feat: use override variables in globals.yml

playbooks/group_vars/all/globals.yml

@@ -54,49 +54,48 @@ consul_extra_configuration: {}
 consul_enable_tls: "{{ enable_tls_internal }}"
 
 consul_log_level: info
-
 #########
 # Vault #
 #########
 
-vault_cluster_name: vault
+# hashistack_vault_cluster_name: vault
-vault_bind_addr: "0.0.0.0"
+# hashistack_vault_bind_addr: "0.0.0.0"
-vault_cluster_addr: "{{ api_interface_address }}"
+# hashistack_vault_cluster_addr: "{{ api_interface_address }}"
-vault_enable_ui: true
+# hashistack_vault_enable_ui: true
-vault_disable_mlock: false
+# hashistack_vault_disable_mlock: false
-vault_disable_cache: false
+# hashistack_vault_disable_cache: false
 
-vault_extra_files_list: []
+# hashistack_vault_extra_files_list: []
-vault_extra_configuration: {}
+# hashistack_vault_extra_configuration: {}
 
-vault_enable_tls: "{{ enable_tls_internal }}"
+# hashistack_vault_enable_tls: "{{ enable_tls_internal }}"
 
-vault_enable_service_registration: "{{ enable_consul | bool }}"
+# hashistack_vault_enable_service_registration: "{{ enable_consul | bool }}"
 
-vault_enable_plugins: false
+# hashistack_vault_enable_plugins: false
 
-vault_log_level: info
+# hashistack_vault_log_level: info
 
 #########
 # Nomad #
 #########
 
-nomad_region: global
+# hashistack_nomad_region: global
-nomad_datacenter: dc1
+# hashistack_nomad_datacenter: dc1
 
-nomad_extra_files_list: []
+# hashistack_nomad_extra_files_list: []
-nomad_extra_configuration: {}
+# hashistack_nomad_extra_configuration: {}
 
-nomad_autopilot_configuration: {}
+# hashistack_nomad_autopilot_configuration: {}
 
-nomad_driver_enable_docker: true
+# hashistack_nomad_driver_enable_docker: true
-nomad_driver_enable_podman: false
+# hashistack_nomad_driver_enable_podman: false
-nomad_driver_enable_raw_exec: false
+# hashistack_nomad_driver_enable_raw_exec: false
-nomad_driver_enable_java: false
+# hashistack_nomad_driver_enable_java: false
-nomad_driver_enable_qemu: false
+# hashistack_nomad_driver_enable_qemu: false
 
-nomad_driver_extra_configuration: {}
+# hashistack_nomad_driver_configuration: {}
 
-nomad_log_level: info
+# hashistack_nomad_log_level: info
 
-nomad_enable_tls: "{{ enable_tls_internal }}"
+# hashistack_nomad_enable_tls: "{{ enable_tls_internal }}"

playbooks/group_vars/all/nomad.yml

@@ -3,15 +3,12 @@
 # Nomad #
 #########
 
-nomad_config_dir: "{{ hashistack_remote_config_dir }}/nomad.d"
+# hashistack_nomad_config_dir:
-nomad_data_dir: "/opt/nomad"
+# hashistack_nomad_data_dir:
-nomad_certs_dir: "{{ nomad_config_dir }}/tls"
+# hashistack_nomad_certs_dir:
-nomad_logs_dir: "{{ hashistack_remote_log_dir }}/nomad"
+# hashistack_nomad_logs_dir:
-
+# hashistack_nomad_extra_files_list:
-nomad_extra_files: true
+# hashistack_nomad_env_variables:
-# nomad_extra_files_list: []
-
-nomad_env_variables: {}
 
 #######################
 # extra configuration #
@@ -22,213 +19,94 @@ nomad_env_variables: {}
 # option should be used to add pieces of configuration not
 # available through standard variables.
 
-# nomad_extra_configuration: {}
+# hashistack_nomad_extra_configuration:
 
 ###########
 # general #
 ###########
 
-# nomad_region: global
+# hashistack_nomad_region:
-# nomad_datacenter: dc1
+# hashistack_nomad_datacenter:
 
 #########################
 # address configuration #
 #########################
 
-nomad_bind_addr: "0.0.0.0"
+# hashistack_nomad_bind_addr:
-nomad_advertise_addr: "{{ api_interface_address }}"
+# hashistack_nomad_advertise_addr:
-nomad_address_configuration:
+# hashistack_nomad_address_configuration:
-  bind_addr: "{{ nomad_bind_addr }}"
-  addresses:
-    http: "{{ nomad_advertise_addr }}"
-    rpc: "{{ nomad_advertise_addr }}"
-    serf: "{{ nomad_advertise_addr }}"
-  advertise:
-    http: "{{ nomad_advertise_addr }}"
-    rpc: "{{ nomad_advertise_addr }}"
-    serf: "{{ nomad_advertise_addr }}"
-  ports:
-    http: 4646
-    rpc: 4647
-    serf: 4648
 
