homelab-nomad/ansible_playbooks/setup-cluster.yml

---
- name: Update DNS for bootstrapping with non-Nomad host
  hosts: nomad_instances
  become: true
  gather_facts: false
  vars:
    non_nomad_dns: 192.168.2.170

  tasks:
    - name: Add non-nomad bootstrap DNS
      lineinfile:
        dest: /etc/resolv.conf
        create: true
        line: "nameserver {{ non_nomad_dns }}"

- name: Install Docker
  hosts: nomad_clients
  become: true
  vars:
    docker_architecture_map:
      x86_64: amd64
      armv7l: armhf
      aarch64: arm64
    docker_apt_arch: "{{ docker_architecture_map[ansible_architecture] }}"
    docker_compose_arch: "{{ (ansible_architecture == 'armv7l') | ternary('armv7', ansible_architecture) }}"
  roles:
    - geerlingguy.docker

  tasks:
    - name: Remove snapd
      package:
        name: snapd
        state: absent

# Not on Ubuntu 20.04
# - name: Install Podman
#   hosts: nomad_instances
#   become: true
#
#   tasks:
#     - name: Install Podman
#       package:
#         name: podman
#         state: present

- name: Create NFS mounts
  hosts: nomad_clients
  become: true
  vars:
    shared_nfs_mounts:
      - src: 192.168.2.10:/Media
        path: /srv/volumes/media-read
        opts: proto=tcp,port=2049,ro

      - src: 192.168.2.10:/Media
        path: /srv/volumes/media-write
        opts: proto=tcp,port=2049,rw

      - src: 192.168.2.10:/Overflow
        path: /srv/volumes/nas-overflow
        opts: proto=tcp,port=2049,rw

      - src: 192.168.2.10:/Photos
        path: /srv/volumes/photos
        opts: proto=tcp,port=2049,rw

      - src: 192.168.2.10:/Container
        path: /srv/volumes/nas-container
        opts: proto=tcp,port=2049,rw

  tasks:
    - name: Install nfs
      package:
        name: nfs-common
        state: present

    - name: Mount NFS volumes
      ansible.posix.mount:
        src: "{{ item.src }}"
        path: "{{ item.path }}"
        opts: "{{ item.opts }}"
        state: mounted
        fstype: nfs4
      loop: "{{ shared_nfs_mounts + (nfs_mounts | default([])) }}"

- import_playbook: wesher.yml

- name: Build Nomad cluster
  hosts: nomad_instances
  any_errors_fatal: true
  become: true

  vars:
    shared_host_volumes:
      - name: media-read
        path: /srv/volumes/media-write
        read_only: true
      - name: media-write
        path: /srv/volumes/media-write
        owner: "root"
        group: "root"
        mode: "0755"
        read_only: false
      - name: media-overflow-write
        path: /srv/volumes/nas-overflow/Media
        owner: "root"
        group: "root"
        mode: "0755"
        read_only: false
      - name: media-downloads
        path: /srv/volumes/media-write/Downloads
        read_only: false
      - name: sabnzbd-config
        path: /srv/volumes/media-write/Downloads/sabnzbd
        read_only: false
      - name: photoprism-media
        path: /srv/volumes/photos/Photoprism
        read_only: false
      - name: photoprism-storage
        path: /srv/volumes/nas-container/photoprism
        read_only: false
      - name: nzbget-config
        path: /srv/volumes/nas-container/nzbget
        read_only: false
      - name: sonarr-config
        path: /srv/volumes/nas-container/sonarr
        read_only: false
      - name: lidarr-config
        path: /srv/volumes/nas-container/lidarr
        read_only: false
      - name: radarr-config
        path: /srv/volumes/nas-container/radarr
        read_only: false
      - name: bazarr-config
        path: /srv/volumes/nas-container/bazarr
        read_only: false
      - name: gitea-data
        path: /srv/volumes/nas-container/gitea
        read_only: false
      - name: ytdl-web
        path: /srv/volumes/nas-container/ytdl-web
        read_only: false
      - name: christmas-community
        path: /srv/volumes/nas-container/christmas-community
        read_only: false
      - name: all-volumes
        path: /srv/volumes
        owner: "root"
        group: "root"
        mode: "0755"
        read_only: false

  roles:
    - name: ansible-nomad
      vars:
        nomad_version: "1.9.6-1"
        nomad_install_upgrade: true
        nomad_allow_purge_config: true
        nomad_node_role: "{% if 'nomad_clients' in group_names %}{% if 'nomad_servers' in group_names %}both{% else %}client{% endif %}{% else %}server{% endif %}"

