuration: "{{ hashistack_vault_service_registration_configuration | default(hashistack_default_vault_service_registration_configuration) }}"
 vault_service_registration_policy: |
  service "vault" {
    policy = "write"
  }
 #########################
 # plugins configuration #
 #########################
 hashistack_default_vault_enable_plugins: false
 vault_enable_plugins: "{{ hashistack_vault_enable_plugins | default(hashistack_default_vault_enable_plugins) }}"
 hashistack_default_vault_plugins_directory: "{{ vault_config_dir }}/plugins"
 vault_plugins_directory: "{{ hashistack_vault_plugins_directory | default(hashistack_default_vault_plugins_directory) }}"
 #################
 # vault logging #
 #################
 hashistack_default_vault_log_level: info
 vault_log_level: "{{ hashistack_vault_log_level | default(hashistack_default_vault_log_level) }}"
 hashistack_default_vault_enable_log_to_file: "{{ enable_log_to_file | bool }}"
 vault_enable_log_to_file: "{{ hashistack_vault_enable_log_to_file | default(hashistack_default_vault_enable_log_to_file) }}"
 hashistack_default_vault_log_to_file_configuration:
  log_file: "{{ vault_logs_dir }}/vault.log"
  log_rotate_duration: 24h
  log_rotate_max_files: 30
 vault_log_to_file_configuration: >-
  {{
    hashistack_default_vault_log_to_file_configuration |
    combine((hashistack_vault_log_to_file_configuration | default({})), recursive=true)
  }}
--- a/plugins/modules/nomad_acl_bootstrap.py
+++ b/plugins/modules/nomad_acl_bootstrap.py
@ -11,6 +11,8 @@ module: ednz_cloud.hashistack.nomad_acl_bootstrap
 short_description: Manages the ACL bootstrap of HashiCorp Nomad.
 version_added: "0.1.0"
 description:
    - This module bootstraps HashiCorp Nomad ACL, ensuring that it is securely set up for use.
--- a/roles/requirements.yml
+++ b/roles/requirements.yml
@ -13,21 +13,3 @@ roles:
  - name: ednz_cloud.install_docker
    src: https://github.com/ednz-cloud/install_docker.git
    version: main
  - name: ednz_cloud.docker_systemd_service
    src: https://github.com/ednz-cloud/docker_systemd_service.git
    version: main
  - name: ednz_cloud.deploy_haproxy
    src: https://github.com/ednz-cloud/deploy_haproxy.git
    version: main
  - name: ednz_cloud.deploy_keepalived
    src: https://github.com/ednz-cloud/deploy_keepalived.git
    version: main
  - name: ednz_cloud.hashicorp_nomad
    src: https://github.com/ednz-cloud/hashicorp_nomad.git
    version: v0.4.1
  - name: ednz_cloud.hashicorp_consul
    src: https://github.com/ednz-cloud/hashicorp_consul.git
    version: v0.2.1
  - name: ednz_cloud.hashicorp_vault
    src: https://github.com/ednz-cloud/hashicorp_vault.git
    version: v0.2.1
Author	SHA1	Message	Date
Bertrand Lanson	30b07ccec4	chore: add more tags to collection metadata Some checks failed development / Check commit compliance (push) Successful in 5s Details pull-requests-open / Check commit compliance (pull_request) Successful in 9s Details build-deploy / Bump version and create changelog with commitizen (push) Has been cancelled Details	2024-09-16 20:15:24 +02:00
Bertrand Lanson	3a6586719b	ci: add nomad and consul tests, only run tests when they change All checks were successful development / Check commit compliance (push) Successful in 5s Details pull-requests-open / Check commit compliance (pull_request) Successful in 7s Details	2024-09-16 19:43:52 +02:00
Bertrand Lanson	74180864f8	chore: remove unused dependencies from roles/requirements.yml All checks were successful development / Check commit compliance (push) Successful in 5s Details test / Retrieve Credentials (pull_request) Successful in 1s Details pull-requests-open / Check commit compliance (pull_request) Successful in 8s Details test / end_to_end_vault (vault_default, debian11) (pull_request) Successful in 1m37s Details test / end_to_end_vault (vault_default, debian12) (pull_request) Successful in 1m59s Details test / end_to_end_vault (vault_default, ubuntu2004) (pull_request) Successful in 1m38s Details test / end_to_end_vault (vault_default, ubuntu2204) (pull_request) Successful in 1m43s Details test / end_to_end_vault (vault_default, ubuntu2404) (pull_request) Successful in 1m53s Details test / end_to_end_vault (vault_with_raft_enabled, debian11) (pull_request) Successful in 1m45s Details test / end_to_end_vault (vault_with_raft_enabled, debian12) (pull_request) Successful in 1m56s Details test / end_to_end_vault (vault_with_raft_enabled, ubuntu2004) (pull_request) Successful in 1m49s Details test / end_to_end_vault (vault_with_raft_enabled, ubuntu2204) (pull_request) Successful in 1m50s Details test / end_to_end_vault (vault_with_raft_enabled, ubuntu2404) (pull_request) Successful in 1m52s Details	2024-09-15 23:21:04 +02:00