 ###########################
 # autopilot configuration #
 ###########################
 
-# nomad_autopilot_configuration: {}
+# hashistack_nomad_autopilot_configuration:
 
 #######################
 # leave configuration #
 #######################
 
-nomad_leave_on_interrupt: false
+# hashistack_nomad_leave_on_interrupt:
-nomad_leave_on_terminate: false
+# hashistack_nomad_leave_on_terminate:
-
-########################
-# server configuration #
-########################
-
-nomad_enable_server: "{{ ('nomad_servers' in group_names) | bool }}"
-nomad_server_bootstrap_expect: "{{ (groups['nomad_servers'] | length) }}"
-nomad_server_configuration:
-  enabled: "{{ nomad_enable_server }}"
-  data_dir: "{{ nomad_data_dir }}/server"
-  encrypt: "{{ _credentials.nomad.gossip_encryption_key }}"
-
-##############################
-# client configuration #
-##############################
-
-nomad_enable_client: "{{ ('nomad_clients' in group_names) | bool }}"
-nomad_client_configuration:
-  enabled: "{{ nomad_enable_client }}"
-  state_dir: "{{ nomad_data_dir }}/client"
-  cni_path: "{{ cni_plugins_install_path | default('/opt/cni/bin') }}"
-  bridge_network_name: nomad
-  bridge_network_subnet: "172.26.64.0/20"
-  node_pool: >-
-    {{
-      'ingress' if 'nomad_ingress' in group_names else
-      'controller' if 'nomad_servers' in group_names else
-      omit
-    }}
 
 ####################
 # ui configuration #
 ####################
 
-nomad_ui_configuration:
+# hashistack_nomad_ui_configuration:
-  enabled: "{{ nomad_enable_server }}"
 
 #########################
 # drivers configuration #
 #########################
 
-nomad_driver_enable_docker: true
+# hashistack_nomad_driver_enable_docker:
-nomad_driver_enable_podman: false
+# hashistack_nomad_driver_enable_podman:
-nomad_driver_enable_raw_exec: false
+# hashistack_nomad_driver_enable_raw_exec:
-nomad_driver_enable_java: false
+# hashistack_nomad_driver_enable_java:
-nomad_driver_enable_qemu: false
+# hashistack_nomad_driver_enable_qemu:
-
+# hashistack_nomad_driver_configuration:
-nomad_driver_configuration:
-  raw_exec:
-    enabled: false
-
-nomad_driver_extra_configuration: {}
 
 ###########
 # logging #
 ###########
 
-nomad_log_level: info
+# hashistack_nomad_log_level:
-nomad_enable_log_to_file: "{{ enable_log_to_file | bool }}"
+# hashistack_nomad_enable_log_to_file:
-nomad_log_to_file_configuration:
+# hashistack_nomad_log_to_file_configuration:
-  log_file: "{{ nomad_logs_dir }}/nomad.log"
-  log_rotate_duration: 24h
-  log_rotate_max_files: 30
 
 #####################
 # ACL configuration #
 #####################
 
-nomad_acl_configuration:
+# hashistack_nomad_acl_configuration:
-  enabled: true
-  token_ttl: 30s
-  policy_ttl: 60s
-  role_ttl: 60s
 
 ################
 # internal tls #
 ################
 
-# nomad_enable_tls: false
+# hashistack_nomad_enable_tls:
-nomad_tls_configuration:
+# hashistack_nomad_tls_configuration:
-  http: true
-  rpc: true
-  ca_file: "/etc/ssl/certs/ca-certificates.crt"
-  cert_file: "{{ nomad_certs_dir }}/fullchain.crt"
-  key_file: "{{ nomad_certs_dir }}/cert.key"
-  verify_server_hostname: true
-
-nomad_certificates_extra_files_dir: >
-  {{
-    [] if external_tls_externally_managed_certs | bool else
-    [{
-      'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}",
-      'dest': "{{ nomad_certs_dir }}"
-    }]
-  }}
 
 ###########################
 # telemetry configuration #
 ###########################
 
-nomad_telemetry_configuration:
+# hashistack_nomad_telemetry_configuration:
-  collection_interval: 10s
-  disable_hostname: false
-  use_node_name: false
-  publish_allocation_metrics: false
-  publish_node_metrics: false
-  prefix_filter: []
-  disable_dispatched_job_summary_metrics: false
-  prometheus_metrics: false
 
