puppet-prod/hieradata/roles/infra/nomad/agentv2.yaml
Ben Vincent 26b908e5e7 feat: add node_pools (#317)
- change agentv2 to common node_pool
- set default node_pool to default

Reviewed-on: https://git.query.consul/unkinben/puppet-prod/pulls/317
2025-06-15 17:43:19 +10:00


---
# Hiera data for the Nomad agentv2 role: classes to include, Docker engine
# settings and systemd-networkd management.
hiera_include:
- docker
- docker::networks
- profiles::nomad::node
# NOTE(review): 'latest' leaves the Docker engine version unpinned, so the
# installed version presumably follows whatever the package repository offers
# at run time. Pinning a tested version keeps engine upgrades deliberate.
docker::version: latest
docker::curl_ensure: false
docker::root_dir: /data/docker
# IP forwarding is enabled for Docker here and again on eth0 under
# networking::interfaces.
docker::ip_forward: true
# Commented out, so ip_masq and iptables are not set at this Hiera layer.
#docker::ip_masq: false
#docker::iptables: false
# NOTE(review): manage_all_network_files presumably lets Puppet remove
# unmanaged networkd files; confirm every interface is declared in Hiera.
systemd::manage_networkd: true
systemd::manage_all_network_files: true
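# Interface definitions for this role. The listing had lost its indentation;
# the nesting below (interface name -> settings) is restored from the key
# names. eth0 is a physical, DHCP-configured interface with forwarding on.
networking::interfaces:
  eth0:
    type: physical
    forwarding: true
    dhcp: true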
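# Packages to install for this role, keyed by package name. The listing had
# lost its indentation; the nesting is restored here.
# NOTE(review): the empty hashes set no per-package options, so versions are
# presumably whatever the profile defaults to. Confirm whether nomad and the
# CNI plugins should be pinned.
profiles::packages::include:
  nomad: {}
  cni-plugins: {}
  consul-cni: {}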
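# Run the Nomad agent as a client and place it in the 'common' node pool.
profiles::nomad::node::client: true
profiles::nomad::node::node_pool: common
# Host volumes from this node that are offered to Nomad jobs, all read-only.
# The listing had lost its indentation; each list item's path and read_only
# keys are nested under its name again.
# NOTE(review): puppetclient_key exposes this node's Puppet agent private key.
# read_only prevents modification, not disclosure: any job permitted to mount
# the volume can read the key. Confirm that Nomad ACL host_volume rules limit
# these volumes to the jobs that need them.
profiles::nomad::node::host_volumes:
- name: puppetclient_crt
  path: /etc/puppetlabs/puppet/ssl/certs/%{facts.networking.fqdn}.pem
  read_only: true
- name: puppetclient_key
  path: /etc/puppetlabs/puppet/ssl/private_keys/%{facts.networking.fqdn}.pem
  read_only: true
- name: puppetclient_ca
  path: /etc/puppetlabs/puppet/ssl/certs/ca.pem
  read_only: true
- name: tls-ca-bundle
  path: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
  read_only: true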
# Additional alternative names for the certificate requested through the
# Vault PKI profile (presumably added as subject alternative names; confirm
# against profiles::pki::vault).
# NOTE(review): client.au-syd1.nomad is hard-coded, while the last entry is
# built from the country and region facts. A node in another region would
# still receive the au-syd1 name; confirm that is intended.
profiles::pki::vault::alt_names:
- client.global.nomad
- client.au-syd1.nomad
- nomad-client.service.consul
- nomad-client.query.consul
- "nomad-client.service.%{facts.country}-%{facts.region}.consul"
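# Consul client agent ports. The listing had lost its indentation; the port
# names are nested under the key again.
# NOTE(review): only the plaintext http port is listed and no https port is
# set here. Confirm whether TLS for the agent API is configured elsewhere.
profiles::consul::client::ports:
  grpc: 8502
  dns: 8600
  http: 8500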
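# ACL rules for this node's Consul token (presumably rendered into a Consul
# ACL policy by profiles::consul::client; confirm). The listing had lost its
# indentation; each rule's segment and disposition are nested under its
# resource again.
# NOTE(review): if segment maps to the Consul rule's name or prefix, an empty
# segment on a *_prefix resource matches every name. These rules would then
# grant write on all services, nodes and sessions, not only this node's own
# entries. Check whether node_prefix and session_prefix can be narrowed to
# the node's name or reduced to read.
# The explicit nomad-client service rule is already covered by the
# service_prefix '' write rule.
# key_prefix "nomad" also matches keys such as "nomad-other/..."; use "nomad/"
# if a path boundary is intended.
profiles::consul::client::node_rules:
- resource: service
  segment: nomad-client
  disposition: write
- resource: agent_prefix
  segment: ''
  disposition: read
- resource: node_prefix
  segment: ''
  disposition: write
- resource: service_prefix
  segment: ''
  disposition: write
- resource: key_prefix
  segment: "nomad"
  disposition: write
- resource: session_prefix
  segment: ""
  disposition: write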