2022-02-16 17:56:18 +00:00
|
|
|
---
|
2023-01-13 23:17:23 +00:00
|
|
|
- name: Update DNS for bootstrapping with non-Nomad host
|
2023-09-18 04:43:04 +00:00
|
|
|
hosts: nomad_instances
|
2023-01-13 23:17:23 +00:00
|
|
|
become: true
|
|
|
|
gather_facts: false
|
|
|
|
vars:
|
|
|
|
non_nomad_dns: 192.168.2.170
|
|
|
|
|
|
|
|
tasks:
|
|
|
|
- name: Add non-nomad bootstrap DNS
|
|
|
|
lineinfile:
|
|
|
|
dest: /etc/resolv.conf
|
|
|
|
create: true
|
|
|
|
line: "nameserver {{ non_nomad_dns }}"
|
|
|
|
|
2022-10-27 21:28:34 +00:00
|
|
|
- name: Install Docker
|
|
|
|
hosts: nomad_instances
|
|
|
|
become: true
|
|
|
|
vars:
|
|
|
|
docker_architecture_map:
|
|
|
|
x86_64: amd64
|
|
|
|
armv7l: armhf
|
|
|
|
aarch64: arm64
|
|
|
|
docker_apt_arch: "{{ docker_architecture_map[ansible_architecture] }}"
|
|
|
|
docker_compose_arch: "{{ (ansible_architecture == 'armv7l') | ternary('armv7', ansible_architecture) }}"
|
|
|
|
roles:
|
|
|
|
- geerlingguy.docker
|
|
|
|
|
|
|
|
tasks:
|
|
|
|
- name: Remove snapd
|
|
|
|
package:
|
|
|
|
name: snapd
|
|
|
|
state: absent
|
|
|
|
|
2022-03-12 18:07:52 +00:00
|
|
|
# Not on Ubuntu 20.04
|
|
|
|
# - name: Install Podman
|
|
|
|
# hosts: nomad_instances
|
|
|
|
# become: true
|
|
|
|
#
|
|
|
|
# tasks:
|
|
|
|
# - name: Install Podman
|
|
|
|
# package:
|
|
|
|
# name: podman
|
|
|
|
# state: present
|
|
|
|
|
2022-04-05 05:20:19 +00:00
|
|
|
- name: Create NFS mounts
|
|
|
|
hosts: nomad_instances
|
|
|
|
become: true
|
2023-01-13 23:17:03 +00:00
|
|
|
vars:
|
2023-02-14 21:31:04 +00:00
|
|
|
shared_nfs_mounts:
|
|
|
|
- src: 192.168.2.10:/Media
|
|
|
|
path: /srv/volumes/media-read
|
|
|
|
opts: proto=tcp,port=2049,ro
|
|
|
|
|
|
|
|
- src: 192.168.2.10:/Media
|
|
|
|
path: /srv/volumes/media-write
|
|
|
|
opts: proto=tcp,port=2049,rw
|
|
|
|
|
|
|
|
- src: 192.168.2.10:/Photos
|
|
|
|
path: /srv/volumes/photos
|
|
|
|
opts: proto=tcp,port=2049,rw
|
2022-04-05 05:20:19 +00:00
|
|
|
|
2023-02-28 20:16:49 +00:00
|
|
|
- src: 192.168.2.10:/Container
|
|
|
|
path: /srv/volumes/nas-container
|
|
|
|
opts: proto=tcp,port=2049,rw
|
|
|
|
|
2022-04-05 05:20:19 +00:00
|
|
|
tasks:
|
|
|
|
- name: Install nfs
|
|
|
|
package:
|
|
|
|
name: nfs-common
|
|
|
|
state: present
|
|
|
|
|
2023-01-13 23:17:03 +00:00
|
|
|
- name: Mount NFS volumes
|
2022-08-30 22:14:55 +00:00
|
|
|
ansible.posix.mount:
|
2023-01-13 23:17:03 +00:00
|
|
|
src: "{{ item.src }}"
|
|
|
|
path: "{{ item.path }}"
|
|
|
|
opts: "{{ item.opts }}"
|
2022-08-30 22:14:55 +00:00
|
|
|
state: mounted
|
|
|
|
fstype: nfs4
|
2023-01-13 23:17:03 +00:00
|
|
|