        # Where nomad gets installed to
        nomad_bin_dir: /usr/bin
        nomad_install_from_repo: true

        nomad_bootstrap_expect: "{{ [(play_hosts | length), 3] | min }}"
        nomad_raft_protocol: 3
        nomad_autopilot: true
        nomad_encrypt_enable: true
        # nomad_use_consul: true

        # Metrics
        nomad_telemetry: true
        nomad_telemetry_prometheus_metrics: true
        nomad_telemetry_publish_allocation_metrics: true
        nomad_telemetry_publish_node_metrics: true

        # Enable container plugins
        nomad_cni_enable: true
        nomad_cni_version: 1.0.1
        nomad_docker_enable: true
        nomad_docker_dmsetup: false
        # nomad_podman_enable: true

        # Merge shared host volumes with node volumes
        nomad_host_volumes: "{{ shared_host_volumes + (nomad_unique_host_volumes | default([])) }}"

        # Customize docker plugin
        nomad_plugins:
          docker:
            config:
              allow_privileged: true
              gc:
                image_delay: "24h"
              volumes:
                enabled: true
                selinuxlabel: "z"
              # Send logs to journald so we can scrape them for Loki
              # logging:
              #   type: journald
              extra_labels:
                - "job_name"
                - "job_id"
                - "task_group_name"
                - "task_name"
                - "namespace"
                - "node_name"
                - "node_id"

        # Bind nomad
        nomad_bind_address: 0.0.0.0

        # Default interface for binding tasks
        # This is now set at the inventory level
        # nomad_network_interface: eth0

        # Create networks for binding task ports
        nomad_host_networks:
          - name: loopback
            interface: lo
            reserved_ports: "22"
          - name: wesher
            interface: wgoverlay
            reserved_ports: "22"

        # Enable ACLs
        nomad_acl_enabled: true

        nomad_config_custom:
          ui:
            enabled: true

- name: Bootstrap Nomad ACLs and scheduler
  hosts: nomad_servers

  tasks:
    - name: Start Nomad
      systemd:
        state: started
        name: nomad

    - name: Nomad API reachable?
      uri:
        url: "http://127.0.0.1:4646/v1/status/leader"
        method: GET
        status_code: 200
      register: nomad_check_result
      retries: 8
      until: nomad_check_result is succeeded
      delay: 15
      changed_when: false
      run_once: true

    - name: Bootstrap ACLs
      command:
        argv:
          - "nomad"
          - "acl"
          - "bootstrap"
          - "-json"
      run_once: true
      ignore_errors: true
      register: bootstrap_result
      changed_when: bootstrap_result is succeeded

    - name: Save bootstrap result
      copy:
        content: "{{ bootstrap_result.stdout }}"
        dest: "../nomad_bootstrap.json"
      when: bootstrap_result is succeeded
      delegate_to: localhost
      run_once: true

    - name: Read secret
      command:
        argv:
          - jq
          - -r
          - .SecretID
          - ../nomad_bootstrap.json
      delegate_to: localhost
      run_once: true
      no_log: true
      changed_when: false
      register: read_secretid

    - name: Look for policy
      command:
        argv:
          - nomad
          - acl
          - policy
          - list
      environment:
        NOMAD_TOKEN: "{{ read_secretid.stdout }}"
      register: policies
      run_once: true
      changed_when: false

    - name: Copy policy
      copy:
        src: ../acls/nomad-anon-policy.hcl
        dest: /tmp/anonymous.policy.hcl
      delegate_to: "{{ play_hosts[0] }}"
      run_once: true
      register: anon_policy

