ansible-collections/hcp-ansible
ansible-collections/hcp-ansible
4
0
Fork 0
Code Issues 3 Pull Requests Actions Packages Projects 1 Releases Wiki Activity

Compare commits

base: ansible-collections:2c9f538cefe9999781431cdb6e82436bb89bfcd7
Branches Tags
ansible-collections:main
ansible-collections:v0.10.0
ansible-collections:v0.9.0
ansible-collections:v0.8.2
ansible-collections:v0.8.1
ansible-collections:v0.8.0
ansible-collections:v0.7.0
ansible-collections:v0.6.2
ansible-collections:v0.6.1
ansible-collections:v0.6.0
ansible-collections:v0.5.0
ansible-collections:v0.4.0
ansible-collections:v0.3.0
ansible-collections:v0.2.0
ansible-collections:v0.1.0
..
compare: ansible-collections:b07cdea49cded1a5efb6d25193d70ecac29855b0
Branches Tags
ansible-collections:main
ansible-collections:v0.10.0
ansible-collections:v0.9.0
ansible-collections:v0.8.2
ansible-collections:v0.8.1
ansible-collections:v0.8.0
ansible-collections:v0.7.0
ansible-collections:v0.6.2
ansible-collections:v0.6.1
ansible-collections:v0.6.0
ansible-collections:v0.5.0
ansible-collections:v0.4.0
ansible-collections:v0.3.0
ansible-collections:v0.2.0
ansible-collections:v0.1.0

No commits in common. "2c9f538cefe9999781431cdb6e82436bb89bfcd7" and "b07cdea49cded1a5efb6d25193d70ecac29855b0" have entirely different histories.
2c9f538cef ... b07cdea49c

74 changed files with 0 additions and 3715 deletions
Show Stats Expand all files Collapse all files

8
molecule/consul_default/converge.yml
View File

@ -1,8 +0,0 @@
---
- name: Converge
hosts: all
become: true
tasks:
- name: "Include ednz_cloud.hashistack.consul"
ansible.builtin.include_role:
name: "ednz_cloud.hashistack.consul"

37
molecule/consul_default/molecule.yml
View File

@ -1,37 +0,0 @@
---
dependency:
name: galaxy
options:
requirements-file: ./requirements.yml
driver:
name: docker
platforms:
- name: instance
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup
cgroupns_mode: host
privileged: true
pre_build_image: true
provisioner:
name: ansible
config_options:
defaults:
remote_tmp: /tmp/.ansible
verifier:
name: ansible
scenario:
name: consul_default
test_sequence:
- dependency
- cleanup
- destroy
- syntax
- create
- prepare
- converge
- idempotence
- verify
- cleanup
- destroy

13
molecule/consul_default/prepare.yml
View File

@ -1,13 +0,0 @@
---
- name: Prepare
hosts: all
become: true
tasks:
- name: "Install pre-required system packages"
ansible.builtin.include_role:
name: ednz_cloud.manage_apt_packages
vars:
manage_apt_packages_list:
- name: unzip
version: latest
state: present

4
molecule/consul_default/requirements.yml
View File

@ -1,4 +0,0 @@
---
# requirements file for molecule
roles:
- name: ednz_cloud.manage_apt_packages

170
molecule/consul_default/verify.yml
View File

@ -1,170 +0,0 @@
---
- name: Verify
hosts: all
gather_facts: true
become: true
tasks:
- name: "Test: consul user and group"
block:
- name: "Getent user consul"
ansible.builtin.getent:
database: passwd
key: consul
register: consul_user
- name: "Getent group consul"
ansible.builtin.getent:
database: group
key: consul
register: consul_group
- name: "Verify consul user and group"
ansible.builtin.assert:
that:
- not consul_user.failed
- not consul_group.failed
- "'consul' in consul_user.ansible_facts.getent_passwd.keys()"
- "'/home/consul' in consul_user.ansible_facts.getent_passwd['consul']"
- "'/bin/false' in consul_user.ansible_facts.getent_passwd['consul']"
- "'consul' in consul_group.ansible_facts.getent_group.keys()"
- name: "Test: binary /usr/local/bin/consul"
block:
- name: "Stat binary /usr/local/bin/consul"
ansible.builtin.stat:
path: "/usr/local/bin/consul"
register: stat_usr_local_bin_consul
- name: "Verify binary /usr/local/bin/consul"
ansible.builtin.assert:
that:
- stat_usr_local_bin_consul.stat.exists
- stat_usr_local_bin_consul.stat.isreg
- stat_usr_local_bin_consul.stat.pw_name == 'root'
- stat_usr_local_bin_consul.stat.gr_name == 'root'
- stat_usr_local_bin_consul.stat.mode == '0755'
- name: "Test: directory /etc/consul.d"
block:
- name: "Stat directory /etc/consul.d"
ansible.builtin.stat:
path: "/etc/consul.d"
register: stat_etc_consul_d
- name: "Stat file /etc/consul.d/consul.env"
ansible.builtin.stat:
path: "/etc/consul.d/consul.env"
register: stat_etc_consul_d_consul_env
- name: "Stat file /etc/consul.d/consul.json"
ansible.builtin.stat:
path: "/etc/consul.d/consul.json"
register: stat_etc_consul_d_consul_json
- name: "Slurp file /etc/consul.d/consul.json"
ansible.builtin.slurp:
src: "/etc/consul.d/consul.json"
register: slurp_etc_consul_d_consul_json
- name: "Verify directory /etc/consul.d"
ansible.builtin.assert:
that:
- stat_etc_consul_d.stat.exists
- stat_etc_consul_d.stat.isdir
- stat_etc_consul_d.stat.pw_name == 'consul'
- stat_etc_consul_d.stat.gr_name == 'consul'
- stat_etc_consul_d.stat.mode == '0755'
- stat_etc_consul_d_consul_env.stat.exists
- stat_etc_consul_d_consul_env.stat.isreg
- stat_etc_consul_d_consul_env.stat.pw_name == 'consul'
- stat_etc_consul_d_consul_env.stat.gr_name == 'consul'
- stat_etc_consul_d_consul_env.stat.mode == '0600'
- stat_etc_consul_d_consul_json.stat.exists
- stat_etc_consul_d_consul_json.stat.isreg
- stat_etc_consul_d_consul_json.stat.pw_name == 'consul'
- stat_etc_consul_d_consul_json.stat.gr_name == 'consul'
- stat_etc_consul_d_consul_json.stat.mode == '0600'
- slurp_etc_consul_d_consul_json.content != ''
- name: "Test: directory /opt/consul"
block:
- name: "Stat directory /opt/consul"
ansible.builtin.stat:
path: "/opt/consul"
register: stat_opt_consul
- name: "Verify directory /opt/consul"
ansible.builtin.assert:
that:
- stat_opt_consul.stat.exists
- stat_opt_consul.stat.isdir
- stat_opt_consul.stat.pw_name == 'consul'
- stat_opt_consul.stat.gr_name == 'consul'
- stat_opt_consul.stat.mode == '0755'
- name: "Test: service consul"
block:
- name: "Get service consul"
ansible.builtin.service_facts:
- name: "Stat file /etc/systemd/system/consul.service"
ansible.builtin.stat:
path: "/etc/systemd/system/consul.service"
register: stat_etc_systemd_system_consul_service
- name: "Slurp file /etc/systemd/system/consul.service"
ansible.builtin.slurp:
src: "/etc/systemd/system/consul.service"
register: slurp_etc_systemd_system_consul_service
- name: "Verify service consul"
ansible.builtin.assert:
that:
- stat_etc_systemd_system_consul_service.stat.exists
- stat_etc_systemd_system_consul_service.stat.isreg
- stat_etc_systemd_system_consul_service.stat.pw_name == 'root'
- stat_etc_systemd_system_consul_service.stat.gr_name == 'root'
- stat_etc_systemd_system_consul_service.stat.mode == '0644'
- slurp_etc_systemd_system_consul_service.content != ''
- ansible_facts.services['consul.service'] is defined
- ansible_facts.services['consul.service']['source'] == 'systemd'
- ansible_facts.services['consul.service']['state'] == 'running'
- ansible_facts.services['consul.service']['status'] == 'enabled'
- name: "Test: interaction consul"
block:
- name: "Command consul kv put"
ansible.builtin.command: "consul kv put foo bar"
environment:
CONSUL_HTTP_ADDR: "http://{{ ansible_default_ipv4.address }}:8500"
changed_when: false
register: consul_kv_put
- name: "Command consul kv get"
ansible.builtin.command: "consul kv get foo"
environment:
CONSUL_HTTP_ADDR: "http://{{ ansible_default_ipv4.address }}:8500"
changed_when: false
register: consul_kv_get
- name: "Command consul kv delete"
ansible.builtin.command: "consul kv delete foo"
environment:
CONSUL_HTTP_ADDR: "http://{{ ansible_default_ipv4.address }}:8500"
changed_when: false
register: consul_kv_delete
- name: "Command consul members"
ansible.builtin.command: "consul members"
environment:
CONSUL_HTTP_ADDR: "http://{{ ansible_default_ipv4.address }}:8500"
changed_when: false
register: consul_members
- name: "Verify consul interaction"
ansible.builtin.assert:
that:
- "'instance' in consul_members.stdout"
- consul_kv_put.stdout == 'Success! Data written to: foo'
- consul_kv_get.stdout == 'bar'
- consul_kv_delete.stdout == 'Success! Deleted key: foo'

8
molecule/consul_with_acl_enabled/converge.yml
View File

@ -1,8 +0,0 @@
---
- name: Converge
hosts: all
become: true
tasks:
- name: "Include ednz_cloud.hashistack.consul"
ansible.builtin.include_role:
name: "ednz_cloud.hashistack.consul"

23
molecule/consul_with_acl_enabled/group_vars/all.yml
View File

@ -1,23 +0,0 @@
---
#####################
# ACL configuration #
#####################
consul_acl_configuration:
enabled: true
default_policy: "deny"
enable_token_persistence: true
tokens:
initial_management: "1a1f2ce5-3730-47de-9a9c-89e037376bab"
agent: "1a1f2ce5-3730-47de-9a9c-89e037376bab"
###########
# logging #
###########
consul_log_level: info
consul_enable_log_to_file: true
consul_log_to_file_configuration:
log_file: "{{ consul_logs_dir }}/consul.log"
log_rotate_duration: 24h
log_rotate_max_files: 30

37
molecule/consul_with_acl_enabled/molecule.yml
View File

@ -1,37 +0,0 @@
---
dependency:
name: galaxy
options:
requirements-file: ./requirements.yml
driver:
name: docker
platforms:
- name: instance
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup
cgroupns_mode: host
privileged: true
pre_build_image: true
provisioner:
name: ansible
config_options:
defaults:
remote_tmp: /tmp/.ansible
verifier:
name: ansible
scenario:
name: consul_with_acl_enabled
test_sequence:
- dependency
- cleanup
- destroy
- syntax
- create
- prepare
- converge
- idempotence
- verify
- cleanup
- destroy

13
molecule/consul_with_acl_enabled/prepare.yml
View File

@ -1,13 +0,0 @@
---
- name: Prepare
hosts: all
become: true
tasks:
- name: "Install pre-required system packages"
ansible.builtin.include_role:
name: ednz_cloud.manage_apt_packages
vars:
manage_apt_packages_list:
- name: unzip
version: latest
state: present

4
molecule/consul_with_acl_enabled/requirements.yml
View File

@ -1,4 +0,0 @@
---
# requirements file for molecule
roles:
- name: ednz_cloud.manage_apt_packages

176
molecule/consul_with_acl_enabled/verify.yml
View File

@ -1,176 +0,0 @@
---
- name: Verify
hosts: all
gather_facts: true
become: true
tasks:
- name: "Test: consul user and group"
block:
- name: "Getent user consul"
ansible.builtin.getent:
database: passwd
key: consul
register: consul_user
- name: "Getent group consul"
ansible.builtin.getent:
database: group
key: consul
register: consul_group
- name: "Verify consul user and group"
ansible.builtin.assert:
that:
- not consul_user.failed
- not consul_group.failed
- "'consul' in consul_user.ansible_facts.getent_passwd.keys()"
- "'/home/consul' in consul_user.ansible_facts.getent_passwd['consul']"
- "'/bin/false' in consul_user.ansible_facts.getent_passwd['consul']"
- "'consul' in consul_group.ansible_facts.getent_group.keys()"
- name: "Test: binary /usr/local/bin/consul"
block:
- name: "Stat binary /usr/local/bin/consul"
ansible.builtin.stat:
path: "/usr/local/bin/consul"
register: stat_usr_local_bin_consul
- name: "Verify binary /usr/local/bin/consul"
ansible.builtin.assert:
that:
- stat_usr_local_bin_consul.stat.exists
- stat_usr_local_bin_consul.stat.isreg
- stat_usr_local_bin_consul.stat.pw_name == 'root'
- stat_usr_local_bin_consul.stat.gr_name == 'root'
- stat_usr_local_bin_consul.stat.mode == '0755'
- name: "Test: directory /etc/consul.d"
block:
- name: "Stat directory /etc/consul.d"
ansible.builtin.stat:
path: "/etc/consul.d"
register: stat_etc_consul_d
- name: "Stat file /etc/consul.d/consul.env"
ansible.builtin.stat:
path: "/etc/consul.d/consul.env"
register: stat_etc_consul_d_consul_env
- name: "Stat file /etc/consul.d/consul.json"
ansible.builtin.stat:
path: "/etc/consul.d/consul.json"
register: stat_etc_consul_d_consul_json
- name: "Slurp file /etc/consul.d/consul.json"
ansible.builtin.slurp:
src: "/etc/consul.d/consul.json"
register: slurp_etc_consul_d_consul_json
- name: "Verify directory /etc/consul.d"
ansible.builtin.assert:
that:
- stat_etc_consul_d.stat.exists
- stat_etc_consul_d.stat.isdir
- stat_etc_consul_d.stat.pw_name == 'consul'
- stat_etc_consul_d.stat.gr_name == 'consul'
- stat_etc_consul_d.stat.mode == '0755'
- stat_etc_consul_d_consul_env.stat.exists
- stat_etc_consul_d_consul_env.stat.isreg
- stat_etc_consul_d_consul_env.stat.pw_name == 'consul'
- stat_etc_consul_d_consul_env.stat.gr_name == 'consul'
- stat_etc_consul_d_consul_env.stat.mode == '0600'
- stat_etc_consul_d_consul_json.stat.exists
- stat_etc_consul_d_consul_json.stat.isreg
- stat_etc_consul_d_consul_json.stat.pw_name == 'consul'
- stat_etc_consul_d_consul_json.stat.gr_name == 'consul'
- stat_etc_consul_d_consul_json.stat.mode == '0600'
- slurp_etc_consul_d_consul_json.content != ''
- name: "Test: directory /opt/consul"
block:
- name: "Stat directory /opt/consul"
ansible.builtin.stat:
path: "/opt/consul"
register: stat_opt_consul
- name: "Verify directory /opt/consul"
ansible.builtin.assert:
that:
- stat_opt_consul.stat.exists
- stat_opt_consul.stat.isdir
- stat_opt_consul.stat.pw_name == 'consul'
- stat_opt_consul.stat.gr_name == 'consul'
- stat_opt_consul.stat.mode == '0755'
- name: "Test: service consul"
block:
- name: "Get service consul"
ansible.builtin.service_facts:
- name: "Stat file /etc/systemd/system/consul.service"
ansible.builtin.stat:
path: "/etc/systemd/system/consul.service"
register: stat_etc_systemd_system_consul_service
- name: "Slurp file /etc/systemd/system/consul.service"
ansible.builtin.slurp:
src: "/etc/systemd/system/consul.service"
register: slurp_etc_systemd_system_consul_service
- name: "Verify service consul"
ansible.builtin.assert:
that:
- stat_etc_systemd_system_consul_service.stat.exists
- stat_etc_systemd_system_consul_service.stat.isreg
- stat_etc_systemd_system_consul_service.stat.pw_name == 'root'
- stat_etc_systemd_system_consul_service.stat.gr_name == 'root'
- stat_etc_systemd_system_consul_service.stat.mode == '0644'
- slurp_etc_systemd_system_consul_service.content != ''
- ansible_facts.services['consul.service'] is defined
- ansible_facts.services['consul.service']['source'] == 'systemd'
- ansible_facts.services['consul.service']['state'] == 'running'
- ansible_facts.services['consul.service']['status'] == 'enabled'
- name: "Test: interaction consul"
vars:
acl_token: "1a1f2ce5-3730-47de-9a9c-89e037376bab"
block:
- name: "Command consul kv put"
ansible.builtin.command: "consul kv put foo bar"
environment:
CONSUL_HTTP_ADDR: "http://{{ ansible_default_ipv4.address }}:8500"
CONSUL_HTTP_TOKEN: "{{ acl_token }}"
changed_when: false
register: consul_kv_put
- name: "Command consul kv get"
ansible.builtin.command: "consul kv get foo"
environment:
CONSUL_HTTP_ADDR: "http://{{ ansible_default_ipv4.address }}:8500"
CONSUL_HTTP_TOKEN: "{{ acl_token }}"
changed_when: false
register: consul_kv_get
- name: "Command consul kv delete"
ansible.builtin.command: "consul kv delete foo"
environment:
CONSUL_HTTP_ADDR: "http://{{ ansible_default_ipv4.address }}:8500"
CONSUL_HTTP_TOKEN: "{{ acl_token }}"
changed_when: false
register: consul_kv_delete
- name: "Command consul members"
ansible.builtin.command: "consul members"
environment:
CONSUL_HTTP_ADDR: "http://{{ ansible_default_ipv4.address }}:8500"
CONSUL_HTTP_TOKEN: "{{ acl_token }}"
changed_when: false
register: consul_members
- name: "Verify consul interaction"
ansible.builtin.assert:
that:
- "'instance' in consul_members.stdout"
- consul_kv_put.stdout == 'Success! Data written to: foo'
- consul_kv_get.stdout == 'bar'
- consul_kv_delete.stdout == 'Success! Deleted key: foo'