Bertrand Lanson	9fad4928b2	ci: pass secets to reusable workflow Some checks failed development / Check commit compliance (push) Successful in 5s Details test / Retrieve Credentials (pull_request) Successful in 1s Details pull-requests-open / Check commit compliance (pull_request) Successful in 9s Details test / end_to_end_vault (vault_default, debian11) (pull_request) Failing after 13s Details test / end_to_end_vault (vault_default, debian12) (pull_request) Failing after 13s Details test / end_to_end_vault (vault_default, ubuntu2004) (pull_request) Failing after 6s Details test / end_to_end_vault (vault_default, ubuntu2204) (pull_request) Failing after 6s Details test / end_to_end_vault (vault_default, ubuntu2404) (pull_request) Failing after 6s Details test / end_to_end_vault (vault_with_raft_enabled, debian11) (pull_request) Failing after 6s Details test / end_to_end_vault (vault_with_raft_enabled, debian12) (pull_request) Failing after 6s Details test / end_to_end_vault (vault_with_raft_enabled, ubuntu2004) (pull_request) Failing after 6s Details test / end_to_end_vault (vault_with_raft_enabled, ubuntu2204) (pull_request) Failing after 6s Details test / end_to_end_vault (vault_with_raft_enabled, ubuntu2404) (pull_request) Failing after 6s Details	2024-09-15 23:08:47 +02:00
Bertrand Lanson	2441791ffe	ci: pass secets to reusable workflow Some checks failed development / Check commit compliance (push) Successful in 5s Details test / Retrieve Credentials (pull_request) Successful in 1s Details pull-requests-open / Check commit compliance (pull_request) Successful in 10s Details test / end_to_end_vault (debian11, vault_default) (pull_request) Failing after 9s Details test / end_to_end_vault (debian11, vault_with_raft_enabled) (pull_request) Failing after 9s Details test / end_to_end_vault (debian12, vault_default) (pull_request) Failing after 2s Details test / end_to_end_vault (debian12, vault_with_raft_enabled) (pull_request) Failing after 2s Details test / end_to_end_vault (ubuntu2004, vault_default) (pull_request) Failing after 2s Details test / end_to_end_vault (ubuntu2004, vault_with_raft_enabled) (pull_request) Failing after 2s Details test / end_to_end_vault (ubuntu2204, vault_default) (pull_request) Failing after 2s Details test / end_to_end_vault (ubuntu2204, vault_with_raft_enabled) (pull_request) Failing after 2s Details test / end_to_end_vault (ubuntu2404, vault_default) (pull_request) Failing after 2s Details test / end_to_end_vault (ubuntu2404, vault_with_raft_enabled) (pull_request) Failing after 4s Details	2024-09-15 23:04:14 +02:00
Bertrand Lanson	c291ff2f68	ci: pass secets to reusable workflow Some checks failed development / Check commit compliance (push) Successful in 6s Details test / Retrieve Credentials (pull_request) Successful in 1s Details pull-requests-open / Check commit compliance (pull_request) Successful in 12s Details test / end_to_end_vault (debian11, vault_default) (pull_request) Failing after 33s Details test / end_to_end_vault (debian12, vault_default) (pull_request) Failing after 2s Details test / end_to_end_vault (debian11, vault_with_raft_enabled) (pull_request) Failing after 40s Details test / end_to_end_vault (debian12, vault_with_raft_enabled) (pull_request) Failing after 2s Details test / end_to_end_vault (ubuntu2004, vault_default) (pull_request) Failing after 2s Details test / end_to_end_vault (ubuntu2004, vault_with_raft_enabled) (pull_request) Failing after 2s Details test / end_to_end_vault (ubuntu2204, vault_default) (pull_request) Failing after 2s Details test / end_to_end_vault (ubuntu2204, vault_with_raft_enabled) (pull_request) Failing after 2s Details test / end_to_end_vault (ubuntu2404, vault_default) (pull_request) Failing after 2s Details test / end_to_end_vault (ubuntu2404, vault_with_raft_enabled) (pull_request) Failing after 2s Details	2024-09-15 23:01:50 +02:00
Bertrand Lanson	65cccdbae5	ci: pass secets to reusable workflow Some checks failed development / Check commit compliance (push) Successful in 5s Details test / Retrieve Credentials (pull_request) Successful in 2s Details test / end_to_end_vault (debian11, vault_default) (pull_request) Failing after 6s Details test / end_to_end_vault (debian11, vault_with_raft_enabled) (pull_request) Failing after 8s Details test / end_to_end_vault (debian12, vault_default) (pull_request) Failing after 0s Details test / end_to_end_vault (debian12, vault_with_raft_enabled) (pull_request) Failing after 1s Details test / end_to_end_vault (ubuntu2004, vault_default) (pull_request) Failing after 0s Details test / end_to_end_vault (ubuntu2004, vault_with_raft_enabled) (pull_request) Failing after 1s Details test / end_to_end_vault (ubuntu2204, vault_default) (pull_request) Failing after 0s Details test / end_to_end_vault (ubuntu2204, vault_with_raft_enabled) (pull_request) Failing after 1s Details test / end_to_end_vault (ubuntu2404, vault_default) (pull_request) Failing after 0s Details test / end_to_end_vault (ubuntu2404, vault_with_raft_enabled) (pull_request) Failing after 1s Details pull-requests-open / Check commit compliance (pull_request) Successful in 10s Details	2024-09-15 23:00:26 +02:00