    - name: Create anon-policy
      command:
        argv:
          - nomad
          - acl
          - policy
          - apply
          - -description=Anon read only
          - anonymous
          - /tmp/anonymous.policy.hcl
      environment:
        NOMAD_TOKEN: "{{ read_secretid.stdout }}"
      when: policies.stdout == "No policies found" or anon_policy.changed
      delegate_to: "{{ play_hosts[0] }}"
      run_once: true

    - name: Read scheduler config
      command:
        argv:
          - nomad
          - operator
          - scheduler
          - get-config
          - -json
      run_once: true
      register: scheduler_config
      changed_when: false

    - name: Enable service scheduler preemption
      command:
        argv:
          - nomad
          - operator
          - scheduler
          - set-config
          - -preempt-service-scheduler=true
      environment:
        NOMAD_TOKEN: "{{ read_secretid.stdout }}"
      run_once: true
      when: (scheduler_config.stdout | from_json)["SchedulerConfig"]["PreemptionConfig"]["ServiceSchedulerEnabled"] is false

    - name: Enable system scheduler preemption
      command:
        argv:
          - nomad
          - operator
          - scheduler
          - set-config
          - -preempt-system-scheduler=true
      environment:
        NOMAD_TOKEN: "{{ read_secretid.stdout }}"
      run_once: true
      when: (scheduler_config.stdout | from_json)["SchedulerConfig"]["PreemptionConfig"]["SystemSchedulerEnabled"] is false

    # - name: Set up Nomad backend and roles in Vault
    #   community.general.terraform:
    #     project_path: ../acls
    #     force_init: true
    #     variables:
    #       consul_address: "{{ play_hosts[0] }}:8500"
    #       vault_token: "{{ root_token }}"
    #       nomad_secret_id: "{{ read_secretid.stdout }}"
    #   delegate_to: localhost
    #   run_once: true
    #   notify:
    #     - Restart Nomad

  handlers:
    - name: Restart Nomad
      systemd:
        state: restarted
        name: nomad
      retries: 6
      delay: 5
Add some basic Nomad and k8s tests 2022-02-16 09:56:18 -08:00			`---`
Make sure there's a working DNS server when bootstrapping 2023-01-13 15:17:23 -08:00			`- name: Update DNS for bootstrapping with non-Nomad host`
Remove old Consul and Vault references 2023-09-17 21:43:04 -07:00			`hosts: nomad_instances`
Make sure there's a working DNS server when bootstrapping 2023-01-13 15:17:23 -08:00			`become: true`
			`gather_facts: false`
			`vars:`
			`non_nomad_dns: 192.168.2.170`

			`tasks:`
			`- name: Add non-nomad bootstrap DNS`
			`lineinfile:`
			`dest: /etc/resolv.conf`
			`create: true`
			`line: "nameserver {{ non_nomad_dns }}"`

Big refactor to split core and services for better ordering 2022-10-27 14:28:34 -07:00			`- name: Install Docker`
Update Ansible inventory to split node roles Splits servers and clients to their own groups so that plays can target specific roles. Prior, everything was "both", but i want to and another server for recovery purposes but not host containers on it. 2024-04-27 20:10:23 -07:00			`hosts: nomad_clients`
Big refactor to split core and services for better ordering 2022-10-27 14:28:34 -07:00			`become: true`
			`vars:`
			`docker_architecture_map:`
			`x86_64: amd64`
			`armv7l: armhf`
			`aarch64: arm64`
			`docker_apt_arch: "{{ docker_architecture_map[ansible_architecture] }}"`
			`docker_compose_arch: "{{ (ansible_architecture == 'armv7l') \| ternary('armv7', ansible_architecture) }}"`
			`roles:`
			`- geerlingguy.docker`

			`tasks:`
			`- name: Remove snapd`
			`package:`
			`name: snapd`
			`state: absent`

Update hosts improve bootstrap and move a few things around 2022-03-12 10:07:52 -08:00			`# Not on Ubuntu 20.04`
			`# - name: Install Podman`
			`# hosts: nomad_instances`
			`# become: true`
			`#`
			`# tasks:`
			`# - name: Install Podman`
			`# package:`
			`# name: podman`
			`# state: present`