8
molecule/nomad_default/converge.yml
View File

@ -1,8 +0,0 @@
---
- name: Converge
hosts: all
become: true
tasks:
- name: "Include ednz_cloud.hashistack.nomad"
ansible.builtin.include_role:
name: "ednz_cloud.hashistack.nomad"

37
molecule/nomad_default/molecule.yml
View File

@ -1,37 +0,0 @@
---
dependency:
name: galaxy
options:
requirements-file: ./requirements.yml
driver:
name: docker
platforms:
- name: instance
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup
cgroupns_mode: host
privileged: true
pre_build_image: true
provisioner:
name: ansible
config_options:
defaults:
remote_tmp: /tmp/.ansible
verifier:
name: ansible
scenario:
name: nomad_default
test_sequence:
- dependency
- cleanup
- destroy
- syntax
- create
- prepare
- converge
- idempotence
- verify
- cleanup
- destroy

13
molecule/nomad_default/prepare.yml
View File

@ -1,13 +0,0 @@
---
- name: Prepare
hosts: all
become: true
tasks:
- name: "Install pre-required system packages"
ansible.builtin.include_role:
name: ednz_cloud.manage_apt_packages
vars:
manage_apt_packages_list:
- name: unzip
version: latest
state: present

5
molecule/nomad_default/requirements.yml
View File

@ -1,5 +0,0 @@
---
# requirements file for molecule
roles:
- name: ednz_cloud.manage_repositories
- name: ednz_cloud.manage_apt_packages

170
molecule/nomad_default/verify.yml
View File

@ -1,170 +0,0 @@
---
- name: Verify
hosts: all
gather_facts: true
become: true
tasks:
- name: "Test: nomad user and group"
block:
- name: "Getent user nomad"
ansible.builtin.getent:
database: passwd
key: nomad
register: nomad_user
- name: "Getent group nomad"
ansible.builtin.getent:
database: group
key: nomad
register: nomad_group
- name: "Verify nomad user and group"
ansible.builtin.assert:
that:
- not nomad_user.failed
- not nomad_group.failed
- "'nomad' in nomad_user.ansible_facts.getent_passwd.keys()"
- "'/home/nomad' in nomad_user.ansible_facts.getent_passwd['nomad']"
- "'/bin/false' in nomad_user.ansible_facts.getent_passwd['nomad']"
- "'nomad' in nomad_group.ansible_facts.getent_group.keys()"
- name: "Test: binary /usr/local/bin/nomad"
block:
- name: "Stat binary /usr/local/bin/nomad"
ansible.builtin.stat:
path: "/usr/local/bin/nomad"
register: stat_usr_local_bin_nomad
- name: "Verify binary /usr/local/bin/nomad"
ansible.builtin.assert:
that:
- stat_usr_local_bin_nomad.stat.exists
- stat_usr_local_bin_nomad.stat.isreg
- stat_usr_local_bin_nomad.stat.pw_name == 'root'
- stat_usr_local_bin_nomad.stat.gr_name == 'root'
- stat_usr_local_bin_nomad.stat.mode == '0755'
- name: "Test: directory /etc/nomad.d"
block:
- name: "Stat directory /etc/nomad.d"
ansible.builtin.stat:
path: "/etc/nomad.d"
register: stat_etc_nomad_d
- name: "Stat file /etc/nomad.d/nomad.env"
ansible.builtin.stat:
path: "/etc/nomad.d/nomad.env"
register: stat_etc_nomad_d_nomad_env
- name: "Stat file /etc/nomad.d/nomad.json"
ansible.builtin.stat:
path: "/etc/nomad.d/nomad.json"
register: stat_etc_nomad_d_nomad_json
- name: "Slurp file /etc/nomad.d/nomad.json"
ansible.builtin.slurp:
src: "/etc/nomad.d/nomad.json"
register: slurp_etc_nomad_d_nomad_json
- name: "Verify directory /etc/nomad.d"
ansible.builtin.assert:
that:
- stat_etc_nomad_d.stat.exists
- stat_etc_nomad_d.stat.isdir
- stat_etc_nomad_d.stat.pw_name == 'nomad'
- stat_etc_nomad_d.stat.gr_name == 'nomad'
- stat_etc_nomad_d.stat.mode == '0755'
- stat_etc_nomad_d_nomad_env.stat.exists
- stat_etc_nomad_d_nomad_env.stat.isreg
- stat_etc_nomad_d_nomad_env.stat.pw_name == 'nomad'
- stat_etc_nomad_d_nomad_env.stat.gr_name == 'nomad'
- stat_etc_nomad_d_nomad_env.stat.mode == '0600'
- stat_etc_nomad_d_nomad_json.stat.exists
- stat_etc_nomad_d_nomad_json.stat.isreg
- stat_etc_nomad_d_nomad_json.stat.pw_name == 'nomad'
- stat_etc_nomad_d_nomad_json.stat.gr_name == 'nomad'
- stat_etc_nomad_d_nomad_json.stat.mode == '0600'
- slurp_etc_nomad_d_nomad_json.content != ''
- name: "Test: directory /opt/nomad"
block:
- name: "Stat directory /opt/nomad"
ansible.builtin.stat:
path: "/opt/nomad"
register: stat_opt_nomad
- name: "Verify directory /opt/nomad"
ansible.builtin.assert:
that:
- stat_opt_nomad.stat.exists
- stat_opt_nomad.stat.isdir
- stat_opt_nomad.stat.pw_name == 'nomad'
- stat_opt_nomad.stat.gr_name == 'nomad'
- stat_opt_nomad.stat.mode == '0755'
- name: "Test: service nomad"
block:
- name: "Get service nomad"
ansible.builtin.service_facts:
- name: "Stat file /etc/systemd/system/nomad.service"
ansible.builtin.stat:
path: "/etc/systemd/system/nomad.service"
register: stat_etc_systemd_system_nomad_service
- name: "Slurp file /etc/systemd/system/nomad.service"
ansible.builtin.slurp:
src: "/etc/systemd/system/nomad.service"
register: slurp_etc_systemd_system_nomad_service
- name: "Verify service nomad"
ansible.builtin.assert:
that:
- stat_etc_systemd_system_nomad_service.stat.exists
- stat_etc_systemd_system_nomad_service.stat.isreg
- stat_etc_systemd_system_nomad_service.stat.pw_name == 'root'
- stat_etc_systemd_system_nomad_service.stat.gr_name == 'root'
- stat_etc_systemd_system_nomad_service.stat.mode == '0644'
- slurp_etc_systemd_system_nomad_service.content != ''
- ansible_facts.services['nomad.service'] is defined
- ansible_facts.services['nomad.service']['source'] == 'systemd'
- ansible_facts.services['nomad.service']['state'] == 'running'
- ansible_facts.services['nomad.service']['status'] == 'enabled'
- name: "Test: interaction nomad"
block:
- name: "Command nomad var put"
ansible.builtin.command: "nomad var put secret/foobar foo=bar"
environment:
NOMAD_ADDR: "http://{{ ansible_default_ipv4.address }}:4646"
changed_when: false
register: nomad_var_put
- name: "Command nomad var get"
ansible.builtin.command: "nomad var get secret/foobar"
environment:
NOMAD_ADDR: "http://{{ ansible_default_ipv4.address }}:4646"
changed_when: false
register: nomad_var_get
- name: "Command nomad var purge"
ansible.builtin.command: "nomad var purge secret/foobar"
environment:
NOMAD_ADDR: "http://{{ ansible_default_ipv4.address }}:4646"
changed_when: false
register: nomad_var_purge
- name: "Command nomad server members"
ansible.builtin.command: "nomad server members"
environment:
NOMAD_ADDR: "http://{{ ansible_default_ipv4.address }}:4646"
changed_when: false
register: nomad_server_members
- name: "Verify nomad interaction"
ansible.builtin.assert:
that:
- "'instance.global' in nomad_server_members.stdout"
- "'\"Items\": {\n \"foo\": \"bar\"\n }' in nomad_var_put.stdout"
- "'\"Items\": {\n \"foo\": \"bar\"\n }' in nomad_var_get.stdout"
- nomad_var_purge.stdout == 'Successfully purged variable \"secret/foobar\"!'

8
molecule/nomad_with_acl_enabled/converge.yml
View File

@ -1,8 +0,0 @@
---
- name: Converge
hosts: all
become: true
tasks:
- name: "Include ednz_cloud.hashistack.nomad"
ansible.builtin.include_role:
name: "ednz_cloud.hashistack.nomad"

12
molecule/nomad_with_acl_enabled/group_vars/all.yml
View File

@ -1,12 +0,0 @@
---
# defaults file for hashicorp_nomad
#####################
# ACL configuration #
#####################
nomad_acl_configuration:
enabled: true
token_ttl: 30s
policy_ttl: 60s
role_ttl: 60s

37
molecule/nomad_with_acl_enabled/molecule.yml
View File

@ -1,37 +0,0 @@
---
dependency:
name: galaxy
options:
requirements-file: ./requirements.yml
driver:
name: docker
platforms:
- name: instance
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup
cgroupns_mode: host
privileged: true
pre_build_image: true
provisioner:
name: ansible
config_options:
defaults:
remote_tmp: /tmp/.ansible
verifier:
name: ansible
scenario:
name: nomad_with_acl_enabled
test_sequence:
- dependency
- cleanup
- destroy
- syntax
- create
- prepare
- converge
- idempotence
- verify
- cleanup
- destroy

13
molecule/nomad_with_acl_enabled/prepare.yml
View File

@ -1,13 +0,0 @@
---
- name: Prepare
hosts: all
become: true
tasks:
- name: "Install pre-required system packages"
ansible.builtin.include_role:
name: ednz_cloud.manage_apt_packages
vars:
manage_apt_packages_list:
- name: unzip
version: latest
state: present

5
molecule/nomad_with_acl_enabled/requirements.yml
View File

@ -1,5 +0,0 @@
---
# requirements file for molecule
roles:
- name: ednz_cloud.manage_repositories
- name: ednz_cloud.manage_apt_packages