 ######################
 # consul integration #
 ######################
 
-nomad_enable_consul_integration: "{{ enable_consul | bool }}"
+# hashistack_nomad_enable_consul_integration:
-nomad_consul_integration_configuration:
+# hashistack_nomad_consul_integration_configuration:
-  address: >-
+# hashistack_nomad_consul_integration_tls_configuration:
-    127.0.0.1:{{ consul_api_port[consul_api_scheme] }}
+# hashistack_nomad_consul_integration_server_configuration:
-  auto_advertise: true
+# hashistack_nomad_consul_integration_client_configuration:
-  ssl: "{{ consul_enable_tls | bool }}"
+# hashistack_nomad_consul_integration_client_tls_configuration:
-  token: >-
-    {{ _credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else _credentials.consul.tokens.nomad.client.secret_id }}
-  tags: []
-
-nomad_consul_integration_tls_configuration:
-  ca_file: "/etc/ssl/certs/ca-certificates.crt"
-
-nomad_consul_integration_server_configuration:
-  server_auto_join: true
-
-nomad_consul_integration_client_configuration:
-  client_auto_join: true
-  grpc_address: >-
-    127.0.0.1:{{ consul_grpc_port[consul_api_scheme] }}
-
-nomad_consul_integration_client_tls_configuration:
-  grpc_ca_file: "/etc/ssl/certs/ca-certificates.crt"
-
-nomad_consul_integration_server_policy: |
-  agent_prefix "" {
-    policy = "read"
-  }
-  node_prefix "" {
-    policy = "read"
-  }
-  service_prefix "" {
-    policy = "write"
-  }
-  acl  = "write"
-  mesh = "write"
-
-nomad_consul_integration_client_policy: |
-  agent_prefix "" {
-    policy = "read"
-  }
-  node_prefix "" {
-    policy = "read"
-  }
-  service_prefix "" {
-    policy = "write"
-  }
 
 ############################
 # nomad vault integration #
 ############################
 
-nomad_enable_vault_integration: false
+# hashistack_nomad_enable_vault_integration:
-nomad_vault_integration_configuration: {}
+# hashistack_nomad_vault_integration_configuration:

