├── shared ├── config │ ├── consul-systemd-resolved.conf │ ├── nomad-acl-user.hcl │ ├── vault.hcl │ ├── consul-template.hcl │ ├── consul-acl-nomad-auto-join.hcl │ ├── consul-template.service │ ├── consul_client.hcl │ ├── nomad_client.hcl │ ├── consul.hcl │ └── nomad.hcl ├── data-scripts │ ├── user-data-client.sh │ └── user-data-server.sh └── scripts │ ├── setup.sh │ ├── client.sh │ └── server.sh ├── gcp ├── versions.tf ├── variables.hcl.example ├── outputs.tf ├── image.pkr.hcl ├── variables.tf ├── post-setup.sh └── main.tf ├── .gitignore ├── README.md ├── aws ├── versions.tf ├── variables.hcl.example ├── outputs.tf ├── variables.tf ├── post-setup.sh ├── image.pkr.hcl └── main.tf ├── azure ├── versions.tf ├── variables.hcl.example ├── outputs.tf ├── image.pkr.hcl ├── variables.tf ├── post-setup.sh └── main.tf └── LICENSE /shared/config/consul-systemd-resolved.conf: -------------------------------------------------------------------------------- 1 | [Resolve] 2 | DNS=127.0.0.1:8600 3 | DNSSEC=false 4 | Domains=~consul 5 | DNSStubListenerExtra=DOCKER_BRIDGE_IP_ADDRESS -------------------------------------------------------------------------------- /gcp/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 0.12" 3 | required_providers { 4 | random = { 5 | source = "hashicorp/random" 6 | version = ">= 2" 7 | } 8 | } 9 | } 10 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | .vagrant/ 2 | aws.env/us-east/.terraform/ 3 | .terraform 4 | examples/ 5 | *.tfstate 6 | *.tfstate.backup 7 | .terraform.lock.hcl 8 | terraform.tfvars 9 | variables.hcl 10 | Vagrantfile 11 | ignore* 12 | nomad.token 13 | *.pem -------------------------------------------------------------------------------- /shared/config/nomad-acl-user.hcl: -------------------------------------------------------------------------------- 1 | agent { 2 | policy = "read" 3 | } 4 | 5 | node { 6 | policy = "read" 7 | } 8 | 9 | namespace "*" { 10 | policy = "read" 11 | capabilities = ["submit-job", "dispatch-job", "read-logs", "read-fs", "alloc-exec"] 12 | } -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # Set up a Nomad cluster on the major cloud platforms 2 | 3 | This repo is a companion to the [Cluster Setup](https://developer.hashicorp.com/nomad/tutorials/cluster-setup) collection of tutorials, containing configuration files to create a Nomad cluster with ACLs enabled on AWS, GCP, and Azure. -------------------------------------------------------------------------------- /aws/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 0.12" 3 | required_providers { 4 | aws = { 5 | source = "hashicorp/aws" 6 | version = "~> 5.46.0" 7 | } 8 | random = { 9 | source = "hashicorp/random" 10 | version = ">= 2" 11 | } 12 | } 13 | } 14 | -------------------------------------------------------------------------------- /azure/versions.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | required_version = ">= 0.12" 3 | required_providers { 4 | azurerm = { 5 | source = "hashicorp/azurerm" 6 | version = "=3.0.0" 7 | } 8 | random = { 9 | source = "hashicorp/random" 10 | version = ">= 2" 11 | } 12 | } 13 | 14 | } 15 | 16 | provider "azurerm" { 17 | features {} 18 | } 19 | -------------------------------------------------------------------------------- /shared/config/vault.hcl: -------------------------------------------------------------------------------- 1 | ui = true 2 | 3 | backend "consul" { 4 | path = "vault/" 5 | address = "IP_ADDRESS:8500" 6 | cluster_addr = "https://IP_ADDRESS:8201" 7 | redirect_addr = "http://IP_ADDRESS:8200" 8 | } 9 | 10 | listener "tcp" { 11 | address = "0.0.0.0:8200" 12 | cluster_address = "IP_ADDRESS:8201" 13 | tls_disable = 1 14 | } 15 | -------------------------------------------------------------------------------- /shared/config/consul-template.hcl: -------------------------------------------------------------------------------- 1 | vault { 2 | address = "http://active.vault.service.consul:8200" 3 | token = "" 4 | grace = "1s" 5 | unwrap_token = false 6 | renew_token = true 7 | } 8 | 9 | syslog { 10 | enabled = true 11 | facility = "LOCAL5" 12 | } 13 | 14 | acl = { 15 | enabled = true 16 | default_policy = "deny" 17 | enable_token_persistence = true 18 | } -------------------------------------------------------------------------------- /shared/config/consul-acl-nomad-auto-join.hcl: -------------------------------------------------------------------------------- 1 | acl = "write" 2 | 3 | agent_prefix "" { 4 | policy = "write" 5 | } 6 | 7 | event_prefix "" { 8 | policy = "write" 9 | } 10 | 11 | key_prefix "" { 12 | policy = "write" 13 | } 14 | 15 | node_prefix "" { 16 | policy = "write" 17 | } 18 | 19 | query_prefix "" { 20 | policy = "write" 21 | } 22 | 23 | service_prefix "" { 24 | policy = "write" 25 | } -------------------------------------------------------------------------------- /shared/config/consul-template.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=Consul Template Agent 3 | Requires=network-online.target 4 | After=network-online.target 5 | 6 | [Service] 7 | Restart=on-failure 8 | ExecStart=/usr/local/bin/consul-template -config="/etc/consul-template.d/consul-template.hcl" 9 | ExecReload=/bin/kill -HUP $MAINPID 10 | KillSignal=SIGTERM 11 | User=root 12 | Group=root 13 | 14 | [Install] 15 | WantedBy=multi-user.target 16 | -------------------------------------------------------------------------------- /shared/config/consul_client.hcl: -------------------------------------------------------------------------------- 1 | ui = true 2 | log_level = "INFO" 3 | data_dir = "/opt/consul/data" 4 | bind_addr = "0.0.0.0" 5 | client_addr = "0.0.0.0" 6 | advertise_addr = "IP_ADDRESS" 7 | retry_join = ["RETRY_JOIN"] 8 | 9 | acl { 10 | enabled = true 11 | default_policy = "deny" 12 | down_policy = "extend-cache" 13 | tokens { 14 | default = "AGENT_TOKEN" 15 | } 16 | } 17 | 18 | connect { 19 | enabled = true 20 | } 21 | ports { 22 | grpc = 8502 23 | } -------------------------------------------------------------------------------- /shared/config/nomad_client.hcl: -------------------------------------------------------------------------------- 1 | data_dir = "/opt/nomad/data" 2 | bind_addr = "0.0.0.0" 3 | datacenter = "dc1" 4 | 5 | # Enable the client 6 | client { 7 | enabled = true 8 | options { 9 | "driver.raw_exec.enable" = "1" 10 | "docker.privileged.enabled" = "true" 11 | } 12 | } 13 | 14 | acl { 15 | enabled = true 16 | } 17 | 18 | consul { 19 | address = "127.0.0.1:8500" 20 | token = "CONSUL_TOKEN" 21 | } 22 | 23 | vault { 24 | enabled = true 25 | address = "http://active.vault.service.consul:8200" 26 | } -------------------------------------------------------------------------------- /shared/config/consul.hcl: -------------------------------------------------------------------------------- 1 | data_dir = "/opt/consul/data" 2 | bind_addr = "0.0.0.0" 3 | client_addr = "0.0.0.0" 4 | advertise_addr = "IP_ADDRESS" 5 | 6 | bootstrap_expect = SERVER_COUNT 7 | 8 | acl { 9 | enabled = true 10 | default_policy = "deny" 11 | down_policy = "extend-cache" 12 | } 13 | 14 | log_level = "INFO" 15 | 16 | server = true 17 | ui = true 18 | retry_join = ["RETRY_JOIN"] 19 | 20 | service { 21 | name = "consul" 22 | } 23 | 24 | connect { 25 | enabled = true 26 | } 27 | 28 | ports { 29 | grpc = 8502 30 | } -------------------------------------------------------------------------------- /shared/config/nomad.hcl: -------------------------------------------------------------------------------- 1 | data_dir = "/opt/nomad/data" 2 | bind_addr = "0.0.0.0" 3 | 4 | # Enable the server 5 | server { 6 | enabled = true 7 | bootstrap_expect = SERVER_COUNT 8 | } 9 | 10 | consul { 11 | address = "127.0.0.1:8500" 12 | token = "CONSUL_TOKEN" 13 | } 14 | 15 | acl { 16 | enabled = true 17 | } 18 | 19 | vault { 20 | enabled = false 21 | address = "http://active.vault.service.consul:8200" 22 | task_token_ttl = "1h" 23 | create_from_role = "nomad-cluster" 24 | token = "" 25 | } -------------------------------------------------------------------------------- /aws/variables.hcl.example: -------------------------------------------------------------------------------- 1 | # Packer variables (all are required) 2 | region = "AWS_REGION" 3 | 4 | # Terraform variables (all are required) 5 | ami = "AMI_ID_FROM_PACKER_BUILD" 6 | 7 | # These variables will default to the values shown 8 | # and do not need to be updated unless you want to 9 | # change them 10 | # allowlist_ip = "0.0.0.0/0" 11 | # name_prefix = "nomad" 12 | # server_instance_type = "t2.micro" 13 | # server_count = "3" 14 | # client_instance_type = "t2.micro" 15 | # client_count = "3" -------------------------------------------------------------------------------- /aws/outputs.tf: -------------------------------------------------------------------------------- 1 | output "lb_address_consul_nomad" { 2 | value = "http://${aws_instance.server[0].public_ip}" 3 | } 4 | 5 | output "consul_token_secret" { 6 | value = random_uuid.nomad_token.result 7 | } 8 | 9 | output "IP_Addresses" { 10 | value = < >(sudo tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1 6 | sudo bash /ops/shared/scripts/client.sh "${cloud_env}" '${retry_join}' "${nomad_binary}" 7 | 8 | NOMAD_HCL_PATH="/etc/nomad.d/nomad.hcl" 9 | CLOUD_ENV="${cloud_env}" 10 | CONSULCONFIGDIR=/etc/consul.d 11 | 12 | sed -i "s/CONSUL_TOKEN/${nomad_consul_token_secret}/g" $NOMAD_HCL_PATH 13 | 14 | # Add auto-join token to consul agent for dns and start consul 15 | sed -i "s/AGENT_TOKEN/${nomad_consul_token_secret}/g" $CONSULCONFIGDIR/consul.hcl 16 | sudo systemctl start consul.service 17 | 18 | case $CLOUD_ENV in 19 | aws) 20 | # Place the AWS instance name as metadata on the 21 | # client for targetting workloads 22 | AWS_SERVER_TAG_NAME=$(curl http://169.254.169.254/latest/meta-data/tags/instance/Name) 23 | sed -i "s/SERVER_NAME/$AWS_SERVER_TAG_NAME/g" $NOMAD_HCL_PATH 24 | ;; 25 | gce) 26 | echo "CLOUD_ENV: gce" 27 | ;; 28 | azure) 29 | echo "CLOUD_ENV: azure" 30 | ;; 31 | *) 32 | echo "CLOUD_ENV: not set" 33 | ;; 34 | esac 35 | 36 | sudo systemctl restart nomad 37 | 38 | echo "Finished client setup" -------------------------------------------------------------------------------- /azure/image.pkr.hcl: -------------------------------------------------------------------------------- 1 | packer { 2 | required_plugins { 3 | azure = { 4 | source = "github.com/hashicorp/azure" 5 | version = "~> 2.0.5" 6 | } 7 | } 8 | } 9 | 10 | locals { 11 | timestamp = regex_replace(timestamp(), "[- TZ:]", "") 12 | } 13 | 14 | variable "location" { 15 | type = string 16 | } 17 | 18 | variable "resource_group_name" { 19 | type = string 20 | default = "hashistack" 21 | } 22 | 23 | source "azure-arm" "hashistack" { 24 | use_azure_cli_auth = true 25 | managed_image_resource_group_name = var.resource_group_name 26 | managed_image_name = "hashistack.