loop: "{{ shared_nfs_mounts + (nfs_mounts | default([])) }}"
|
2022-08-30 22:14:55 +00:00
|
|
|
|
2023-03-24 05:08:20 +00:00
|
|
|
- import_playbook: wesher.yml
|
|
|
|
|
2022-02-17 22:03:42 +00:00
|
|
|
- name: Build Nomad cluster
|
2022-02-16 17:56:18 +00:00
|
|
|
hosts: nomad_instances
|
|
|
|
any_errors_fatal: true
|
|
|
|
become: true
|
|
|
|
|
2022-04-05 05:20:19 +00:00
|
|
|
vars:
|
2023-02-14 21:31:04 +00:00
|
|
|
shared_host_volumes:
|
|
|
|
- name: media-read
|
|
|
|
path: /srv/volumes/media-write
|
|
|
|
read_only: true
|
|
|
|
- name: media-write
|
|
|
|
path: /srv/volumes/media-write
|
|
|
|
owner: "root"
|
|
|
|
group: "root"
|
|
|
|
mode: "0755"
|
|
|
|
read_only: false
|
|
|
|
- name: media-downloads
|
|
|
|
path: /srv/volumes/media-write/Downloads
|
|
|
|
read_only: false
|
2023-02-27 19:43:07 +00:00
|
|
|
- name: sabnzbd-config
|
|
|
|
path: /srv/volumes/media-write/Downloads/sabnzbd
|
|
|
|
read_only: false
|
2023-02-14 21:31:04 +00:00
|
|
|
- name: photoprism-media
|
|
|
|
path: /srv/volumes/photos/Photoprism
|
|
|
|
read_only: false
|
2023-02-28 20:16:49 +00:00
|
|
|
- name: photoprism-storage
|
|
|
|
path: /srv/volumes/nas-container/photoprism
|
|
|
|
read_only: false
|
|
|
|
- name: nzbget-config
|
|
|
|
path: /srv/volumes/nas-container/nzbget
|
|
|
|
read_only: false
|
2023-07-25 18:05:23 +00:00
|
|
|
- name: lidarr-config
|
|
|
|
path: /srv/volumes/nas-container/lidarr
|
|
|
|
read_only: false
|
2023-08-21 17:54:57 +00:00
|
|
|
- name: bazarr-config
|
|
|
|
path: /srv/volumes/nas-container/bazarr
|
|
|
|
read_only: false
|
2023-07-19 16:28:08 +00:00
|
|
|
- name: gitea-data
|
|
|
|
path: /srv/volumes/nas-container/gitea
|
|
|
|
read_only: false
|
2023-02-14 21:31:04 +00:00
|
|
|
- name: all-volumes
|
|
|
|
path: /srv/volumes
|
|
|
|
owner: "root"
|
|
|
|
group: "root"
|
|
|
|
mode: "0755"
|
|
|
|
read_only: false
|
2022-04-05 05:20:19 +00:00
|
|
|
|
2022-02-16 17:56:18 +00:00
|
|
|
roles:
|
|
|
|
- name: ansible-nomad
|
2022-03-12 18:07:52 +00:00
|
|
|
vars:
|
2023-10-19 19:05:52 +00:00
|
|
|
nomad_version: "1.6.2-1"
|
2022-03-12 18:07:52 +00:00
|
|
|
nomad_install_upgrade: true
|
|
|
|
nomad_allow_purge_config: true
|
|
|
|
|
2022-07-22 02:04:44 +00:00
|
|
|
# Where nomad gets installed to
|
|
|
|
nomad_bin_dir: /usr/bin
|
|
|
|
nomad_install_from_repo: true
|
2022-06-23 16:51:21 +00:00
|
|
|
|
2022-10-27 21:28:34 +00:00
|
|
|
nomad_bootstrap_expect: "{{ [(play_hosts | length), 3] | min }}"
|
|
|
|
nomad_raft_protocol: 3
|
2022-05-25 03:11:18 +00:00
|
|
|
nomad_autopilot: true
|
2022-03-12 18:07:52 +00:00
|
|
|
nomad_encrypt_enable: true
|
|
|
|