185
molecule/nomad_with_acl_enabled/verify.yml
View File

@ -1,185 +0,0 @@
---
- name: Verify
hosts: all
gather_facts: true
become: true
tasks:
- name: "Test: nomad user and group"
block:
- name: "Getent user nomad"
ansible.builtin.getent:
database: passwd
key: nomad
register: nomad_user
- name: "Getent group nomad"
ansible.builtin.getent:
database: group
key: nomad
register: nomad_group
- name: "Verify nomad user and group"
ansible.builtin.assert:
that:
- not nomad_user.failed
- not nomad_group.failed
- "'nomad' in nomad_user.ansible_facts.getent_passwd.keys()"
- "'/home/nomad' in nomad_user.ansible_facts.getent_passwd['nomad']"
- "'/bin/false' in nomad_user.ansible_facts.getent_passwd['nomad']"
- "'nomad' in nomad_group.ansible_facts.getent_group.keys()"
- name: "Test: binary /usr/local/bin/nomad"
block:
- name: "Stat binary /usr/local/bin/nomad"
ansible.builtin.stat:
path: "/usr/local/bin/nomad"
register: stat_usr_local_bin_nomad
- name: "Verify binary /usr/local/bin/nomad"
ansible.builtin.assert:
that:
- stat_usr_local_bin_nomad.stat.exists
- stat_usr_local_bin_nomad.stat.isreg
- stat_usr_local_bin_nomad.stat.pw_name == 'root'
- stat_usr_local_bin_nomad.stat.gr_name == 'root'
- stat_usr_local_bin_nomad.stat.mode == '0755'
- name: "Test: directory /etc/nomad.d"
block:
- name: "Stat directory /etc/nomad.d"
ansible.builtin.stat:
path: "/etc/nomad.d"
register: stat_etc_nomad_d
- name: "Stat file /etc/nomad.d/nomad.env"
ansible.builtin.stat:
path: "/etc/nomad.d/nomad.env"
register: stat_etc_nomad_d_nomad_env
- name: "Stat file /etc/nomad.d/nomad.json"
ansible.builtin.stat:
path: "/etc/nomad.d/nomad.json"
register: stat_etc_nomad_d_nomad_json
- name: "Slurp file /etc/nomad.d/nomad.json"
ansible.builtin.slurp:
src: "/etc/nomad.d/nomad.json"
register: slurp_etc_nomad_d_nomad_json
- name: "Verify directory /etc/nomad.d"
ansible.builtin.assert:
that:
- stat_etc_nomad_d.stat.exists
- stat_etc_nomad_d.stat.isdir
- stat_etc_nomad_d.stat.pw_name == 'nomad'
- stat_etc_nomad_d.stat.gr_name == 'nomad'
- stat_etc_nomad_d.stat.mode == '0755'
- stat_etc_nomad_d_nomad_env.stat.exists
- stat_etc_nomad_d_nomad_env.stat.isreg
- stat_etc_nomad_d_nomad_env.stat.pw_name == 'nomad'
- stat_etc_nomad_d_nomad_env.stat.gr_name == 'nomad'
- stat_etc_nomad_d_nomad_env.stat.mode == '0600'
- stat_etc_nomad_d_nomad_json.stat.exists
- stat_etc_nomad_d_nomad_json.stat.isreg
- stat_etc_nomad_d_nomad_json.stat.pw_name == 'nomad'
- stat_etc_nomad_d_nomad_json.stat.gr_name == 'nomad'
- stat_etc_nomad_d_nomad_json.stat.mode == '0600'
- slurp_etc_nomad_d_nomad_json.content != ''
- name: "Test: directory /opt/nomad"
block:
- name: "Stat directory /opt/nomad"
ansible.builtin.stat:
path: "/opt/nomad"
register: stat_opt_nomad
- name: "Verify directory /opt/nomad"
ansible.builtin.assert:
that:
- stat_opt_nomad.stat.exists
- stat_opt_nomad.stat.isdir
- stat_opt_nomad.stat.pw_name == 'nomad'
- stat_opt_nomad.stat.gr_name == 'nomad'
- stat_opt_nomad.stat.mode == '0755'
- name: "Test: service nomad"
block:
- name: "Get service nomad"
ansible.builtin.service_facts:
- name: "Stat file /etc/systemd/system/nomad.service"
ansible.builtin.stat:
path: "/etc/systemd/system/nomad.service"
register: stat_etc_systemd_system_nomad_service
- name: "Slurp file /etc/systemd/system/nomad.service"
ansible.builtin.slurp:
src: "/etc/systemd/system/nomad.service"
register: slurp_etc_systemd_system_nomad_service
- name: "Verify service nomad"
ansible.builtin.assert:
that:
- stat_etc_systemd_system_nomad_service.stat.exists
- stat_etc_systemd_system_nomad_service.stat.isreg
- stat_etc_systemd_system_nomad_service.stat.pw_name == 'root'
- stat_etc_systemd_system_nomad_service.stat.gr_name == 'root'
- stat_etc_systemd_system_nomad_service.stat.mode == '0644'
- slurp_etc_systemd_system_nomad_service.content != ''
- ansible_facts.services['nomad.service'] is defined
- ansible_facts.services['nomad.service']['source'] == 'systemd'
- ansible_facts.services['nomad.service']['state'] == 'running'
- ansible_facts.services['nomad.service']['status'] == 'enabled'
- name: "Test: bootstrap acl nomad"
block:
- name: "Command nomad acl bootstrap"
ansible.builtin.command: "nomad acl bootstrap -json"
environment:
NOMAD_ADDR: "http://{{ ansible_default_ipv4.address }}:4646"
changed_when: false
register: nomad_acl_bootstrap
- name: "Test: interaction nomad"
vars:
acl_token: "{{ nomad_acl_bootstrap.stdout|from_json|json_query('SecretID') }}"
block:
- name: "Command nomad var put"
ansible.builtin.command: "nomad var put secret/foobar foo=bar"
environment:
NOMAD_ADDR: "http://{{ ansible_default_ipv4.address }}:4646"
NOMAD_TOKEN: "{{ acl_token }}"
changed_when: false
register: nomad_var_put
- name: "Command nomad var get"
ansible.builtin.command: "nomad var get secret/foobar"
environment:
NOMAD_ADDR: "http://{{ ansible_default_ipv4.address }}:4646"
NOMAD_TOKEN: "{{ acl_token }}"
changed_when: false
register: nomad_var_get
- name: "Command nomad var purge"
ansible.builtin.command: "nomad var purge secret/foobar"
environment:
NOMAD_ADDR: "http://{{ ansible_default_ipv4.address }}:4646"
NOMAD_TOKEN: "{{ acl_token }}"
changed_when: false
register: nomad_var_purge
- name: "Command nomad server members"
ansible.builtin.command: "nomad server members"
environment:
NOMAD_ADDR: "http://{{ ansible_default_ipv4.address }}:4646"
NOMAD_TOKEN: "{{ acl_token }}"
changed_when: false
register: nomad_server_members
- name: "Verify nomad interaction"
ansible.builtin.assert:
that:
- "'instance.global' in nomad_server_members.stdout"
- "'\"Items\": {\n \"foo\": \"bar\"\n }' in nomad_var_put.stdout"
- "'\"Items\": {\n \"foo\": \"bar\"\n }' in nomad_var_get.stdout"
- nomad_var_purge.stdout == 'Successfully purged variable \"secret/foobar\"!'

8
molecule/vault_default/converge.yml
View File

@ -1,8 +0,0 @@
---
- name: Converge
hosts: all
become: true
tasks:
- name: "Include ednz_cloud.hashistack.vault"
ansible.builtin.include_role:
name: "ednz_cloud.hashistack.vault"

37
molecule/vault_default/molecule.yml
View File

@ -1,37 +0,0 @@
---
dependency:
name: galaxy
options:
requirements-file: ./requirements.yml
driver:
name: docker
platforms:
- name: instance
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup
cgroupns_mode: host
privileged: true
pre_build_image: true
provisioner:
name: ansible
config_options:
defaults:
remote_tmp: /tmp/.ansible
verifier:
name: ansible
scenario:
name: vault_default
test_sequence:
- dependency
- cleanup
- destroy
- syntax
- create
- prepare
- converge
- idempotence
- verify
- cleanup
- destroy

13
molecule/vault_default/prepare.yml
View File

@ -1,13 +0,0 @@
---
- name: Prepare
hosts: all
become: true
tasks:
- name: "Install pre-required system packages"
ansible.builtin.include_role:
name: ednz_cloud.manage_apt_packages
vars:
manage_apt_packages_list:
- name: unzip
version: latest
state: present

4
molecule/vault_default/requirements.yml
View File

@ -1,4 +0,0 @@
---
# requirements file for molecule
roles:
- name: ednz_cloud.manage_apt_packages

185
molecule/vault_default/verify.yml
View File

@ -1,185 +0,0 @@
---
- name: Verify
hosts: all
gather_facts: true
become: true
tasks:
- name: "Test: vault user and group"
block:
- name: "Getent user vault"
ansible.builtin.getent:
database: passwd
key: vault
register: vault_user
- name: "Getent group vault"
ansible.builtin.getent:
database: group
key: vault
register: vault_group
- name: "Verify vault user and group"
ansible.builtin.assert:
that:
- not vault_user.failed
- not vault_group.failed
- "'vault' in vault_user.ansible_facts.getent_passwd.keys()"
- "'/home/vault' in vault_user.ansible_facts.getent_passwd['vault']"
- "'/bin/false' in vault_user.ansible_facts.getent_passwd['vault']"
- "'vault' in vault_group.ansible_facts.getent_group.keys()"
- name: "Test: binary /usr/local/bin/vault"
block:
- name: "Stat binary /usr/local/bin/vault"
ansible.builtin.stat:
path: "/usr/local/bin/vault"
register: stat_usr_local_bin_vault
- name: "Verify binary /usr/local/bin/vault"
ansible.builtin.assert:
that:
- stat_usr_local_bin_vault.stat.exists
- stat_usr_local_bin_vault.stat.isreg
- stat_usr_local_bin_vault.stat.pw_name == 'root'
- stat_usr_local_bin_vault.stat.gr_name == 'root'
- stat_usr_local_bin_vault.stat.mode == '0755'
- name: "Test: directory /etc/vault.d"
block:
- name: "Stat directory /etc/vault.d"
ansible.builtin.stat:
path: "/etc/vault.d"
register: stat_etc_vault_d
- name: "Stat file /etc/vault.d/vault.env"
ansible.builtin.stat:
path: "/etc/vault.d/vault.env"
register: stat_etc_vault_d_vault_env
- name: "Stat file /etc/vault.d/vault.json"
ansible.builtin.stat:
path: "/etc/vault.d/vault.json"
register: stat_etc_vault_d_vault_json
- name: "Slurp file /etc/vault.d/vault.json"
ansible.builtin.slurp:
src: "/etc/vault.d/vault.json"
register: slurp_etc_vault_d_vault_json
- name: "Verify directory /etc/vault.d"
ansible.builtin.assert:
that:
- stat_etc_vault_d.stat.exists
- stat_etc_vault_d.stat.isdir
- stat_etc_vault_d.stat.pw_name == 'vault'
- stat_etc_vault_d.stat.gr_name == 'vault'
- stat_etc_vault_d.stat.mode == '0755'
- stat_etc_vault_d_vault_env.stat.exists
- stat_etc_vault_d_vault_env.stat.isreg
- stat_etc_vault_d_vault_env.stat.pw_name == 'vault'
- stat_etc_vault_d_vault_env.stat.gr_name == 'vault'
- stat_etc_vault_d_vault_env.stat.mode == '0600'
- stat_etc_vault_d_vault_json.stat.exists
- stat_etc_vault_d_vault_json.stat.isreg
- stat_etc_vault_d_vault_json.stat.pw_name == 'vault'
- stat_etc_vault_d_vault_json.stat.gr_name == 'vault'
- stat_etc_vault_d_vault_json.stat.mode == '0600'
- slurp_etc_vault_d_vault_json.content != ''
- name: "Test: directory /opt/vault"
block:
- name: "Stat directory /opt/vault"
ansible.builtin.stat:
path: "/opt/vault"
register: stat_opt_vault
- name: "Verify directory /opt/vault"
ansible.builtin.assert:
that:
- stat_opt_vault.stat.exists
- stat_opt_vault.stat.isdir
- stat_opt_vault.stat.pw_name == 'vault'
- stat_opt_vault.stat.gr_name == 'vault'
- stat_opt_vault.stat.mode == '0755'
- name: "Test: service vault"
block:
- name: "Get service vault"
ansible.builtin.service_facts:
- name: "Stat file /etc/systemd/system/vault.service"
ansible.builtin.stat:
path: "/etc/systemd/system/vault.service"
register: stat_etc_systemd_system_vault_service
- name: "Slurp file /etc/systemd/system/vault.service"
ansible.builtin.slurp:
src: "/etc/systemd/system/vault.service"
register: slurp_etc_systemd_system_vault_service
- name: "Verify service vault"
ansible.builtin.assert:
that:
- stat_etc_systemd_system_vault_service.stat.exists
- stat_etc_systemd_system_vault_service.stat.isreg
- stat_etc_systemd_system_vault_service.stat.pw_name == 'root'
- stat_etc_systemd_system_vault_service.stat.gr_name == 'root'
- stat_etc_systemd_system_vault_service.stat.mode == '0644'
- slurp_etc_systemd_system_vault_service.content != ''
- ansible_facts.services['vault.service'] is defined
- ansible_facts.services['vault.service']['source'] == 'systemd'
- ansible_facts.services['vault.service']['state'] == 'running'
- ansible_facts.services['vault.service']['status'] == 'enabled'
- name: "Test: bootstrap vault cluster"
block:
- name: "Command vault operator init"
ansible.builtin.command: "vault operator init -non-interactive -key-shares=3 -key-threshold=2 -format=json"
environment:
VAULT_ADDR: http://{{ ansible_default_ipv4.address }}:8200
changed_when: false
register: vault_operator_init
- name: "Test: unseal vault cluster"
vars:
vault_unseal_keys: "{{ vault_operator_init.stdout|from_json|json_query('unseal_keys_hex') }}"
block:
- name: "Command vault operator unseal"
ansible.builtin.command: "vault operator unseal -format=json {{ vault_unseal_keys[0] }}"
environment:
VAULT_ADDR: http://{{ ansible_default_ipv4.address }}:8200
changed_when: false
register: vault_operator_unseal_0
- name: "Command vault operator unseal"
ansible.builtin.command: "vault operator unseal -format=json {{ vault_unseal_keys[1] }}"
environment:
VAULT_ADDR: http://{{ ansible_default_ipv4.address }}:8200
changed_when: false
register: vault_operator_unseal_1
- name: "Verify vault operator unseal"
vars:
vault_seal_state_0: "{{ vault_operator_unseal_0.stdout|from_json|json_query('sealed') }}"
vault_seal_state_1: "{{ vault_operator_unseal_1.stdout|from_json|json_query('sealed') }}"
ansible.builtin.assert:
that:
- vault_seal_state_0
- not vault_seal_state_1
- name: "Test: vault interaction"
vars:
root_token: "{{ vault_operator_init.stdout|from_json|json_query('root_token') }}"
block:
- name: "Command vault secret enable"
ansible.builtin.command: "vault secrets enable -version=1 kv"
environment:
VAULT_ADDR: http://{{ ansible_default_ipv4.address }}:8200
VAULT_TOKEN: "{{ root_token }}"
changed_when: false
register: vault_secret_enable
- name: "Verify vault interaction"
ansible.builtin.assert:
that:
- vault_secret_enable.stdout == 'Success! Enabled the kv secrets engine at: kv/'

8
molecule/vault_with_raft_enabled/converge.yml
View File

@ -1,8 +0,0 @@
---
- name: Converge
hosts: all
become: true
tasks:
- name: "Include ednz_cloud.hashistack.vault"
ansible.builtin.include_role:
name: "ednz_cloud.hashistack.vault"

13
molecule/vault_with_raft_enabled/group_vars/all.yml
View File

@ -1,13 +0,0 @@
---
# defaults file for hashicorp_vault
#########################
# storage configuration #
#########################
vault_storage_configuration:
raft:
path: "{{ vault_data_dir }}"
node_id: "{{ ansible_hostname }}"
retry_join:
- leader_api_addr: "http://{{ vault_cluster_addr }}:8200"

37
molecule/vault_with_raft_enabled/molecule.yml
View File

@ -1,37 +0,0 @@
---
dependency:
name: galaxy
options:
requirements-file: ./requirements.yml
driver:
name: docker
platforms:
- name: instance
image: geerlingguy/docker-${MOLECULE_TEST_OS}-ansible
command: ""
volumes:
- /sys/fs/cgroup:/sys/fs/cgroup
cgroupns_mode: host
privileged: true
pre_build_image: true
provisioner:
name: ansible
config_options:
defaults:
remote_tmp: /tmp/.ansible
verifier:
name: ansible
scenario:
name: vault_with_raft_enabled
test_sequence:
- dependency
- cleanup
- destroy
- syntax
- create
- prepare
- converge
- idempotence
- verify
- cleanup
- destroy

13
molecule/vault_with_raft_enabled/prepare.yml
View File

@ -1,13 +0,0 @@
---
- name: Prepare
hosts: all
become: true
tasks:
- name: "Install pre-required system packages"
ansible.builtin.include_role:
name: ednz_cloud.manage_apt_packages
vars:
manage_apt_packages_list:
- name: unzip
version: latest
state: present

4
molecule/vault_with_raft_enabled/requirements.yml
View File

@ -1,4 +0,0 @@
---
# requirements file for molecule
roles:
- name: ednz_cloud.manage_apt_packages