${local.timestamp}" 27 | os_type = "Linux" 28 | image_publisher = "Canonical" 29 | image_offer = "0001-com-ubuntu-server-jammy" 30 | image_sku = "22_04-lts-gen2" 31 | 32 | azure_tags = { 33 | dept = "education" 34 | } 35 | 36 | location = var.location 37 | vm_size = "Standard_B2s" 38 | } 39 | 40 | build { 41 | sources = ["source.azure-arm.hashistack"] 42 | 43 | provisioner "shell" { 44 | inline = ["sudo mkdir -p /ops/shared", "sudo chmod 777 -R /ops"] 45 | } 46 | 47 | provisioner "file" { 48 | destination = "/ops" 49 | source = "../shared" 50 | } 51 | 52 | provisioner "shell" { 53 | # workaround to cloud-init deleting apt lists while apt-update runs from setup.sh 54 | inline = ["cloud-init status --wait"] 55 | } 56 | 57 | provisioner "shell" { 58 | environment_vars = ["INSTALL_NVIDIA_DOCKER=false", "CLOUD_ENV=aws"] 59 | script = "../shared/scripts/setup.sh" 60 | } 61 | } -------------------------------------------------------------------------------- /azure/variables.tf: -------------------------------------------------------------------------------- 1 | variable "name_prefix" { 2 | description = "Prefix used to name various infrastructure components. Alphanumeric characters only." 3 | default = "nomad" 4 | } 5 | 6 | variable "location" { 7 | description = "The Azure region to deploy to." 8 | } 9 | 10 | variable "image_name" { 11 | description = "The Azure image to use for the server and client machines. Output from the Packer build process. This is the image NAME not the ID." 12 | } 13 | 14 | variable "resource_group_name" { 15 | description = "The Azure resource group name to use." 16 | default = "hashistack" 17 | } 18 | 19 | variable "allowlist_ip" { 20 | description = "IP to allow access for the security groups (set 0.0.0.0/0 for world)" 21 | default = "0.0.0.0/0" 22 | } 23 | 24 | variable "server_instance_type" { 25 | description = "The Azure VM instance type to use for servers." 26 | default = "Standard_B1s" 27 | } 28 | 29 | variable "client_instance_type" { 30 | description = "The Azure VM type to use for clients." 31 | default = "Standard_B1s" 32 | } 33 | 34 | variable "server_count" { 35 | description = "The number of servers to provision." 36 | default = "3" 37 | } 38 | 39 | variable "client_count" { 40 | description = "The number of clients to provision." 41 | default = "3" 42 | } 43 | 44 | variable "nomad_binary" { 45 | description = "URL of a zip file containing a nomad executable to replace the Nomad binaries in the AMI with. Example: https://releases.hashicorp.com/nomad/0.10.0/nomad_0.10.0_linux_amd64.zip" 46 | default = "" 47 | } -------------------------------------------------------------------------------- /gcp/variables.tf: -------------------------------------------------------------------------------- 1 | variable "project" { 2 | description = "The GCP project to use." 3 | } 4 | 5 | variable "region" { 6 | description = "The GCP region to deploy to." 7 | } 8 | 9 | variable "zone" { 10 | description = "The GCP zone to deploy to." 11 | } 12 | 13 | variable "machine_image" { 14 | description = "The compute image to use for the server and client machines. Output from the Packer build process." 15 | } 16 | 17 | variable "name_prefix" { 18 | description = "Prefix used to name various infrastructure components. Alphanumeric characters only." 19 | default = "nomad" 20 | } 21 | 22 | variable "allowlist_ip" { 23 | description = "IP to allow access for the security groups (set 0.0.0.0/0 for world)" 24 | default = "0.0.0.0/0" 25 | } 26 | 27 | variable "server_instance_type" { 28 | description = "The compute engine instance type to use for servers." 29 | default = "e2-micro" 30 | } 31 | 32 | variable "client_instance_type" { 33 | description = "The compute engine instance type to use for clients." 34 | default = "e2-micro" 35 | } 36 | 37 | variable "server_count" { 38 | description = "The number of servers to provision." 39 | default = "3" 40 | } 41 | 42 | variable "client_count" { 43 | description = "The number of clients to provision." 44 | default = "3" 45 | } 46 | 47 | variable "root_block_device_size" { 48 | description = "The volume size of the root block device." 49 | default = 20 50 | } 51 | 52 | variable "nomad_binary" { 53 | description = "URL of a zip file containing a nomad executable to replace the Nomad binaries in the AMI with. Example: https://releases.hashicorp.com/nomad/0.10.0/nomad_0.10.0_linux_amd64.zip" 54 | default = "" 55 | } -------------------------------------------------------------------------------- /aws/variables.tf: -------------------------------------------------------------------------------- 1 | variable "name_prefix" { 2 | description = "Prefix used to name various infrastructure components. Alphanumeric characters only." 3 | default = "nomad" 4 | } 5 | 6 | variable "region" { 7 | description = "The AWS region to deploy to." 8 | } 9 | 10 | variable "ami" { 11 | description = "The AMI to use for the server and client machines. Output from the Packer build process." 12 | } 13 | 14 | variable "retry_join" { 15 | description = "Used by Consul to automatically form a cluster." 16 | type = string 17 | default = "provider=aws tag_key=ConsulAutoJoin tag_value=auto-join" 18 | } 19 | 20 | variable "allowlist_ip" { 21 | description = "IP to allow access for the security groups (set 0.0.0.0/0 for world)" 22 | default = "0.0.0.0/0" 23 | } 24 | 25 | variable "server_instance_type" { 26 | description = "The AWS instance type to use for servers." 27 | default = "t2.micro" 28 | } 29 | 30 | variable "client_instance_type" { 31 | description = "The AWS instance type to use for clients." 32 | default = "t2.micro" 33 | } 34 | 35 | variable "server_count" { 36 | description = "The number of servers to provision." 37 | default = "3" 38 | } 39 | 40 | variable "client_count" { 41 | description = "The number of clients to provision." 42 | default = "3" 43 | } 44 | 45 | variable "root_block_device_size" { 46 | description = "The volume size of the root block device." 47 | default = 16 48 | } 49 | 50 | variable "nomad_binary" { 51 | description = "URL of a zip file containing a nomad executable to replace the Nomad binaries in the AMI with. Example: https://releases.hashicorp.com/nomad/0.10.0/nomad_0.10.0_linux_amd64.zip" 52 | default = "" 53 | } -------------------------------------------------------------------------------- /aws/post-setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | NOMAD_USER_TOKEN_FILENAME="nomad.token" 4 | LB_ADDRESS=$(terraform output -raw lb_address_consul_nomad) 5 | CONSUL_TOKEN=$(terraform output -raw consul_token_secret) 6 | 7 | # Get nomad user token from consul kv 8 | NOMAD_TOKEN=$(curl -s --header "Authorization: Bearer ${CONSUL_TOKEN}" "${LB_ADDRESS}:8500/v1/kv/nomad_user_token?raw") 9 | 10 | # Save token to file if file doesn't already exist 11 | if [ ! -f $NOMAD_USER_TOKEN_FILENAME ]; then 12 | echo $NOMAD_TOKEN > $NOMAD_USER_TOKEN_FILENAME 13 | 14 | # Check length of token to see if retrieval worked before deleting from KV 15 | if [ ${#NOMAD_TOKEN} -eq 36 ]; then 16 | # Delete nomad user token from consul kv 17 | DELETE_TOKEN=$(curl -s -X DELETE --header "Authorization: Bearer ${CONSUL_TOKEN}" "${LB_ADDRESS}:8500/v1/kv/nomad_user_token") 18 | 19 | echo -e "\nThe Nomad user token has been saved locally to $NOMAD_USER_TOKEN_FILENAME and deleted from the Consul KV store." 20 | 21 | echo -e "\nSet the following environment variables to access your Nomad cluster with the user token created during setup:\n\nexport NOMAD_ADDR=\$(terraform output -raw lb_address_consul_nomad):4646\nexport NOMAD_TOKEN=\$(cat $NOMAD_USER_TOKEN_FILENAME)\n" 22 | 23 | echo -e "\nThe Nomad UI can be accessed at ${LB_ADDRESS}:4646/ui\nwith the bootstrap token: $(cat $NOMAD_USER_TOKEN_FILENAME)" 24 | 25 | else 26 | echo -e "\nSomething went wrong when retrieving the token from the Consul KV store.\nCheck the nomad.token file or wait a bit and then try running the script again.\n\nNOT deleting token from KV." 27 | fi 28 | 29 | else 30 | echo -e "\n***\nThe $NOMAD_USER_TOKEN_FILENAME file already exists - not overwriting. If this is a new run, delete it first.\n***" 31 | fi -------------------------------------------------------------------------------- /gcp/post-setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | NOMAD_USER_TOKEN_FILENAME="nomad.token" 4 | LB_ADDRESS=$(terraform output -raw lb_address_consul_nomad) 5 | CONSUL_BOOTSTRAP_TOKEN=$(terraform output -raw consul_bootstrap_token_secret) 6 | 7 | # Get nomad user token from consul kv 8 | NOMAD_TOKEN=$(curl -s --header "Authorization: Bearer ${CONSUL_BOOTSTRAP_TOKEN}" "${LB_ADDRESS}:8500/v1/kv/nomad_user_token?raw") 9 | 10 | # Save token to file if file doesn't already exist 11 | if [ ! -f $NOMAD_USER_TOKEN_FILENAME ]; then 12 | echo $NOMAD_TOKEN > $NOMAD_USER_TOKEN_FILENAME 13 | 14 | # Check length of token to see if retrieval worked before deleting from KV 15 | if [ ${#NOMAD_TOKEN} -eq 36 ]; then 16 | # Delete nomad user token from consul kv 17 | DELETE_TOKEN=$(curl -s -X DELETE --header "Authorization: Bearer ${CONSUL_BOOTSTRAP_TOKEN}" "${LB_ADDRESS}:8500/v1/kv/nomad_user_token") 18 | 19 | echo -e "\nThe Nomad user token has been saved locally to $NOMAD_USER_TOKEN_FILENAME and deleted from the Consul KV store." 