Compare commits
2 Commits
Author | SHA1 | Date | |
---|---|---|---|
a8181a5f29 | |||
d38c6059f4 |
1
nomad/.gitignore
vendored
1
nomad/.gitignore
vendored
@ -1,3 +1,4 @@
|
|||||||
roles/
|
roles/
|
||||||
venv/
|
venv/
|
||||||
vault-keys.json
|
vault-keys.json
|
||||||
|
nomad_bootstrap.json
|
||||||
|
@ -36,3 +36,21 @@ provider "registry.terraform.io/hashicorp/nomad" {
|
|||||||
"zh:d87c12a6a7768f2b6c2a59495c7dc00f9ecc52b1b868331d4c284f791e278a1e",
|
"zh:d87c12a6a7768f2b6c2a59495c7dc00f9ecc52b1b868331d4c284f791e278a1e",
|
||||||
]
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
|
provider "registry.terraform.io/hashicorp/vault" {
|
||||||
|
version = "3.3.1"
|
||||||
|
hashes = [
|
||||||
|
"h1:SOTmxGynxFf1hECFq0/FGujGQZNktePze/4mfdR/iiU=",
|
||||||
|
"zh:3e1866037f43c1083ff825dce2a9e3853c757bb0121c5ae528ee3cf3f99b4113",
|
||||||
|
"zh:49636cc5c4939134e098c4ec0163c41fae103f24d7e1e8fc0432f8ad93d596a0",
|
||||||
|
"zh:5258a7001719c4aeb84f4c4da7115b795da4794754938a3c4176a4b578fe93a1",
|
||||||
|
"zh:7461738691e2e8ea91aba73d4351cfbc30fcaedcf0e332c9d35ef215f93aa282",
|
||||||
|
"zh:815529478e33a6727273b08340a4c62c9aeb3da02abf8f091bb4f545c8451fce",
|
||||||
|
"zh:8e6fede9f5e25b507faf6cacd61b997035b8b62859245861149ddb2990ada8eb",
|
||||||
|
"zh:9acc2387084b9c411e264c4351633bc82f9c4e420f8e6bbad9f87b145351f929",
|
||||||
|
"zh:b9e4af3b06386ceed720f0163a1496088c154aa1430ae072c525ffefa4b37891",
|
||||||
|
"zh:c7d5dfb8f8536694db6740e2a4afd2d681b60b396ded469282524c62ce154861",
|
||||||
|
"zh:d0850be710c6fd682634a2f823beed0164231cc873b1dc09038aa477c926f57c",
|
||||||
|
"zh:e90c2cba9d89db5eab295b2f046f24a53f23002bcfe008633d398fb3fa16d941",
|
||||||
|
]
|
||||||
|
}
|
||||||
|
5
nomad/acls.tf
Normal file
5
nomad/acls.tf
Normal file
@ -0,0 +1,5 @@
|
|||||||
|
# resource "nomad_acl_policy" "create_post_bootstrap_policy" {
|
||||||
|
# name = "anonymous"
|
||||||
|
# description = "Anon RW"
|
||||||
|
# rules_hcl = file("${path.module}/acls/nomad-anon-bootstrap.hcl")
|
||||||
|
# }
|
24
nomad/acls/nomad-anon-bootstrap.hcl
Normal file
24
nomad/acls/nomad-anon-bootstrap.hcl
Normal file
@ -0,0 +1,24 @@
|
|||||||
|
namespace "*" {
|
||||||
|
policy = "write"
|
||||||
|
capabilities = ["alloc-node-exec"]
|
||||||
|
}
|
||||||
|
|
||||||
|
agent {
|
||||||
|
policy = "write"
|
||||||
|
}
|
||||||
|
|
||||||
|
operator {
|
||||||
|
policy = "write"
|
||||||
|
}
|
||||||
|
|
||||||