playbooks/group_vars/all/nomad_default.yml

@@ -0,0 +1,347 @@
+---
+#########
+# Nomad #
+#########
+
+hashistack_default_nomad_config_dir: "{{ hashistack_remote_config_dir }}/nomad.d"
+nomad_config_dir: "{{ hashistack_nomad_config_dir | default(hashistack_default_nomad_config_dir) }}"
+
+hashistack_default_nomad_data_dir: "/opt/nomad"
+nomad_data_dir: "{{ hashistack_nomad_data_dir | default(hashistack_default_nomad_data_dir) }}"
+
+hashistack_default_nomad_certs_dir: "{{ nomad_config_dir }}/tls"
+nomad_certs_dir: "{{ hashistack_nomad_certs_dir | default(hashistack_default_nomad_certs_dir) }}"
+
+hashistack_default_nomad_logs_dir: "{{ hashistack_remote_log_dir }}/nomad"
+nomad_logs_dir: "{{ hashistack_nomad_logs_dir | default(hashistack_default_nomad_logs_dir) }}"
+
+nomad_extra_files: true
+
+hashistack_default_nomad_extra_files_list: []
+nomad_extra_files_list: "{{ hashistack_nomad_extra_files_list | default(hashistack_default_nomad_extra_files_list) }}"
+
+hashistack_default_nomad_env_variables: {}
+nomad_env_variables: "{{ hashistack_nomad_env_variables | default(hashistack_default_nomad_env_variables) }}"
+
+#######################
+# extra configuration #
+#######################
+
+# You should prioritize adding configuration
+# to the configuration entries below, this
+# option should be used to add pieces of configuration not
+# available through standard variables.
+
+hashistack_default_nomad_extra_configuration: {}
+nomad_extra_configuration: >-
+  {{
+    hashistack_default_nomad_extra_configuration |
+    combine((hashistack_nomad_extra_configuration | default({})), recursive=true)
+  }}
+
+###########
+# general #
+###########
+
+hashistack_default_nomad_region: global
+nomad_region: "{{ hashistack_nomad_region | default(hashistack_default_nomad_region) }}"
+
+hashistack_default_nomad_datacenter: dc1
+nomad_datacenter: "{{ hashistack_nomad_datacenter | default(hashistack_default_nomad_datacenter) }}"
+
+#########################
+# address configuration #
+#########################
+
+hashistack_default_nomad_bind_addr: "0.0.0.0"
+nomad_bind_addr: "{{ hashistack_nomad_bind_addr | default(hashistack_default_nomad_bind_addr) }}"
+
+hashistack_default_nomad_advertise_addr: "{{ api_interface_address }}"
+nomad_advertise_addr: "{{ hashistack_nomad_advertise_addr | default(hashistack_default_nomad_advertise_addr) }}"
+
+hashistack_default_nomad_address_configuration:
+  bind_addr: "{{ nomad_bind_addr }}"
+  addresses:
+    http: "{{ nomad_advertise_addr }}"
+    rpc: "{{ nomad_advertise_addr }}"
+    serf: "{{ nomad_advertise_addr }}"
+  advertise:
+    http: "{{ nomad_advertise_addr }}"
+    rpc: "{{ nomad_advertise_addr }}"
+    serf: "{{ nomad_advertise_addr }}"
+  ports:
+    http: 4646
+    rpc: 4647
+    serf: 4648
+nomad_address_configuration: >-
+  {{
+    hashistack_default_nomad_address_configuration |
+    combine((hashistack_nomad_address_configuration | default({})), recursive=true)
+  }}
+
+###########################
+# autopilot configuration #
+###########################
+
+hashistack_default_nomad_autopilot_configuration: {}
+nomad_autopilot_configuration: "{{ hashistack_nomad_autopilot_configuration | default(hashistack_default_nomad_autopilot_configuration) }}"
+
+#######################
+# leave configuration #
+#######################
+
+hashistack_default_nomad_leave_on_interrupt: false
+nomad_leave_on_interrupt: "{{ hashistack_nomad_leave_on_interrupt | default(hashistack_default_nomad_leave_on_interrupt) }}"
+
+hashistack_default_nomad_leave_on_terminate: false
+nomad_leave_on_terminate: "{{ hashistack_nomad_leave_on_terminate | default(hashistack_default_nomad_leave_on_terminate) }}"
+
+########################
+# server configuration #
+########################
+
+nomad_enable_server: "{{ ('nomad_servers' in group_names) | bool }}"
+nomad_server_bootstrap_expect: "{{ (groups['nomad_servers'] | length) }}"
+nomad_server_configuration:
+  enabled: "{{ nomad_enable_server }}"
+  data_dir: "{{ nomad_data_dir }}/server"
+  encrypt: "{{ _credentials.nomad.gossip_encryption_key }}"
+
+##############################
+# client configuration #
+##############################
+
+nomad_enable_client: "{{ ('nomad_clients' in group_names) | bool }}"
+nomad_client_configuration:
+  enabled: "{{ nomad_enable_client }}"
+  state_dir: "{{ nomad_data_dir }}/client"
+  cni_path: "{{ cni_plugins_install_path | default('/opt/cni/bin') }}"
+  bridge_network_name: nomad
+  bridge_network_subnet: "172.26.64.0/20"
+  node_pool: >-
+    {{
+      'ingress' if 'nomad_ingress' in group_names else
+      'controller' if 'nomad_servers' in group_names else
+      omit
+    }}
+
+####################
+# ui configuration #
+####################
+
+hashistack_default_nomad_ui_configuration:
+  enabled: "{{ nomad_enable_server }}"
+nomad_ui_configuration: >-
+  {{
+    hashistack_default_nomad_ui_configuration |
+    combine((hashistack_nomad_ui_configuration | default({})), recursive=true)
+  }}
+
+#########################
+# drivers configuration #
+#########################
+
+hashistack_default_nomad_driver_enable_docker: true
+nomad_driver_enable_docker: "{{ hashistack_nomad_driver_enable_docker | default(hashistack_default_nomad_driver_enable_docker) }}"
+
+hashistack_default_nomad_driver_enable_podman: false
+nomad_driver_enable_podman: "{{ hashistack_nomad_driver_enable_podman | default(hashistack_default_nomad_driver_enable_podman) }}"
+
+hashistack_default_nomad_driver_enable_raw_exec: false
+nomad_driver_enable_raw_exec: "{{ hashistack_nomad_driver_enable_raw_exec | default(hashistack_default_nomad_driver_enable_raw_exec) }}"
+
+hashistack_default_nomad_driver_enable_java: false
+nomad_driver_enable_java: "{{ hashistack_nomad_driver_enable_java | default(hashistack_default_nomad_driver_enable_java) }}"
+
+hashistack_default_nomad_driver_enable_qemu: false
+nomad_driver_enable_qemu: "{{ hashistack_nomad_driver_enable_qemu | default(hashistack_default_nomad_driver_enable_qemu) }}"
+
+hashistack_default_nomad_driver_configuration:
+  raw_exec:
+    enabled: "{{ nomad_driver_enable_raw_exec }}"
