From 039eb6511c27b18830b397129f4b7c1fd1c4f2df Mon Sep 17 00:00:00 2001
From: Ben Vincent
Date: Sat, 14 Jun 2025 19:26:28 +1000
Subject: [PATCH] feat: add host_volumes to nomad

- add puppet client certs
- add tls-ca-bundle
---
 hieradata/roles/infra/nomad/agentv2.yaml     | 13 +++++++++++++
 site/profiles/manifests/nomad/node.pp        |  2 +-
 site/profiles/templates/nomad/config.hcl.erb |  7 +++++++
 3 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/hieradata/roles/infra/nomad/agentv2.yaml b/hieradata/roles/infra/nomad/agentv2.yaml
index e478e40..0e08f94 100644
--- a/hieradata/roles/infra/nomad/agentv2.yaml
+++ b/hieradata/roles/infra/nomad/agentv2.yaml
@@ -25,6 +25,19 @@ profiles::packages::include:
   consul-cni: {}
 
 profiles::nomad::node::client: true
+profiles::nomad::node::host_volumes:
+  - name: puppetclient_crt
+    path: /etc/puppetlabs/puppet/ssl/certs/ausyd1nxvm2040.main.unkin.net.pem
+    read_only: true
+  - name: puppetclient_key
+    path: /etc/puppetlabs/puppet/ssl/private_keys/ausyd1nxvm2040.main.unkin.net.pem
+    read_only: true
+  - name: puppetclient_ca
+    path: /etc/puppetlabs/puppet/ssl/certs/ca.pem
+    read_only: true
+  - name: tls-ca-bundle
+    path: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
+    read_only: true
 
 # additional altnames
 profiles::pki::vault::alt_names:
diff --git a/site/profiles/manifests/nomad/node.pp b/site/profiles/manifests/nomad/node.pp
index dfc33ff..845c3d2 100644
--- a/site/profiles/manifests/nomad/node.pp
+++ b/site/profiles/manifests/nomad/node.pp
@@ -9,6 +9,7 @@ class profiles::nomad::node (
   Boolean $manage_user = true,
   String $user = 'nomad',
   String $group = 'nomad',
+  Array $host_volumes = [],
 ){
 
   if $manage_user {
@@ -45,7 +46,6 @@ class profiles::nomad::node (
       require => Profiles::Ceph::Keyring['nomad'],
     }
   }
-
 }
 
 file { $data_dir:
diff --git a/site/profiles/templates/nomad/config.hcl.erb b/site/profiles/templates/nomad/config.hcl.erb
index 2f6aead..2298732 100644
--- a/site/profiles/templates/nomad/config.hcl.erb
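Review bot: The `puppetclient_key` entry hands the node's Puppet agent private key (`/etc/puppetlabs/puppet/ssl/private_keys/...pem`) to any Nomad job that can claim that host volume; `read_only: true` only blocks writes, it does not limit which jobs may mount it, so unless a Nomad ACL `host_volume` policy restricts it (not visible in this change) any workload scheduled on the node can act as the Puppet agent. Whether jobs need the agent key at all, rather than a dedicated certificate, is worth settling before this lands; at minimum the volume should be gated by an ACL policy and the reason recorded next to the entry, e.g. `# NOTE: exposes the node's Puppet identity; restrict via Nomad ACL host_volume policy`. Separately, the certname `ausyd1nxvm2040.main.unkin.net` is hard-coded in a role-level hieradata file, so any other node given this role would point at a non-existent file; Hiera interpolation keeps the path per node, e.g. `path: "/etc/puppetlabs/puppet/ssl/private_keys/%{trusted.certname}.pem"` (and likewise for the certs entry).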
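Review bot: `Array $host_volumes = []` accepts any array, so a hiera entry that omits `name`, `path` or `read_only` only surfaces when the Nomad agent rejects the rendered config.hcl; a typed parameter fails at catalog compile time instead, `Array[Struct[{ name => String[1], path => String[1], read_only => Boolean }]] $host_volumes = [],`. The parameter is also undocumented; a `# @param host_volumes List of Nomad client host_volume stanzas (name, path, read_only) rendered into config.hcl` line in the class header would give readers the expected shape. The class declaration starts before this hunk and its body continues after it.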
+++ b/site/profiles/templates/nomad/config.hcl.erb
@@ -21,6 +21,13 @@ server {
 # Manage clients/agents
 client {
   enabled = true
+
+<%- @host_volumes.each do |volume| %>
+  host_volume "<%= volume['name'] %>" {
+    path = "<%= volume['path'] %>"
+    read_only = <%= volume['read_only'] %>
+  }
+  <% end %>
 }
 plugin "docker" {
   config {
-- 
2.47.3
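Review bot: `read_only = <%= volume['read_only'] %>` renders as `read_only = ` when the hiera entry omits the key, which is invalid HCL and stops the Nomad agent from loading its configuration; defaulting to Nomad's own default keeps the output parseable, `read_only = <%= volume.fetch('read_only', false) %>`. The `name` and `path` values are placed inside HCL double quotes without escaping, so a value containing `"` would break the file — acceptable for operator-controlled hiera data, but worth a one-line comment above the loop saying so. The closing `<% end %>` is indented and has no `-` trim while the opening tag uses `<%-`, so each iteration appears to emit an extra indented blank line; `<%- end -%>` would match the opening tag, assuming Puppet's ERB trim mode as usual. The `client {` block is closed inside the hunk, but the rest of the template is outside it.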