--- - name: Build Consul cluster hosts: consul_instances any_errors_fatal: true roles: - role: ansible-consul vars: consul_version: "1.11.3" consul_install_remotely: true consul_install_upgrade: true consul_node_role: server consul_bootstrap_expect: true consul_user: consul consul_manage_user: true consul_group: bin consul_manage_group: true consul_architecture_map: x86_64: amd64 armhfv6: arm armv7l: arm # consul_tls_enable: true consul_connect_enabled: true consul_ports_grpc: 8502 consul_client_address: "0.0.0.0" # Enable metrics consul_config_custom: telemetry: prometheus_retention_time: "2h" become: true tasks: - name: Start Consul systemd: state: started name: consul become: true - name: Add values block: - name: Install python-consul pip: name: python-consul extra_args: --index-url https://pypi.org/simple - name: Add a value to Consul consul_kv: host: "{{ inventory_hostname }}" key: ansible_test value: Hello from Ansible! - name: Set hostname consul_kv: host: "{{ inventory_hostname }}" key: global/base_hostname # TODO: propogate this through via Consul and Nomad templates rather than Terraform value: dev.homelab delegate_to: localhost run_once: true - name: Setup Vault cluster hosts: vault_instances roles: - name: ansible-vault vars: # Doesn't support multi-arch installs vault_install_hashi_repo: true vault_bin_path: /usr/bin vault_harden_file_perms: true vault_address: 0.0.0.0 vault_backend: consul become: true tasks: - name: Get Vault status uri: url: http://127.0.0.1:8200/v1/sys/health method: GET status_code: 200, 429, 472, 473, 501, 503 body_format: json return_content: true run_once: true register: vault_status - name: Initialize Vault when: not vault_status.json["initialized"] block: - name: Initialize Vault command: argv: - "vault" - "operator" - "init" - "-format=json" - "-address=http://127.0.0.1:8200/" - "-key-shares={{ vault_init_key_shares|default(3) }}" - "-key-threshold={{ vault_init_key_threshold|default(2) }}" run_once: true register: vault_init - name: Save initialize result copy: content: "{{ vault_init.stdout }}" dest: "./vault-keys.json" when: vault_init is succeeded delegate_to: localhost run_once: true - name: Unseal from init no_log: true command: argv: - "vault" - "operator" - "unseal" - "-address=http://127.0.0.1:8200/" - "{{ item }}" loop: "{{ (vault_init.stdout | from_json)['unseal_keys_hex'] }}" when: vault_init is succeeded - name: Unseal Vault no_log: true command: argv: - "vault" - "operator" - "unseal" - "-address=http://127.0.0.1:8200/" - "{{ item }}" loop: "{{ unseal_keys_hex }}" when: unseal_keys_hex is defined # Not on Ubuntu 20.04 # - name: Install Podman # hosts: nomad_instances # become: true # # tasks: # - name: Install Podman # package: # name: podman # state: present - name: Create NFS mounts hosts: nomad_instances become: true tasks: - name: Install nfs package: name: nfs-common state: present - name: Create Motioneye NFS mount ansible.posix.mount: src: 192.168.2.10:/Recordings/Motioneye path: /srv/volumes/motioneye-recordings opts: proto=tcp,port=2049,rw state: mounted fstype: nfs4 - name: Create Media Library RO NFS mount ansible.posix.mount: src: 192.168.2.10:/Multimedia path: /srv/volumes/media-read opts: proto=tcp,port=2049,ro state: mounted fstype: nfs4 - name: Install Docker hosts: nomad_instances become: true vars: deb_arch: "{% if ansible_architecture == 'x86_64' %}amd64{% elif ansible_architecture == 'armv7l' %}armhf{% endif %}" docker_apt_arch: "{{ deb_arch }}" docker_compose_arch: "{{ (ansible_architecture == 