+nomad_driver_configuration: >-
+  {{
+    hashistack_default_nomad_driver_configuration |
+    combine((hashistack_nomad_driver_configuration | default({})), recursive=true)
+  }}
+
+nomad_driver_extra_configuration: {}
+
+###########
+# logging #
+###########
+
+hashistack_default_nomad_log_level: info
+nomad_log_level: "{{ hashistack_nomad_log_level | default(hashistack_default_nomad_log_level) }}"
+
+hashistack_default_nomad_enable_log_to_file: "{{ enable_log_to_file | bool }}"
+nomad_enable_log_to_file: "{{ hashistack_nomad_enable_log_to_file | default(hashistack_default_nomad_enable_log_to_file) }}"
+
+hashistack_default_nomad_log_to_file_configuration:
+  log_file: "{{ nomad_logs_dir }}/nomad.log"
+  log_rotate_duration: 24h
+  log_rotate_max_files: 30
+nomad_log_to_file_configuration: >-
+  {{
+    hashistack_default_nomad_log_to_file_configuration |
+    combine((hashistack_nomad_log_to_file_configuration | default({})), recursive=true)
+  }}
+
+#####################
+# ACL configuration #
+#####################
+
+hashistack_default_nomad_acl_configuration:
+  enabled: true
+  token_ttl: 30s
+  policy_ttl: 60s
+  role_ttl: 60s
+nomad_acl_configuration: >-
+  {{
+    hashistack_default_nomad_acl_configuration |
+    combine((hashistack_nomad_acl_configuration | default({})), recursive=true)
+  }}
+
+################
+# internal tls #
+################
+
+hashistack_default_nomad_enable_tls: false
+nomad_enable_tls: "{{ hashistack_nomad_enable_tls | default(hashistack_default_nomad_enable_tls) }}"
+
+hashistack_default_nomad_tls_configuration:
+  http: true
+  rpc: true
+  ca_file: "/etc/ssl/certs/ca-certificates.crt"
+  cert_file: "{{ nomad_certs_dir }}/fullchain.crt"
+  key_file: "{{ nomad_certs_dir }}/cert.key"
+  verify_server_hostname: true
+nomad_tls_configuration: >-
+  {{
+    hashistack_default_nomad_tls_configuration |
+    combine((hashistack_nomad_tls_configuration | default({})), recursive=true)
+  }}
+
+nomad_certificates_extra_files_dir: >
+  {{
+    [] if internal_tls_externally_managed_certs | bool else
+    [{
+      'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/nomad/{{ inventory_hostname }}",
+      'dest': "{{ nomad_certs_dir }}"
+    }]
+  }}
+
+###########################
+# telemetry configuration #
+###########################
+
+hashistack_default_nomad_telemetry_configuration:
+  collection_interval: 10s
+  disable_hostname: false
+  use_node_name: false
+  publish_allocation_metrics: false
+  publish_node_metrics: false
+  prefix_filter: []
+  disable_dispatched_job_summary_metrics: false
+  prometheus_metrics: false
+nomad_telemetry_configuration: >-
+  {{
+    hashistack_default_nomad_telemetry_configuration |
+    combine((hashistack_nomad_telemetry_configuration | default({})), recursive=true)
+  }}
+
+######################
+# consul integration #
+######################
+
+hashistack_default_nomad_enable_consul_integration: "{{ enable_consul | bool }}"
+nomad_enable_consul_integration: "{{ hashistack_nomad_enable_consul_integration | default(hashistack_default_nomad_enable_consul_integration) }}"
+
+hashistack_default_nomad_consul_integration_configuration:
+  address: >-
+    127.0.0.1:{{ consul_api_port[consul_api_scheme] }}
+  auto_advertise: true
+  ssl: "{{ consul_enable_tls | bool }}"
+  token: >-
+    {{
+      _credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else
+      _credentials.consul.tokens.nomad.client.secret_id
+    }}
+  tags: []
+nomad_consul_integration_configuration: >-
+  {{
+    hashistack_default_nomad_consul_integration_configuration |
+    combine((hashistack_nomad_consul_integration_configuration | default({})), recursive=true)
+  }}
+
+hashistack_default_nomad_consul_integration_tls_configuration:
+  ca_file: "/etc/ssl/certs/ca-certificates.crt"
+nomad_consul_integration_tls_configuration: >-
+  {{
+    hashistack_default_nomad_consul_integration_tls_configuration |
+    combine((hashistack_nomad_consul_integration_tls_configuration | default({})), recursive=true)
+  }}
+
+hashistack_default_nomad_consul_integration_server_configuration:
+  server_auto_join: true
+nomad_consul_integration_server_configuration: >-
+  {{
+    hashistack_default_nomad_consul_integration_server_configuration |
+    combine((hashistack_nomad_consul_integration_server_configuration | default({})), recursive=true)
+  }}
+
+hashistack_default_nomad_consul_integration_client_configuration:
+  client_auto_join: true
+  grpc_address: >-
+    127.0.0.1:{{ consul_grpc_port[consul_api_scheme] }}
+nomad_consul_integration_client_configuration: >-
+  {{
+    hashistack_default_nomad_consul_integration_client_configuration |
+    combine((hashistack_nomad_consul_integration_client_configuration | default({})), recursive=true)
+  }}
+
+hashistack_default_nomad_consul_integration_client_tls_configuration:
+  grpc_ca_file: "/etc/ssl/certs/ca-certificates.crt"
+nomad_consul_integration_client_tls_configuration: >-
+  {{
+    hashistack_default_nomad_consul_integration_client_tls_configuration |
+    combine((hashistack_nomad_consul_integration_client_tls_configuration | default({})), recursive=true)
+  }}
+
+nomad_consul_integration_server_policy: |
+  agent_prefix "" {
+    policy = "read"
+  }
+  node_prefix "" {
+    policy = "read"
+  }
+  service_prefix "" {
+    policy = "write"
+  }
+  acl  = "write"
+  mesh = "write"
+
+nomad_consul_integration_client_policy: |
+  agent_prefix "" {
+    policy = "read"
+  }
+  node_prefix "" {
+    policy = "read"
+  }
+  service_prefix "" {
+    policy = "write"
+  }
+
+############################
+# nomad vault integration #
+############################
+
+hashistack_default_nomad_enable_vault_integration: false
+nomad_enable_vault_integration: "{{ hashistack_nomad_enable_vault_integration | default(hashistack_default_nomad_enable_vault_integration) }}"
+
+hashistack_default_nomad_vault_integration_configuration: {}
+nomad_vault_integration_configuration: >-
+  {{
+    hashistack_default_nomad_vault_integration_configuration |
+    combine((hashistack_nomad_vault_integration_configuration | default({})), recursive=true)
+  }}

