docs/extra_configuration.md

@@ -0,0 +1 @@
+# Adding extra configuration options

docs/haproxy_servers.md

@@ -35,7 +35,7 @@ Note that not all versions of haproxy are available as a package on all supporte
 deployment_method: "docker"
 ```
 
-### General Settings
+### General settings
 
 There aren't many settings that you can configure to deploy the HAProxy frontends. First you'll need to configure a Virtual IP, and pass it in the `globals.yml` configuration file.
 

docs/nomad_clusters.md

@@ -0,0 +1,82 @@
+# Deploying a Nomad cluster
+
+This documentation explains each steps necessary to successfully deploy a Nomad cluster using the ednz_cloud.hashistack ansible collection.
+
+## Prerequisites
+
+You should, before attempting any deployment, have read through the [Quick Start Guide](./quick_start.md). These steps are necessary in order to ensure smooth operations going forward.
+
+## Variables
+
+### Basics
+
+First, in order to deploy a nomad cluster, you need to enable it.
+
+```yaml
+enable_nomad: "yes"
+```
+
+Selecting the nomad version to install is done with the `nomad_version` variable.
+
+```yaml
+nomad_version: latest
+```
+
+The vault version can either be `latest` or `X.Y.Z`.
+
+For production deployment, it is recommended to use the `X.Y.Z` syntax.
+
+### General settings
+
+First, you can change some general settings for nomad, like the dc and region options.
+
+```yaml
+nomad_datacenter: dc1
+nomad_region: global
+```
+
+### ACLs settings
+
+By default, ACLs are enabled on nomad, and automatically bootstrapped.
+You can change this by editing the `nomad_acl_configuration` variable:
+
+```yaml
+nomad_acl_configuration:
+  enabled: true
+  token_ttl: 30s
+  policy_ttl: 60s
+  role_ttl: 60s
+```
+
+### Consul integration settings
+
+By default, if consul if also enabled, nomad will use it to register itself as a consul service and also use consul to automatically join the cluster.
+
+```yaml
+nomad_enable_consul_integration: "{{ enable_consul | bool }}"
+nomad_consul_integration_configuration:
+  address: "127.0.0.1:{{ hashicorp_consul_configuration.ports.https if consul_enable_tls else hashicorp_consul_configuration.ports.http }}"
+  auto_advertise: true
+  ssl: "{{ consul_enable_tls | bool }}"
+  token: "{{ _credentials.consul.tokens.nomad.server.secret_id if nomad_enable_server else _credentials.consul.tokens.nomad.client.secret_id}}"
+  tags: []
+```
+
+Optionally, you can add tags to you nomad services, or disable the consul integration if you don't plan on using it.
+
+### Vault integration settings
+
+Vault integration for nomad is by default disabled, as it requires some vault configuration that is out of the scope of this collection.
+
+You can, once you have deployed and configured vault (or if you are using an external vault not managed by the collection), enable the integration
+
+```yaml
+nomad_enable_vault_integration: false
+nomad_vault_integration_configuration: {}
+```
+
+For configuration options, please refer to the [Official Documentation](https://developer.hashicorp.com/nomad/docs/configuration/vault)
+
+### Drivers settings
+
+### Internal TLS

docs/quick_start.md

@@ -111,3 +111,5 @@ ansible-galaxy install -r ./collections/ansible_collections/ednz_cloud/hashistac
 This will install roles that are not packaged with the collection, but are still required in order to run the playbooks.
 
 You should now have some roles inside `./roles/`.
+
+## Generate Credentials

docs/tls_guide.md

@@ -0,0 +1 @@
+# TLS Guide

docs/vault_clusters.md

@@ -26,15 +26,7 @@ The vault version can either be `latest` or `X.Y.Z`.
 
 For production deployment, it is recommended to use the `X.Y.Z` syntax.
 
-The `deployment_method` variable will define how to install vault on the nodes.
+### General settings
-
-By default, it runs vault inside a docker container, but this can be changed to `host` to install vault from the package manager.
-
-```yaml
-deployment_method: "docker"
-```
-
-### General Settings
 
 First, you can change some general settings for vault.
 
@@ -46,7 +38,7 @@ vault_seal_configuration:
   key_threshold: 2
 ```
 
-### Storage Settings
+### Storage settings
 
 The storage configuration for vault can be edited as well. By default, vault will be configured to setup `raft` storage between all declared vault servers (in the `vault_servers` group).
 
@@ -79,9 +71,9 @@ vault_storage_configuration:
     database: "vault"
 ```
 
-### Listener Settings
+### Listener settings
 
-#### TCP Listeners
+#### TCP listeners
 
 By default, TLS is **disabled** for vault. This goes against the Hashicorp recommendations on the matter, but there is no simple way to force the use of TLS (yet), without adding a lot of complexity to the deployment.
 

playbooks/tasks/consul/consul_deploy.yml

@@ -6,16 +6,24 @@
         name: ednz_cloud.hashicorp_consul
 
     - name: "Wait for consul cluster to initialize" # noqa: run-once[task]
-      ansible.builtin.uri:
+      block:
-        url: "{{ consul_api_addr }}"
+        - name: "Wait for consul nodes to stabilize"
-        validate_certs: no
+          ansible.builtin.wait_for:
-        return_content: yes
+            host: "{{ api_interface_address }}"
-        status_code:
+            port: "{{ consul_api_port[consul_api_scheme] }}"
-          - 200
+            delay: 10
-      until: uri_output.status == 200
+
-      retries: 24
+        - name: "Waiting for consul api to respond"
-      delay: 5
+          ansible.builtin.uri:
-      register: uri_output
+            url: "{{ consul_api_addr }}"
+            validate_certs: no
+            return_content: yes
+            status_code:
+              - 200
+          until: uri_output.status == 200
+          retries: 24
+          delay: 5
+          register: uri_output
 
     - name: "Initialize consul cluster" # noqa: run-once[task]
       community.general.consul_acl_bootstrap: