hieradata/roles/infra/nomad/server.yaml

@@ -0,0 +1,34 @@
+---
+
+hiera_include:
+  - profiles::nomad::node
+
+profiles::packages::include:
+  nomad: {}
+
+profiles::nomad::node::server: true
+
+# additional altnames
+profiles::pki::vault::alt_names:
+  - client.global.nomad
+  - client.au-syd1.nomad
+  - server.global.nomad
+  - server.au-syd1.nomad
+  - nomad.service.consul
+  - nomad.query.consul
+  - "nomad.service.%{facts.country}-%{facts.region}.consul"
+
+# configure consul service
+profiles::consul::client::node_rules:
+  - resource: service
+    segment: nomad
+    disposition: write
+  - resource: agent_prefix
+    segment: ''
+    disposition: read
+  - resource: node_prefix
+    segment: ''
+    disposition: write
+  - resource: service_prefix
+    segment: ''
+    disposition: write

site/profiles/manifests/nomad/node.pp

@@ -0,0 +1,69 @@
+# profiles::nomad::node
+class profiles::nomad::node (
+  Stdlib::Absolutepath $data_dir = '/data/nomad',
+  Integer $bootstrap_expect = 3,
+  Boolean $server = false,
+  Boolean $client = false,
+  Boolean $manage_service = true,
+  Boolean $manage_user    = true,
+  String  $user           = 'nomad',
+  String  $group          = 'nomad',
+){
+
+  if $manage_user {
+    # Define the group for Nomad
+    group { $group:
+      ensure => 'present',
+      system => true,
+    }
+
+    # Define the user for Nomad
+    user { $user:
+      ensure     => 'present',
+      comment    => 'Nomad System User',
+      home       => '/var/lib/nomad',
+      managehome => true,
+      shell      => '/sbin/nologin',
+      system     => true,
+      gid        => $group,
+      require    => Group[$group],
+    }
+  }
+
+  file { $data_dir:
+    ensure  => directory,
+    owner   => $user,
+    group   => $group,
+    mode    => '0755',
+    require => [
+      User[$user],
+      Group[$group],
+    ],
+  }
+
+  mkdir::p {'/etc/nomad.d/':}
+  -> file { '/etc/nomad.d/config.hcl':
+    ensure  => file,
+    owner   => 'root',
+    group   => 'root',
+    mode    => '0755',
+    content => template('profiles/nomad/config.hcl.erb'),
+    require => [
+      Package['nomad'],
+    ],
+  }
+
+  if $manage_service {
+    include ::systemd
+
+    systemd::unit_file { 'nomad.service':
+      content   => template('profiles/nomad/nomad.service.erb'),
+      enable    => true,
+      active    => true,
+      subscribe => [
+        File['/etc/pki/tls/vault/private.key'],
+        File['/etc/nomad.d/config.hcl']
+      ],
+    }
+  }
+}

site/profiles/templates/nomad/config.hcl.erb

@@ -0,0 +1,39 @@
+# data_dir tends to be environment specific.
+data_dir = "<%= @data_dir %>"
+bind_addr = "0.0.0.0"
+datacenter = "<%= scope['facts']['country'] %>-<%= scope['facts']['region'] %>"
+
+<% if @server -%>
+# Manage Servers
+advertise {
+  http = "<%= @facts['networking']['ip'] %>"
+  rpc = "<%= @facts['networking']['ip'] %>"
+  serf = "<%= @facts['networking']['ip'] %>"
+}
+
+server {
+  enabled          = true
+  bootstrap_expect = <%= @bootstrap_expect %>
+}
+<% end -%>
+
+<% if @client -%>
+# Manage clients/agents
+client {
+  enabled = true
+}
+<% end -%>
+
+# Require TLS
+tls {
+  http = true
+  rpc  = true
+
+  ca_file   = "/etc/pki/ca-trust/source/anchors/vaultcaroot.pem"
+  cert_file = "/etc/pki/tls/vault/certificate.crt"
+  key_file  = "/etc/pki/tls/vault/private.key"
+
+  verify_server_hostname = true
+  verify_https_client    = false
+}
+

site/profiles/templates/nomad/nomad.service.erb

@@ -0,0 +1,67 @@
+[Unit]
+Description=Nomad
+Documentation=https://nomadproject.io/docs/
+Wants=network-online.target
+After=network-online.target
+
+# When using Nomad with Consul it is not necessary to start Consul first. These
+# lines start Consul before Nomad as an optimization to avoid Nomad logging
+# that Consul is unavailable at startup.
+Wants=consul.service
+After=consul.service
+
+## Configure unit start rate limiting. Units which are started more than
+## *burst* times within an *interval* time span are not permitted to start any
+## more. Use `StartLimitIntervalSec` or `StartLimitInterval` (depending on
+## systemd version) to configure the checking interval and `StartLimitBurst`
+## to configure how many starts per interval are allowed. The values in the
+## commented lines are defaults.
+
+# StartLimitBurst = 5
+
+## StartLimitIntervalSec is used for systemd versions >= 230
+# StartLimitIntervalSec = 10s
+
+## StartLimitInterval is used for systemd versions < 230
+# StartLimitInterval = 10s
+
+[Service]
+
+# Nomad clients need to be run as "root" whereas Nomad servers should be run as
+# the "nomad" user. Please change this if needed.
+<% if @server -%>
+User=<%= @user %>
+Group=<%= @group %>
+<% else -%>
+User=root
+Group=root
+<% end -%>
+
+Type=notify
+EnvironmentFile=-/etc/nomad.d/nomad.env
+ExecReload=/bin/kill -HUP $MAINPID
+ExecStart=/usr/bin/nomad agent -config /etc/nomad.d/config.hcl
+KillMode=process
+KillSignal=SIGINT
+LimitNOFILE=65536
+LimitNPROC=infinity
+Restart=on-failure
+RestartSec=2
+
+TasksMax=infinity
+
+# Nomad Server agents should never be force killed,
+# so here we disable OOM (out of memory) killing for this unit.
+# However, you may wish to change this for Client agents, since
+# the workloads that Nomad places may be more important
+# than the Nomad agent itself.
+OOMScoreAdjust=-1000
+
+# To facilitate debugging when a service fails to stop cleanly,
+# TimeoutStopFailureMode=abort is set to "crash" services that fail to stop in
+# the time allotted. This will cause the service to be terminated with SIGABRT
+# and a coredump to be generated.
+TimeoutStopFailureMode=abort
+
+[Install]
+WantedBy=multi-user.target

site/roles/manifests/infra/nomad/server.pp

@@ -0,0 +1,11 @@
+# a role to deploy a nomad server
+class roles::infra::nomad::server {
+  if $facts['firstrun'] {
+    include profiles::defaults
+    include profiles::firstrun::init
+  }else{
+    include profiles::defaults
+    include profiles::base
+    include profiles::base::datavol
+  }
+}