playbooks/group_vars/all/vault.yml

@@ -3,15 +3,12 @@
 # Vault #
 #########
 
-vault_config_dir: "{{ hashistack_remote_config_dir }}/vault.d"
+# hashistack_vault_config_dir:
-vault_data_dir: "/opt/vault"
+# hashistack_vault_data_dir:
-vault_certs_dir: "{{ vault_config_dir }}/tls"
+# hashistack_vault_certs_dir:
-vault_logs_dir: "{{ hashistack_remote_log_dir }}/vault"
+# hashistack_vault_logs_dir:
-
+# hashistack_vault_extra_files_list:
-vault_extra_files: true
+# hashistack_vault_env_variables:
-# vault_extra_files_list: []
-
-vault_env_variables: {}
 
 #######################
 # extra configuration #
@@ -22,103 +19,57 @@ vault_env_variables: {}
 # option should be used to add pieces of configuration not
 # available through standard variables.
 
-# vault_extra_configuration: {}
+# hashistack_vault_extra_configuration:
 
 ###########
 # general #
 ###########
 
-# vault_cluster_name: vault
+# hashistack_vault_cluster_name:
-# vault_bind_addr: "0.0.0.0"
+# hashistack_vault_bind_addr:
-# vault_cluster_addr: "{{ api_interface_address }}"
+# hashistack_vault_cluster_addr:
-# vault_enable_ui: true
+# hashistack_vault_enable_ui:
-# vault_disable_mlock: false
+# hashistack_vault_disable_mlock:
-# vault_disable_cache: false
+# hashistack_vault_disable_cache:
 
 ######################
 # seal configuration #
 ######################
 
-vault_seal_configuration:
+# hashistack_vault_seal_configuration:
-  key_shares: 3
-  key_threshold: 2
 
 #########################
 # storage configuration #
 #########################
 
-vault_storage_configuration:
+# hashistack_vault_storage_configuration:
-  raft:
-    path: "{{ vault_data_dir }}"
-    node_id: "{{ ansible_hostname }}"
-    retry_join: >-
-      [
-      {% for host in groups['vault_servers'] %}
-        {
-          'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200'
-        }{% if not loop.last %},{% endif %}
-      {% endfor %}
-      ]
 
 ##########################
 # listener configuration #
 ##########################
 
-# vault_enable_tls: false
+# hashistack_vault_enable_tls:
-vault_listener_configuration:
+# hashistack_vault_listener_configuration:
-  - tcp:
+# hashistack_vault_tls_listener_configuration:
-      address: "{{ vault_cluster_addr }}:8200"
-      tls_disable: true
-
-vault_tls_listener_configuration:
-  - tcp:
-      tls_disable: false
-      tls_cert_file: "{{ vault_certs_dir }}/fullchain.crt"
-      tls_key_file: "{{ vault_certs_dir }}/cert.key"
-      tls_disable_client_certs: true
-
-vault_certificates_extra_files_dir: >
-  {{
-    [] if external_tls_externally_managed_certs | bool else
-    [{
-      'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}",
-      'dest': "{{ vault_certs_dir }}"
-    }]
-  }}
-
-vault_extra_listener_configuration: []
 