|
quota {
|
||||||
|
policy = "write"
|
||||||
|
}
|
||||||
|
|
||||||
|
node {
|
||||||
|
policy = "write"
|
||||||
|
}
|
||||||
|
|
||||||
|
host_volume "*" {
|
||||||
|
policy = "write"
|
||||||
|
}
|
@ -13,6 +13,12 @@ all:
|
|||||||
group: "bin"
|
group: "bin"
|
||||||
mode: "0755"
|
mode: "0755"
|
||||||
read_only: false
|
read_only: false
|
||||||
|
- name: step-ca-data
|
||||||
|
path: /srv/volumes/step-ca-data
|
||||||
|
owner: "root"
|
||||||
|
group: "bin"
|
||||||
|
mode: "0700"
|
||||||
|
read_only: false
|
||||||
# consul_auto_encrypt:
|
# consul_auto_encrypt:
|
||||||
# enabled: true
|
# enabled: true
|
||||||
# dns_san: ["services.thefij"]
|
# dns_san: ["services.thefij"]
|
||||||
@ -31,3 +37,7 @@ all:
|
|||||||
vault_instances:
|
vault_instances:
|
||||||
children:
|
children:
|
||||||
servers: {}
|
servers: {}
|
||||||
|
ca_servers:
|
||||||
|
hosts:
|
||||||
|
nomad0.thefij:
|
||||||
|
step_path: /srv/volumes/step-ca-data
|
||||||
|
1
nomad/ca/.gitignore
vendored
Normal file
1
nomad/ca/.gitignore
vendored
Normal file
@ -0,0 +1 @@
|
|||||||
|
step_path
|
19
nomad/ca/Makefile
Normal file
19
nomad/ca/Makefile
Normal file
@ -0,0 +1,19 @@
|
|||||||
|
STEPPATH ?= ./step_path
|
||||||
|
|
||||||
|
.PHONY: bootstrap
|
||||||
|
bootstrap: $(STEPPATH)/config/ca.json
|
||||||
|
|
||||||
|
$(STEPPATH)/config/ca.json:
|
||||||
|
env STEPPATH=$(STEPPATH) \
|
||||||
|
step ca init \
|
||||||
|
--ssh \
|
||||||
|
--deployment-type standalone \
|
||||||
|
--name TheFij \
|
||||||
|
--dns ca.thefij.rocks \
|
||||||
|
--address 0.0.0.0:9443 \
|
||||||
|
--provisioner ian@iamthefij.com
|
||||||
|
|
||||||
|
.PHONY: run
|
||||||
|
run: $(STEPPATH)/config/ca.json
|
||||||
|
env STEPPATH=$(STEPPATH) \
|
||||||
|
step-ca $(STEPPATH)/config/ca.json
|
35
nomad/ca/setup-ca.yml
Normal file
35
nomad/ca/setup-ca.yml
Normal file
@ -0,0 +1,35 @@
|
|||||||
|
---
|
||||||
|
- name: Set up CA
|
||||||
|
hosts: ca_servers
|
||||||
|
become: true
|
||||||
|
|
||||||
|
tasks:
|
||||||
|
- name: Create step_path
|
||||||
|
file:
|
||||||
|
path: "{{ step_path }}"
|
||||||
|
state: directory
|
||||||
|
owner: root
|
||||||
|
mode: "0700"
|
||||||
|
|
||||||
|
- name: Install step-ca
|
||||||
|
include_role:
|
||||||
|
name: maxhoesel.smallstep.step_ca
|
||||||
|
vars:
|
||||||
|
step_ca_name: TheFij CA
|
||||||
|
step_ca_root_password: ...
|
||||||
|
step_ca_intermediate_password: ...