20 | 21 | echo -e "\nSet the following environment variables to access your Nomad cluster with the user token created during setup:\n\nexport NOMAD_ADDR=\$(terraform output -raw lb_address_consul_nomad):4646\nexport NOMAD_TOKEN=\$(cat $NOMAD_USER_TOKEN_FILENAME)\n" 22 | 23 | echo -e "\nThe Nomad UI can be accessed at ${LB_ADDRESS}:4646/ui\nwith the bootstrap token: $(cat $NOMAD_USER_TOKEN_FILENAME)" 24 | 25 | else 26 | echo -e "\nSomething went wrong when retrieving the token from the Consul KV store.\nCheck the nomad.token file or wait a bit and then try running the script again.\n\nNOT deleting token from KV." 27 | fi 28 | 29 | else 30 | echo -e "\n***\nThe $NOMAD_USER_TOKEN_FILENAME file already exists - not overwriting. If this is a new run, delete it first.\n***" 31 | fi -------------------------------------------------------------------------------- /azure/post-setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | NOMAD_USER_TOKEN_FILENAME="nomad.token" 4 | LB_ADDRESS=$(terraform output -raw lb_address_consul_nomad) 5 | CONSUL_BOOTSTRAP_TOKEN=$(terraform output -raw consul_bootstrap_token_secret) 6 | 7 | # Get nomad user token from consul kv 8 | NOMAD_TOKEN=$(curl -s --header "Authorization: Bearer ${CONSUL_BOOTSTRAP_TOKEN}" "${LB_ADDRESS}:8500/v1/kv/nomad_user_token?raw") 9 | 10 | # echo $NOMAD_TOKEN 11 | 12 | # Save token to file if file doesn't already exist 13 | if [ ! -f $NOMAD_USER_TOKEN_FILENAME ]; then 14 | echo $NOMAD_TOKEN > $NOMAD_USER_TOKEN_FILENAME 15 | 16 | # Check length of token to see if retrieval worked before deleting from KV 17 | if [ ${#NOMAD_TOKEN} -eq 36 ]; then 18 | # Delete nomad user token from consul kv 19 | DELETE_TOKEN=$(curl -s -X DELETE --header "Authorization: Bearer ${CONSUL_BOOTSTRAP_TOKEN}" "${LB_ADDRESS}:8500/v1/kv/nomad_user_token") 20 | 21 | echo -e "\nThe Nomad user token has been saved locally to $NOMAD_USER_TOKEN_FILENAME and deleted from the Consul KV store." 22 | 23 | echo -e "\nSet the following environment variables to access your Nomad cluster with the user token created during setup:\n\nexport NOMAD_ADDR=\$(terraform output -raw lb_address_consul_nomad):4646\nexport NOMAD_TOKEN=\$(cat $NOMAD_USER_TOKEN_FILENAME)\n" 24 | 25 | echo -e "\nThe Nomad UI can be accessed at ${LB_ADDRESS}:4646/ui\nwith the bootstrap token: $(cat $NOMAD_USER_TOKEN_FILENAME)" 26 | 27 | else 28 | echo -e "\nSomething went wrong when retrieving the token from the Consul KV store.\nCheck the nomad.token file or wait a bit and then try running the script again.\n\nNOT deleting token from KV." 29 | fi 30 | 31 | else 32 | echo -e "\n***\nThe $NOMAD_USER_TOKEN_FILENAME file already exists - not overwriting. If this is a new run, delete it first.\n***" 33 | fi -------------------------------------------------------------------------------- /aws/image.pkr.hcl: -------------------------------------------------------------------------------- 1 | packer { 2 | required_plugins { 3 | amazon = { 4 | source = "github.com/hashicorp/amazon" 5 | version = "~> 1.3.1" 6 | } 7 | } 8 | } 9 | 10 | locals { 11 | timestamp = regex_replace(timestamp(), "[- TZ:]", "") 12 | } 13 | 14 | variable "region" { 15 | type = string 16 | } 17 | 18 | data "amazon-ami" "hashistack" { 19 | filters = { 20 | architecture = "x86_64" 21 | "block-device-mapping.volume-type" = "gp2" 22 | name = "ubuntu/images/hvm-ssd/ubuntu-jammy-22.04-amd64-server-*" 23 | root-device-type = "ebs" 24 | virtualization-type = "hvm" 25 | } 26 | most_recent = true 27 | owners = ["099720109477"] 28 | region = var.region 29 | } 30 | 31 | 32 | source "amazon-ebs" "hashistack" { 33 | ami_name = "hashistack-${local.timestamp}" 34 | instance_type = "t2.medium" 35 | region = var.region 36 | source_ami = "${data.amazon-ami.hashistack.id}" 37 | ssh_username = "ubuntu" 38 | force_deregister = true 39 | force_delete_snapshot = true 40 | 41 | tags = { 42 | Name = "nomad-alb" 43 | source = "hashicorp/learn" 44 | purpose = "demo" 45 | OS_Version = "Ubuntu" 46 | Release = "Latest" 47 | Base_AMI_ID = "{{ .SourceAMI }}" 48 | Base_AMI_Name = "{{ .SourceAMIName }}" 49 | } 50 | 51 | snapshot_tags = { 52 | Name = "nomad-alb" 53 | source = "hashicorp/learn" 54 | purpose = "demo" 55 | } 56 | } 57 | 58 | build { 59 | sources = ["source.amazon-ebs.hashistack"] 60 | 61 | provisioner "shell" { 62 | inline = ["sudo mkdir -p /ops/shared", "sudo chmod 777 -R /ops"] 63 | } 64 | 65 | provisioner "file" { 66 | destination = "/ops" 67 | source = "../shared" 68 | } 69 | 70 | provisioner "shell" { 71 | environment_vars = ["INSTALL_NVIDIA_DOCKER=false", "CLOUD_ENV=aws"] 72 | script = "../shared/scripts/setup.sh" 73 | } 74 | 75 | } 76 | -------------------------------------------------------------------------------- /shared/scripts/setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -e 4 | 5 | # Disable interactive apt prompts 6 | export DEBIAN_FRONTEND=noninteractive 7 | 8 | cd /ops 9 | 10 | CONFIGDIR=/ops/shared/config 11 | 12 | CONSULVERSION=1.18.2 13 | VAULTVERSION=1.17.0 14 | NOMADVERSION=1.8.1 15 | CONSULTEMPLATEVERSION=0.39.0 16 | 17 | CONSULTEMPLATECONFIGDIR=/etc/consul-template.d 18 | CONSULTEMPLATEDIR=/opt/consul-template 19 | 20 | # Dependencies 21 | case $CLOUD_ENV in 22 | aws) 23 | sudo apt-get install -y software-properties-common 24 | ;; 25 | 26 | gce) 27 | sudo apt-get update && sudo apt-get install -y software-properties-common 28 | ;; 29 | 30 | azure) 31 | sudo apt-get install -y software-properties-common 32 | ;; 33 | 34 | *) 35 | exit "CLOUD_ENV not set to one of aws, gce, or azure - exiting." 36 | ;; 37 | esac 38 | 39 | sudo add-apt-repository universe && sudo apt-get update 40 | sudo apt-get install -y unzip tree redis-tools jq curl tmux 41 | sudo apt-get clean 42 | 43 | 44 | # Disable the firewall 45 | 46 | sudo ufw disable || echo "ufw not installed" 47 | 48 | # Consul Template 49 | 50 | ## Configure 51 | sudo mkdir -p $CONSULTEMPLATECONFIGDIR 52 | sudo chmod 755 $CONSULTEMPLATECONFIGDIR 53 | sudo mkdir -p $CONSULTEMPLATEDIR 54 | sudo chmod 755 $CONSULTEMPLATEDIR 55 | 56 | 57 | # Docker 58 | distro=$(lsb_release -si | tr '[:upper:]' '[:lower:]') 59 | sudo apt-get install -y apt-transport-https ca-certificates gnupg2 60 | curl -fsSL https://download.docker.com/linux/debian/gpg | sudo apt-key add - 61 | sudo add-apt-repository "deb [arch=amd64] https://download.docker.com/linux/${distro} $(lsb_release -cs) stable" 62 | sudo apt-get update 63 | sudo apt-get install -y docker-ce 64 | 65 | # Java 66 | sudo add-apt-repository -y ppa:openjdk-r/ppa 67 | sudo apt-get update 68 | sudo apt-get install -y openjdk-8-jdk 69 | JAVA_HOME=$(readlink -f /usr/bin/java | sed "s:bin/java::") 70 | 71 | 72 | # Install HashiCorp Apt Repository 73 | wget -O- https://apt.releases.hashicorp.com/gpg | sudo gpg --dearmor -o /usr/share/keyrings/hashicorp-archive-keyring.gpg 74 | echo "deb [signed-by=/usr/share/keyrings/hashicorp-archive-keyring.gpg] https://apt.releases.hashicorp.com $(lsb_release -cs) main" | sudo tee /etc/apt/sources.list.d/hashicorp.list 75 | 76 | # Install HashiStack Packages 77 | sudo apt-get update && sudo apt-get -y install \ 78 | consul=$CONSULVERSION* \ 79 | nomad=$NOMADVERSION* \ 80 | vault=$VAULTVERSION* \ 81 | consul-template=$CONSULTEMPLATEVERSION* 82 | -------------------------------------------------------------------------------- /shared/data-scripts/user-data-server.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -e 4 | 5 | exec > >(sudo tee /var/log/user-data.log|logger -t user-data -s 2>/dev/console) 2>&1 6 | sudo bash /ops/shared/scripts/server.sh "${cloud_env}" "${server_count}" '${retry_join}' "${nomad_binary}" 7 | 8 | ACL_DIRECTORY="/ops/shared/config" 9 | CONSUL_BOOTSTRAP_TOKEN="/tmp/consul_bootstrap" 10 | NOMAD_BOOTSTRAP_TOKEN="/tmp/nomad_bootstrap" 11 | NOMAD_USER_TOKEN="/tmp/nomad_user_token" 12 | 13 | sed -i "s/CONSUL_TOKEN/${nomad_consul_token_secret}/g" /etc/nomad.d/nomad.hcl 14 | 15 | sudo systemctl restart nomad 16 | 17 | echo "Finished server setup" 18 | 19 | echo "ACL bootstrap begin" 20 | 21 | # Wait until leader has been elected and bootstrap consul ACLs 22 | for i in {1..9}; do 23 | # capture stdout and stderr 24 | set +e 25 | sleep 5 26 | OUTPUT=$(consul acl bootstrap 2>&1) 27 | if [ $? -ne 0 ]; then 28 | echo "consul acl bootstrap: $OUTPUT" 29 | if [[ "$OUTPUT" = *"No cluster leader"* ]]; then 30 | echo "consul no cluster leader" 31 | continue 32 | else 33 | echo "consul already bootstrapped" 34 | exit 0 35 | fi 36 | 37 | fi 38 | set -e 39 | 40 | echo "$OUTPUT" | grep -i secretid | awk '{print $2}' > $CONSUL_BOOTSTRAP_TOKEN 41 | if [ -s $CONSUL_BOOTSTRAP_TOKEN ]; then 42 | echo "consul bootstrapped" 43 | break 44 | fi 45 | done 46 | 47 | 48 | consul acl policy create -name 'nomad-auto-join' -rules="@$ACL_DIRECTORY/consul-acl-nomad-auto-join.hcl" -token-file=$CONSUL_BOOTSTRAP_TOKEN 49 | 50 | consul acl role create -name "nomad-auto-join" -description "Role with policies necessary for nomad servers and clients to auto-join via Consul." -policy-name "nomad-auto-join" -token-file=$CONSUL_BOOTSTRAP_TOKEN 51 | 52 | consul acl token create -accessor=${nomad_consul_token_id} -secret=${nomad_consul_token_secret} -description "Nomad server/client auto-join token" -role-name nomad-auto-join -token-file=$CONSUL_BOOTSTRAP_TOKEN 53 | 54 | # Wait for nomad servers to come up and bootstrap nomad ACL 55 | for i in {1..12}; do 56 | # capture stdout and stderr 57 | set +e 58 | sleep 5 59 | OUTPUT=$(nomad acl bootstrap 2>&1) 60 | if [ $? -ne 0 ]; then 61 | echo "nomad acl bootstrap: $OUTPUT" 62 | if [[ "$OUTPUT" = *"No cluster leader"* ]]; then 63 | echo "nomad no cluster leader" 64 | continue 65 | else 66 | echo "nomad already bootstrapped" 67 | exit 0 68 | fi 69 | fi 70 | set -e 71 | 72 | echo "$OUTPUT" | grep -i secret | awk -F '=' '{print $2}' | xargs | awk 'NF' > $NOMAD_BOOTSTRAP_TOKEN 73 | if [ -s $NOMAD_BOOTSTRAP_TOKEN ]; then 74 | echo "nomad bootstrapped" 75 | break 76 | fi 77 | done 78 | 79 | nomad acl policy apply -token "$(cat $NOMAD_BOOTSTRAP_TOKEN)" -description "Policy to allow reading of agents and nodes and listing and submitting jobs in all namespaces." node-read-job-submit $ACL_DIRECTORY/nomad-acl-user.hcl 80 | 81 | nomad acl token create -token "$(cat $NOMAD_BOOTSTRAP_TOKEN)" -name "read-token" -policy node-read-job-submit | grep -i secret | awk -F "=" '{print $2}' | xargs > $NOMAD_USER_TOKEN 82 | 83 | # Write user token to kv 84 | consul kv put -token-file=$CONSUL_BOOTSTRAP_TOKEN nomad_user_token "$(cat $NOMAD_USER_TOKEN)" 85 | 86 | echo "ACL bootstrap end" 87 | 88 | -------------------------------------------------------------------------------- /shared/scripts/client.