Create a lot more host volumes Some are NFS volumes and present on all devices 2022-04-04 22:20:19 -07:00			`- name: Create NFS mounts`
Update Ansible inventory to split node roles Splits servers and clients to their own groups so that plays can target specific roles. Prior, everything was "both", but i want to and another server for recovery purposes but not host containers on it. 2024-04-27 20:10:23 -07:00			`hosts: nomad_clients`
Create a lot more host volumes Some are NFS volumes and present on all devices 2022-04-04 22:20:19 -07:00			`become: true`
Add more flexible nfs mount definitions Also commenting out NAS since it's down 2023-01-13 15:17:03 -08:00			`vars:`
Use new NAS paths 2023-02-14 13:31:04 -08:00			`shared_nfs_mounts:`
			`- src: 192.168.2.10:/Media`
			`path: /srv/volumes/media-read`
			`opts: proto=tcp,port=2049,ro`

			`- src: 192.168.2.10:/Media`
			`path: /srv/volumes/media-write`
			`opts: proto=tcp,port=2049,rw`

Add overflow volume for some TV 2024-08-21 19:51:03 -07:00			`- src: 192.168.2.10:/Overflow`
			`path: /srv/volumes/nas-overflow`
			`opts: proto=tcp,port=2049,rw`

Use new NAS paths 2023-02-14 13:31:04 -08:00			`- src: 192.168.2.10:/Photos`
			`path: /srv/volumes/photos`
			`opts: proto=tcp,port=2049,rw`
Create a lot more host volumes Some are NFS volumes and present on all devices 2022-04-04 22:20:19 -07:00
Move nzbget and photoprism config to shared storage on NAS SSD 2023-02-28 12:16:49 -08:00			`- src: 192.168.2.10:/Container`
			`path: /srv/volumes/nas-container`
			`opts: proto=tcp,port=2049,rw`

Create a lot more host volumes Some are NFS volumes and present on all devices 2022-04-04 22:20:19 -07:00			`tasks:`
			`- name: Install nfs`
			`package:`
			`name: nfs-common`
			`state: present`

Add more flexible nfs mount definitions Also commenting out NAS since it's down 2023-01-13 15:17:03 -08:00			`- name: Mount NFS volumes`
Add new nfs volumes 2022-08-30 15:14:55 -07:00			`ansible.posix.mount:`
Add more flexible nfs mount definitions Also commenting out NAS since it's down 2023-01-13 15:17:03 -08:00			`src: "{{ item.src }}"`
			`path: "{{ item.path }}"`
			`opts: "{{ item.opts }}"`
Add new nfs volumes 2022-08-30 15:14:55 -07:00			`state: mounted`
			`fstype: nfs4`
Add more flexible nfs mount definitions Also commenting out NAS since it's down 2023-01-13 15:17:03 -08:00			`loop: "{{ shared_nfs_mounts + (nfs_mounts \| default([])) }}"`
Add new nfs volumes 2022-08-30 15:14:55 -07:00
Add Wesher and Wesher overlay 2023-03-23 22:08:20 -07:00			`- import_playbook: wesher.yml`

Update host networks and proxy mapping 2022-02-17 14:03:42 -08:00			`- name: Build Nomad cluster`
Add some basic Nomad and k8s tests 2022-02-16 09:56:18 -08:00			`hosts: nomad_instances`
			`any_errors_fatal: true`
			`become: true`