185
molecule/vault_with_raft_enabled/verify.yml
View File

@ -1,185 +0,0 @@
---
- name: Verify
hosts: all
gather_facts: true
become: true
tasks:
- name: "Test: vault user and group"
block:
- name: "Getent user vault"
ansible.builtin.getent:
database: passwd
key: vault
register: vault_user
- name: "Getent group vault"
ansible.builtin.getent:
database: group
key: vault
register: vault_group
- name: "Verify vault user and group"
ansible.builtin.assert:
that:
- not vault_user.failed
- not vault_group.failed
- "'vault' in vault_user.ansible_facts.getent_passwd.keys()"
- "'/home/vault' in vault_user.ansible_facts.getent_passwd['vault']"
- "'/bin/false' in vault_user.ansible_facts.getent_passwd['vault']"
- "'vault' in vault_group.ansible_facts.getent_group.keys()"
- name: "Test: binary /usr/local/bin/vault"
block:
- name: "Stat binary /usr/local/bin/vault"
ansible.builtin.stat:
path: "/usr/local/bin/vault"
register: stat_usr_local_bin_vault
- name: "Verify binary /usr/local/bin/vault"
ansible.builtin.assert:
that:
- stat_usr_local_bin_vault.stat.exists
- stat_usr_local_bin_vault.stat.isreg
- stat_usr_local_bin_vault.stat.pw_name == 'root'
- stat_usr_local_bin_vault.stat.gr_name == 'root'
- stat_usr_local_bin_vault.stat.mode == '0755'
- name: "Test: directory /etc/vault.d"
block:
- name: "Stat directory /etc/vault.d"
ansible.builtin.stat:
path: "/etc/vault.d"
register: stat_etc_vault_d
- name: "Stat file /etc/vault.d/vault.env"
ansible.builtin.stat:
path: "/etc/vault.d/vault.env"
register: stat_etc_vault_d_vault_env
- name: "Stat file /etc/vault.d/vault.json"
ansible.builtin.stat:
path: "/etc/vault.d/vault.json"
register: stat_etc_vault_d_vault_json
- name: "Slurp file /etc/vault.d/vault.json"
ansible.builtin.slurp:
src: "/etc/vault.d/vault.json"
register: slurp_etc_vault_d_vault_json
- name: "Verify directory /etc/vault.d"
ansible.builtin.assert:
that:
- stat_etc_vault_d.stat.exists
- stat_etc_vault_d.stat.isdir
- stat_etc_vault_d.stat.pw_name == 'vault'
- stat_etc_vault_d.stat.gr_name == 'vault'
- stat_etc_vault_d.stat.mode == '0755'
- stat_etc_vault_d_vault_env.stat.exists
- stat_etc_vault_d_vault_env.stat.isreg
- stat_etc_vault_d_vault_env.stat.pw_name == 'vault'
- stat_etc_vault_d_vault_env.stat.gr_name == 'vault'
- stat_etc_vault_d_vault_env.stat.mode == '0600'
- stat_etc_vault_d_vault_json.stat.exists
- stat_etc_vault_d_vault_json.stat.isreg
- stat_etc_vault_d_vault_json.stat.pw_name == 'vault'
- stat_etc_vault_d_vault_json.stat.gr_name == 'vault'
- stat_etc_vault_d_vault_json.stat.mode == '0600'
- slurp_etc_vault_d_vault_json.content != ''
- name: "Test: directory /opt/vault"
block:
- name: "Stat directory /opt/vault"
ansible.builtin.stat:
path: "/opt/vault"
register: stat_opt_vault
- name: "Verify directory /opt/vault"
ansible.builtin.assert:
that:
- stat_opt_vault.stat.exists
- stat_opt_vault.stat.isdir
- stat_opt_vault.stat.pw_name == 'vault'
- stat_opt_vault.stat.gr_name == 'vault'
- stat_opt_vault.stat.mode == '0755'
- name: "Test: service vault"
block:
- name: "Get service vault"
ansible.builtin.service_facts:
- name: "Stat file /etc/systemd/system/vault.service"
ansible.builtin.stat:
path: "/etc/systemd/system/vault.service"
register: stat_etc_systemd_system_vault_service
- name: "Slurp file /etc/systemd/system/vault.service"
ansible.builtin.slurp:
src: "/etc/systemd/system/vault.service"
register: slurp_etc_systemd_system_vault_service
- name: "Verify service vault"
ansible.builtin.assert:
that:
- stat_etc_systemd_system_vault_service.stat.exists
- stat_etc_systemd_system_vault_service.stat.isreg
- stat_etc_systemd_system_vault_service.stat.pw_name == 'root'
- stat_etc_systemd_system_vault_service.stat.gr_name == 'root'
- stat_etc_systemd_system_vault_service.stat.mode == '0644'
- slurp_etc_systemd_system_vault_service.content != ''
- ansible_facts.services['vault.service'] is defined
- ansible_facts.services['vault.service']['source'] == 'systemd'
- ansible_facts.services['vault.service']['state'] == 'running'
- ansible_facts.services['vault.service']['status'] == 'enabled'
- name: "Test: bootstrap vault cluster"
block:
- name: "Command vault operator init"
ansible.builtin.command: "vault operator init -non-interactive -key-shares=3 -key-threshold=2 -tls-skip-verify -format=json"
environment:
VAULT_ADDR: "http://{{ ansible_default_ipv4.address }}:8200"
changed_when: false
register: vault_operator_init
- name: "Test: unseal vault cluster"
vars:
vault_unseal_keys: "{{ vault_operator_init.stdout|from_json|json_query('unseal_keys_hex') }}"
block:
- name: "Command vault operator unseal"
ansible.builtin.command: "vault operator unseal -format=json -tls-skip-verify {{ vault_unseal_keys[0] }}"
environment:
VAULT_ADDR: "http://{{ ansible_default_ipv4.address }}:8200"
changed_when: false
register: vault_operator_unseal_0
- name: "Command vault operator unseal"
ansible.builtin.command: "vault operator unseal -format=json -tls-skip-verify {{ vault_unseal_keys[1] }}"
environment:
VAULT_ADDR: "http://{{ ansible_default_ipv4.address }}:8200"
changed_when: false
register: vault_operator_unseal_1
- name: "Verify vault operator unseal"
vars:
vault_seal_state_0: "{{ vault_operator_unseal_0.stdout|from_json|json_query('sealed') }}"
vault_seal_state_1: "{{ vault_operator_unseal_1.stdout|from_json|json_query('sealed') }}"
ansible.builtin.assert:
that:
- vault_seal_state_0
- not vault_seal_state_1
- name: "Test: vault interaction"
vars:
root_token: "{{ vault_operator_init.stdout|from_json|json_query('root_token') }}"
block:
- name: "Command vault secret enable"
ansible.builtin.command: "vault secrets enable -version=1 -tls-skip-verify kv"
environment:
VAULT_ADDR: "http://{{ ansible_default_ipv4.address }}:8200"
VAULT_TOKEN: "{{ root_token }}"
changed_when: false
register: vault_secret_enable
- name: "Verify vault interaction"
ansible.builtin.assert:
that:
- vault_secret_enable.stdout == 'Success! Enabled the kv secrets engine at: kv/'

146
roles/consul/defaults/main.yml
View File

@ -1,146 +0,0 @@
---
# defaults file for hashicorp_consul
consul_version: "latest"
consul_start_service: true
consul_config_dir: "/etc/consul.d"
consul_data_dir: "/opt/consul"
consul_certs_dir: "{{ consul_config_dir }}/tls"
consul_logs_dir: "/var/log/consul"
consul_envoy_install: false
consul_envoy_version: latest
consul_extra_files: false
consul_extra_files_list: []
consul_env_variables: {}
#######################
# extra configuration #
#######################
# You should prioritize adding configuration
# to the configuration entries below, this
# option should be used to add pieces of configuration not
# available through standard variables.
consul_extra_configuration: {}
###########
# general #
###########
consul_domain: consul
consul_datacenter: dc1
consul_primary_datacenter: "{{ consul_datacenter }}"
consul_gossip_encryption_key: "{{ 'mysupersecretgossipencryptionkey'|b64encode }}"
consul_enable_script_checks: false
#######################
# leave configuration #
#######################
consul_leave_on_terminate: true
consul_rejoin_after_leave: true
######################
# join configuration #
######################
consul_join_configuration:
retry_join:
- "{{ ansible_default_ipv4.address }}"
retry_interval: 30s
retry_max: 0
########################
# server configuration #
########################
consul_enable_server: true
consul_bootstrap_expect: 1
####################
# ui configuration #
####################
consul_ui_configuration:
enabled: "{{ consul_enable_server }}"
#########################
# address configuration #
#########################
consul_bind_addr: "0.0.0.0"
consul_advertise_addr: "{{ ansible_default_ipv4.address }}"
consul_address_configuration:
client_addr: "{{ consul_bind_addr }}"
bind_addr: "{{ consul_advertise_addr }}"
advertise_addr: "{{ consul_advertise_addr }}"
#####################
# ACL configuration #
#####################
consul_acl_configuration:
enabled: false
default_policy: "deny"
enable_token_persistence: true
# tokens:
# agent: ""
##############################
# service mesh configuration #
##############################
consul_mesh_configuration:
enabled: false
#####################
# DNS configuration #
#####################
consul_dns_configuration:
allow_stale: true
enable_truncate: true
only_passing: true
################
# internal tls #
################
consul_enable_tls: false
consul_tls_configuration:
defaults:
ca_file: "/etc/ssl/certs/ca-certificates.crt"
cert_file: "{{ consul_certs_dir }}/cert.pem"
key_file: "{{ consul_certs_dir }}/key.pem"
verify_incoming: false
verify_outgoing: true
internal_rpc:
verify_server_hostname: true
consul_certificates_extra_files_dir:
[]
# - src: ""
# dest: "{{ consul_certs_dir }}"
###########################
# telemetry configuration #
###########################
consul_enable_prometheus_metrics: false
consul_prometheus_retention_time: 60s
consul_telemetry_configuration: {}
###########
# logging #
###########
consul_log_level: info
consul_enable_log_to_file: false
consul_log_to_file_configuration:
log_file: "{{ consul_logs_dir }}/consul.log"
log_rotate_duration: 24h
log_rotate_max_files: 30

2
roles/consul/handlers/main.yml
View File

@ -1,2 +0,0 @@
---
# handlers file for hashicorp_consul

26
roles/consul/meta/main.yml
View File

@ -1,26 +0,0 @@
---
# meta file for hashicorp_consul
galaxy_info:
namespace: "ednz_cloud"
role_name: "hashicorp_consul"
author: "Bertrand Lanson"
description: "Install and configure hashicorp consul for debian-based distros."
license: "license (BSD, MIT)"
min_ansible_version: "2.10"
platforms:
- name: Ubuntu
versions:
- focal
- jammy
- noble
- name: Debian
versions:
- bullseye
- bookworm
galaxy_tags:
- "ubuntu"
- "debian"
- "hashicorp"
- "consul"
dependencies: []

74
roles/consul/tasks/configure.yml
View File

@ -1,74 +0,0 @@
---
# task/configure file for hashicorp_consul
- name: "Consul | Create consul.env"
ansible.builtin.template:
src: consul.env.j2
dest: "{{ consul_config_dir }}/consul.env"
owner: "{{ consul_user }}"
group: "{{ consul_group }}"
mode: "0600"
register: _consul_env_file
- name: "Consul | Copy consul.json template"
ansible.builtin.template:
src: consul.json.j2
dest: "{{ consul_config_dir }}/consul.json"
owner: "{{ consul_user }}"
group: "{{ consul_group }}"
mode: "0600"
register: _consul_config_file
- name: "Consul | Set restart-check variable"
ansible.builtin.set_fact:
_consul_service_need_restart: true
when: _consul_env_file.changed or
_consul_config_file.changed
- name: "Consul | Copy extra configuration files"
when: consul_extra_files
block:
- name: "Consul | Get extra file types"
ansible.builtin.stat:
path: "{{ item.src }}"
loop: "{{ consul_extra_files_list }}"
register: consul_extra_file_stat
delegate_to: localhost
- name: "Consul | Set list for file sources"
vars:
_consul_file_sources: []
ansible.builtin.set_fact:
_consul_file_sources: "{{ _consul_file_sources + [item.item] }}"
when: item.stat.isreg
loop: "{{ consul_extra_file_stat.results }}"
loop_control:
loop_var: item
delegate_to: localhost
- name: "Consul | Set list for directory sources"
vars:
_consul_dir_sources: []
ansible.builtin.set_fact:
_consul_dir_sources: "{{ _consul_dir_sources + [item.item] }}"
when: item.stat.isdir
loop: "{{ consul_extra_file_stat.results }}"
loop_control:
loop_var: item
delegate_to: localhost
- name: "Consul | Template extra file sources"
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ item.dest | regex_replace('\\.j2$', '') }}"
owner: "{{ consul_user }}"
group: "{{ consul_group }}"
mode: "0700"
loop: "{{ _consul_file_sources }}"
when: _consul_file_sources is defined
- name: "Consul | Template extra directory sources"
ansible.builtin.include_tasks: recursive_copy_extra_dirs.yml
loop: "{{ _consul_dir_sources }}"
loop_control:
loop_var: dir_source_item
when: _consul_dir_sources is defined

141
roles/consul/tasks/install.yml
View File

@ -1,141 +0,0 @@
---
# task/install file for hashicorp_consul
- name: "Consul | Get latest release of consul"
when: consul_version == 'latest'
block:
- name: "Consul | Get latest consul release from github api"
ansible.builtin.uri:
url: "{{ consul_github_api }}/{{ consul_github_project }}/releases/latest"
return_content: true
register: _consul_latest_release
- name: "Consul | Set wanted consul version to latest tag"
ansible.builtin.set_fact:
_consul_wanted_version: "{{ _consul_latest_release.json['tag_name']|regex_replace('v', '') }}"
- name: "Consul | Set wanted consul version to {{ consul_version }}"
ansible.builtin.set_fact:
_consul_wanted_version: "{{ consul_version|regex_replace('v', '') }}"
when: consul_version != 'latest'
- name: "Consul | Get current consul version"
block:
- name: "Consul | Stat consul version file"
ansible.builtin.stat:
path: "{{ consul_config_dir }}/.version"
changed_when: false
check_mode: false
register: _consul_version_file
- name: "Consul | Get current consul version"
ansible.builtin.slurp:
src: "{{ _consul_version_file.stat.path }}"
when:
- _consul_version_file.stat.exists
- _consul_version_file.stat.isreg
register: _consul_current_version
- name: "Consul | Download and install consul binary"
when: _consul_current_version is not defined
or _consul_wanted_version != (_consul_current_version.content|default('')|b64decode)
block:
- name: "Consul | Set consul package name to download"
ansible.builtin.set_fact:
_consul_package_name: >-
consul_{{ _consul_wanted_version }}_linux_{{ consul_deb_architecture_map[ansible_architecture] }}.zip
_consul_shasum_file_name: >-
consul_{{ _consul_wanted_version }}_SHA256SUMS
- name: "Consul | Download checksum file for consul archive"
ansible.builtin.get_url:
url: "{{ consul_repository_url }}/{{ _consul_wanted_version }}/{{ _consul_shasum_file_name }}"
dest: "/tmp/{{ _consul_shasum_file_name }}"
mode: "0644"
register: _consul_checksum_file
until: _consul_checksum_file is succeeded
retries: 5
delay: 2
check_mode: false
- name: "Consul | Extract correct checksum from checksum file"
ansible.builtin.command:
cmd: 'grep "{{ _consul_package_name }}" /tmp/{{ _consul_shasum_file_name }}'
changed_when: false
register: _consul_expected_checksum_line
- name: "Consul | Parse the expected checksum"
ansible.builtin.set_fact:
_consul_expected_checksum: "{{ _consul_expected_checksum_line.stdout.split()[0] }}"
- name: "Consul | Download consul binary archive"
ansible.builtin.get_url:
url: "{{ consul_repository_url }}/{{ _consul_wanted_version }}/{{ _consul_package_name }}"
dest: "/tmp/{{ _consul_package_name }}"
mode: "0644"
checksum: "sha256:{{ _consul_expected_checksum }}"
register: _consul_binary_archive
until: _consul_binary_archive is succeeded
retries: 5
delay: 2
check_mode: false
- name: "Consul | Create temporary directory for archive decompression"
ansible.builtin.file:
path: /tmp/consul
state: directory
mode: "0755"
- name: "Consul | Unpack consul archive"
ansible.builtin.unarchive:
src: "/tmp/{{ _consul_package_name }}"
dest: "/tmp/consul"
owner: "{{ consul_user }}"
group: "{{ consul_group }}"
mode: "0755"
remote_src: true
- name: "Consul | Copy consul binary to {{ consul_binary_path }}"
ansible.builtin.copy:
src: /tmp/consul/consul
dest: "{{ consul_binary_path }}"
owner: root
group: root
mode: "0755"
remote_src: true
force: true
- name: "Consul | Update consul version file"
ansible.builtin.copy:
content: "{{ _consul_wanted_version }}"
dest: "{{ consul_config_dir }}/.version"
owner: "{{ consul_user }}"
group: "{{ consul_group }}"
mode: "0600"
- name: "Consul | Set restart-check variable"
ansible.builtin.set_fact:
_consul_service_need_restart: true
- name: "Consul | Cleanup temporary directory"
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
- /tmp/consul
- /tmp/{{ _consul_package_name }}
- /tmp/{{ _consul_shasum_file_name }}
- name: "Consul | Copy systemd service file for consul"
ansible.builtin.template:
src: "consul.service.j2"
dest: "/etc/systemd/system/{{ consul_service_name }}.service"
owner: root
group: root
mode: "0644"
register: _consul_unit_file
- name: "Consul | Set reload-check & restart-check variable"
ansible.builtin.set_fact:
_consul_service_need_reload: true
_consul_service_need_restart: true
when: _consul_unit_file.changed # noqa: no-handler