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -e 4 | 5 | CONFIGDIR=/ops/shared/config 6 | 7 | CONSULCONFIGDIR=/etc/consul.d 8 | NOMADCONFIGDIR=/etc/nomad.d 9 | CONSULTEMPLATECONFIGDIR=/etc/consul-template.d 10 | HOME_DIR=ubuntu 11 | 12 | # Wait for network 13 | sleep 15 14 | 15 | DOCKER_BRIDGE_IP_ADDRESS=(`ip -brief addr show docker0 | awk '{print $3}' | awk -F/ '{print $1}'`) 16 | CLOUD=$1 17 | RETRY_JOIN=$2 18 | NOMAD_BINARY=$3 19 | 20 | # Get IP from metadata service 21 | case $CLOUD in 22 | aws) 23 | echo "CLOUD_ENV: aws" 24 | TOKEN=$(curl -X PUT "http://instance-data/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") 25 | 26 | IP_ADDRESS=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://instance-data/latest/meta-data/local-ipv4) 27 | ;; 28 | gce) 29 | echo "CLOUD_ENV: gce" 30 | IP_ADDRESS=$(curl -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/network-interfaces/0/ip) 31 | ;; 32 | azure) 33 | echo "CLOUD_ENV: azure" 34 | IP_ADDRESS=$(curl -s -H Metadata:true --noproxy "*" http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0?api-version=2021-12-13 | jq -r '.["privateIpAddress"]') 35 | ;; 36 | *) 37 | echo "CLOUD_ENV: not set" 38 | ;; 39 | esac 40 | 41 | # Consul 42 | sed -i "s/IP_ADDRESS/$IP_ADDRESS/g" $CONFIGDIR/consul_client.hcl 43 | sed -i "s/RETRY_JOIN/$RETRY_JOIN/g" $CONFIGDIR/consul_client.hcl 44 | sudo cp $CONFIGDIR/consul_client.hcl $CONSULCONFIGDIR/consul.hcl 45 | 46 | sudo systemctl enable consul.service 47 | 48 | # Nomad 49 | 50 | ## Replace existing Nomad binary if remote file exists 51 | if [[ `wget -S --spider $NOMAD_BINARY 2>&1 | grep 'HTTP/1.1 200 OK'` ]]; then 52 | curl -L $NOMAD_BINARY > nomad.zip 53 | sudo unzip -o nomad.zip -d /usr/local/bin 54 | sudo chmod 0755 /usr/local/bin/nomad 55 | sudo chown root:root /usr/local/bin/nomad 56 | fi 57 | 58 | sudo cp $CONFIGDIR/nomad_client.hcl $NOMADCONFIGDIR/nomad.hcl 59 | 60 | # Install and link CNI Plugins to support Consul Connect-Enabled jobs 61 | sudo apt install -y containernetworking-plugins 62 | sudo mkdir /opt/cni && sudo ln -s /usr/lib/cni /opt/cni/bin 63 | 64 | sudo systemctl enable nomad.service 65 | sudo systemctl start nomad.service 66 | sleep 10 67 | export NOMAD_ADDR=http://$IP_ADDRESS:4646 68 | 69 | # Consul Template 70 | 71 | sudo cp $CONFIGDIR/consul-template.hcl $CONSULTEMPLATECONFIGDIR/consul-template.hcl 72 | sudo cp $CONFIGDIR/consul-template.service /etc/systemd/system/consul-template.service 73 | 74 | # Add hostname to /etc/hosts 75 | echo "127.0.0.1 $(hostname)" | sudo tee --append /etc/hosts 76 | 77 | # Add systemd-resolved configuration for Consul DNS 78 | # ref: https://developer.hashicorp.com/consul/tutorials/networking/dns-forwarding#systemd-resolved-setup 79 | sed -i "s/DOCKER_BRIDGE_IP_ADDRESS/$DOCKER_BRIDGE_IP_ADDRESS/g" $CONFIGDIR/consul-systemd-resolved.conf 80 | sudo mkdir -p /etc/systemd/resolved.conf.d/ 81 | sudo cp $CONFIGDIR/consul-systemd-resolved.conf /etc/systemd/resolved.conf.d/consul.conf 82 | sudo systemctl restart systemd-resolved 83 | 84 | # Set env vars for tool CLIs 85 | echo "export VAULT_ADDR=http://$IP_ADDRESS:8200" | sudo tee --append /home/$HOME_DIR/.bashrc 86 | echo "export NOMAD_ADDR=http://$IP_ADDRESS:4646" | sudo tee --append /home/$HOME_DIR/.bashrc 87 | echo "export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64/jre" | sudo tee --append /home/$HOME_DIR/.bashrc 88 | -------------------------------------------------------------------------------- /shared/scripts/server.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | set -e 4 | 5 | CONFIGDIR=/ops/shared/config 6 | 7 | CONSULCONFIGDIR=/etc/consul.d 8 | VAULTCONFIGDIR=/etc/vault.d 9 | NOMADCONFIGDIR=/etc/nomad.d 10 | CONSULTEMPLATECONFIGDIR=/etc/consul-template.d 11 | HOME_DIR=ubuntu 12 | 13 | # Wait for network 14 | sleep 15 15 | 16 | DOCKER_BRIDGE_IP_ADDRESS=(`ip -brief addr show docker0 | awk '{print $3}' | awk -F/ '{print $1}'`) 17 | CLOUD=$1 18 | SERVER_COUNT=$2 19 | RETRY_JOIN=$3 20 | NOMAD_BINARY=$4 21 | 22 | # Get IP from metadata service 23 | case $CLOUD in 24 | aws) 25 | echo "CLOUD_ENV: aws" 26 | TOKEN=$(curl -X PUT "http://instance-data/latest/api/token" -H "X-aws-ec2-metadata-token-ttl-seconds: 21600") 27 | 28 | IP_ADDRESS=$(curl -H "X-aws-ec2-metadata-token: $TOKEN" http://instance-data/latest/meta-data/local-ipv4) 29 | ;; 30 | gce) 31 | echo "CLOUD_ENV: gce" 32 | IP_ADDRESS=$(curl -H "Metadata-Flavor: Google" http://metadata/computeMetadata/v1/instance/network-interfaces/0/ip) 33 | ;; 34 | azure) 35 | echo "CLOUD_ENV: azure" 36 | IP_ADDRESS=$(curl -s -H Metadata:true --noproxy "*" http://169.254.169.254/metadata/instance/network/interface/0/ipv4/ipAddress/0?api-version=2021-12-13 | jq -r '.["privateIpAddress"]') 37 | ;; 38 | *) 39 | echo "CLOUD_ENV: not set" 40 | ;; 41 | esac 42 | 43 | # Consul 44 | sed -i "s/IP_ADDRESS/$IP_ADDRESS/g" $CONFIGDIR/consul.hcl 45 | sed -i "s/SERVER_COUNT/$SERVER_COUNT/g" $CONFIGDIR/consul.hcl 46 | sed -i "s/RETRY_JOIN/$RETRY_JOIN/g" $CONFIGDIR/consul.hcl 47 | sudo cp $CONFIGDIR/consul.hcl $CONSULCONFIGDIR 48 | 49 | sudo systemctl enable consul.service 50 | sudo systemctl start consul.service 51 | sleep 10 52 | export CONSUL_HTTP_ADDR=$IP_ADDRESS:8500 53 | export CONSUL_RPC_ADDR=$IP_ADDRESS:8400 54 | 55 | # Vault 56 | sed -i "s/IP_ADDRESS/$IP_ADDRESS/g" $CONFIGDIR/vault.hcl 57 | sudo cp $CONFIGDIR/vault.hcl $VAULTCONFIGDIR 58 | 59 | #FIXME: Change the systemd unit file so that the startup don't block 60 | sudo sed -i 's/Type=notify/Type=simple/' /lib/systemd/system/vault.service 61 | sudo systemctl daemon-reload 62 | 63 | sudo systemctl enable vault.service 64 | sudo systemctl start vault.service 65 | 66 | # Nomad 67 | 68 | ## Replace existing Nomad binary if remote file exists 69 | if [[ `wget -S --spider $NOMAD_BINARY 2>&1 | grep 'HTTP/1.1 200 OK'` ]]; then 70 | curl -L $NOMAD_BINARY > nomad.zip 71 | sudo unzip -o nomad.zip -d /usr/local/bin 72 | sudo chmod 0755 /usr/local/bin/nomad 73 | sudo chown root:root /usr/local/bin/nomad 74 | fi 75 | 76 | sed -i "s/SERVER_COUNT/$SERVER_COUNT/g" $CONFIGDIR/nomad.hcl 77 | sudo cp $CONFIGDIR/nomad.hcl $NOMADCONFIGDIR 78 | 79 | sudo systemctl enable nomad.service 80 | sudo systemctl start nomad.service 81 | sleep 10 82 | export NOMAD_ADDR=http://$IP_ADDRESS:4646 83 | 84 | # Consul Template 85 | sudo cp $CONFIGDIR/consul-template.hcl $CONSULTEMPLATECONFIGDIR/consul-template.hcl 86 | sudo cp $CONFIGDIR/consul-template.service /etc/systemd/system/consul-template.service 87 | 88 | # Add hostname to /etc/hosts 89 | 90 | echo "127.0.0.1 $(hostname)" | sudo tee --append /etc/hosts 91 | 92 | 93 | # Add systemd-resolved configuration for Consul DNS 94 | # ref: https://developer.hashicorp.com/consul/tutorials/networking/dns-forwarding#systemd-resolved-setup 95 | sed -i "s/DOCKER_BRIDGE_IP_ADDRESS/$DOCKER_BRIDGE_IP_ADDRESS/g" $CONFIGDIR/consul-systemd-resolved.conf 96 | sudo mkdir -p /etc/systemd/resolved.conf.d/ 97 | sudo cp $CONFIGDIR/consul-systemd-resolved.conf /etc/systemd/resolved.conf.d/consul.conf 98 | sudo systemctl restart systemd-resolved 99 | 100 | # Set env vars for tool CLIs 101 | echo "export CONSUL_RPC_ADDR=$IP_ADDRESS:8400" | sudo tee --append /home/$HOME_DIR/.bashrc 102 | echo "export CONSUL_HTTP_ADDR=$IP_ADDRESS:8500" | sudo tee --append /home/$HOME_DIR/.bashrc 103 | echo "export VAULT_ADDR=http://$IP_ADDRESS:8200" | sudo tee --append /home/$HOME_DIR/.bashrc 104 | echo "export NOMAD_ADDR=http://$IP_ADDRESS:4646" | sudo tee --append /home/$HOME_DIR/.bashrc 105 | echo "export JAVA_HOME=/usr/lib/jvm/java-8-openjdk-amd64/jre" | sudo tee --append /home/$HOME_DIR/.bashrc -------------------------------------------------------------------------------- /gcp/main.tf: -------------------------------------------------------------------------------- 1 | provider "google" { 2 | project = var.project 3 | region = var.region 4 | zone = var.zone 5 | } 6 | 7 | resource "google_compute_network" "hashistack" { 8 | name = "hashistack-${var.name_prefix}" 9 | } 10 | 11 | resource "google_compute_firewall" "consul_nomad_ui_ingress" { 12 | name = "${var.name_prefix}-ui-ingress" 13 | network = google_compute_network.hashistack.name 14 | source_ranges = [var.allowlist_ip] 15 | 16 | # Nomad 17 | allow { 18 | protocol = "tcp" 19 | ports = [4646] 20 | } 21 | 22 | # Consul 23 | allow { 24 | protocol = "tcp" 25 | ports = [8500] 26 | } 27 | } 28 | 29 | resource "google_compute_firewall" "ssh_ingress" { 30 | name = "${var.name_prefix}-ssh-ingress" 31 | network = google_compute_network.hashistack.name 32 | source_ranges = [var.allowlist_ip] 33 | 34 | # SSH 35 | allow { 36 | protocol = "tcp" 37 | ports = [22] 38 | } 39 | } 40 | 41 | resource "google_compute_firewall" "allow_all_internal" { 42 | name = "${var.name_prefix}-allow-all-internal" 43 | network = google_compute_network.hashistack.name 44 | source_tags = ["auto-join"] 45 | 46 | allow { 47 | protocol = "icmp" 48 | } 49 | 50 | allow { 51 | protocol = "tcp" 52 | ports = ["0-65535"] 53 | } 54 | 55 | allow { 56 | protocol = "udp" 57 | ports = ["0-65535"] 58 | } 59 | } 60 | 61 | resource "google_compute_firewall" "clients_ingress" { 62 | name = "${var.name_prefix}-clients-ingress" 63 | network = google_compute_network.hashistack.name 64 | source_ranges = [var.allowlist_ip] 65 | target_tags = ["nomad-clients"] 66 | 67 | # Add application ingress rules here 68 | # These rules are applied only to the client nodes 69 | 70 | # nginx example; replace with your application port 71 | allow { 72 | protocol = "tcp" 73 | ports = [80] 74 | } 75 | } 76 | 77 | resource "random_uuid" "nomad_id" { 78 | } 79 | 80 | resource "random_uuid" "nomad_token" { 81 | } 82 | 83 | resource "google_compute_instance" "server" { 84 | count = var.server_count 85 | name = "${var.name_prefix}-server-${count.index}" 86 | machine_type = var.server_instance_type 87 | zone = var.zone 88 | tags = ["auto-join"] 89 | 90 | allow_stopping_for_update = true 91 | 92 | boot_disk { 93 | initialize_params { 94 | image = var.machine_image 95 | size = var.root_block_device_size 96 | } 97 | } 98 | 99 | network_interface { 100 | network = google_compute_network.hashistack.name 101 | access_config { 102 | // Leave empty to get an ephemeral public IP 103 | } 104 | } 105 | 106 | service_account { 107 | # https://developers.google.com/identity/protocols/googlescopes 108 | scopes = [ 109 | "https://www.googleapis.com/auth/compute.readonly", 110 | "https://www.googleapis.com/auth/logging.write", 111 | ] 112 | } 113 | 114 | metadata_startup_script = templatefile("${path.module}/../shared/data-scripts/user-data-server.sh", { 115 | server_count = var.server_count 116 | region = var.region 117 | cloud_env = "gce" 118 | retry_join = local.consul_retry_join 119 | nomad_binary = var.nomad_binary 120 | nomad_consul_token_id = random_uuid.nomad_id.result 121 | nomad_consul_token_secret = random_uuid.nomad_token.result 122 | }) 123 | } 124 | 125 | resource "google_compute_instance" "client" { 126 | count = var.client_count 127 | name = "${var.name_prefix}-client-${count.index}" 128 | machine_type = var.client_instance_type 129 | zone = var.zone 130 | tags = ["auto-join", "nomad-clients"] 131 | 132 | allow_stopping_for_update = true 133 | 134 | boot_disk { 135 | initialize_params { 136 | image = var.machine_image 137 | size = var.root_block_device_size 138 | } 139 | } 140 | 141 | network_interface { 142 | network = google_compute_network.hashistack.name 143 | access_config { 144 | // Leave empty to get an ephemeral public IP 145 | } 146 | } 147 | 148 | service_account { 149 | # https://developers.google.com/identity/protocols/googlescopes 150 | scopes = [ 151 | "https://www.googleapis.com/auth/compute.readonly", 152 | "https://www.googleapis.com/auth/logging.write", 153 | ] 154 | } 155 | 156 | metadata_startup_script = templatefile("${path.module}/../shared/data-scripts/user-data-client.sh", { 157 | region = var.region 158 | cloud_env = "gce" 159 | retry_join = local.consul_retry_join 160 | nomad_binary = var.nomad_binary 161 | nomad_consul_token_secret = random_uuid.nomad_token.result 162 | }) 163 | } 164 | 165 | locals { 166 | consul_retry_join = "project_name=${var.project} zone_pattern=${var.zone} provider=gce tag_value=auto-join" 167 | } -------------------------------------------------------------------------------- /aws/main.tf: -------------------------------------------------------------------------------- 1 | provider "aws" { 2 | region = var.region 3 | } 4 | 5 | data "aws_vpc" "default" { 6 | default = true 7 | } 8 | 9 | resource "aws_security_group" "consul_nomad_ui_ingress" { 10 | name = "${var.name_prefix}-ui-ingress" 11 | vpc_id = data.aws_vpc.default.id 12 | 13 | # Nomad 14 | ingress { 15 | from_port = 4646 16 | to_port = 4646 17 | protocol = "tcp" 18 | cidr_blocks = [var.allowlist_ip] 19 | } 20 | 21 | # Consul 22 | ingress { 23 | from_port = 8500 24 | to_port = 8500 25 | protocol = "tcp" 26 | cidr_blocks = [var.allowlist_ip] 27 | } 28 | 29 | ingress { 30 | from_port = 0 31 | to_port = 0 32 | protocol = "-1" 33 | self = true 34 | } 35 | 36 | egress { 37 | from_port = 0 38 | to_port = 0 39 | protocol = "-1" 40 | cidr_blocks = ["0.0.0.0/0"] 41 | } 42 | } 43 | 44 | resource "aws_security_group" "ssh_ingress" { 45 | name = "${var.name_prefix}-ssh-ingress" 46 | vpc_id = data.aws_vpc.default.id 47 | 48 | # SSH 49 | ingress { 50 | from_port = 22 51 | to_port = 22 52 | protocol = "tcp" 53 | cidr_blocks = [var.allowlist_ip] 54 | } 55 | 56 | ingress { 57 | from_port = 0 58 | to_port = 0 59 | protocol = "-1" 60 | self = true 61 | } 62 | 63 | egress { 64 | from_port = 0 65 | to_port = 0 66 | protocol = "-1" 67 | cidr_blocks = ["0.0.0.0/0"] 68 | } 69 | } 70 | 71 | resource "aws_security_group" "allow_all_internal" { 72 | name = "${var.name_prefix}-allow-all-internal" 73 | vpc_id = data.aws_vpc.default.id 74 | 75 | ingress { 76 | from_port = 0 77 | to_port = 0 78 | protocol = "-1" 79 | self = true 80 | } 81 | 82 | egress { 83 | from_port = 0 84 | to_port = 0 85 | protocol = "-1" 86 | cidr_blocks = ["0.0.0.0/0"] 87 | } 88 | } 89 | 90 | resource "aws_security_group" "clients_ingress" { 91 | name = "${var.name_prefix}-clients-ingress" 92 | vpc_id = data.aws_vpc.default.id 93 | 94 | ingress { 95 | from_port = 0 96 | to_port = 0 97 | protocol = "-1" 98 | self = true 99 | } 100 | 101 | egress { 102 | from_port = 0 103 | to_port = 0 104 | protocol = "-1" 105 | cidr_blocks = ["0.0.0.0/0"] 106 | } 107 | 108 | # Add application ingress rules here 109 | # These rules are applied only to the client nodes 110 | 111 | # nginx example 112 | # ingress { 113 | # from_port = 80 114 | # to_port = 80 115 | # protocol = "tcp" 116 | # cidr_blocks = ["0.0.0.0/0"] 117 | # } 118 | } 119 | 120 | resource "tls_private_key" "pk" { 121 | algorithm = "RSA" 122 | rsa_bits = 4096 123 | } 124 | 125 | resource "aws_key_pair" "nomad" { 126 | key_name = "nomad-aws-key-pair" 127 | public_key = tls_private_key.pk.public_key_openssh 128 | } 129 | 130 | resource "local_file" "nomad_key" { 131 | content = tls_private_key.pk.private_key_pem 132 | filename = "./nomad-aws-key-pair.pem" 133 | file_permission = "0400" 134 | } 135 | 136 | resource "random_uuid" "nomad_id" { 137 | } 138 | 139 | resource "random_uuid" "nomad_token" { 140 | } 141 | 142 | resource "aws_instance" "server" { 143 | ami = var.ami 144 | instance_type = var.server_instance_type 145 | key_name = aws_key_pair.nomad.key_name 146 | vpc_security_group_ids = [aws_security_group.consul_nomad_ui_ingress.id, aws_security_group.ssh_ingress.id, aws_security_group.allow_all_internal.id] 147 | count = var.server_count 148 | 149 | # instance tags 150 | # ConsulAutoJoin is necessary for nodes to automatically join the cluster 151 | tags = merge( 152 | { 153 | "Name" = "${var.name_prefix}-server-${count.index}" 154 | }, 155 | { 156 | "ConsulAutoJoin" = "auto-join" 157 | }, 158 | { 159 | "NomadType" = "server" 160 | } 161 | ) 162 | 163 | root_block_device { 164 | volume_type = "gp2" 165 | volume_size = var.root_block_device_size 166 | delete_on_termination = "true" 167 | } 168 | 169 | user_data = templatefile("${path.module}/../shared/data-scripts/user-data-server.sh", { 170 | server_count = var.server_count 171 | region = var.region 172 | cloud_env = "aws" 173 | retry_join = var.retry_join 174 | nomad_binary = var.nomad_binary 175 | nomad_consul_token_id = random_uuid.nomad_id.result 176 | nomad_consul_token_secret = random_uuid.nomad_token.result 177 | }) 178 | iam_instance_profile = aws_iam_instance_profile.instance_profile.name 179 | 180 | metadata_options { 181 | http_endpoint = "enabled" 182 | instance_metadata_tags = "enabled" 183 | } 184 | } 185 | 186 | resource "aws_instance" "client" { 187 | ami = var.ami 188 | instance_type = var.client_instance_type 189 | key_name = aws_key_pair.nomad.key_name 190 | vpc_security_group_ids = [aws_security_group.consul_nomad_ui_ingress.id, aws_security_group.ssh_ingress.id, aws_security_group.clients_ingress.id, aws_security_group.allow_all_internal.id] 191 | count = var.client_count 192 | depends_on = [aws_instance.server] 193 | 194 | # instance tags 195 | # ConsulAutoJoin is necessary for nodes to automatically join the cluster 196 | tags = merge( 197 | { 198 | "Name" = "${var.name_prefix}-client-${count.index}" 199 | }, 200 | { 201 | "ConsulAutoJoin" = "auto-join" 202 | }, 203 | { 204 | "NomadType" = "client" 205 | } 206 | ) 207 | 208 | root_block_device { 209 | volume_type = "gp2" 210 | volume_size = var.root_block_device_size 211 | delete_on_termination = "true" 212 | } 213 | 214 | ebs_block_device { 215 | device_name = "/dev/xvdd" 216 | volume_type = "gp2" 217 | volume_size = "50" 218 | delete_on_termination = "true" 219 | } 220 | 221 | user_data = templatefile("${path.module}/../shared/data-scripts/user-data-client.sh", { 222 | region = var.region 223 | cloud_env = "aws" 224 | retry_join = var.retry_join 225 | nomad_binary = var.nomad_binary 226 | nomad_consul_token_id = random_uuid.nomad_id.result 227 | nomad_consul_token_secret = random_uuid.nomad_token.result 228 | }) 229 | iam_instance_profile = aws_iam_instance_profile.instance_profile.name 230 | 231 | metadata_options { 232 | http_endpoint = "enabled" 233 | instance_metadata_tags = "enabled" 234 | } 235 | } 236 | 237 | resource "aws_iam_instance_profile" "instance_profile" { 238 | name_prefix = var.name_prefix 239 | role = aws_iam_role.instance_role.name 240 | } 241 | 242 | resource "aws_iam_role" "instance_role" { 243 | name_prefix = var.name_prefix 244 | assume_role_policy = data.aws_iam_policy_document.instance_role.json 245 | } 246 | 247 | data "aws_iam_policy_document" "instance_role" { 248 | statement { 249 | effect = "Allow" 250 | actions = ["sts:AssumeRole"] 251 | 252 | principals { 253 | type = "Service" 254 | identifiers = ["ec2.amazonaws.com"] 255 | } 256 | } 257 | } 258 | 259 | resource "aws_iam_role_policy" "auto_discover_cluster" { 260 | name = "${var.name_prefix}-auto-discover-cluster" 261 | role = aws_iam_role.instance_role.id 262 | policy = data.aws_iam_policy_document.auto_discover_cluster.json 263 | } 264 | 265 | data "aws_iam_policy_document" "auto_discover_cluster" { 266 | statement { 267 | effect = "Allow" 268 | 269 | actions = [ 270 | "ec2:DescribeInstances", 271 | "ec2:DescribeTags", 272 | "autoscaling:DescribeAutoScalingGroups", 273 | ] 274 | 275 | resources = ["*"] 276 | } 277 | } -------------------------------------------------------------------------------- /azure/main.tf: -------------------------------------------------------------------------------- 1 | data "azurerm_client_config" "current" {} 2 | data "azuread_client_config" "current" {} 3 | 4 | resource "azurerm_role_assignment" "role_consul_autojoin" { 5 | scope = "/subscriptions/${data.azurerm_client_config.current.subscription_id}" 6 | role_definition_name = "Contributor" 7 | principal_id = "${azuread_service_principal.sp_consul.id}" 8 | } 9 | 10 | resource "azuread_application_registration" "app_consulautojoin" { 11 | display_name = "consul-autojoin-authapp" 12 | } 13 | 14 | resource "azuread_application_password" "apppwd_consulautojoin" { 15 | application_id = azuread_application_registration.app_consulautojoin.id 16 | } 17 | 18 | resource "azuread_service_principal" "sp_consul" { 19 | client_id = azuread_application_registration.app_consulautojoin.client_id 20 | owners = [ data.azuread_client_config.current.object_id ] 21 | } 22 | 23 | resource "random_uuid" "nomad_id" { 24 | } 25 | 26 | resource "random_uuid" "nomad_token" { 27 | } 28 | 29 | resource "random_string" "vm_password" { 30 | length = 16 31 | special = true 32 | override_special = "/@£$" 33 | } 34 | 35 | resource "azurerm_resource_group" "hashistack" { 36 | name = "hashistack" 37 | location = var.location 38 | } 39 | 40 | resource "azurerm_virtual_network" "hashistack-vn" { 41 | name = "hashistack-vn" 42 | address_space = ["10.0.0.0/16"] 43 | location = "${var.location}" 44 | resource_group_name = "${azurerm_resource_group.hashistack.name}" 45 | } 46 | 47 | resource "azurerm_subnet" "hashistack-sn" { 48 | name = "hashistack-sn" 49 | resource_group_name = "${azurerm_resource_group.hashistack.name}" 50 | virtual_network_name = "${azurerm_virtual_network.hashistack-vn.name}" 51 | address_prefixes = ["10.0.2.0/24"] 52 | } 53 | 54 | resource "azurerm_network_security_group" "hashistack-sg" { 55 | name = "hashistack-sg" 56 | location = "${var.location}" 57 | resource_group_name = "${azurerm_resource_group.hashistack.name}" 58 | } 59 | 60 | resource "azurerm_subnet_network_security_group_association" "hashistack-sg-association" { 61 | subnet_id = azurerm_subnet.hashistack-sn.id 62 | network_security_group_id = azurerm_network_security_group.hashistack-sg.id 63 | } 64 | 65 | resource "azurerm_network_security_rule" "nomad_ui_ingress" { 66 | name = "${var.name_prefix}-nomad-ui-ingress" 67 | resource_group_name = "${azurerm_resource_group.hashistack.name}" 68 | network_security_group_name = "${azurerm_network_security_group.hashistack-sg.name}" 69 | 70 | priority = 101 71 | direction = "Inbound" 72 | access = "Allow" 73 | protocol = "Tcp" 74 | 75 | source_address_prefix = var.allowlist_ip 76 | source_port_range = "*" 77 | destination_port_range = "4646" 78 | destination_address_prefix = "*" 79 | } 80 | 81 | resource "azurerm_network_security_rule" "consul_ui_ingress" { 82 | name = "${var.name_prefix}-consul-ui-ingress" 83 | resource_group_name = "${azurerm_resource_group.hashistack.name}" 84 | network_security_group_name = "${azurerm_network_security_group.hashistack-sg.name}" 85 | 86 | priority = 102 87 | direction = "Inbound" 88 | access = "Allow" 89 | protocol = "Tcp" 90 | 91 | source_address_prefix = var.allowlist_ip 92 | source_port_range = "*" 93 | destination_port_range = "8500" 94 | destination_address_prefix = "*" 95 | } 96 | 97 | resource "azurerm_network_security_rule" "ssh_ingress" { 98 | name = "${var.name_prefix}-ssh-ingress" 99 | resource_group_name = "${azurerm_resource_group.hashistack.name}" 100 | network_security_group_name = "${azurerm_network_security_group.hashistack-sg.name}" 101 | 102 | priority = 100 103 | direction = "Inbound" 104 | access = "Allow" 105 | protocol = "Tcp" 106 | 107 | source_address_prefix = var.allowlist_ip 108 | source_port_range = "*" 109 | destination_port_range = "22" 110 | destination_address_prefix = "*" 111 | } 112 | 113 | resource "azurerm_network_security_rule" "allow_all_internal" { 114 | name = "${var.name_prefix}-allow-all-internal" 115 | resource_group_name = "${azurerm_resource_group.hashistack.name}" 116 | network_security_group_name = "${azurerm_network_security_group.hashistack-sg.name}" 117 | 118 | priority = 103 119 | direction = "Inbound" 120 | access = "Allow" 121 | protocol = "Tcp" 122 | 123 | source_address_prefix = azurerm_subnet.hashistack-sn.address_prefixes[0] 124 | source_port_range = "*" 125 | destination_port_range = "*" 126 | destination_address_prefix = azurerm_subnet.hashistack-sn.address_prefixes[0] 127 | } 128 | 129 | resource "azurerm_network_security_rule" "clients_ingress" { 130 | name = "${var.name_prefix}-clients-ingress" 131 | resource_group_name = "${azurerm_resource_group.hashistack.name}" 132 | network_security_group_name = "${azurerm_network_security_group.hashistack-sg.name}" 133 | 134 | priority = 110 135 | direction = "Inbound" 136 | access = "Allow" 137 | protocol = "Tcp" 138 | 139 | # Add application ingress rules here 140 | # These rules are applied only to the client nodes 141 | 142 | # nginx example; replace with your application port 143 | source_address_prefix = var.allowlist_ip 144 | source_port_range = "*" 145 | destination_port_range = "80" 146 | destination_address_prefixes = azurerm_linux_virtual_machine.client[*].public_ip_address 147 | } 148 | 149 | resource "azurerm_public_ip" "hashistack-server-public-ip" { 150 | count = "${var.server_count}" 151 | name = "hashistack-server-ip-${count.index}" 152 | location = "${var.location}" 153 | resource_group_name = "${azurerm_resource_group.hashistack.name}" 154 | allocation_method = "Static" 155 | } 156 | 157 | resource "azurerm_network_interface" "hashistack-server-ni" { 158 | count = "${var.server_count}" 159 | name = "hashistack-server-ni-${count.index}" 160 | location = "${var.location}" 161 | resource_group_name = "${azurerm_resource_group.hashistack.name}" 162 | 163 | ip_configuration { 164 | name = "hashistack-ipc" 165 | subnet_id = "${azurerm_subnet.hashistack-sn.id}" 166 | private_ip_address_allocation = "Dynamic" 167 | public_ip_address_id = "${element(azurerm_public_ip.hashistack-server-public-ip.*.id, count.index)}" 168 | } 169 | 170 | tags = {"ConsulAutoJoin" = "auto-join"} 171 | } 172 | 173 | resource "azurerm_linux_virtual_machine" "server" { 174 | name = "hashistack-server-${count.index}" 175 | location = "${var.location}" 176 | resource_group_name = "${azurerm_resource_group.hashistack.name}" 177 | network_interface_ids = ["${element(azurerm_network_interface.hashistack-server-ni.*.id, count.index)}"] 178 | size = "${var.server_instance_type}" 179 | count = "${var.server_count}" 180 | 181 | source_image_id = "/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${var.resource_group_name}/providers/Microsoft.Compute/images/${var.image_name}" 182 | 183 | os_disk { 184 | name = "hashistack-server-osdisk-${count.index}" 185 | caching = "ReadWrite" 186 | storage_account_type = "Standard_LRS" 187 | } 188 | 189 | computer_name = "hashistack-server-${count.index}" 190 | admin_username = "ubuntu" 191 | admin_password = random_string.vm_password.result 192 | custom_data = "${base64encode(templatefile("${path.module}/../shared/data-scripts/user-data-server.sh", { 193 | region = var.location 194 | cloud_env = "azure" 195 | server_count = "${var.server_count}" 196 | retry_join = local.retry_join 197 | nomad_binary = var.nomad_binary 198 | nomad_consul_token_id = random_uuid.nomad_id.result 199 | nomad_consul_token_secret = random_uuid.nomad_token.result 200 | }))}" 201 | 202 | disable_password_authentication = false 203 | } 204 | 205 | resource "azurerm_public_ip" "hashistack-client-public-ip" { 206 | count = "${var.client_count}" 207 | name = "hashistack-client-ip-${count.index}" 208 | location = "${var.location}" 209 | resource_group_name = "${azurerm_resource_group.hashistack.name}" 210 | allocation_method = "Static" 211 | } 212 | 213 | resource "azurerm_network_interface" "hashistack-client-ni" { 214 | count = "${var.client_count}" 215 | name = "hashistack-client-ni-${count.index}" 216 | location = "${var.location}" 217 | resource_group_name = "${azurerm_resource_group.hashistack.name}" 218 | 219 | ip_configuration { 220 | name = "hashistack-ipc" 221 | subnet_id = "${azurerm_subnet.hashistack-sn.id}" 222 | private_ip_address_allocation = "Dynamic" 223 | public_ip_address_id = "${element(azurerm_public_ip.hashistack-client-public-ip.*.id, count.index)}" 224 | } 225 | 226 | tags = {"ConsulAutoJoin" = "auto-join"} 227 | } 228 | 229 | resource "azurerm_linux_virtual_machine" "client" { 230 | name = "hashistack-client-${count.index}" 231 | location = "${var.location}" 232 | resource_group_name = "${azurerm_resource_group.hashistack.name}" 233 | network_interface_ids = ["${element(azurerm_network_interface.hashistack-client-ni.