Create a lot more host volumes Some are NFS volumes and present on all devices 2022-04-04 22:20:19 -07:00			`vars:`
Use new NAS paths 2023-02-14 13:31:04 -08:00			`shared_host_volumes:`
			`- name: media-read`
			`path: /srv/volumes/media-write`
			`read_only: true`
			`- name: media-write`
			`path: /srv/volumes/media-write`
			`owner: "root"`
			`group: "root"`
			`mode: "0755"`
			`read_only: false`
Add overflow volume for some TV 2024-08-21 19:51:03 -07:00			`- name: media-overflow-write`
			`path: /srv/volumes/nas-overflow/Media`
			`owner: "root"`
			`group: "root"`
			`mode: "0755"`
			`read_only: false`
Use new NAS paths 2023-02-14 13:31:04 -08:00			`- name: media-downloads`
			`path: /srv/volumes/media-write/Downloads`
			`read_only: false`
Add sabnzbd 2023-02-27 11:43:07 -08:00			`- name: sabnzbd-config`
			`path: /srv/volumes/media-write/Downloads/sabnzbd`
			`read_only: false`
Use new NAS paths 2023-02-14 13:31:04 -08:00			`- name: photoprism-media`
			`path: /srv/volumes/photos/Photoprism`
			`read_only: false`
Move nzbget and photoprism config to shared storage on NAS SSD 2023-02-28 12:16:49 -08:00			`- name: photoprism-storage`
			`path: /srv/volumes/nas-container/photoprism`
			`read_only: false`
			`- name: nzbget-config`
			`path: /srv/volumes/nas-container/nzbget`
			`read_only: false`
Migrate sonarr to postgresql And increase postgresql memory to accomodate 2024-03-25 16:05:58 -07:00			`- name: sonarr-config`
			`path: /srv/volumes/nas-container/sonarr`
			`read_only: false`
Add lidarr 2023-07-25 11:05:23 -07:00			`- name: lidarr-config`
			`path: /srv/volumes/nas-container/lidarr`
			`read_only: false`
Add radarr 2024-02-20 10:09:48 -08:00			`- name: radarr-config`
			`path: /srv/volumes/nas-container/radarr`
			`read_only: false`
Add bazarr configs 2023-08-21 10:54:57 -07:00			`- name: bazarr-config`
			`path: /srv/volumes/nas-container/bazarr`
			`read_only: false`
Add Gitea Currently it won't auto bootstrap auth. A command has to be executed one time to get it to be added to the database. 2023-07-19 09:28:08 -07:00			`- name: gitea-data`
			`path: /srv/volumes/nas-container/gitea`
			`read_only: false`
Add ytdl-web 2024-06-13 16:23:55 -07:00			`- name: ytdl-web`
			`path: /srv/volumes/nas-container/ytdl-web`
			`read_only: false`
Add Christmas list service 2024-12-17 16:31:43 -08:00			`- name: christmas-community`
			`path: /srv/volumes/nas-container/christmas-community`
			`read_only: false`
Use new NAS paths 2023-02-14 13:31:04 -08:00			`- name: all-volumes`
			`path: /srv/volumes`
			`owner: "root"`
			`group: "root"`
			`mode: "0755"`
			`read_only: false`
Create a lot more host volumes Some are NFS volumes and present on all devices 2022-04-04 22:20:19 -07:00
Add some basic Nomad and k8s tests 2022-02-16 09:56:18 -08:00			`roles:`
			`- name: ansible-nomad`
Update hosts improve bootstrap and move a few things around 2022-03-12 10:07:52 -08:00			`vars:`
Bump nomad version 2025-03-05 12:54:54 -08:00			`nomad_version: "1.9.6-1"`
Update hosts improve bootstrap and move a few things around 2022-03-12 10:07:52 -08:00			`nomad_install_upgrade: true`
			`nomad_allow_purge_config: true`
Update Ansible inventory to split node roles Splits servers and clients to their own groups so that plays can target specific roles. Prior, everything was "both", but i want to and another server for recovery purposes but not host containers on it. 2024-04-27 20:10:23 -07:00			`nomad_node_role: "{% if 'nomad_clients' in group_names %}{% if 'nomad_servers' in group_names %}both{% else %}client{% endif %}{% else %}server{% endif %}"`
Update hosts improve bootstrap and move a few things around 2022-03-12 10:07:52 -08:00
Deploy Nomad, Consul, and Vault using apt repo 2022-07-21 19:04:44 -07:00			`# Where nomad gets installed to`
			`nomad_bin_dir: /usr/bin`
			`nomad_install_from_repo: true`
Update Nomad 2022-06-23 09:51:21 -07:00
Big refactor to split core and services for better ordering 2022-10-27 14:28:34 -07:00			`nomad_bootstrap_expect: "{{ [(play_hosts \| length), 3] \| min }}"`
			`nomad_raft_protocol: 3`
Add autopilot 2022-05-24 20:11:18 -07:00			`nomad_autopilot: true`
Update hosts improve bootstrap and move a few things around 2022-03-12 10:07:52 -08:00			`nomad_encrypt_enable: true`
			`# nomad_use_consul: true`