65
roles/consul/tasks/install_envoy.yml
View File

@ -1,65 +0,0 @@
---
# task/install_envoy file for hashicorp_consul
- name: "Consul | Get release for envoy:{{ consul_envoy_version }}"
vars:
_envoy_url_ext: "{% if consul_envoy_version == 'latest'%}releases{% else %}releases/tags{% endif %}"
ansible.builtin.uri:
url: "{{ consul_github_api }}/{{ consul_envoy_github_project }}/{{ _envoy_url_ext }}/{{ consul_envoy_version }}"
return_content: true
register: _envoy_new_release
- name: "Consul | Check if envoy is already installed"
ansible.builtin.stat:
path: "{{ consul_data_dir }}/envoy/version"
changed_when: false
check_mode: false
register: _envoy_is_installed
- name: "Consul | Check current envoy version"
ansible.builtin.command: "cat {{ consul_data_dir }}/envoy/version"
changed_when: false
check_mode: false
register: _envoy_old_release
when: _envoy_is_installed.stat.exists
- name: "Consul | Set facts for wanted envoy release"
ansible.builtin.set_fact:
consul_envoy_wanted_version: "{{ _envoy_new_release.json['tag_name']|regex_replace('v', '') }}"
when: _envoy_new_release.json is defined
and (_envoy_new_release.json | length > 0)
- name: "Consul | Set facts for current envoy release"
ansible.builtin.set_fact:
consul_envoy_current_version: "{{ _envoy_old_release.stdout | regex_replace('v', '') }}"
when: _envoy_old_release.stdout is defined
and (_envoy_old_release.stdout | length > 0)
- name: "Consul | Create envoy directory"
ansible.builtin.file:
path: "{{ consul_data_dir }}/envoy"
state: directory
mode: "0775"
- name: "Consul | Install envoy"
when: consul_envoy_current_version is not defined
or consul_envoy_wanted_version not in consul_envoy_current_version
block:
- name: "Consul | Remove old compose binary if different"
ansible.builtin.file:
path: "{{ consul_envoy_binary_path }}"
state: absent
register: _envoy_binary_removed
- name: "Consul | Download and install envoy version:{{ consul_envoy_version }}"
ansible.builtin.get_url:
url: "{{ consul_github_url }}/{{ consul_envoy_github_project }}/releases/download/v{{ consul_envoy_wanted_version }}/envoy-{{ consul_envoy_wanted_version }}-linux-{{ consul_envoy_architecture }} "
dest: "{{ consul_envoy_binary_path }}"
owner: root
group: root
mode: "0755"
- name: "Consul | Update version file"
ansible.builtin.copy:
content: "{{ consul_envoy_wanted_version }}"
dest: "{{ consul_data_dir }}/envoy/version"
mode: "0600"

47
roles/consul/tasks/main.yml
View File

@ -1,47 +0,0 @@
---
# task/main file for hashicorp_consul
- name: "Consul | Set reload-check & restart-check variable"
ansible.builtin.set_fact:
_consul_service_need_reload: false
_consul_service_need_restart: false
- name: "Consul | Import merge_variables.yml"
ansible.builtin.include_tasks: merge_variables.yml
- name: "Consul | Import prerequisites.yml"
ansible.builtin.include_tasks: prerequisites.yml
- name: "Consul | Import install_envoy.yml"
ansible.builtin.include_tasks: install_envoy.yml
when: consul_envoy_install
- name: "Consul | Import install.yml"
ansible.builtin.include_tasks: "install.yml"
- name: "Consul | Import configure.yml"
ansible.builtin.include_tasks: configure.yml
- name: "Consul | Populate service facts"
ansible.builtin.service_facts:
- name: "Consul | Set restart-check variable"
ansible.builtin.set_fact:
_consul_service_need_restart: true
when: ansible_facts.services[consul_service_name~'.service'].state != 'running'
- name: "Consul | Enable service: {{ consul_service_name }}"
ansible.builtin.service:
name: "{{ consul_service_name }}"
enabled: true
- name: "Consul | Reload systemd daemon"
ansible.builtin.systemd:
daemon_reload: true
when: _consul_service_need_reload
- name: "Consul | Start service: {{ consul_service_name }}"
ansible.builtin.service:
name: "{{ consul_service_name }}"
state: restarted
throttle: 1
when: _consul_service_need_restart

94
roles/consul/tasks/merge_variables.yml
View File

@ -1,94 +0,0 @@
---
# task/merge_variables file for hashicorp_consul
- name: "Consul | Merge stringified configuration"
vars:
_config_to_merge: "{{ consul_configuration_string }}"
ansible.builtin.set_fact:
consul_configuration: "{{
consul_configuration |
combine(_config_to_merge|from_yaml, recursive=true)
}}"
- name: "Consul | Merge server specific stringified configuration"
vars:
_config_to_merge: "{{ consul_server_configuration_string }}"
ansible.builtin.set_fact:
consul_configuration: "{{
consul_configuration |
combine(_config_to_merge|from_yaml, recursive=true)
}}"
when:
- consul_enable_server
- name: "Consul | Merge addresses configuration"
vars:
_config_to_merge: "{{ consul_address_configuration }}"
ansible.builtin.set_fact:
consul_configuration: "{{
consul_configuration |
combine(_config_to_merge, recursive=true)
}}"
- name: "Consul | Merge TLS configuration"
when: consul_enable_tls
block:
- name: "Consul | Merge TLS configuration"
vars:
_config_to_merge:
tls: "{{ consul_tls_configuration }}"
ansible.builtin.set_fact:
consul_configuration: "{{
consul_configuration |
combine(_config_to_merge, recursive=true)
}}"
- name: "Consul | Add certificates directory to extra_files_dir"
ansible.builtin.set_fact:
consul_extra_files_list: "{{
consul_extra_files_list +
consul_certificates_extra_files_dir
| unique
| sort
}}"
- name: "Consul | Merge extra configuration settings"
vars:
_config_to_merge: "{{ consul_extra_configuration }}"
ansible.builtin.set_fact:
consul_configuration: "{{
consul_configuration |
combine(_config_to_merge, recursive=true)
}}"
- name: "Consul | Merge log to file configuration"
vars:
_config_to_merge: "{{ consul_log_to_file_configuration }}"
ansible.builtin.set_fact:
consul_configuration: "{{
consul_configuration |
combine(_config_to_merge, recursive=true)
}}"
when: consul_enable_log_to_file
- name: "Consul | Merge telemetry configuration"
block:
- name: "Consul | Merge prometheus metrics configuration"
vars:
_config_to_merge:
prometheus_retention_time: "{{ consul_prometheus_retention_time }}"
ansible.builtin.set_fact:
consul_telemetry_configuration: "{{
consul_telemetry_configuration |
combine(_config_to_merge, recursive=true)
}}"
when: consul_enable_prometheus_metrics
- name: "Consul | Merge telemtry configuration"
vars:
_config_to_merge:
telemetry: "{{ consul_telemetry_configuration }}"
ansible.builtin.set_fact:
consul_configuration: "{{
consul_configuration |
combine(_config_to_merge, recursive=true)
}}"

46
roles/consul/tasks/prerequisites.yml
View File

@ -1,46 +0,0 @@
---
# task/prerequisites file for hashicorp_consul
- name: "Consul | Create group {{ consul_group }}"
ansible.builtin.group:
name: "{{ consul_group }}"
state: present
- name: "Consul | Create user {{ consul_user }}"
ansible.builtin.user:
name: "{{ consul_user }}"
group: "{{ consul_group }}"
shell: /bin/false
state: present
- name: "Consul | Create directory {{ consul_config_dir }}"
ansible.builtin.file:
path: "{{ consul_config_dir }}"
state: directory
owner: "{{ consul_user }}"
group: "{{ consul_group }}"
mode: "0755"
- name: "Consul | Create directory {{ consul_data_dir}}"
ansible.builtin.file:
path: "{{ consul_data_dir }}"
state: directory
owner: "{{ consul_user }}"
group: "{{ consul_group }}"
mode: "0755"
- name: "Consul | Create directory {{ consul_certs_dir }}"
ansible.builtin.file:
path: "{{ consul_certs_dir }}"
state: directory
owner: "{{ consul_user }}"
group: "{{ consul_group }}"
mode: "0755"
- name: "Consul | Create directory {{ consul_logs_dir }}"
ansible.builtin.file:
path: "{{ consul_logs_dir }}"
state: directory
owner: "{{ consul_user }}"
group: "{{ consul_group }}"
mode: "0755"
when: consul_enable_log_to_file

27
roles/consul/tasks/recursive_copy_extra_dirs.yml
View File

@ -1,27 +0,0 @@
---
# task/recursive_copy_extra_dirs file for hashicorp_consul
- name: "Consul | Ensure destination directory exists"
ansible.builtin.file:
path: "{{ dir_source_item.dest }}"
recurse: true
state: directory
mode: "0775"
- name: "Consul | Create extra directory sources"
ansible.builtin.file:
path: "{{ dir_source_item.dest }}/{{ item.path }}"
recurse: true
state: directory
mode: "0775"
with_community.general.filetree: "{{ dir_source_item.src }}/"
when: item.state == 'directory'
- name: "Consul | Template extra directory sources"
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ dir_source_item.dest }}/{{ item.path | regex_replace('\\.j2$', '') }}"
owner: "{{ consul_user }}"
group: "{{ consul_group }}"
mode: "0700"
with_community.general.filetree: "{{ dir_source_item.src }}/"
when: item.state == 'file'

4
roles/consul/templates/consul.env.j2
View File

@ -1,4 +0,0 @@
# {{ ansible_managed }}
{% for item in consul_env_variables %}
{{ item }}="{{ consul_env_variables[item] }}"
{% endfor %}

1
roles/consul/templates/consul.json.j2
View File

@ -1 +0,0 @@
{{ consul_configuration|to_nice_json }}

20
roles/consul/templates/consul.service.j2
View File

@ -1,20 +0,0 @@
[Unit]
Description=Consul
Documentation=https://developer.hashicorp.com/consul/docs
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty={{ consul_config_dir }}/consul.json
[Service]
EnvironmentFile=-{{ consul_config_dir }}/consul.env
User={{ consul_user }}
Group={{ consul_group }}
ExecStart={{ consul_binary_path }} agent -config-dir={{ consul_config_dir }}
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGTERM
Restart=on-failure
LimitNOFILE=65536
[Install]
WantedBy=multi-user.target

58
roles/consul/vars/main.yml
View File

@ -1,58 +0,0 @@
---
# vars file for hashicorp_consul
consul_user: consul
consul_group: consul
consul_binary_path: /usr/local/bin/consul
consul_envoy_binary_path: /usr/local/bin/envoy
consul_deb_architecture_map:
x86_64: "amd64"
aarch64: "arm64"
armv7l: "arm"
armv6l: "arm"
consul_envoy_architecture_map:
x86_64: "x86_64"
aarch64: "aarch64"
consul_architecture: "{{ consul_deb_architecture_map[ansible_architecture] | default(ansible_architecture) }}"
consul_envoy_architecture: "{{ consul_envoy_architecture_map[ansible_architecture] | default(ansible_architecture) }}"
consul_service_name: "consul"
consul_github_api: https://api.github.com/repos
consul_envoy_github_project: envoyproxy/envoy
consul_github_project: hashicorp/consul
consul_github_url: https://github.com
consul_repository_url: https://releases.hashicorp.com/consul
consul_configuration:
domain: "{{ consul_domain }}"
datacenter: "{{ consul_datacenter }}"
primary_datacenter: "{{ consul_primary_datacenter }}"
data_dir: "{{ consul_data_dir }}"
encrypt: "{{ consul_gossip_encryption_key }}"
server: "{{ consul_enable_server }}"
ui_config: "{{ consul_ui_configuration }}"
connect: "{{ consul_mesh_configuration }}"
leave_on_terminate: "{{ consul_leave_on_terminate }}"
rejoin_after_leave: "{{ consul_rejoin_after_leave }}"
enable_script_checks: "{{ consul_enable_script_checks }}"
enable_syslog: true
acl: "{{ consul_acl_configuration }}"
dns_config: "{{ consul_dns_configuration }}"
log_level: "{{ consul_log_level }}"
ports:
dns: 8600
server: 8300
serf_lan: 8301
serf_wan: 8302
sidecar_min_port: 21000
sidecar_max_port: 21255
expose_min_port: 21500
expose_max_port: 21755
consul_configuration_string: |
ports:
http: {{ ('8500'|int) if not consul_enable_tls else ('-1' | int) }}
https: {{ ('8501'|int) if consul_enable_tls else ('-1' | int) }}
grpc: {{ ('8502'|int) if not consul_enable_tls else ('-1' | int) }}
grpc_tls: {{ ('8503'|int) if consul_enable_tls else ('-1' | int) }}
consul_server_configuration_string: |
bootstrap_expect: {{ consul_bootstrap_expect }}

