Configure an ansible playbook (#5)

* Configure an ansible playbook
to copy all required configurations to a Poseidon host.

* Copy also all TLS certificates if configured

* Exclude playbook in its own repository

* Adjust security.md to our current recommendations

* Add certificate generation and deployment

* Move access policy example file to the resources folder

docs/resources/client.example.hcl

@@ -0,0 +1,15 @@
+client {
+    enabled = true
+    servers = [
+        "server domain 1",
+        "server domain 2"
+    ]
+}
+
+# plugin "docker" {
+#   config {
+#     auth {
+#       config = "/root/.docker/config.json"
+#     }
+#   }
+# }

docs/resources/nomad.example.hcl

@@ -0,0 +1,28 @@
+# Full configuration options can be found at https://www.nomadproject.io/docs/configuration
+
+data_dir = "/opt/nomad/data"
+bind_addr = "0.0.0.0"
+
+limits {
+    http_max_conns_per_client = 0
+}
+
+# Require TLS
+tls {
+  http = true
+  rpc  = true
+
+  ca_file   = "/home/ubuntu/ca.crt"
+  cert_file = "/home/ubuntu/cert.crt"
+  key_file  = "/home/ubuntu/cert-key.pem"
+
+  verify_server_hostname = true
+  verify_https_client    = true
+}
+
+# telemetry {
+#     collection_interval = "10s"
+#     prometheus_metrics = true
+#     publish_allocation_metrics = true
+#     publish_node_metrics = true
+# }

docs/resources/poseidon_policy.hcl

@@ -0,0 +1,30 @@
+// Allow-all access policy
+
+namespace "*" {
+  policy       = "write"
+  capabilities = ["alloc-node-exec", "read-job"]
+}
+
+agent {
+  policy = "write"
+}
+
+operator {
+  policy = "write"
+}
+
+quota {
+  policy = "write"
+}
+
+node {
+  policy = "write"
+}
+
+host_volume "*" {
+  policy = "write"
+}
+
+plugin {
+  policy = "read"
+}

docs/resources/server.example.hcl

@@ -0,0 +1,14 @@
+server {
+    enabled = true
+    bootstrap_expect = 2
+    server_join {
+        retry_join = ["<<other servers domain>>"]
+        retry_max = 3
+        retry_interval = "15s"
+    }
+
+    # https://www.nomadproject.io/docs/configuration/server
+    default_scheduler_config {
+        scheduler_algorithm = "spread"
+    }
+}