# nomad_use_consul: true
|
|
|
|
|
|
|
|
# Metrics
|
|
|
|
nomad_telemetry: true
|
|
|
|
nomad_telemetry_prometheus_metrics: true
|
|
|
|
nomad_telemetry_publish_allocation_metrics: true
|
|
|
|
nomad_telemetry_publish_node_metrics: true
|
|
|
|
|
|
|
|
# Enable container plugins
|
|
|
|
nomad_cni_enable: true
|
2023-05-03 04:29:27 +00:00
|
|
|
nomad_cni_version: 1.0.1
|
2022-03-12 18:07:52 +00:00
|
|
|
nomad_docker_enable: true
|
|
|
|
nomad_docker_dmsetup: false
|
|
|
|
# nomad_podman_enable: true
|
|
|
|
|
2022-07-22 02:04:44 +00:00
|
|
|
# Merge shared host volumes with node volumes
|
2022-04-05 05:20:19 +00:00
|
|
|
nomad_host_volumes: "{{ shared_host_volumes + (nomad_unique_host_volumes | default([])) }}"
|
|
|
|
|
2022-03-12 18:07:52 +00:00
|
|
|
# Customize docker plugin
|
|
|
|
nomad_plugins:
|
|
|
|
docker:
|
|
|
|
config:
|
2022-06-17 22:19:19 +00:00
|
|
|
allow_privileged: true
|
2023-02-28 20:17:28 +00:00
|
|
|
gc:
|
|
|
|
image_delay: "24h"
|
2022-03-12 18:07:52 +00:00
|
|
|
volumes:
|
|
|
|
enabled: true
|
|
|
|
selinuxlabel: "z"
|
2022-11-10 18:19:51 +00:00
|
|
|
# Send logs to journald so we can scrape them for Loki
|
2022-11-21 00:24:00 +00:00
|
|
|
# logging:
|
|
|
|
# type: journald
|
2022-03-12 18:07:52 +00:00
|
|
|
extra_labels:
|
|
|
|
- "job_name"
|
|
|
|
- "job_id"
|
|
|
|
- "task_group_name"
|
|
|
|
- "task_name"
|
|
|
|
- "namespace"
|
|
|
|
- "node_name"
|
|
|
|
- "node_id"
|
|
|
|
|
|
|
|
# Bind nomad
|
|
|
|
nomad_bind_address: 0.0.0.0
|
|
|
|
|
2022-03-14 22:59:07 +00:00
|
|
|
# Default interface for binding tasks
|
2023-01-13 23:17:38 +00:00
|
|
|
nomad_network_interface: eth0
|
2022-03-14 22:59:07 +00:00
|
|
|
|
2022-03-12 18:07:52 +00:00
|
|
|
# Create networks for binding task ports
|
|
|
|
nomad_host_networks:
|
|
|
|
- name: loopback
|
|
|
|
interface: lo
|
|
|
|
reserved_ports: "22"
|
2023-03-24 05:08:20 +00:00
|
|
|
- name: wesher
|
2023-03-25 05:22:11 +00:00
|
|
|
interface: wgoverlay
|
2023-03-24 05:08:20 +00:00
|
|
|
reserved_ports: "22"
|
2022-03-12 18:07:52 +00:00
|
|
|
|
2022-03-22 03:13:13 +00:00
|
|
|
# Enable ACLs
|
|
|
|
nomad_acl_enabled: true
|
|
|
|
|
2022-03-12 18:07:52 +00:00
|
|
|
nomad_config_custom:
|
|
|
|
ui:
|
|
|
|
enabled: true
|
2022-03-03 17:37:49 +00:00
|
|
|
|
2022-09-28 04:28:02 +00:00
|
|
|
- name: Bootstrap Nomad ACLs and scheduler
|
|
|
|
hosts: nomad_instances
|
|
|
|
|
2022-02-27 22:49:00 +00:00
|
|
|
tasks:
|
|
|
|
- name: Start Nomad
|
|
|
|
systemd:
|
|
|
|
state: started
|
|
|
|
name: nomad
|
2022-03-22 04:26:04 +00:00
|
|
|
|
2022-09-07 18:11:10 +00:00
|
|
|
- name: Nomad API reachable?