 ########################
 # service registration #
 ########################
 
-# vault_enable_service_registration: "{{ enable_consul | bool }}"
+# hashistack_vault_enable_service_registration:
-vault_service_registration_configuration:
+# hashistack_vault_service_registration_configuration:
-  consul:
-    address: >-
-      127.0.0.1:{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}
-    scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
-    token: "{{ _credentials.consul.tokens.vault.secret_id }}"
-
-vault_service_registration_policy: |
-  service "vault" {
-    policy = "write"
-  }
 
 #########################
 # plugins configuration #
 #########################
 
-# vault_enable_plugins: false
+# hashistack_vault_enable_plugins:
-vault_plugins_directory: "{{ vault_config_dir }}/plugins"
+# hashistack_vault_plugins_directory:
 
 #################
 # vault logging #
 #################
 
-# vault_log_level: info
+# hashistack_vault_log_level:
-vault_enable_log_to_file: "{{ enable_log_to_file | bool }}"
+# hashistack_vault_enable_log_to_file:
-vault_log_to_file_configuration:
+# hashistack_vault_log_to_file_configuration:
-  log_file: "{{ vault_logs_dir }}/vault.log"
-  log_rotate_duration: 24h
-  log_rotate_max_files: 30

playbooks/group_vars/all/vault_default.yml

@@ -0,0 +1,174 @@
+---
+#########
+# Vault #
+#########
+
+hashistack_default_vault_config_dir: "{{ hashistack_remote_config_dir }}/vault.d"
+vault_config_dir: "{{ hashistack_vault_config_dir | default(hashistack_default_vault_config_dir) }}"
+
+hashistack_default_vault_data_dir: "/opt/vault"
+vault_data_dir: "{{ hashistack_vault_data_dir | default(hashistack_default_vault_data_dir) }}"
+
+hashistack_default_vault_certs_dir: "{{ vault_config_dir }}/tls"
+vault_certs_dir: "{{ hashistack_vault_certs_dir | default(hashistack_default_vault_certs_dir) }}"
+
+hashistack_default_vault_logs_dir: "{{ hashistack_remote_log_dir }}/vault"
+vault_logs_dir: "{{ hashistack_vault_logs_dir | default(hashistack_default_vault_logs_dir) }}"
+
+vault_extra_files: true
+
+hashistack_default_vault_extra_files_list: []
+vault_extra_files_list: "{{ hashistack_vault_extra_files_list | default(hashistack_default_vault_extra_files_list) }}"
+
+hashistack_default_vault_env_variables: {}
+vault_env_variables: "{{ hashistack_vault_env_variables | default(hashistack_default_vault_env_variables) }}"
+
+#######################
+# extra configuration #
+#######################
+
+# You should prioritize adding configuration
+# to the configuration entries below, this
+# option should be used to add pieces of configuration not
+# available through standard variables.
+
+hashistack_default_vault_extra_configuration: {}
+vault_extra_configuration: >-
+  {{
+    hashistack_default_vault_extra_configuration |
+    combine((hashistack_vault_extra_configuration | default({})), recursive=true)
+  }}
+
+###########
+# general #
+###########
+
+hashistack_default_vault_cluster_name: vault
+vault_cluster_name: "{{ hashistack_vault_cluster_name | default(hashistack_default_vault_cluster_name) }}"
+
+hashistack_default_vault_bind_addr: "0.0.0.0"
+vault_bind_addr: "{{ hashistack_vault_bind_addr | default(hashistack_default_vault_bind_addr) }}"
+
+hashistack_default_vault_cluster_addr: "{{ api_interface_address }}"
+vault_cluster_addr: "{{ hashistack_vault_cluster_addr | default(hashistack_default_vault_cluster_addr) }}"
+
+hashistack_default_vault_enable_ui: true
+vault_enable_ui: "{{ hashistack_vault_enable_ui | default(hashistack_default_vault_enable_ui) }}"
+
+hashistack_default_vault_disable_mlock: false
+vault_disable_mlock: "{{ hashistack_vault_disable_mlock | default(hashistack_default_vault_disable_mlock) }}"
+
+hashistack_default_vault_disable_cache: false
+vault_disable_cache: "{{ hashistack_vault_disable_cache | default(hashistack_default_vault_disable_cache) }}"
+
+######################
+# seal configuration #
+######################
+
+hashistack_default_vault_seal_configuration:
+  key_shares: 3
+  key_threshold: 2
+vault_seal_configuration: >-
+  {{
+    hashistack_default_vault_seal_configuration |
+    combine((hashistack_vault_seal_configuration | default({})), recursive=true)
+  }}
+
+#########################
+# storage configuration #