*.id, count.index)}"] 234 | size = "${var.client_instance_type}" 235 | count = "${var.client_count}" 236 | depends_on = [azurerm_linux_virtual_machine.server] 237 | 238 | source_image_id = "/subscriptions/${data.azurerm_client_config.current.subscription_id}/resourceGroups/${var.resource_group_name}/providers/Microsoft.Compute/images/${var.image_name}" 239 | 240 | os_disk { 241 | name = "hashistack-client-osdisk-${count.index}" 242 | caching = "ReadWrite" 243 | storage_account_type = "Standard_LRS" 244 | } 245 | 246 | computer_name = "hashistack-client-${count.index}" 247 | admin_username = "ubuntu" 248 | admin_password = random_string.vm_password.result 249 | custom_data = "${base64encode(templatefile("${path.module}/../shared/data-scripts/user-data-client.sh", { 250 | region = var.location 251 | cloud_env = "azure" 252 | retry_join = local.retry_join 253 | nomad_binary = var.nomad_binary 254 | nomad_consul_token_secret = random_uuid.nomad_token.result 255 | }))}" 256 | 257 | disable_password_authentication = false 258 | } 259 | 260 | locals { 261 | retry_join = "provider=azure tag_name=ConsulAutoJoin tag_value=auto-join subscription_id=${data.azurerm_client_config.current.subscription_id} tenant_id=${data.azurerm_client_config.current.tenant_id} client_id=${azuread_application_registration.app_consulautojoin.client_id} secret_access_key='${azuread_application_password.apppwd_consulautojoin.value}'" 262 | } 263 | -------------------------------------------------------------------------------- /LICENSE: -------------------------------------------------------------------------------- 1 | Copyright (c) 2022 HashiCorp, Inc. 2 | 3 | Mozilla Public License Version 2.0 4 | ================================== 5 | 6 | 1. Definitions 7 | -------------- 8 | 9 | 1.1. "Contributor" 10 | means each individual or legal entity that creates, contributes to 11 | the creation of, or owns Covered Software. 12 | 13 | 1.2. "Contributor Version" 14 | means the combination of the Contributions of others (if any) used 15 | by a Contributor and that particular Contributor's Contribution. 16 | 17 | 1.3. "Contribution" 18 | means Covered Software of a particular Contributor. 19 | 20 | 1.4. "Covered Software" 21 | means Source Code Form to which the initial Contributor has attached 22 | the notice in Exhibit A, the Executable Form of such Source Code 23 | Form, and Modifications of such Source Code Form, in each case 24 | including portions thereof. 25 | 26 | 1.5. "Incompatible With Secondary Licenses" 27 | means 28 | 29 | (a) that the initial Contributor has attached the notice described 30 | in Exhibit B to the Covered Software; or 31 | 32 | (b) that the Covered Software was made available under the terms of 33 | version 1.1 or earlier of the License, but not also under the 34 | terms of a Secondary License. 35 | 36 | 1.6. "Executable Form" 37 | means any form of the work other than Source Code Form. 38 | 39 | 1.7. "Larger Work" 40 | means a work that combines Covered Software with other material, in 41 | a separate file or files, that is not Covered Software. 42 | 43 | 1.8. "License" 44 | means this document. 45 | 46 | 1.9. "Licensable" 47 | means having the right to grant, to the maximum extent possible, 48 | whether at the time of the initial grant or subsequently, any and 49 | all of the rights conveyed by this License. 50 | 51 | 1.10. "Modifications" 52 | means any of the following: 53 | 54 | (a) any file in Source Code Form that results from an addition to, 55 | deletion from, or modification of the contents of Covered 56 | Software; or 57 | 58 | (b) any new file in Source Code Form that contains any Covered 59 | Software. 60 | 61 | 1.11. "Patent Claims" of a Contributor 62 | means any patent claim(s), including without limitation, method, 63 | process, and apparatus claims, in any patent Licensable by such 64 | Contributor that would be infringed, but for the grant of the 65 | License, by the making, using, selling, offering for sale, having 66 | made, import, or transfer of either its Contributions or its 67 | Contributor Version. 68 | 69 | 1.12. "Secondary License" 70 | means either the GNU General Public License, Version 2.0, the GNU 71 | Lesser General Public License, Version 2.1, the GNU Affero General 72 | Public License, Version 3.0, or any later versions of those 73 | licenses. 74 | 75 | 1.13. "Source Code Form" 76 | means the form of the work preferred for making modifications. 77 | 78 | 1.14. "You" (or "Your") 79 | means an individual or a legal entity exercising rights under this 80 | License. For legal entities, "You" includes any entity that 81 | controls, is controlled by, or is under common control with You. For 82 | purposes of this definition, "control" means (a) the power, direct 83 | or indirect, to cause the direction or management of such entity, 84 | whether by contract or otherwise, or (b) ownership of more than 85 | fifty percent (50%) of the outstanding shares or beneficial 86 | ownership of such entity. 87 | 88 | 2. License Grants and Conditions 89 | -------------------------------- 90 | 91 | 2.1. Grants 92 | 93 | Each Contributor hereby grants You a world-wide, royalty-free, 94 | non-exclusive license: 95 | 96 | (a) under intellectual property rights (other than patent or trademark) 97 | Licensable by such Contributor to use, reproduce, make available, 98 | modify, display, perform, distribute, and otherwise exploit its 99 | Contributions, either on an unmodified basis, with Modifications, or 100 | as part of a Larger Work; and 101 | 102 | (b) under Patent Claims of such Contributor to make, use, sell, offer 103 | for sale, have made, import, and otherwise transfer either its 104 | Contributions or its Contributor Version. 105 | 106 | 2.2. Effective Date 107 | 108 | The licenses granted in Section 2.1 with respect to any Contribution 109 | become effective for each Contribution on the date the Contributor first 110 | distributes such Contribution. 111 | 112 | 2.3. Limitations on Grant Scope 113 | 114 | The licenses granted in this Section 2 are the only rights granted under 115 | this License. No additional rights or licenses will be implied from the 116 | distribution or licensing of Covered Software under this License. 117 | Notwithstanding Section 2.1(b) above, no patent license is granted by a 118 | Contributor: 119 | 120 | (a) for any code that a Contributor has removed from Covered Software; 121 | or 122 | 123 | (b) for infringements caused by: (i) Your and any other third party's 124 | modifications of Covered Software, or (ii) the combination of its 125 | Contributions with other software (except as part of its Contributor 126 | Version); or 127 | 128 | (c) under Patent Claims infringed by Covered Software in the absence of 129 | its Contributions. 130 | 131 | This License does not grant any rights in the trademarks, service marks, 132 | or logos of any Contributor (except as may be necessary to comply with 133 | the notice requirements in Section 3.4). 134 | 135 | 2.4. Subsequent Licenses 136 | 137 | No Contributor makes additional grants as a result of Your choice to 138 | distribute the Covered Software under a subsequent version of this 139 | License (see Section 10.2) or under the terms of a Secondary License (if 140 | permitted under the terms of Section 3.3). 141 | 142 | 2.5. Representation 143 | 144 | Each Contributor represents that the Contributor believes its 145 | Contributions are its original creation(s) or it has sufficient rights 146 | to grant the rights to its Contributions conveyed by this License. 147 | 148 | 2.6. Fair Use 149 | 150 | This License is not intended to limit any rights You have under 151 | applicable copyright doctrines of fair use, fair dealing, or other 152 | equivalents. 153 | 154 | 2.7. Conditions 155 | 156 | Sections 3.1, 3.2, 3.3, and 3.4 are conditions of the licenses granted 157 | in Section 2.1. 158 | 159 | 3. Responsibilities 160 | ------------------- 161 | 162 | 3.1. Distribution of Source Form 163 | 164 | All distribution of Covered Software in Source Code Form, including any 165 | Modifications that You create or to which You contribute, must be under 166 | the terms of this License. You must inform recipients that the Source 167 | Code Form of the Covered Software is governed by the terms of this 168 | License, and how they can obtain a copy of this License. You may not 169 | attempt to alter or restrict the recipients' rights in the Source Code 170 | Form. 171 | 172 | 3.2. Distribution of Executable Form 173 | 174 | If You distribute Covered Software in Executable Form then: 175 | 176 | (a) such Covered Software must also be made available in Source Code 177 | Form, as described in Section 3.1, and You must inform recipients of 178 | the Executable Form how they can obtain a copy of such Source Code 179 | Form by reasonable means in a timely manner, at a charge no more 180 | than the cost of distribution to the recipient; and 181 | 182 | (b) You may distribute such Executable Form under the terms of this 183 | License, or sublicense it under different terms, provided that the 184 | license for the Executable Form does not attempt to limit or alter 185 | the recipients' rights in the Source Code Form under this License. 