|
|
|
|
uri:
|
|
|
|
url: "http://127.0.0.1:4646/v1/status/leader"
|
|
|
|
method: GET
|
|
|
|
status_code: 200
|
|
|
|
register: nomad_check_result
|
2023-02-28 20:17:45 +00:00
|
|
|
retries: 8
|
2022-09-07 18:11:10 +00:00
|
|
|
until: nomad_check_result is succeeded
|
2023-02-28 20:17:45 +00:00
|
|
|
delay: 15
|
2022-09-07 18:11:10 +00:00
|
|
|
changed_when: false
|
|
|
|
run_once: true
|
|
|
|
|
2022-03-22 04:26:04 +00:00
|
|
|
- name: Bootstrap ACLs
|
|
|
|
command:
|
|
|
|
argv:
|
|
|
|
- "nomad"
|
|
|
|
- "acl"
|
|
|
|
- "bootstrap"
|
|
|
|
- "-json"
|
|
|
|
run_once: true
|
|
|
|
ignore_errors: true
|
|
|
|
register: bootstrap_result
|
|
|
|
|
|
|
|
- name: Save bootstrap result
|
|
|
|
copy:
|
|
|
|
content: "{{ bootstrap_result.stdout }}"
|
2022-11-02 21:20:09 +00:00
|
|
|
dest: "../nomad_bootstrap.json"
|
2022-03-22 04:26:04 +00:00
|
|
|
when: bootstrap_result is succeeded
|
|
|
|
delegate_to: localhost
|
|
|
|
run_once: true
|
|
|
|
|
|
|
|
- name: Read secret
|
|
|
|
command:
|
|
|
|
argv:
|
|
|
|
- jq
|
|
|
|
- -r
|
|
|
|
- .SecretID
|
2022-11-02 21:20:09 +00:00
|
|
|
- ../nomad_bootstrap.json
|
2022-03-22 04:26:04 +00:00
|
|
|
delegate_to: localhost
|
|
|
|
run_once: true
|
2022-04-15 19:12:28 +00:00
|
|
|
no_log: true
|
2022-06-28 19:10:18 +00:00
|
|
|
changed_when: false
|
2022-03-22 04:26:04 +00:00
|
|
|
register: read_secretid
|
|
|
|
|
2022-08-30 22:15:29 +00:00
|
|
|
- name: Look for policy
|
|
|
|
command:
|
|
|
|
argv:
|
|
|
|
- nomad
|
|
|
|
- acl
|
|
|
|
- policy
|
|
|
|
- list
|
|
|
|
environment:
|
|
|
|
NOMAD_TOKEN: "{{ read_secretid.stdout }}"
|
|
|
|
run_once: true
|
|
|
|
register: policies
|
|
|
|
|
2022-03-22 04:26:04 +00:00
|
|
|
- name: Copy policy
|
|
|
|
copy:
|
2022-11-02 21:20:09 +00:00
|
|
|
src: ../acls/nomad-anon-policy.hcl
|
2022-03-22 04:26:04 +00:00
|
|
|
dest: /tmp/anonymous.policy.hcl
|
|
|
|
run_once: true
|
2023-03-25 04:12:02 +00:00
|
|
|
register: anon_policy
|
2022-03-22 04:26:04 +00:00
|
|
|
|
|
|
|
- name: Create anon-policy
|
|
|
|
command:
|
|
|
|
argv:
|
|
|
|
- nomad
|
|
|
|
- acl
|
|
|
|
- policy
|
|
|
|
- apply
|
2022-08-23 17:31:03 +00:00
|
|
|
- -description="Anon read only"
|
2022-03-22 04:26:04 +00:00
|
|
|
- anonymous
|
|
|
|
- /tmp/anonymous.policy.hcl
|
|
|
|
environment:
|
|
|
|
NOMAD_TOKEN: "{{ read_secretid.stdout }}"
|
|
|
|
when: policies.stdout == "No policies found" or anon_policy.changed
|
|
|
|
delegate_to: "{{ play_hosts[0] }}"
|
|
|
|
run_once: true
|
2022-07-25 17:51:34 +00:00
|
|
|
|
2022-11-21 00:24:00 +00:00
|
|
|
- name: Enable service scheduler preemption
|
|
|
|
command:
|
|
|
|
argv:
|
|
|
|
- nomad
|
|
|
|
- operator
|
|
|
|
- scheduler
|
|
|
|
- set-config
|
|
|
|
- -preempt-system-scheduler=true
|
|
|
|
- -preempt-service-scheduler=true
|
|
|
|
environment:
|
|
|
|
NOMAD_TOKEN: "{{ read_secretid.stdout }}"
|
|
|
|
delegate_to: "{{ play_hosts[0] }}"
|
2022-07-25 17:51:34 +00:00
|
|
|
run_once: true
|
2022-11-21 00:24:00 +00:00
|
|
|
|
|
|
|
# - name: Set up Nomad backend and roles in Vault
|
|
|
|
# community.general.terraform:
|
|
|
|
# project_path: ../acls
|
|
|
|
# force_init: true
|
|
|
|
# variables:
|
|
|
|
# consul_address: "{{ play_hosts[0] }}:8500"
|
|
|
|
# vault_token: "{{ root_token }}"
|
|
|
|
# nomad_secret_id: "{{ read_secretid.stdout }}"
|
|
|
|
# delegate_to: localhost
|
|
|
|
# run_once: true
|
|
|
|
# notify:
|
|
|
|
# - Restart Nomad
|
2022-09-28 04:28:02 +00:00
|
|
|
|
|
|
|
handlers:
|
|
|
|
- name: Restart Nomad
|
|
|
|
systemd:
|
|
|
|
state: restarted
|
|
|
|
name: nomad
|
2022-10-27 21:28:34 +00:00
|
|
|
retries: 6
|
|
|
|
delay: 5
|