204
roles/nomad/defaults/main.yml
View File

@ -1,204 +0,0 @@
---
# defaults file for hashicorp_nomad
nomad_version: "latest"
nomad_start_service: true
nomad_config_dir: "/etc/nomad.d"
nomad_data_dir: "/opt/nomad"
nomad_certs_dir: "{{ nomad_config_dir }}/tls"
nomad_logs_dir: "/var/log/nomad"
nomad_cni_plugins_install: true
nomad_cni_plugins_version: latest
nomad_cni_plugins_install_path: /opt/cni/bin
nomad_extra_files: false
nomad_extra_files_list: []
nomad_env_variables: {}
#######################
# extra configuration #
#######################
# You should prioritize adding configuration
# to the configuration entries below, this
# option should be used to add pieces of configuration not
# available through standard variables.
nomad_extra_configuration: {}
###########
# general #
###########
nomad_region: global
nomad_datacenter: dc1
#########################
# address configuration #
#########################
nomad_bind_addr: "0.0.0.0"
nomad_advertise_addr: "{{ ansible_default_ipv4.address }}"
nomad_address_configuration:
bind_addr: "{{ nomad_bind_addr }}"
addresses:
http: "{{ nomad_advertise_addr }}"
rpc: "{{ nomad_advertise_addr }}"
serf: "{{ nomad_advertise_addr }}"
advertise:
http: "{{ nomad_advertise_addr }}"
rpc: "{{ nomad_advertise_addr }}"
serf: "{{ nomad_advertise_addr }}"
ports:
http: 4646
rpc: 4647
serf: 4648
###########################
# autopilot configuration #
###########################
nomad_autopilot_configuration: {}
#######################
# leave configuration #
#######################
nomad_leave_on_interrupt: false
nomad_leave_on_terminate: false
########################
# server configuration #
########################
nomad_enable_server: true
nomad_server_bootstrap_expect: 1
nomad_server_configuration:
enabled: "{{ nomad_enable_server }}"
data_dir: "{{ nomad_data_dir }}/server"
encrypt: "{{ 'mysupersecretgossipencryptionkey'|b64encode }}"
server_join:
retry_join:
- "{{ ansible_default_ipv4.address }}"
##############################
# client configuration #
##############################
nomad_enable_client: false
nomad_client_configuration:
enabled: "{{ nomad_enable_client }}"
state_dir: "{{ nomad_data_dir }}/client"
cni_path: "{{ nomad_cni_plugins_install_path }}" # "/opt/cni/bin"
bridge_network_name: nomad
bridge_network_subnet: "172.26.64.0/20"
####################
# ui configuration #
####################
nomad_ui_configuration:
enabled: "{{ nomad_enable_server }}"
#########################
# drivers configuration #
#########################
nomad_driver_enable_docker: true
nomad_driver_enable_podman: false
nomad_driver_enable_raw_exec: false
nomad_driver_enable_java: false
nomad_driver_enable_qemu: false
nomad_driver_configuration:
raw_exec:
enabled: false
nomad_driver_extra_configuration: {}
###########
# logging #
###########
nomad_log_level: info
nomad_enable_log_to_file: false
nomad_log_to_file_configuration:
log_file: "{{ nomad_logs_dir }}/nomad.log"
log_rotate_duration: 24h
log_rotate_max_files: 30
#####################
# ACL configuration #
#####################
nomad_acl_configuration:
enabled: false
token_ttl: 30s
policy_ttl: 60s
role_ttl: 60s
################
# internal tls #
################
nomad_enable_tls: false
nomad_tls_configuration:
http: true
rpc: true
ca_file: "/etc/ssl/certs/ca-certificates.crt"
cert_file: "{{ nomad_certs_dir }}/cert.pem"
key_file: "{{ nomad_certs_dir }}/key.pem"
verify_server_hostname: true
nomad_certificates_extra_files_dir:
[]
# - src: ""
# dest: "{{ nomad_certs_dir }}"
###########################
# telemetry configuration #
###########################
nomad_telemetry_configuration:
collection_interval: 10s
disable_hostname: false
use_node_name: false
publish_allocation_metrics: false
publish_node_metrics: false
prefix_filter: []
disable_dispatched_job_summary_metrics: false
prometheus_metrics: false
######################
# consul integration #
######################
nomad_enable_consul_integration: false
nomad_consul_integration_configuration:
address: "127.0.0.1:8500"
auto_advertise: true
ssl: false
token: ""
tags: []
nomad_consul_integration_tls_configuration:
ca_file: "/etc/ssl/certs/ca-certificates.crt"
nomad_consul_integration_server_configuration:
server_auto_join: true
nomad_consul_integration_client_configuration:
client_auto_join: true
grpc_address: "127.0.0.1:8502"
nomad_consul_integration_client_tls_configuration:
grpc_ca_file: "/etc/ssl/certs/ca-certificates.crt"
############################
# nomad vault integration #
############################
nomad_enable_vault_integration: false
nomad_vault_integration_configuration: {}

2
roles/nomad/handlers/main.yml
View File

@ -1,2 +0,0 @@
---
# handlers file for hashicorp_nomad

26
roles/nomad/meta/main.yml
View File

@ -1,26 +0,0 @@
---
# meta file for hashicorp_nomad
galaxy_info:
namespace: "ednz_cloud"
role_name: "hashicorp_nomad"
author: "Bertrand Lanson"
description: "Install and configure hashicorp nomad for debian-based distros."
license: "license (BSD, MIT)"
min_ansible_version: "2.10"
platforms:
- name: Ubuntu
versions:
- focal
- jammy
- noble
- name: Debian
versions:
- bullseye
- bookworm
galaxy_tags:
- "ubuntu"
- "debian"
- "hashicorp"
- "nomad"
dependencies: []

78
roles/nomad/tasks/cni_install.yml
View File

@ -1,78 +0,0 @@
---
# task/cni_install file for hashicorp_nomad
- name: "Nomad | Get release for cni_plugins:{{ nomad_cni_plugins_version }}"
vars:
_cni_plugins_url_ext: "{% if nomad_cni_plugins_version == 'latest'%}releases{% else %}releases/tags{% endif %}"
ansible.builtin.uri:
url: "{{ nomad_github_api }}/{{ nomad_cni_github_project }}/{{ _cni_plugins_url_ext }}/{{ nomad_cni_plugins_version }}"
return_content: true
register: _cni_plugins_new_release
- name: "Nomad | Check if cni plugin is already installed"
ansible.builtin.stat:
path: "{{ nomad_cni_plugins_install_path }}/version"
changed_when: false
check_mode: false
register: _cni_plugins_is_installed
- name: "Nomad | Check current cni plugin version"
ansible.builtin.command: "cat {{ nomad_cni_plugins_install_path }}/version"
changed_when: false
check_mode: false
register: _cni_plugins_old_release
when: _cni_plugins_is_installed.stat.exists
- name: "Nomad | Set facts for wanted cni plugins release"
ansible.builtin.set_fact:
nomad_cni_plugins_wanted_version: "{{ _cni_plugins_new_release.json['tag_name']|regex_replace('v', '') }}"
when: _cni_plugins_new_release.json is defined
and (_cni_plugins_new_release.json | length > 0)
- name: "Nomad | Set facts for current cni plugins release"
ansible.builtin.set_fact:
nomad_cni_plugins_current_version: "{{ _cni_plugins_old_release.stdout | regex_replace('v', '') }}"
when: _cni_plugins_old_release.stdout is defined
and (_cni_plugins_old_release.stdout | length > 0)
- name: "Nomad | Create cni directory"
ansible.builtin.file:
path: "{{ nomad_cni_plugins_install_path }}"
state: directory
owner: "{{ nomad_user }}"
group: "{{ nomad_group }}"
mode: "0755"
- name: "Nomad | Install cni plugins"
when: nomad_cni_plugins_current_version is not defined
or nomad_cni_plugins_wanted_version not in nomad_cni_plugins_current_version
block:
- name: "Nomad | Install cni plugins version:{{ nomad_cni_plugins_version }}"
ansible.builtin.get_url:
url: "{{ nomad_github_url }}/{{ nomad_cni_github_project }}/releases/download/v{{ nomad_cni_plugins_wanted_version }}/cni-plugins-linux-{{ nomad_architecture }}-v{{ nomad_cni_plugins_wanted_version }}.tgz"
dest: "/tmp/cni_plugin.tgz"
mode: "0644"
register: _cni_plugins_download_archive
until: _cni_plugins_download_archive is succeeded
retries: 5
delay: 2
check_mode: false
- name: "Nomad | Unpack cni plugins"
ansible.builtin.unarchive:
src: "/tmp/cni_plugin.tgz"
dest: "{{ nomad_cni_plugins_install_path }}"
owner: "{{ nomad_user }}"
group: "{{ nomad_group }}"
mode: "0755"
remote_src: true
- name: "Nomad | Remove temporary archive"
ansible.builtin.file:
path: "/tmp/cni_plugin.tgz"
state: absent
- name: "Nomad | Update version file"
ansible.builtin.copy:
content: "{{ nomad_cni_plugins_wanted_version }}"
dest: "{{ nomad_cni_plugins_install_path }}/version"
mode: "0600"

74
roles/nomad/tasks/configure.yml
View File

@ -1,74 +0,0 @@
---
# task/configure file for hashicorp_nomad
- name: "Nomad | Create nomad.env"
ansible.builtin.template:
src: nomad.env.j2
dest: "{{ nomad_config_dir }}/nomad.env"
owner: "{{ nomad_user }}"
group: "{{ nomad_group }}"
mode: "0600"
register: _nomad_env_file
- name: "Nomad | Copy nomad.json template"
ansible.builtin.template:
src: nomad.json.j2
dest: "{{ nomad_config_dir }}/nomad.json"
owner: "{{ nomad_user }}"
group: "{{ nomad_group }}"
mode: "0600"
register: _nomad_config_file
- name: "Nomad | Set restart-check variable"
ansible.builtin.set_fact:
_nomad_service_need_restart: true
when: _nomad_env_file.changed or
_nomad_config_file.changed
- name: "Nomad | Copy extra configuration files"
when: nomad_extra_files
block:
- name: "Nomad | Get extra file types"
ansible.builtin.stat:
path: "{{ item.src }}"
loop: "{{ nomad_extra_files_list }}"
register: nomad_extra_file_stat
delegate_to: localhost
- name: "Nomad | Set list for file sources"
vars:
_nomad_file_sources: []
ansible.builtin.set_fact:
_nomad_file_sources: "{{ _nomad_file_sources + [item.item] }}"
when: item.stat.isreg
loop: "{{ nomad_extra_file_stat.results }}"
loop_control:
loop_var: item
delegate_to: localhost
- name: "Nomad | Set list for directory sources"
vars:
_nomad_dir_sources: []
ansible.builtin.set_fact:
_nomad_dir_sources: "{{ _nomad_dir_sources + [item.item] }}"
when: item.stat.isdir
loop: "{{ nomad_extra_file_stat.results }}"
loop_control:
loop_var: item
delegate_to: localhost
- name: "Nomad | Template extra file sources"
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ item.dest | regex_replace('\\.j2$', '') }}"
owner: "{{ nomad_user }}"
group: "{{ nomad_group }}"
mode: "0700"
loop: "{{ _nomad_file_sources }}"
when: _nomad_file_sources is defined
- name: "Nomad | Template extra directory sources"
ansible.builtin.include_tasks: recursive_copy_extra_dirs.yml
loop: "{{ _nomad_dir_sources }}"
loop_control:
loop_var: dir_source_item
when: _nomad_dir_sources is defined

140
roles/nomad/tasks/install.yml
View File

@ -1,140 +0,0 @@
---
- name: "Nomad | Get latest release of nomad"
when: nomad_version == 'latest'
block:
- name: "Nomad | Get latest nomad release from github api"
ansible.builtin.uri:
url: "{{ nomad_github_api }}/hashicorp/nomad/releases/latest"
return_content: true
register: _nomad_latest_release
- name: "Nomad | Set wanted nomad version to latest tag"
ansible.builtin.set_fact:
_nomad_wanted_version: "{{ _nomad_latest_release.json['tag_name']|regex_replace('v', '') }}"
- name: "Nomad | Set wanted nomad version to {{ nomad_version }}"
ansible.builtin.set_fact:
_nomad_wanted_version: "{{ nomad_version|regex_replace('v', '') }}"
when: nomad_version != 'latest'
- name: "Nomad | Get current nomad version"
block:
- name: "Nomad | Stat nomad version file"
ansible.builtin.stat:
path: "{{ nomad_config_dir }}/.version"
changed_when: false
check_mode: false
register: _nomad_version_file
- name: "Nomad | Get current nomad version"
ansible.builtin.slurp:
src: "{{ _nomad_version_file.stat.path }}"
when:
- _nomad_version_file.stat.exists
- _nomad_version_file.stat.isreg
register: _nomad_current_version
- name: "Nomad | Download and install nomad binary"
when: _nomad_current_version is not defined
or _nomad_wanted_version != (_nomad_current_version.content|default('')|b64decode)
block:
- name: "Nomad | Set nomad package name to download"
ansible.builtin.set_fact:
_nomad_package_name: >-
nomad_{{ _nomad_wanted_version }}_linux_{{ nomad_deb_architecture_map[ansible_architecture] }}.zip
_nomad_shasum_file_name: >-
nomad_{{ _nomad_wanted_version }}_SHA256SUMS
- name: "Nomad | Download checksum file for nomad archive"
ansible.builtin.get_url:
url: "{{ nomad_repository_url }}/{{ _nomad_wanted_version }}/{{ _nomad_shasum_file_name }}"
dest: "/tmp/{{ _nomad_shasum_file_name }}"
mode: "0644"
register: _nomad_checksum_file
until: _nomad_checksum_file is succeeded
retries: 5
delay: 2
check_mode: false
- name: "Nomad | Extract correct checksum from checksum file"
ansible.builtin.command:
cmd: 'grep "{{ _nomad_package_name }}" /tmp/{{ _nomad_shasum_file_name }}'
changed_when: false
register: _nomad_expected_checksum_line
- name: "Nomad | Parse the expected checksum"
ansible.builtin.set_fact:
_nomad_expected_checksum: "{{ _nomad_expected_checksum_line.stdout.split()[0] }}"
- name: "Nomad | Download nomad binary archive"
ansible.builtin.get_url:
url: "{{ nomad_repository_url }}/{{ _nomad_wanted_version }}/{{ _nomad_package_name }}"
dest: "/tmp/{{ _nomad_package_name }}"
mode: "0644"
checksum: "sha256:{{ _nomad_expected_checksum }}"
register: _nomad_binary_archive
until: _nomad_binary_archive is succeeded
retries: 5
delay: 2
check_mode: false
- name: "Nomad | Create temporary directory for archive decompression"
ansible.builtin.file:
path: /tmp/nomad
state: directory
mode: "0755"
- name: "Nomad | Unpack nomad archive"
ansible.builtin.unarchive:
src: "/tmp/{{ _nomad_package_name }}"
dest: "/tmp/nomad"
owner: "{{ nomad_user }}"
group: "{{ nomad_group }}"
mode: "0755"
remote_src: true
- name: "Nomad | Copy nomad binary to {{ nomad_binary_path }}"
ansible.builtin.copy:
src: /tmp/nomad/nomad
dest: "{{ nomad_binary_path }}"
owner: root
group: root
mode: "0755"
remote_src: true
force: true
- name: "Nomad | Update nomad version file"
ansible.builtin.copy:
content: "{{ _nomad_wanted_version }}"
dest: "{{ nomad_config_dir }}/.version"
owner: "{{ nomad_user }}"
group: "{{ nomad_group }}"
mode: "0600"
- name: "Nomad | Set restart-check variable"
ansible.builtin.set_fact:
_nomad_service_need_restart: true
- name: "Nomad | Cleanup temporary directory"
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
- /tmp/nomad
- /tmp/{{ _nomad_package_name }}
- /tmp/{{ _nomad_shasum_file_name }}
- name: "Nomad | Copy systemd service file for nomad"
ansible.builtin.template:
src: "nomad.service.j2"
dest: "/etc/systemd/system/nomad.service"
owner: root
group: root
mode: "0644"
register: _nomad_unit_file
- name: "Nomad | Set reload-check & restart-check variable"
ansible.builtin.set_fact:
_nomad_service_need_reload: true
_nomad_service_need_restart: true
when: _nomad_unit_file.changed # noqa: no-handler