|
||||||
|
step_cli_steppath: "{{ step_path }}"
|
||||||
|
|
||||||
|
- name: Read fingerprint
|
||||||
|
command: "step-cli certificate fingerprint {{ step_path }}/certs/root_ca.crt"
|
||||||
|
register: root_ca_fp
|
||||||
|
|
||||||
|
- name: Bootstrap other hosts
|
||||||
|
hosts: servers
|
||||||
|
|
||||||
|
tasks:
|
||||||
|
- name: Boostrap hosts to trust CA
|
||||||
|
include_role:
|
||||||
|
name: maxhoesel.smallstep.step_bootstrap_host
|
||||||
|
vars:
|
||||||
|
step_bootstrap_ca_url: http
|
36
nomad/providers.tf
Normal file
36
nomad/providers.tf
Normal file
@ -0,0 +1,36 @@
|
|||||||
|
# Configure Consul provider
|
||||||
|
provider "consul" {
|
||||||
|
address = var.consul_address
|
||||||
|
}
|
||||||
|
|
||||||
|
# Get Nomad client from Consul
|
||||||
|
data "consul_service" "nomad" {
|
||||||
|
name = "nomad-client"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Get Vault client from Consul
|
||||||
|
data "consul_service" "vault" {
|
||||||
|
name = "vault"
|
||||||
|
tag = "active"
|
||||||
|
}
|
||||||
|
|
||||||
|
locals {
|
||||||
|
# Get Nomad address from Consul
|
||||||
|
nomad_node = data.consul_service.nomad.service[0]
|
||||||
|
nomad_node_address = "http://${local.nomad_node.node_address}:${local.nomad_node.port}"
|
||||||
|
|
||||||
|
# Get Vault address from Consul
|
||||||
|
vault_node = data.consul_service.vault.service[0]
|
||||||
|
vault_node_address = "http://${local.vault_node.node_address}:${local.vault_node.port}"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Configure the Nomad provider
|
||||||
|
provider "nomad" {
|
||||||
|
address = local.nomad_node_address
|
||||||
|
region = "global"
|
||||||
|
}
|
||||||
|
|
||||||
|
# Configure the Vault provider
|
||||||
|
provider "vault" {
|
||||||
|
address = local.vault_node_address
|
||||||
|
}
|
@ -1,37 +1,3 @@
|
|||||||
# Configure Consul provider
|
|
||||||
variable "consul_address" {
|
|
||||||
type = string
|
|
||||||
default = "http://nomad0.thefij:8500"
|
|
||||||
}
|
|
||||||
|
|
||||||
variable "base_hostname" {
|
|
||||||
type = string
|
|
||||||
description = "Base hostname to serve content from"
|
|
||||||
default = "dev.homelab"
|
|
||||||
}
|
|
||||||
|
|
||||||
provider "consul" {
|
|
||||||
address = var.consul_address
|
|
||||||
}
|
|
||||||
|
|
||||||
# Get Nomad client from Consul
|
|
||||||
data "consul_service" "read-nomad-cluster" {
|
|
||||||
name = "nomad-client"
|
|
||||||
}
|
|
||||||
|
|
||||||
locals {
|
|
||||||
nomad_node = data.consul_service.read-nomad-cluster.service[0]
|
|
||||||
nomad_node_address = "http://${local.nomad_node.node_address}:${local.nomad_node.port}"
|
|
||||||
}
|
|
||||||
|
|
||||||
# Configure the Nomad provider
|
|
||||||
provider "nomad" {
|
|
||||||
address = local.nomad_node_address
|
|
||||||
region = "global"
|
|
||||||
}
|
|
||||||
|
|
||||||
# Define services as modules
|
|
||||||
|
|
||||||
module "mysql-server" {
|
module "mysql-server" {
|
||||||
source = "./mysql"
|
source = "./mysql"
|
||||||
}
|
}
|
||||||
@ -70,7 +36,7 @@ resource "nomad_job" "whoami" {
|
|||||||
hcl2 {
|
hcl2 {
|
||||||
enabled = true
|
enabled = true
|
||||||
vars = {