			`# Metrics`
			`nomad_telemetry: true`
			`nomad_telemetry_prometheus_metrics: true`
			`nomad_telemetry_publish_allocation_metrics: true`
			`nomad_telemetry_publish_node_metrics: true`

			`# Enable container plugins`
			`nomad_cni_enable: true`
Revert "Upgrade cni to 1.1.2" This reverts commit bbc8ba5c6b8f96b46e6e02fd4ad4b40f28119592. 2023-05-02 21:29:27 -07:00			`nomad_cni_version: 1.0.1`
Update hosts improve bootstrap and move a few things around 2022-03-12 10:07:52 -08:00			`nomad_docker_enable: true`
			`nomad_docker_dmsetup: false`
			`# nomad_podman_enable: true`

Deploy Nomad, Consul, and Vault using apt repo 2022-07-21 19:04:44 -07:00			`# Merge shared host volumes with node volumes`
Create a lot more host volumes Some are NFS volumes and present on all devices 2022-04-04 22:20:19 -07:00			`nomad_host_volumes: "{{ shared_host_volumes + (nomad_unique_host_volumes \| default([])) }}"`

Update hosts improve bootstrap and move a few things around 2022-03-12 10:07:52 -08:00			`# Customize docker plugin`
			`nomad_plugins:`
			`docker:`
			`config:`
WIP: Add democratic-csi storage plugin 2022-06-17 15:19:19 -07:00			`allow_privileged: true`
Fix GC cleanup image_delay 2023-02-28 12:17:28 -08:00			`gc:`
			`image_delay: "24h"`
Update hosts improve bootstrap and move a few things around 2022-03-12 10:07:52 -08:00			`volumes:`
			`enabled: true`
			`selinuxlabel: "z"`
Use journald for Nomad Docker logging so they can be ingested into Loki 2022-11-10 10:19:51 -08:00			`# Send logs to journald so we can scrape them for Loki`
WIP: Moving vars and service discovery to Nomad Starting with core 2022-11-20 16:24:00 -08:00			`# logging:`
			`# type: journald`
Update hosts improve bootstrap and move a few things around 2022-03-12 10:07:52 -08:00			`extra_labels:`
			`- "job_name"`
			`- "job_id"`
			`- "task_group_name"`
			`- "task_name"`
			`- "namespace"`
			`- "node_name"`
			`- "node_id"`

			`# Bind nomad`
			`nomad_bind_address: 0.0.0.0`

Change default bind address to loopback 2022-03-14 15:59:07 -07:00			`# Default interface for binding tasks`
Move nomad default interface to host vars 2024-04-22 09:06:11 -07:00			`# This is now set at the inventory level`
			`# nomad_network_interface: eth0`
Change default bind address to loopback 2022-03-14 15:59:07 -07:00
Update hosts improve bootstrap and move a few things around 2022-03-12 10:07:52 -08:00			`# Create networks for binding task ports`
			`nomad_host_networks:`
			`- name: loopback`
			`interface: lo`
			`reserved_ports: "22"`
Add Wesher and Wesher overlay 2023-03-23 22:08:20 -07:00			`- name: wesher`
Get nomad client scraping working 2023-03-24 22:22:11 -07:00			`interface: wgoverlay`
Add Wesher and Wesher overlay 2023-03-23 22:08:20 -07:00			`reserved_ports: "22"`
Update hosts improve bootstrap and move a few things around 2022-03-12 10:07:52 -08:00
Update bootstrap for acls 2022-03-21 20:13:13 -07:00			`# Enable ACLs`
			`nomad_acl_enabled: true`