47
roles/nomad/tasks/main.yml
View File

@ -1,47 +0,0 @@
---
# task/main file for hashicorp_nomad
- name: "Nomad | Set reload-check & restart-check variable"
ansible.builtin.set_fact:
_nomad_service_need_reload: false
_nomad_service_need_restart: false
- name: "Nomad | Import merge_variables.yml"
ansible.builtin.include_tasks: merge_variables.yml
- name: "Nomad | Import prerequisites.yml"
ansible.builtin.include_tasks: prerequisites.yml
- name: "Nomad | Import install.yml"
ansible.builtin.include_tasks: install.yml
- name: "Nomad | Import cni_install.yml"
ansible.builtin.include_tasks: cni_install.yml
when: nomad_cni_plugins_install
- name: "Nomad | Import configure.yml"
ansible.builtin.include_tasks: configure.yml
- name: "Nomad | Populate service facts"
ansible.builtin.service_facts:
- name: "Nomad | Set restart-check variable"
ansible.builtin.set_fact:
_nomad_service_need_restart: true
when: ansible_facts.services[nomad_service_name~'.service'].state != 'running'
- name: "Nomad | Enable service: {{ nomad_service_name }}"
ansible.builtin.service:
name: "{{ nomad_service_name }}"
enabled: true
- name: "Nomad | Reload systemd daemon"
ansible.builtin.systemd:
daemon_reload: true
when: _nomad_service_need_reload
- name: "Nomad | Start service: {{ nomad_service_name }}"
ansible.builtin.service:
name: "{{ nomad_service_name }}"
state: restarted
throttle: 1
when: _nomad_service_need_restart

150
roles/nomad/tasks/merge_variables.yml
View File

@ -1,150 +0,0 @@
---
# task/merge_variables file for hashicorp_nomad
- name: "Nomad | Merge stringified configuration"
vars:
_config_to_merge: "{{ nomad_configuration_string }}"
ansible.builtin.set_fact:
nomad_configuration: "{{
nomad_configuration |
combine(_config_to_merge|from_yaml, recursive=true)
}}"
- name: "Nomad | Merge addresses configuration"
vars:
_config_to_merge: "{{ nomad_address_configuration }}"
ansible.builtin.set_fact:
nomad_configuration: "{{
nomad_configuration |
combine(_config_to_merge, recursive=true)
}}"
- name: "Nomad | Merge consul integration configuration"
when:
- nomad_enable_consul_integration | bool
block:
- name: "Nomad | Merge consul tls configuration"
when:
- nomad_consul_integration_configuration.ssl is defined
- nomad_consul_integration_configuration.ssl | bool
block:
- name: "Nomad | Merge consul default client configuration"
vars:
_config_to_merge: "{{ nomad_consul_integration_tls_configuration }}"
ansible.builtin.set_fact:
nomad_consul_integration_configuration: "{{
nomad_consul_integration_configuration |
combine(_config_to_merge, recursive=true)
}}"
- name: "Nomad | Merge consul configuration for nomad servers"
when:
- nomad_enable_server
block:
- name: "Nomad | Merge consul default server configuration"
vars:
_config_to_merge: "{{ nomad_consul_integration_server_configuration }}"
ansible.builtin.set_fact:
nomad_consul_integration_configuration: "{{
nomad_consul_integration_configuration |
combine(_config_to_merge, recursive=true)
}}"
- name: "Nomad | Merge consul configuration for nomad clients"
when:
- nomad_enable_client
block:
- name: "Nomad | Merge consul default client configuration"
vars:
_config_to_merge: "{{ nomad_consul_integration_client_configuration }}"
ansible.builtin.set_fact:
nomad_consul_integration_configuration: "{{
nomad_consul_integration_configuration |
combine(_config_to_merge, recursive=true)
}}"
- name: "Nomad | Merge consul tls client configuration"
vars:
_config_to_merge: "{{ nomad_consul_integration_client_tls_configuration }}"
ansible.builtin.set_fact:
nomad_consul_integration_configuration: "{{
nomad_consul_integration_configuration |
combine(_config_to_merge, recursive=true)
}}"
when:
- nomad_consul_integration_configuration.ssl is defined
- nomad_consul_integration_configuration.ssl | bool
- name: "Nomad | Merge consul block into main configuration"
vars:
_config_to_merge:
consul: "{{ nomad_consul_integration_configuration }}"
ansible.builtin.set_fact:
hashicorp_nomad_configuration: "{{
hashicorp_nomad_configuration |
combine(_config_to_merge, recursive=true)
}}"
- name: "Nomad | Merge TLS configuration"
when: nomad_enable_tls | bool
block:
- name: "Nomad | Merge TLS configuration"
vars:
_config_to_merge:
tls: "{{ nomad_tls_configuration }}"
ansible.builtin.set_fact:
nomad_configuration: "{{
nomad_configuration |
combine(_config_to_merge, recursive=true)
}}"
- name: "Nomad | Add certificates directory to extra_files_dir"
ansible.builtin.set_fact:
nomad_extra_files_list: "{{
nomad_extra_files_list +
nomad_certificates_extra_files_dir
| unique
| sort
}}"
- name: "Nomad | Merge plugin configuration"
vars:
_config_to_merge:
plugin: "{{
nomad_driver_configuration |
combine(nomad_driver_extra_configuration, recursive=true)
}}"
ansible.builtin.set_fact:
nomad_configuration: "{{
nomad_configuration |
combine(_config_to_merge, recursive=true)
}}"
when: nomad_enable_client | bool
- name: "Nomad | Merge extra configuration settings"
vars:
_config_to_merge: "{{ nomad_extra_configuration }}"
ansible.builtin.set_fact:
nomad_configuration: "{{
nomad_configuration |
combine(_config_to_merge, recursive=true)
}}"
- name: "Nomad | Merge log to file configuration"
vars:
_config_to_merge: "{{ nomad_log_to_file_configuration }}"
ansible.builtin.set_fact:
nomad_configuration: "{{
nomad_configuration |
combine(_config_to_merge, recursive=true)
}}"
when: nomad_enable_log_to_file
- name: "Nomad | Merge telemetry configuration"
vars:
_config_to_merge:
telemetry: "{{ nomad_telemetry_configuration }}"
ansible.builtin.set_fact:
nomad_configuration: "{{
nomad_configuration |
combine(_config_to_merge, recursive=true)
}}"

46
roles/nomad/tasks/prerequisites.yml
View File

@ -1,46 +0,0 @@
---
# task/prerequisites file for hashicorp_nomad
- name: "Nomad | Create group {{ nomad_group }}"
ansible.builtin.group:
name: "{{ nomad_user }}"
state: present
- name: "Nomad | Create user {{ nomad_user }}"
ansible.builtin.user:
name: "{{ nomad_user }}"
group: "{{ nomad_group }}"
shell: /bin/false
state: present
- name: "Nomad | Create directory {{ nomad_config_dir }}"
ansible.builtin.file:
path: "{{ nomad_config_dir }}"
state: directory
owner: "{{ nomad_user }}"
group: "{{ nomad_group }}"
mode: "0755"
- name: "Nomad | Create directory {{ nomad_data_dir }}"
ansible.builtin.file:
path: "{{ nomad_data_dir }}"
state: directory
owner: "{{ nomad_user }}"
group: "{{ nomad_group }}"
mode: "0755"
- name: "Nomad | Create directory {{ nomad_certs_dir }}"
ansible.builtin.file:
path: "{{ nomad_certs_dir }}"
state: directory
owner: "{{ nomad_user }}"
group: "{{ nomad_group }}"
mode: "0755"
- name: "Nomad | Create directory {{ nomad_logs_dir }}"
ansible.builtin.file:
path: "{{ nomad_logs_dir }}"
state: directory
owner: "{{ nomad_user }}"
group: "{{ nomad_group }}"
mode: "0755"
when: nomad_enable_log_to_file

27
roles/nomad/tasks/recursive_copy_extra_dirs.yml
View File

@ -1,27 +0,0 @@
---
# task/recursive_copy_extra_dirs file for hashicorp_nomad
- name: "Nomad | Ensure destination directory exists"
ansible.builtin.file:
path: "{{ dir_source_item.dest }}"
recurse: true
state: directory
mode: "0775"
- name: "Nomad | Create extra directory sources"
ansible.builtin.file:
path: "{{ dir_source_item.dest }}/{{ item.path }}"
recurse: true
state: directory
mode: "0775"
with_community.general.filetree: "{{ dir_source_item.src }}/"
when: item.state == 'directory'
- name: "Nomad | Template extra directory sources"
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ dir_source_item.dest }}/{{ item.path | regex_replace('\\.j2$', '') }}"
owner: "{{ nomad_user }}"
group: "{{ nomad_group }}"
mode: "0700"
with_community.general.filetree: "{{ dir_source_item.src }}/"
when: item.state == 'file'

4
roles/nomad/templates/nomad.env.j2
View File

@ -1,4 +0,0 @@
# {{ ansible_managed }}
{% for item in nomad_env_variables %}
{{ item }}="{{ nomad_env_variables[item] }}"
{% endfor %}

1
roles/nomad/templates/nomad.json.j2
View File

@ -1 +0,0 @@
{{ nomad_configuration|to_nice_json }}

33
roles/nomad/templates/nomad.service.j2
View File

@ -1,33 +0,0 @@
[Unit]
Description=Nomad
Documentation=https://developer.hashicorp.com/nomad/docs
Wants=network-online.target
After=network-online.target
ConditionFileNotEmpty={{ nomad_config_dir }}/nomad.json
{% if nomad_configuration.consul.address is defined %}
Wants=consul.service
After=consul.service
{% endif %}
[Service]
EnvironmentFile=-{{ nomad_config_dir }}/nomad.env
{% if not (nomad_configuration.client.enabled is defined and nomad_configuration.client.enabled) %}
User={{ nomad_user }}
Group={{ nomad_group }}
{% else %}
User=root
Group=root
{% endif %}
ExecStart={{ nomad_binary_path }} agent -config {{ nomad_config_dir }}/nomad.json
ExecReload=/bin/kill -HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
LimitNOFILE=65536
LimitNPROC=infinity
RestartSec=2
TasksMax=infinity
OOMScoreAdjust=-1000
[Install]
WantedBy=multi-user.target

33
roles/nomad/vars/main.yml
View File

@ -1,33 +0,0 @@
---
# vars file for hashicorp_nomad
nomad_user: nomad
nomad_group: nomad
nomad_binary_path: /usr/local/bin/nomad
nomad_deb_architecture_map:
x86_64: "amd64"
aarch64: "arm64"
armv7l: "arm"
armv6l: "arm"
nomad_architecture: "{{ nomad_deb_architecture_map[ansible_architecture] | default(ansible_architecture) }}"
nomad_service_name: "nomad"
nomad_github_api: https://api.github.com/repos
nomad_cni_github_project: containernetworking/plugins
nomad_github_project: hashicorp/nomad
nomad_github_url: https://github.com
nomad_repository_url: https://releases.hashicorp.com/nomad
nomad_configuration:
datacenter: "{{ nomad_datacenter }}"
region: "{{ nomad_region }}"
data_dir: "{{ nomad_data_dir }}"
leave_on_interrupt: "{{ nomad_leave_on_interrupt }}"
leave_on_terminate: "{{ nomad_leave_on_terminate }}"
acl: "{{ nomad_acl_configuration }}"
server: "{{ nomad_server_configuration }}"
client: "{{ nomad_client_configuration }}"
ui: "{{ nomad_ui_configuration }}"
log_level: "{{ nomad_log_level }}"
nomad_configuration_string: |
server:
bootstrap_expect: {{ nomad_server_bootstrap_expect }}

96
roles/vault/defaults/main.yml
View File

@ -1,96 +0,0 @@
---
# defaults file for hashicorp_vault
vault_version: latest
vault_start_service: true
vault_config_dir: "/etc/vault.d"
vault_data_dir: "/opt/vault"
vault_certs_dir: "{{ vault_config_dir }}/tls"
vault_logs_dir: "/var/log/vault"
vault_extra_files: false
vault_extra_files_list: []
vault_env_variables: {}
#######################
# extra configuration #
#######################
# You should prioritize adding configuration
# to the configuration entries below, this
# option should be used to add pieces of configuration not
# available through standard variables.
vault_extra_configuration: {}
###########
# general #
###########
vault_cluster_name: vault
vault_bind_addr: "0.0.0.0"
vault_cluster_addr: "{{ ansible_default_ipv4.address }}"
vault_enable_ui: true
vault_disable_mlock: false
vault_disable_cache: false
#########################
# storage configuration #
#########################
vault_storage_configuration:
file:
path: "{{ vault_data_dir }}"
##########################
# listener configuration #
##########################
vault_enable_tls: false
vault_listener_configuration:
tcp:
address: "{{ vault_cluster_addr }}:8200"
tls_disable: true
vault_tls_listener_configuration:
tcp:
tls_disable: false
tls_cert_file: "{{ vault_certs_dir }}/cert.pem"
tls_key_file: "{{ vault_certs_dir }}/key.pem"
tls_disable_client_certs: true
vault_certificates_extra_files_dir:
[]
# - src: ""
# dest: "{{ vault_certs_dir }}"
vault_extra_listener_configuration: {}
########################
# service registration #
########################
vault_enable_service_registration: false
vault_service_registration_configuration:
consul:
address: "127.0.0.1:8500"
scheme: "http"
token: ""
#########################
# plugins configuration #
#########################
vault_enable_plugins: false
vault_plugins_directory: "{{ vault_config_dir }}/plugins"
#################
# vault logging #
#################
vault_log_level: info
vault_enable_log_to_file: false
vault_log_to_file_configuration:
log_file: "{{ vault_logs_dir }}/vault.log"
log_rotate_duration: 24h
log_rotate_max_files: 30

2
roles/vault/handlers/main.yml
View File

@ -1,2 +0,0 @@
---
# handlers file for hashicorp_vault

26
roles/vault/meta/main.yml
View File

@ -1,26 +0,0 @@
---
# meta file for hashicorp_vault
galaxy_info:
namespace: "ednz_cloud"
role_name: "hashicorp_vault"
author: "Bertrand Lanson"
description: "Install and configure hashicorp vault for debian-based distros."
license: "license (BSD, MIT)"
min_ansible_version: "2.10"
platforms:
- name: Ubuntu
versions:
- focal
- jammy
- noble
- name: Debian
versions:
- bullseye
- bookworm
galaxy_tags:
- "ubuntu"
- "debian"
- "hashicorp"
- "vault"
dependencies: []