186 | 187 | 3.3. Distribution of a Larger Work 188 | 189 | You may create and distribute a Larger Work under terms of Your choice, 190 | provided that You also comply with the requirements of this License for 191 | the Covered Software. If the Larger Work is a combination of Covered 192 | Software with a work governed by one or more Secondary Licenses, and the 193 | Covered Software is not Incompatible With Secondary Licenses, this 194 | License permits You to additionally distribute such Covered Software 195 | under the terms of such Secondary License(s), so that the recipient of 196 | the Larger Work may, at their option, further distribute the Covered 197 | Software under the terms of either this License or such Secondary 198 | License(s). 199 | 200 | 3.4. Notices 201 | 202 | You may not remove or alter the substance of any license notices 203 | (including copyright notices, patent notices, disclaimers of warranty, 204 | or limitations of liability) contained within the Source Code Form of 205 | the Covered Software, except that You may alter any license notices to 206 | the extent required to remedy known factual inaccuracies. 207 | 208 | 3.5. Application of Additional Terms 209 | 210 | You may choose to offer, and to charge a fee for, warranty, support, 211 | indemnity or liability obligations to one or more recipients of Covered 212 | Software. However, You may do so only on Your own behalf, and not on 213 | behalf of any Contributor. You must make it absolutely clear that any 214 | such warranty, support, indemnity, or liability obligation is offered by 215 | You alone, and You hereby agree to indemnify every Contributor for any 216 | liability incurred by such Contributor as a result of warranty, support, 217 | indemnity or liability terms You offer. You may include additional 218 | disclaimers of warranty and limitations of liability specific to any 219 | jurisdiction. 220 | 221 | 4. Inability to Comply Due to Statute or Regulation 222 | --------------------------------------------------- 223 | 224 | If it is impossible for You to comply with any of the terms of this 225 | License with respect to some or all of the Covered Software due to 226 | statute, judicial order, or regulation then You must: (a) comply with 227 | the terms of this License to the maximum extent possible; and (b) 228 | describe the limitations and the code they affect. Such description must 229 | be placed in a text file included with all distributions of the Covered 230 | Software under this License. Except to the extent prohibited by statute 231 | or regulation, such description must be sufficiently detailed for a 232 | recipient of ordinary skill to be able to understand it. 233 | 234 | 5. Termination 235 | -------------- 236 | 237 | 5.1. The rights granted under this License will terminate automatically 238 | if You fail to comply with any of its terms. However, if You become 239 | compliant, then the rights granted under this License from a particular 240 | Contributor are reinstated (a) provisionally, unless and until such 241 | Contributor explicitly and finally terminates Your grants, and (b) on an 242 | ongoing basis, if such Contributor fails to notify You of the 243 | non-compliance by some reasonable means prior to 60 days after You have 244 | come back into compliance. Moreover, Your grants from a particular 245 | Contributor are reinstated on an ongoing basis if such Contributor 246 | notifies You of the non-compliance by some reasonable means, this is the 247 | first time You have received notice of non-compliance with this License 248 | from such Contributor, and You become compliant prior to 30 days after 249 | Your receipt of the notice. 250 | 251 | 5.2. If You initiate litigation against any entity by asserting a patent 252 | infringement claim (excluding declaratory judgment actions, 253 | counter-claims, and cross-claims) alleging that a Contributor Version 254 | directly or indirectly infringes any patent, then the rights granted to 255 | You by any and all Contributors for the Covered Software under Section 256 | 2.1 of this License shall terminate. 257 | 258 | 5.3. In the event of termination under Sections 5.1 or 5.2 above, all 259 | end user license agreements (excluding distributors and resellers) which 260 | have been validly granted by You or Your distributors under this License 261 | prior to termination shall survive termination. 262 | 263 | ************************************************************************ 264 | * * 265 | * 6. Disclaimer of Warranty * 266 | * ------------------------- * 267 | * * 268 | * Covered Software is provided under this License on an "as is" * 269 | * basis, without warranty of any kind, either expressed, implied, or * 270 | * statutory, including, without limitation, warranties that the * 271 | * Covered Software is free of defects, merchantable, fit for a * 272 | * particular purpose or non-infringing. The entire risk as to the * 273 | * quality and performance of the Covered Software is with You. * 274 | * Should any Covered Software prove defective in any respect, You * 275 | * (not any Contributor) assume the cost of any necessary servicing, * 276 | * repair, or correction. This disclaimer of warranty constitutes an * 277 | * essential part of this License. No use of any Covered Software is * 278 | * authorized under this License except under this disclaimer. * 279 | * * 280 | ************************************************************************ 281 | 282 | ************************************************************************ 283 | * * 284 | * 7. Limitation of Liability * 285 | * -------------------------- * 286 | * * 287 | * Under no circumstances and under no legal theory, whether tort * 288 | * (including negligence), contract, or otherwise, shall any * 289 | * Contributor, or anyone who distributes Covered Software as * 290 | * permitted above, be liable to You for any direct, indirect, * 291 | * special, incidental, or consequential damages of any character * 292 | * including, without limitation, damages for lost profits, loss of * 293 | * goodwill, work stoppage, computer failure or malfunction, or any * 294 | * and all other commercial damages or losses, even if such party * 295 | * shall have been informed of the possibility of such damages. This * 296 | * limitation of liability shall not apply to liability for death or * 297 | * personal injury resulting from such party's negligence to the * 298 | * extent applicable law prohibits such limitation. Some * 299 | * jurisdictions do not allow the exclusion or limitation of * 300 | * incidental or consequential damages, so this exclusion and * 301 | * limitation may not apply to You. * 302 | * * 303 | ************************************************************************ 304 | 305 | 8. Litigation 306 | ------------- 307 | 308 | Any litigation relating to this License may be brought only in the 309 | courts of a jurisdiction where the defendant maintains its principal 310 | place of business and such litigation shall be governed by laws of that 311 | jurisdiction, without reference to its conflict-of-law provisions. 312 | Nothing in this Section shall prevent a party's ability to bring 313 | cross-claims or counter-claims. 314 | 315 | 9. Miscellaneous 316 | ---------------- 317 | 318 | This License represents the complete agreement concerning the subject 319 | matter hereof. If any provision of this License is held to be 320 | unenforceable, such provision shall be reformed only to the extent 321 | necessary to make it enforceable. Any law or regulation which provides 322 | that the language of a contract shall be construed against the drafter 323 | shall not be used to construe this License against a Contributor. 324 | 325 | 10. Versions of the License 326 | --------------------------- 327 | 328 | 10.1. New Versions 329 | 330 | Mozilla Foundation is the license steward. Except as provided in Section 331 | 10.3, no one other than the license steward has the right to modify or 332 | publish new versions of this License. Each version will be given a 333 | distinguishing version number. 334 | 335 | 10.2. Effect of New Versions 336 | 337 | You may distribute the Covered Software under the terms of the version 338 | of the License under which You originally received the Covered Software, 339 | or under the terms of any subsequent version published by the license 340 | steward. 341 | 342 | 10.3. Modified Versions 343 | 344 | If you create software not governed by this License, and you want to 345 | create a new license for such software, you may create and use a 346 | modified version of this License if you rename the license and remove 347 | any references to the name of the license steward (except to note that 348 | such modified license differs from this License). 349 | 350 | 10.4. Distributing Source Code Form that is Incompatible With Secondary 351 | Licenses 352 | 353 | If You choose to distribute Source Code Form that is Incompatible With 354 | Secondary Licenses under the terms of this version of the License, the 355 | notice described in Exhibit B of this License must be attached. 356 | 357 | Exhibit A - Source Code Form License Notice 358 | ------------------------------------------- 359 | 360 | This Source Code Form is subject to the terms of the Mozilla Public 361 | License, v. 2.0. If a copy of the MPL was not distributed with this 362 | file, You can obtain one at http://mozilla.org/MPL/2.0/. 363 | 364 | If it is not possible or desirable to put the notice in a particular 365 | file, then You may include the notice in a location (such as a LICENSE 366 | file in a relevant directory) where a recipient would be likely to look 367 | for such a notice. 368 | 369 | You may add additional accurate notices of copyright ownership. 370 | 371 | Exhibit B - "Incompatible With Secondary Licenses" Notice 372 | --------------------------------------------------------- 373 | 374 | This Source Code Form is "Incompatible With Secondary Licenses", as 375 | defined by the Mozilla Public License, v. 2.0. --------------------------------------------------------------------------------