+#########################
+
+hashistack_default_vault_storage_configuration:
+  raft:
+    path: "{{ vault_data_dir }}"
+    node_id: "{{ ansible_hostname }}"
+    retry_join: >-
+      [
+      {% for host in groups['vault_servers'] %}
+        {
+          'leader_api_addr': '{{ "https" if vault_enable_tls else "http"}}://{{ hostvars[host].api_interface_address }}:8200'
+        }{% if not loop.last %},{% endif %}
+      {% endfor %}
+      ]
+vault_storage_configuration: "{{ hashistack_vault_storage_configuration | default(hashistack_default_vault_storage_configuration) }}"
+##########################
+# listener configuration #
+##########################
+
+hashistack_default_vault_enable_tls: false
+vault_enable_tls: "{{ hashistack_vault_enable_tls | default(hashistack_default_vault_enable_tls) }}"
+
+hashistack_default_vault_listener_configuration:
+  - tcp:
+      address: "{{ vault_cluster_addr }}:8200"
+      tls_disable: true
+vault_listener_configuration: "{{ hashistack_vault_listener_configuration | default(hashistack_default_vault_listener_configuration) }}"
+
+hashistack_default_vault_tls_listener_configuration:
+  - tcp:
+      tls_disable: false
+      tls_cert_file: "{{ vault_certs_dir }}/fullchain.crt"
+      tls_key_file: "{{ vault_certs_dir }}/cert.key"
+      tls_disable_client_certs: true
+vault_tls_listener_configuration: "{{ hashistack_vault_tls_listener_configuration | default(hashistack_default_vault_tls_listener_configuration) }}"
+
+vault_certificates_extra_files_dir: >
+  {{
+    [] if external_tls_externally_managed_certs | bool else
+    [{
+      'src': "{{ hashistack_sub_configuration_directories['certificates'] }}/vault/{{ inventory_hostname }}",
+      'dest': "{{ vault_certs_dir }}"
+    }]
+  }}
+
+vault_extra_listener_configuration: []
+
+########################
+# service registration #
+########################
+
+hashistack_default_vault_enable_service_registration: "{{ enable_consul | bool }}"
+vault_enable_service_registration: "{{ hashistack_vault_enable_service_registration | default(hashistack_default_vault_enable_service_registration) }}"
+
+hashistack_default_vault_service_registration_configuration:
+  consul:
+    address: >-
+      127.0.0.1:{{ hostvars[groups['consul_servers'][0]].consul_api_port[hostvars[groups['consul_servers'][0]].consul_api_scheme] }}
+    scheme: "{{ hostvars[groups['consul_servers'][0]].consul_api_scheme }}"
+    token: "{{ _credentials.consul.tokens.vault.secret_id }}"
+vault_service_registration_configuration: "{{ hashistack_vault_service_registration_configuration | default(hashistack_default_vault_service_registration_configuration) }}"
+
+vault_service_registration_policy: |
+  service "vault" {
+    policy = "write"
+  }
+
+#########################
+# plugins configuration #
+#########################
+
+hashistack_default_vault_enable_plugins: false
+vault_enable_plugins: "{{ hashistack_vault_enable_plugins | default(hashistack_default_vault_enable_plugins) }}"
+
+hashistack_default_vault_plugins_directory: "{{ vault_config_dir }}/plugins"
+vault_plugins_directory: "{{ hashistack_vault_plugins_directory | default(hashistack_default_vault_plugins_directory) }}"
+
+#################
+# vault logging #
+#################
+
+hashistack_default_vault_log_level: info
+vault_log_level: "{{ hashistack_vault_log_level | default(hashistack_default_vault_log_level) }}"
+
+hashistack_default_vault_enable_log_to_file: "{{ enable_log_to_file | bool }}"
+vault_enable_log_to_file: "{{ hashistack_vault_enable_log_to_file | default(hashistack_default_vault_enable_log_to_file) }}"
+
+hashistack_default_vault_log_to_file_configuration:
+  log_file: "{{ vault_logs_dir }}/vault.log"
+  log_rotate_duration: 24h
+  log_rotate_max_files: 30
+vault_log_to_file_configuration: >-
+  {{
+    hashistack_default_vault_log_to_file_configuration |
+    combine((hashistack_vault_log_to_file_configuration | default({})), recursive=true)
+  }}

plugins/modules/nomad_acl_bootstrap.py

@@ -11,6 +11,8 @@ module: ednz_cloud.hashistack.nomad_acl_bootstrap
 
 short_description: Manages the ACL bootstrap of HashiCorp Nomad.
 
+version_added: "0.1.0"
+
 description:
     - This module bootstraps HashiCorp Nomad ACL, ensuring that it is securely set up for use.