74
roles/vault/tasks/configure.yml
View File

@ -1,74 +0,0 @@
---
# task/configure file for hashicorp_vault
- name: "Vault | Create vault.env"
ansible.builtin.template:
src: vault.env.j2
dest: "{{ vault_config_dir }}/vault.env"
owner: "{{ vault_user }}"
group: "{{ vault_group }}"
mode: "0600"
register: _vault_env_file
- name: "Vault | Copy vault.json template"
ansible.builtin.template:
src: vault.json.j2
dest: "{{ vault_config_dir }}/vault.json"
owner: "{{ vault_user }}"
group: "{{ vault_group }}"
mode: "0600"
register: _vault_config_file
- name: "Vault | Set restart-check variable"
ansible.builtin.set_fact:
_vault_service_need_restart: true
when: _vault_env_file.changed or
_vault_config_file.changed
- name: "Vault | Copy extra configuration files"
when: vault_extra_files
block:
- name: "Vault | Get extra file types"
ansible.builtin.stat:
path: "{{ item.src }}"
loop: "{{ vault_extra_files_list }}"
register: vault_extra_file_stat
delegate_to: localhost
- name: "Vault | Set list for file sources"
vars:
_vault_file_sources: []
ansible.builtin.set_fact:
_vault_file_sources: "{{ _vault_file_sources + [item.item] }}"
when: item.stat.isreg
loop: "{{ vault_extra_file_stat.results }}"
loop_control:
loop_var: item
delegate_to: localhost
- name: "Vault | Set list for directory sources"
vars:
_vault_dir_sources: []
ansible.builtin.set_fact:
_vault_dir_sources: "{{ _vault_dir_sources + [item.item] }}"
when: item.stat.isdir
loop: "{{ vault_extra_file_stat.results }}"
loop_control:
loop_var: item
delegate_to: localhost
- name: "Vault | Template extra file sources"
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ item.dest | regex_replace('\\.j2$', '') }}"
owner: "{{ vault_user }}"
group: "{{ vault_group }}"
mode: "0700"
loop: "{{ _vault_file_sources }}"
when: _vault_file_sources is defined
- name: "Vault | Template extra directory sources"
ansible.builtin.include_tasks: recursive_copy_extra_dirs.yml
loop: "{{ _vault_dir_sources }}"
loop_control:
loop_var: dir_source_item
when: _vault_dir_sources is defined

151
roles/vault/tasks/install.yml
View File

@ -1,151 +0,0 @@
---
# task/install file for hashicorp_vault
- name: "Vault | Get latest release of vault"
when: vault_version == 'latest'
block:
- name: "Vault | Get latest vault release from github api"
ansible.builtin.uri:
url: "{{ vault_github_api }}/hashicorp/vault/releases/latest"
return_content: true
register: _vault_latest_release
- name: "Vault | Set wanted vault version to latest tag"
ansible.builtin.set_fact:
_vault_wanted_version: "{{ _vault_latest_release.json['tag_name']|regex_replace('v', '') }}"
- name: "Vault | Set wanted vault version to {{ vault_version }}"
ansible.builtin.set_fact:
_vault_wanted_version: "{{ vault_version|regex_replace('v', '') }}"
when: vault_version != 'latest'
- name: "Vault | Get current vault version"
block:
- name: "Vault | Stat vault version file"
ansible.builtin.stat:
path: "{{ vault_config_dir }}/.version"
changed_when: false
check_mode: false
register: _vault_version_file
- name: "Vault | Get current vault version"
ansible.builtin.slurp:
src: "{{ _vault_version_file.stat.path }}"
when:
- _vault_version_file.stat.exists
- _vault_version_file.stat.isreg
register: _vault_current_version
- name: "Vault | Download and install vault binary"
when: _vault_current_version is not defined
or _vault_wanted_version != (_vault_current_version.content|default('')|b64decode)
block:
- name: "Vault | Set vault package name to download"
ansible.builtin.set_fact:
_vault_package_name: >-
vault_{{ _vault_wanted_version }}_linux_{{ vault_deb_architecture_map[ansible_architecture] }}.zip
_vault_shasum_file_name: >-
vault_{{ _vault_wanted_version }}_SHA256SUMS
- name: "Vault | Download checksum file for vault archive"
ansible.builtin.get_url:
url: "{{ vault_repository_url }}/{{ _vault_wanted_version }}/{{ _vault_shasum_file_name }}"
dest: "/tmp/{{ _vault_shasum_file_name }}"
mode: "0644"
register: _vault_checksum_file
until: _vault_checksum_file is succeeded
retries: 5
delay: 2
check_mode: false
- name: "Vault | Extract correct checksum from checksum file"
ansible.builtin.command:
cmd: 'grep "{{ _vault_package_name }}" /tmp/{{ _vault_shasum_file_name }}'
changed_when: false
register: _vault_expected_checksum_line
- name: "Vault | Parse the expected checksum"
ansible.builtin.set_fact:
_vault_expected_checksum: "{{ _vault_expected_checksum_line.stdout.split()[0] }}"
- name: "Vault | Download vault binary archive"
ansible.builtin.get_url:
url: "{{ vault_repository_url }}/{{ _vault_wanted_version }}/{{ _vault_package_name }}"
dest: "/tmp/{{ _vault_package_name }}"
mode: "0644"
checksum: "sha256:{{ _vault_expected_checksum }}"
register: _vault_binary_archive
until: _vault_binary_archive is succeeded
retries: 5
delay: 2
check_mode: false
- name: "Vault | Create temporary directory for archive decompression"
ansible.builtin.file:
path: /tmp/vault
state: directory
mode: "0755"
- name: "Vault | Unpack vault archive"
ansible.builtin.unarchive:
src: "/tmp/{{ _vault_package_name }}"
dest: "/tmp/vault"
owner: "{{ vault_user }}"
group: "{{ vault_group }}"
mode: "0755"
remote_src: true
- name: "Vault | Copy vault binary to {{ vault_binary_path }}"
ansible.builtin.copy:
src: /tmp/vault/vault
dest: "{{ vault_binary_path }}"
owner: root
group: root
mode: "0755"
remote_src: true
force: true
- name: "Vault | Update vault version file"
ansible.builtin.copy:
content: "{{ _vault_wanted_version }}"
dest: "{{ vault_config_dir }}/.version"
owner: "{{ vault_user }}"
group: "{{ vault_group }}"
mode: "0600"
- name: "Vault | Set restart-check variable"
ansible.builtin.set_fact:
_vault_service_need_restart: true
- name: "Vault | Cleanup temporary directory"
ansible.builtin.file:
path: "{{ item }}"
state: absent
loop:
- /tmp/vault
- /tmp/{{ _vault_package_name }}
- /tmp/{{ _vault_shasum_file_name }}
- name: "Vault | Copy systemd service file for vault"
ansible.builtin.template:
src: "vault.service.j2"
dest: "/etc/systemd/system/{{ vault_service_name }}.service"
owner: root
group: root
mode: "0644"
register: _vault_unit_file
- name: "Vault | Set reload-check & restart-check variable"
ansible.builtin.set_fact:
_vault_service_need_reload: true
_vault_service_need_restart: true
when: _vault_unit_file.changed # noqa: no-handler
- name: "Vault | Copy systemd service file for vault"
ansible.builtin.template:
src: "vault.service.j2"
dest: "/etc/systemd/system/vault.service"
owner: root
group: root
mode: "0644"
notify:
- "systemctl-daemon-reload"

43
roles/vault/tasks/main.yml
View File

@ -1,43 +0,0 @@
---
# task/main file for hashicorp_vault
- name: "Vault | Set reload-check & restart-check variable"
ansible.builtin.set_fact:
_vault_service_need_reload: false
_vault_service_need_restart: false
- name: "Vault | Import merge_variables.yml"
ansible.builtin.include_tasks: merge_variables.yml
- name: "Vault | Import prerequisites.yml"
ansible.builtin.include_tasks: prerequisites.yml
- name: "Vault | Import install.yml"
ansible.builtin.include_tasks: "install.yml"
- name: "Vault | Import configure.yml"
ansible.builtin.include_tasks: configure.yml
- name: "Vault | Populate service facts"
ansible.builtin.service_facts:
- name: "Vault | Set restart-check variable"
ansible.builtin.set_fact:
_vault_service_need_restart: true
when: ansible_facts.services[vault_service_name~'.service'].state != 'running'
- name: "Vault | Enable service: {{ vault_service_name }}"
ansible.builtin.service:
name: "{{ vault_service_name }}"
enabled: true
- name: "Vault | Reload systemd daemon"
ansible.builtin.systemd:
daemon_reload: true
when: _vault_service_need_reload
- name: "Vault | Start service: {{ vault_service_name }}"
ansible.builtin.service:
name: "{{ vault_service_name }}"
state: restarted
throttle: 1
when: _vault_service_need_restart

73
roles/vault/tasks/merge_variables.yml
View File

@ -1,73 +0,0 @@
---
# task/merge_variables file for hashicorp_vault
- name: "Vault | Merge listener configuration"
block:
- name: "Vault | Merge tls listener configuration"
vars:
_config_to_merge: "{{ vault_tls_listener_configuration }}"
ansible.builtin.set_fact:
vault_listener_configuration: "{{
vault_listener_configuration |
combine(_config_to_merge, recursive=true)
}}"
when: vault_enable_tls
- name: "Vault | Merge extra listener configuration"
vars:
_config_to_merge: "{{ vault_extra_listener_configuration }}"
ansible.builtin.set_fact:
vault_listener_configuration: "{{
vault_listener_configuration |
combine(_config_to_merge, recursive=true)
}}"
- name: "Vault | Add certificates directory to extra_files_dir"
ansible.builtin.set_fact:
vault_extra_files_list: "{{
vault_extra_files_list +
vault_certificates_extra_files_dir
| unique
| sort
}}"
- name: "Vault | Merge service registration configuration"
vars:
_config_to_merge:
service_registration: "{{ vault_service_registration_configuration }}"
ansible.builtin.set_fact:
vault_configuration: "{{
vault_configuration |
combine(_config_to_merge, recursive=true)
}}"
when: vault_enable_service_registration
- name: "Vault | Merge plugins configuration"
vars:
_config_to_merge:
plugin_directory: "{{ vault_plugins_directory }}"
ansible.builtin.set_fact:
vault_configuration: "{{
vault_configuration |
combine(_config_to_merge, recursive=true)
}}"
when: vault_enable_plugins
- name: "Vault | Merge logging configuration"
vars:
_config_to_merge: "{{ vault_log_to_file_configuration }}"
ansible.builtin.set_fact:
vault_configuration: "{{
vault_configuration |
combine(_config_to_merge, recursive=true)
}}"
when: vault_enable_log_to_file
- name: "Vault | Merge extra configuration settings"
vars:
_config_to_merge: "{{ vault_extra_configuration }}"
ansible.builtin.set_fact:
vault_configuration: "{{
vault_configuration |
combine(_config_to_merge, recursive=true)
}}"
when: vault_extra_configuration is defined

46
roles/vault/tasks/prerequisites.yml
View File

@ -1,46 +0,0 @@
---
# task/prerequisites file for hashicorp_vault
- name: "Vault | Create group {{ vault_group }}"
ansible.builtin.group:
name: "{{ vault_group }}"
state: present
- name: "Vault | Create user {{ vault_user }}"
ansible.builtin.user:
name: "{{ vault_user }}"
group: "{{ vault_group }}"
shell: /bin/false
state: present
- name: "Vault | Create directory {{ vault_config_dir }}"
ansible.builtin.file:
path: "{{ vault_config_dir }}"
state: directory
owner: "{{ vault_user }}"
group: "{{ vault_group }}"
mode: "0755"
- name: "Vault | Create directory {{ vault_data_dir}}"
ansible.builtin.file:
path: "{{ vault_data_dir }}"
state: directory
owner: "{{ vault_user }}"
group: "{{ vault_group }}"
mode: "0755"
- name: "Vault | Create directory {{ vault_certs_dir }}"
ansible.builtin.file:
path: "{{ vault_certs_dir }}"
state: directory
owner: "{{ vault_user }}"
group: "{{ vault_group }}"
mode: "0755"
- name: "Vault | Create directory {{ vault_logs_dir }}"
ansible.builtin.file:
path: "{{ vault_logs_dir }}"
state: directory
owner: "{{ vault_user }}"
group: "{{ vault_group }}"
mode: "0755"
when: vault_enable_log_to_file

26
roles/vault/tasks/recursive_copy_extra_dirs.yml
View File

@ -1,26 +0,0 @@
---
# task/recursive_copy_extra_dirs file for hashicorp_vault
- name: "Vault | Ensure destination directory exists"
ansible.builtin.file:
path: "{{ dir_source_item.dest }}"
recurse: true
state: directory
mode: "0775"
- name: "Vault | Create extra directory sources"
ansible.builtin.file:
path: "{{ dir_source_item.dest }}/{{ item.path }}"
state: directory
mode: "0775"
with_community.general.filetree: "{{ dir_source_item.src }}/"
when: item.state == 'directory'
- name: "Vault | Template extra directory sources"
ansible.builtin.template:
src: "{{ item.src }}"
dest: "{{ dir_source_item.dest }}/{{ item.path | regex_replace('\\.j2$', '') }}"
owner: "{{ vault_user }}"
group: "{{ vault_group }}"
mode: "0700"
with_community.general.filetree: "{{ dir_source_item.src }}/"
when: item.state == 'file'

4
roles/vault/templates/vault.env.j2
View File

@ -1,4 +0,0 @@
# {{ ansible_managed }}
{% for item in vault_env_variables %}
{{ item }}="{{ vault_env_variables[item] }}"
{% endfor %}

1
roles/vault/templates/vault.json.j2
View File

@ -1 +0,0 @@
{{ vault_configuration|to_nice_json }}

38
roles/vault/templates/vault.service.j2
View File

@ -1,38 +0,0 @@
[Unit]
Description="HashiCorp Vault - A tool for managing secrets"
Documentation=https://www.vaultproject.io/docs/
Requires=network-online.target
After=network-online.target
ConditionFileNotEmpty={{ vault_config_dir }}/vault.json
StartLimitIntervalSec=60
StartLimitBurst=3
{% if vault_configuration.storage.consul is defined or vault_configuration.service_registration.consul is defined %}
Wants=consul.service
After=consul.service
{% endif %}
[Service]
Type=notify
EnvironmentFile=-{{ vault_config_dir }}/vault.env
User={{ vault_user }}
Group={{ vault_group }}
ProtectSystem=full
ProtectHome=read-only
PrivateTmp=yes
PrivateDevices=yes
SecureBits=keep-caps
AmbientCapabilities=CAP_IPC_LOCK
CapabilityBoundingSet=CAP_SYSLOG CAP_IPC_LOCK
NoNewPrivileges=yes
ExecStart={{ vault_binary_path }} server -config={{ vault_config_dir }}
ExecReload=/bin/kill --signal HUP $MAINPID
KillMode=process
KillSignal=SIGINT
Restart=on-failure
RestartSec=5
TimeoutStopSec=30
LimitNOFILE=65536
LimitMEMLOCK=infinity
[Install]
WantedBy=multi-user.target

26
roles/vault/vars/main.yml
View File

@ -1,26 +0,0 @@
---
# vars file for hashicorp_vault
vault_user: "vault"
vault_group: "vault"
vault_binary_path: /usr/local/bin/vault
vault_deb_architecture_map:
x86_64: "amd64"
aarch64: "arm64"
armv7l: "arm"
armv6l: "arm"
vault_architecture: "{{ vault_deb_architecture_map[ansible_architecture] | default(ansible_architecture) }}"
vault_service_name: "vault"
vault_github_api: https://api.github.com/repos
vault_github_project: hashicorp/vault
vault_github_url: https://github.com
vault_repository_url: https://releases.hashicorp.com/vault
vault_configuration:
cluster_name: "{{ vault_cluster_name }}"
cluster_addr: "{{ 'https' if vault_enable_tls else 'http'}}://{{ vault_cluster_addr }}:8201"
api_addr: "{{ 'https' if vault_enable_tls else 'http'}}://{{ vault_cluster_addr }}:8200"
ui: "{{ vault_enable_ui }}"
disable_mlock: "{{ vault_disable_mlock }}"
disable_cache: "{{ vault_disable_cache }}"
listener: "{{ vault_listener_configuration }}"
storage: "{{ vault_storage_configuration }}"