'armv7l') | ternary('armv7', ansible_architecture) }}" roles: - geerlingguy.docker - name: Build Nomad cluster hosts: nomad_instances any_errors_fatal: true become: true vars: shared_host_volumes: - name: motioneye-recordings path: /srv/volumes/motioneye-recordings owner: "root" group: "bin" mode: "0755" read_only: false - name: media-read path: /srv/volumes/media-read owner: "root" group: "root" mode: "0777" read_only: true - name: all-volumes path: /srv/volumes owner: "root" group: "root" mode: "0777" read_only: false roles: - name: ansible-nomad vars: nomad_version: "1.2.6" nomad_install_remotely: true nomad_install_upgrade: true nomad_allow_purge_config: true nomad_user: root nomad_manage_user: true nomad_group: bin nomad_manage_group: true # Properly map install arch nomad_architecture_map: x86_64: amd64 armhfv6: arm armv7l: arm nomad_autopilot: true nomad_encrypt_enable: true # nomad_use_consul: true # Metrics nomad_telemetry: true nomad_telemetry_prometheus_metrics: true nomad_telemetry_publish_allocation_metrics: true nomad_telemetry_publish_node_metrics: true # Enable container plugins nomad_cni_enable: true nomad_cni_version: 1.0.1 nomad_docker_enable: true nomad_docker_dmsetup: false # nomad_podman_enable: true nomad_host_volumes: "{{ shared_host_volumes + (nomad_unique_host_volumes | default([])) }}" # Customize docker plugin nomad_plugins: docker: config: allow_privileged: true volumes: enabled: true selinuxlabel: "z" extra_labels: - "job_name" - "job_id" - "task_group_name" - "task_name" - "namespace" - "node_name" - "node_id" # Bind nomad nomad_bind_address: 0.0.0.0 # Default interface for binding tasks # nomad_network_interface: lo # Create networks for binding task ports nomad_host_networks: # - name: public # interface: eth0 # reserved_ports: "22" - name: nomad-bridge interface: nomad reserved_ports: "22" - name: loopback interface: lo reserved_ports: "22" # Enable ACLs nomad_acl_enabled: true # Enable vault integration nomad_vault_enabled: "{{ root_token is defined }}" nomad_vault_token: "{{ root_token | default('') }}" nomad_config_custom: ui: enabled: true consul: ui_url: "http://{{ ansible_hostname }}:8500/ui" vault: ui_url: "http://{{ ansible_hostname }}:8200/ui" consul: tags: - "traefik.enable=true" - "traefik.consulcatalog.connect=true" - "traefik.http.routers.nomadclient.entrypoints=websecure" tasks: - name: Start Nomad systemd: state: started name: nomad - name: Bootstrap Nomad ACLs hosts: nomad_instances tasks: - name: Bootstrap ACLs command: argv: - "nomad" - "acl" - "bootstrap" - "-json" run_once: true ignore_errors: true register: bootstrap_result - name: Save bootstrap result copy: content: "{{ bootstrap_result.stdout }}" dest: "./nomad_bootstrap.json" when: bootstrap_result is succeeded delegate_to: localhost run_once: true - name: Look for policy command: argv: - nomad - acl - policy - list run_once: true register: policies - name: Read secret command: argv: - jq - -r - .SecretID - nomad_bootstrap.json delegate_to: localhost run_once: true no_log: true register: read_secretid - name: Copy policy copy: src: ./acls/nomad-anon-bootstrap.hcl dest: /tmp/anonymous.policy.hcl delegate_to: "{{ play_hosts[0] }}" register: anon_policy run_once: true - name: Create anon-policy command: argv: - nomad - acl - policy - apply - -description="Anon RW" - anonymous - /tmp/anonymous.policy.hcl environment: NOMAD_TOKEN: "{{ read_secretid.stdout }}" when: policies.stdout == "No policies found" or anon_policy.changed delegate_to: "{{ play_hosts[0] }}" run_once: true