commit f10e3a6ebd4f041a99bbfda0fc1f2e9f82ed5e8c
parent af96355a19c1562dd4d8515a244b3ec3ed57f07e
Author: Andreas Gruhler <andreas.gruhler@adfinis.com>
Date: Mon, 27 May 2024 19:43:22 +0200
feat(nomad): vault token in nomad.env & jenkins user
Diffstat:
1 file changed, 19 insertions(+), 4 deletions(-)
diff --git a/nomad.sh b/nomad.sh
@@ -88,9 +88,8 @@ server {
}
EOF
-# Add VAULT_TOKEN placeholder, replace w/ real token
# https://www.nomadproject.io/docs/integrations/vault-integration
-echo "VAULT_TOKEN=changeme" > /etc/nomad.d/nomad.env
+echo "VAULT_TOKEN=$NOMAD_VAULT_TOKEN" > /etc/nomad.d/nomad.env
fi # endif NOMAD_SERVER
systemctl enable nomad
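Review bot: The redirect in `echo "VAULT_TOKEN=$NOMAD_VAULT_TOKEN" > /etc/nomad.d/nomad.env` creates the file with whatever mode the provisioning shell's umask allows, so the real Vault token that replaces the placeholder may be readable by every local user. Create the file with a restrictive mode first and write into it afterwards: `install -m 0600 /dev/null /etc/nomad.d/nomad.env` followed by `printf 'VAULT_TOKEN=%s\n' "${NOMAD_VAULT_TOKEN:?}" > /etc/nomad.d/nomad.env`. The `:?` expansion makes a non-interactive script abort when the variable is unset or empty, instead of silently writing an empty token. File ownership should match the user the nomad service runs as, which is not visible here. The enclosing NOMAD_SERVER `if` starts outside the hunk.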
@@ -118,9 +117,9 @@ client {
# https://developer.hashicorp.com/nomad/docs/job-specification/resources#memory-oversubscription
reserved {
# CPU to reserve, in MHz
- cpu = 500
+ cpu = 200
# memory to reserve, in MB
- memory = 256
+ memory = 128
}
}
@@ -161,4 +160,20 @@ EOF
curl -L -o cni-plugins.tgz "https://github.com/containernetworking/plugins/releases/download/v1.3.0/cni-plugins-linux-amd64-v1.3.0.tgz"
mkdir -p /opt/cni/bin
tar -C /opt/cni/bin -xzf cni-plugins.tgz
+
+# Prepare a Jenkins user for Jenkins agents and workload
+# https://code.in0rdr.ch/nomad/file/docker/docker-jenkins-inbound-agent/README.html
+groupadd -g $NOMAD_JENKINS_GID jenkins
+useradd -m -s /bin/bash -u $NOMAD_JENKINS_UID -g $NOMAD_JENKINS_GID jenkins
+
+# keep my podman.socket enabled even if no jenkins user is logged in
+loginctl enable-linger jenkins
+
+# https://www.freedesktop.org/software/systemd/man/latest/systemctl.html#-M
+systemctl --user -M jenkins@ start podman.socket
+systemctl --user -M jenkins@ enable podman.socket
+
+# create the mountpoint for the workspaces, podman does not create it for us
+sudo -u jenkins mkdir /home/jenkins/workspace
+
fi # endif NOMAD_CLIENT
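Review bot: `$NOMAD_JENKINS_GID` and `$NOMAD_JENKINS_UID` are expanded unquoted and unchecked in the added `groupadd`/`useradd` lines, so an unset or empty variable makes the option parser take the next word as the ID (`-g jenkins`, `-u -g`) rather than failing with a clear message. Quoting with a presence check fixes that: `groupadd -g "${NOMAD_JENKINS_GID:?}" jenkins` and `useradd -m -s /bin/bash -u "${NOMAD_JENKINS_UID:?}" -g "${NOMAD_JENKINS_GID:?}" jenkins`. The block is also not re-runnable: on a second provisioning run `groupadd`, `useradd` and `mkdir` all fail because their targets already exist. `sudo -u jenkins mkdir -p /home/jenkins/workspace` plus a `getent` guard around the account creation would make it idempotent. The NOMAD_CLIENT `if` that this block closes starts outside the hunk.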