Bertrand Lanson	530034556d	ci: pass secets to reusable workflow All checks were successful development / Check commit compliance (push) Successful in 5s Details test / end_to_end_vault (debian11, vault_default) (pull_request) Successful in 8s Details test / end_to_end_vault (debian11, vault_with_raft_enabled) (pull_request) Successful in 7s Details test / end_to_end_vault (debian12, vault_default) (pull_request) Successful in 1s Details test / end_to_end_vault (debian12, vault_with_raft_enabled) (pull_request) Successful in 2s Details test / end_to_end_vault (ubuntu2004, vault_default) (pull_request) Successful in 1s Details test / end_to_end_vault (ubuntu2004, vault_with_raft_enabled) (pull_request) Successful in 2s Details test / end_to_end_vault (ubuntu2204, vault_default) (pull_request) Successful in 1s Details test / end_to_end_vault (ubuntu2204, vault_with_raft_enabled) (pull_request) Successful in 2s Details test / end_to_end_vault (ubuntu2404, vault_default) (pull_request) Successful in 1s Details test / end_to_end_vault (ubuntu2404, vault_with_raft_enabled) (pull_request) Successful in 2s Details pull-requests-open / Check commit compliance (pull_request) Successful in 9s Details	2024-09-15 22:51:47 +02:00
Bertrand Lanson	d4c4bb1cf1	ci: do not use matrix inside reusable workflow Some checks failed development / Check commit compliance (push) Successful in 5s Details test / end_to_end_vault (debian11, vault_default) (pull_request) Failing after 7s Details test / end_to_end_vault (debian12, vault_default) (pull_request) Failing after 2s Details test / end_to_end_vault (debian11, vault_with_raft_enabled) (pull_request) Failing after 7s Details test / end_to_end_vault (debian12, vault_with_raft_enabled) (pull_request) Failing after 1s Details test / end_to_end_vault (ubuntu2004, vault_default) (pull_request) Failing after 2s Details test / end_to_end_vault (ubuntu2004, vault_with_raft_enabled) (pull_request) Failing after 1s Details test / end_to_end_vault (ubuntu2204, vault_default) (pull_request) Failing after 2s Details test / end_to_end_vault (ubuntu2204, vault_with_raft_enabled) (pull_request) Failing after 1s Details test / end_to_end_vault (ubuntu2404, vault_default) (pull_request) Failing after 2s Details test / end_to_end_vault (ubuntu2404, vault_with_raft_enabled) (pull_request) Failing after 1s Details pull-requests-open / Check commit compliance (pull_request) Successful in 11s Details	2024-09-15 22:47:29 +02:00
Bertrand Lanson	844e2584de	ci: fix path for workflow Some checks are pending test / end_to_end_vault (pull_request) Waiting to run Details development / Check commit compliance (push) Successful in 5s Details pull-requests-open / Check commit compliance (pull_request) Successful in 12s Details	2024-09-15 22:43:11 +02:00
Bertrand Lanson	32e09b9cc2	ci: test reusable workflows Some checks failed development / Check commit compliance (push) Successful in 5s Details test / end_to_end_vault (pull_request) Failing after 5s Details pull-requests-open / Check commit compliance (pull_request) Successful in 10s Details	2024-09-15 22:42:29 +02:00
Bertrand Lanson	cdb94d9848	test: adjust globals.yml for tls and no_tls multinode setups All checks were successful development / Check commit compliance (push) Successful in 5s Details pull-requests-open / Check commit compliance (pull_request) Successful in 9s Details	2024-09-15 21:38:55 +02:00
Bertrand Lanson	7567e09191	feat: add default variables files for nomad and vault All checks were successful development / Check commit compliance (push) Successful in 5s Details	2024-09-15 21:37:10 +02:00
Bertrand Lanson	a1f336e7e7	feat: add override options for all consul variables All checks were successful development / Check commit compliance (push) Successful in 5s Details	2024-09-15 21:36:29 +02:00
Bertrand Lanson	bf73df226a	feat: use override variables in globals.yml All checks were successful development / Check commit compliance (push) Successful in 26s Details	2024-09-11 22:20:53 +02:00
Bertrand Lanson	a5c72c969f	feat: add ovveride options for vault variables	2024-09-11 22:20:28 +02:00
Bertrand Lanson	0e89312874	feat: add ovveride options for nomad variables	2024-09-11 22:20:12 +02:00
Bertrand Lanson	c551fb7b04	feat: add version documentation to nomad_acl_bootstrap module	2024-09-10 22:03:46 +02:00