Update hosts improve bootstrap and move a few things around 2022-03-12 10:07:52 -08:00			`nomad_config_custom:`
			`ui:`
			`enabled: true`
Lots of Nomad updates to support metrics 2022-03-03 09:37:49 -08:00
Improve first run cluster setup 2022-09-27 21:28:02 -07:00			`- name: Bootstrap Nomad ACLs and scheduler`
Update Ansible inventory to split node roles Splits servers and clients to their own groups so that plays can target specific roles. Prior, everything was "both", but i want to and another server for recovery purposes but not host containers on it. 2024-04-27 20:10:23 -07:00			`hosts: nomad_servers`
Improve first run cluster setup 2022-09-27 21:28:02 -07:00
Update ansible to deploy nomad and consul to Pi host This is broken because the Pi doesn't have the right version of ip-tables 2022-02-27 14:49:00 -08:00			`tasks:`
			`- name: Start Nomad`
			`systemd:`
			`state: started`
			`name: nomad`
Add Nomad ACL bootstrap 2022-03-21 21:26:04 -07:00
Wait until Nomad is running before bootstrapping ACLs 2022-09-07 11:11:10 -07:00			`- name: Nomad API reachable?`
			`uri:`
			`url: "http://127.0.0.1:4646/v1/status/leader"`
			`method: GET`
			`status_code: 200`
			`register: nomad_check_result`
Increase retry count for nomad starting when deploying cluster 2023-02-28 12:17:45 -08:00			`retries: 8`
Wait until Nomad is running before bootstrapping ACLs 2022-09-07 11:11:10 -07:00			`until: nomad_check_result is succeeded`
Increase retry count for nomad starting when deploying cluster 2023-02-28 12:17:45 -08:00			`delay: 15`
Wait until Nomad is running before bootstrapping ACLs 2022-09-07 11:11:10 -07:00			`changed_when: false`
			`run_once: true`

Add Nomad ACL bootstrap 2022-03-21 21:26:04 -07:00			`- name: Bootstrap ACLs`
			`command:`
			`argv:`
			`- "nomad"`
			`- "acl"`
			`- "bootstrap"`
			`- "-json"`
			`run_once: true`
			`ignore_errors: true`
			`register: bootstrap_result`
Improve change detection for cluster bootstrap 2024-04-17 10:46:10 -07:00			`changed_when: bootstrap_result is succeeded`
Add Nomad ACL bootstrap 2022-03-21 21:26:04 -07:00
			`- name: Save bootstrap result`
			`copy:`
			`content: "{{ bootstrap_result.stdout }}"`
Refactor ansible to clean root dir 2022-11-02 14:20:09 -07:00			`dest: "../nomad_bootstrap.json"`
Add Nomad ACL bootstrap 2022-03-21 21:26:04 -07:00			`when: bootstrap_result is succeeded`
			`delegate_to: localhost`
			`run_once: true`

			`- name: Read secret`
			`command:`
			`argv:`
			`- jq`
			`- -r`
			`- .SecretID`
Refactor ansible to clean root dir 2022-11-02 14:20:09 -07:00			`- ../nomad_bootstrap.json`
Add Nomad ACL bootstrap 2022-03-21 21:26:04 -07:00			`delegate_to: localhost`
			`run_once: true`
no log for some more sensitive info 2022-04-15 12:12:28 -07:00			`no_log: true`
Improve vault bootstrap and nomad connection 2022-06-28 12:10:18 -07:00			`changed_when: false`
Add Nomad ACL bootstrap 2022-03-21 21:26:04 -07:00			`register: read_secretid`