|
vars = {
|
||||||
"count" = "${2 * length(data.consul_service.read-nomad-cluster.service)}",
|
"count" = "${2 * length(data.consul_service.nomad.service)}",
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -98,4 +64,3 @@ resource "consul_config_entry" "global_access" {
|
|||||||
]
|
]
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -35,7 +35,6 @@
|
|||||||
|
|
||||||
become: true
|
become: true
|
||||||
|
|
||||||
|
|
||||||
tasks:
|
tasks:
|
||||||
- name: Start Consul
|
- name: Start Consul
|
||||||
systemd:
|
systemd:
|
||||||
@ -197,3 +196,71 @@
|
|||||||
systemd:
|
systemd:
|
||||||
state: started
|
state: started
|
||||||
name: nomad
|
name: nomad
|
||||||
|
|
||||||
|
- name: Bootstrap Nomad ACLs
|
||||||
|
hosts: nomad_instances
|
||||||
|
|
||||||
|
tasks:
|
||||||
|
- name: Bootstrap ACLs
|
||||||
|
command:
|
||||||
|
argv:
|
||||||
|
- "nomad"
|
||||||
|
- "acl"
|
||||||
|
- "bootstrap"
|
||||||
|
- "-json"
|
||||||
|
run_once: true
|
||||||
|
ignore_errors: true
|
||||||
|
register: bootstrap_result
|
||||||
|
|
||||||
|
- name: Save bootstrap result
|
||||||
|
copy:
|
||||||
|
content: "{{ bootstrap_result.stdout }}"
|
||||||
|
dest: "./nomad_bootstrap.json"
|
||||||
|
when: bootstrap_result is succeeded
|
||||||
|
delegate_to: localhost
|
||||||
|
run_once: true
|
||||||
|
|
||||||
|
- name: Look for policy
|
||||||
|
command:
|
||||||
|
argv:
|
||||||
|
- nomad
|
||||||
|
- acl
|
||||||
|
- policy
|
||||||
|
- list
|
||||||
|
run_once: true
|
||||||
|
register: policies
|
||||||
|
|
||||||
|
- name: Read secret
|
||||||
|
command:
|
||||||
|
argv:
|
||||||
|
- jq
|
||||||
|
- -r
|
||||||
|
- .SecretID
|
||||||
|
- nomad_bootstrap.json
|
||||||
|
delegate_to: localhost
|
||||||
|
run_once: true
|
||||||
|
register: read_secretid
|
||||||
|
|
||||||
|
- name: Copy policy
|
||||||
|
copy:
|
||||||
|
src: ./acls/nomad-anon-bootstrap.hcl
|
||||||
|
dest: /tmp/anonymous.policy.hcl
|
||||||
|
delegate_to: "{{ play_hosts[0] }}"
|
||||||
|
register: anon_policy
|
||||||
|
run_once: true
|
||||||
|
|
||||||
|
- name: Create anon-policy
|
||||||
|
command:
|
||||||
|
argv:
|
||||||
|
- nomad
|
||||||
|
- acl
|
||||||
|
- policy
|
||||||
|
- apply
|
||||||
|
- -description="Anon RW"
|
||||||
|
- anonymous
|
||||||
|
- /tmp/anonymous.policy.hcl
|
||||||
|
environment:
|
||||||
|
NOMAD_TOKEN: "{{ read_secretid.stdout }}"
|
||||||
|
when: policies.stdout == "No policies found" or anon_policy.changed
|
||||||
|
delegate_to: "{{ play_hosts[0] }}"
|
||||||
|
run_once: true
|
||||||
|
16
nomad/vars.tf
Normal file
16
nomad/vars.tf
Normal file
@ -0,0 +1,16 @@
|
|||||||
|
variable "consul_address" {
|
||||||
|
type = string
|
||||||
|
default = "http://nomad0.thefij:8500"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "base_hostname" {
|
||||||
|
type = string
|
||||||
|
description = "Base hostname to serve content from"
|
||||||
|
default = "dev.homelab"
|
||||||
|
}
|
||||||
|
|
||||||
|
variable "nomad_secret_id" {
|
||||||
|
type = string
|
||||||
|
description = "Secret ID for ACL bootstrapped Nomad"
|
||||||
|
sensitive = true
|
||||||
|
}
|
Loading…
Reference in New Issue
Block a user