Use nomad token to look up policies 2022-08-30 15:15:29 -07:00			`- name: Look for policy`
			`command:`
			`argv:`
			`- nomad`
			`- acl`
			`- policy`
			`- list`
			`environment:`
			`NOMAD_TOKEN: "{{ read_secretid.stdout }}"`
			`register: policies`
Improve change detection for cluster bootstrap 2024-04-17 10:46:10 -07:00			`run_once: true`
			`changed_when: false`
Use nomad token to look up policies 2022-08-30 15:15:29 -07:00
Add Nomad ACL bootstrap 2022-03-21 21:26:04 -07:00			`- name: Copy policy`
			`copy:`
Refactor ansible to clean root dir 2022-11-02 14:20:09 -07:00			`src: ../acls/nomad-anon-policy.hcl`
Add Nomad ACL bootstrap 2022-03-21 21:26:04 -07:00			`dest: /tmp/anonymous.policy.hcl`
Improve change detection for cluster bootstrap 2024-04-17 10:46:10 -07:00			`delegate_to: "{{ play_hosts[0] }}"`
Add Nomad ACL bootstrap 2022-03-21 21:26:04 -07:00			`run_once: true`
Fix cluster setup 2023-03-24 21:12:02 -07:00			`register: anon_policy`
Add Nomad ACL bootstrap 2022-03-21 21:26:04 -07:00
			`- name: Create anon-policy`
			`command:`
			`argv:`
			`- nomad`
			`- acl`
			`- policy`
			`- apply`
Make name of anon policy consistent between ansible and tf 2024-08-21 19:48:53 -07:00			`- -description=Anon read only`
Add Nomad ACL bootstrap 2022-03-21 21:26:04 -07:00			`- anonymous`
			`- /tmp/anonymous.policy.hcl`
			`environment:`
			`NOMAD_TOKEN: "{{ read_secretid.stdout }}"`
			`when: policies.stdout == "No policies found" or anon_policy.changed`
			`delegate_to: "{{ play_hosts[0] }}"`
			`run_once: true`
Update playbook, move acls and comment for fixes There are some items that I found are broken on first run and made some changes 2022-07-25 10:51:34 -07:00
Improve change detection for cluster bootstrap 2024-04-17 10:46:10 -07:00			`- name: Read scheduler config`
			`command:`
			`argv:`
			`- nomad`
			`- operator`
			`- scheduler`
			`- get-config`
			`- -json`
			`run_once: true`
			`register: scheduler_config`
			`changed_when: false`

WIP: Moving vars and service discovery to Nomad Starting with core 2022-11-20 16:24:00 -08:00			`- name: Enable service scheduler preemption`
			`command:`
			`argv:`
			`- nomad`
			`- operator`
			`- scheduler`
			`- set-config`
			`- -preempt-service-scheduler=true`
			`environment:`
			`NOMAD_TOKEN: "{{ read_secretid.stdout }}"`
Update playbook, move acls and comment for fixes There are some items that I found are broken on first run and made some changes 2022-07-25 10:51:34 -07:00			`run_once: true`
Improve change detection for cluster bootstrap 2024-04-17 10:46:10 -07:00			`when: (scheduler_config.stdout \| from_json)["SchedulerConfig"]["PreemptionConfig"]["ServiceSchedulerEnabled"] is false`

			`- name: Enable system scheduler preemption`
			`command:`
			`argv:`
			`- nomad`
			`- operator`
			`- scheduler`
			`- set-config`
			`- -preempt-system-scheduler=true`
			`environment:`
			`NOMAD_TOKEN: "{{ read_secretid.stdout }}"`
			`run_once: true`
			`when: (scheduler_config.stdout \| from_json)["SchedulerConfig"]["PreemptionConfig"]["SystemSchedulerEnabled"] is false`
WIP: Moving vars and service discovery to Nomad Starting with core 2022-11-20 16:24:00 -08:00
			`# - name: Set up Nomad backend and roles in Vault`
			`# community.general.terraform:`
			`# project_path: ../acls`
			`# force_init: true`
			`# variables:`
			`# consul_address: "{{ play_hosts[0] }}:8500"`
			`# vault_token: "{{ root_token }}"`
			`# nomad_secret_id: "{{ read_secretid.stdout }}"`
			`# delegate_to: localhost`
			`# run_once: true`
			`# notify:`
			`# - Restart Nomad`
Improve first run cluster setup 2022-09-27 21:28:02 -07:00
			`handlers:`
			`- name: Restart Nomad`
			`systemd:`
			`state: restarted`
			`name: nomad`
Big refactor to split core and services for better ordering 2022-10-27 14:28:34 -07:00			`retries: 6`
			`delay: 5`