From 2360c82f98df50c4f9f243d04e9aac8ca95fc288 Mon Sep 17 00:00:00 2001 
From: Bastian de Byl Date: Mon, 18 Apr 2022 03:15:52 -0400 Subject: [PATCH 1/2] CU-251akbj added graylog and additional fixes from discovered logs --- ansible/deploy_home.yml | 3 +- ansible/roles/common/defaults/main.yml | 15 +-- ansible/roles/drone/meta/main.yml | 1 + ansible/roles/drone/tasks/drone.yml | 10 ++ ansible/roles/graylog/meta/main.yml | 3 + ansible/roles/graylog/tasks/graylog.yml | 87 ++++++++++++++++++ ansible/roles/graylog/tasks/main.yml | 2 + ansible/roles/hass/files/configuration.yaml | Bin 430 -> 460 bytes ansible/roles/hass/meta/main.yml | 1 + ansible/roles/hass/tasks/hass.yml | 7 +- ansible/roles/http/defaults/main.yml | 26 +++--- ansible/roles/http/files/nginx/nginx.conf | 48 ---------- ansible/roles/http/tasks/http.yml | 12 ++- ansible/roles/http/tasks/logrotate.yml | 10 ++ ansible/roles/http/tasks/main.yml | 1 + ansible/roles/http/tasks/modsec.yml | 5 +- .../roles/http/templates/logrotate/nginx.j2 | 10 ++ .../roles/http/templates/nginx/nginx.conf.j2 | 71 ++++++++++++++ .../nginx/sites/ci.bdebyl.net.https.conf.j2 | 10 ++ .../nginx/sites/logs.bdebyl.net.conf.j2 | 32 +++++++ .../sites/parts.bdebyl.net.https.conf.j2 | 2 + .../nginx/sites/pi.bdebyl.net.conf.j2 | 3 +- ansible/roles/motion/meta/main.yml | 3 + ansible/roles/motion/tasks/motion.yml | 7 +- ansible/roles/partkeepr/meta/main.yml | 1 + ansible/roles/partkeepr/tasks/main.yml | 73 ++++++++------- ansible/vars/vault.yml | Bin 3228 -> 4394 bytes 27 files changed, 324 insertions(+), 119 deletions(-) create mode 100644 ansible/roles/graylog/meta/main.yml create mode 100644 ansible/roles/graylog/tasks/graylog.yml create mode 100644 ansible/roles/graylog/tasks/main.yml delete mode 100644 ansible/roles/http/files/nginx/nginx.conf create mode 100644 ansible/roles/http/tasks/logrotate.yml create mode 100644 ansible/roles/http/templates/logrotate/nginx.j2 create mode 100644 ansible/roles/http/templates/nginx/nginx.conf.j2 create mode 100644 
ansible/roles/http/templates/nginx/sites/logs.bdebyl.net.conf.j2 diff --git a/ansible/deploy_home.yml b/ansible/deploy_home.yml index a61a681..13739ac 100644 --- a/ansible/deploy_home.yml +++ b/ansible/deploy_home.yml @@ -12,6 +12,5 @@ - role: drone - role: hass - role: motion - tags: motion - role: partkeepr - tags: partkeepr + - role: graylog diff --git a/ansible/roles/common/defaults/main.yml b/ansible/roles/common/defaults/main.yml index 42e8843..b5057ad 100644 --- a/ansible/roles/common/defaults/main.yml +++ b/ansible/roles/common/defaults/main.yml @@ -1,18 +1,7 @@ --- -deps: [ - cronie, - docker, - fail2ban, - git, - python-docker, - tmux, - weechat -] +deps: [cronie, docker, fail2ban, git, logrotate, python-docker, tmux, weechat] -fail2ban_jails: [ - sshd.local, - nginx.local -] +fail2ban_jails: [sshd.local, nginx.local] services: - cronie diff --git a/ansible/roles/drone/meta/main.yml b/ansible/roles/drone/meta/main.yml index 3f81c4b..258ca27 100644 --- a/ansible/roles/drone/meta/main.yml +++ b/ansible/roles/drone/meta/main.yml @@ -1,3 +1,4 @@ --- dependencies: - role: http + - role: graylog diff --git a/ansible/roles/drone/tasks/drone.yml b/ansible/roles/drone/tasks/drone.yml index 4f005f2..eaaf7c8 100644 --- a/ansible/roles/drone/tasks/drone.yml +++ b/ansible/roles/drone/tasks/drone.yml @@ -8,6 +8,11 @@ restart: true restart_policy: on-failure restart_retries: 3 + log_driver: syslog + log_options: + syslog-address: "udp://localhost:{{ syslog_udp_default }}" + syslog-facility: daemon + tag: "docker/{{'{{'}}.Name{{'}}'}}" env: DRONE_GITHUB_CLIENT_ID: "{{ drone_gh_client_id }}" DRONE_GITHUB_CLIENT_SECRET: "{{ drone_gh_client_sec }}" @@ -31,6 +36,11 @@ restart: true restart_policy: on-failure restart_retries: 3 + log_driver: syslog + log_options: + syslog-address: "udp://localhost:{{ syslog_udp_default }}" + syslog-facility: daemon + tag: "docker/{{'{{'}} .Name {{'}}'}}" env: DRONE_RPC_SECRET: "{{ drone_rpc_secret }}" DRONE_RPC_HOST: "{{ ci_server_name }}" 
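Review bot: The five-line `log_driver`/`log_options` block added to the first container here is repeated verbatim for the second container in this file and again in hass.yml, motion.yml and partkeepr/tasks/main.yml, and the `tag` value is already written two ways (`{{'{{'}}.Name{{'}}'}}` here, `{{'{{'}} .Name {{'}}'}}` in the second hunk) — equivalent Go templates, but the kind of drift copy-paste produces. Define the options once in a shared default (e.g. a constructed `docker_syslog_log_options` in the common role) and reference it with `log_options: "{{ docker_syslog_log_options }}"` so the address, facility and tag cannot diverge per role. A comment on the driver choice would also help operators: with the syslog driver `docker logs` shows nothing on engines without dual logging, and UDP delivery is fire-and-forget, so the Graylog copy becomes the only copy of these containers' output. Both container tasks begin before their hunks.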
diff --git a/ansible/roles/graylog/meta/main.yml b/ansible/roles/graylog/meta/main.yml
new file mode 100644
index 0000000..fdda41b
--- /dev/null
+++ b/ansible/roles/graylog/meta/main.yml
@@ -0,0 +1,3 @@
+---
+dependencies:
+ - role: common
diff --git a/ansible/roles/graylog/tasks/graylog.yml b/ansible/roles/graylog/tasks/graylog.yml
new file mode 100644
index 0000000..c078b60
--- /dev/null
+++ b/ansible/roles/graylog/tasks/graylog.yml
@@ -0,0 +1,87 @@
+---
+- name: create graylog docker network
+ community.general.docker_network:
+ name: "graylog"
+ tags: graylog
+
+- name: create graylog required volumes
+ community.general.docker_volume:
+ name: "{{ item }}"
+ with_items:
+ - graylog-db
+ - graylog-es
+ - graylog-conf
+ tags: graylog
+
+- name: create graylog mongodb container
+ community.general.docker_container:
+ name: graylog-mongo
+ image: mongo:4.2
+ recreate: false
+ restart: false
+ restart_policy: on-failure
+ restart_retries: 3
+ networks:
+ - name: "graylog"
+ volumes:
+ - graylog-db:/data/db
+ tags: graylog
+
+- name: create graylog elasticsearch container
+ community.general.docker_container:
+ name: graylog-elastic
+ image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
+ recreate: false
+ restart: false
+ restart_policy: on-failure
+ restart_retries: 3
+ networks:
+ - name: "graylog"
+ volumes:
+ - graylog-es:/usr/share/elasticsearch/data
+ env:
+ http.host: "0.0.0.0"
+ transport.host: "localhost"
+ network.host: "0.0.0.0"
+ cluster.name: "graylog"
+ ES_JAVA_OPTS: "-Dlog4j2.formatMsgNoLookups=true -Xms512m -Xmx512m"
+ ulimits:
+ - "memlock:-1:-1"
+ memory: 1G
+ tags: graylog
+
+- name: create graylog container
+ community.general.docker_container:
+ name: graylog
+ image: graylog/graylog:4.2
+ recreate: false
+ restart: true
+ restart_policy: on-failure
+ restart_retries: 3
+ networks:
+ - name: "graylog"
+ volumes:
+ - graylog-conf:/usr/share/graylog/data/config
+ env:
+ GRAYLOG_PASSWORD_SECRET: "{{ graylog_secret }}"
+ GRAYLOG_ROOT_PASSWORD_SHA2: "{{ graylog_root_pass_sha2 }}"
+ GRAYLOG_HTTP_EXTERNAL_URI: http://192.168.1.12:9000/
+ GRAYLOG_HTTP_BIND_ADDRESS: 0.0.0.0:9000
+ GRAYLOG_MONGODB_URI: mongodb://graylog-mongo/graylog
+ GRAYLOG_ELASTICSEARCH_HOSTS: http://graylog-elastic:9200
+ ports:
+ # Graylog web interface and REST API
+ - "{{ graylog_port }}:9000"
+ # Syslog TCP
+ #- 1514:1514
+ # Syslog UDP
+ - "0.0.0.0:{{ syslog_udp_default }}:{{ syslog_udp_default
}}/udp" + # Syslog2 UDP + - "0.0.0.0:{{ syslog_udp_unifi }}:{{ syslog_udp_unifi }}/udp" + # Syslog2 UDP + - "0.0.0.0:{{ syslog_udp_error }}:{{ syslog_udp_error }}/udp" + # GELF TCP + #- 12201:12201 + # GELF UDP + #- 12201:12201/udp + tags: graylog diff --git a/ansible/roles/graylog/tasks/main.yml b/ansible/roles/graylog/tasks/main.yml new file mode 100644 index 0000000..283f872 --- /dev/null +++ b/ansible/roles/graylog/tasks/main.yml @@ -0,0 +1,2 @@ +--- +- import_tasks: graylog.yml diff --git a/ansible/roles/hass/files/configuration.yaml b/ansible/roles/hass/files/configuration.yaml index 5df25e17b3e049aaec583534efee648c1660af5a..f9be84f7a2c529b3329d94db1cbeb52a9ab6c588 100644 GIT binary patch literal 460 zcmV;-0WP1FuEr#aEN~btO z?tfw5asYU4U3sqY2Z@u}neBF;!e-h@m(7UUsAM0Wkc>N;ZPJ zj*I=x-#cjWaZGY(;&NG&H{zd!To~gD0n;@^G3)kd9y$X`$$yA0z@+wMat7c%fwcyV zF3OK)!PKS$Gh4R5#qs^_Xu=={hxB9QfMed;MTkm##4j;1O4BgMRL1j5~I;lU{}-LSv3zAME>p2lhhKFR#cv6gFJ zfhb4~yHtar@vQKX{vZ7*TDP+IM_E*-805 z9ISCBC!k3g#~$Z2HCb{9FsPG-?N|+i>u=cL3EgdaC2_y#S^P2;>Jw!A(j%~{*eC1* Y@-59q_3Mqi`gXxo+~P=l1K%(SeW$P1vj6}9 diff --git a/ansible/roles/hass/meta/main.yml b/ansible/roles/hass/meta/main.yml index 3f81c4b..258ca27 100644 --- a/ansible/roles/hass/meta/main.yml +++ b/ansible/roles/hass/meta/main.yml @@ -1,3 +1,4 @@ --- dependencies: - role: http + - role: graylog diff --git a/ansible/roles/hass/tasks/hass.yml b/ansible/roles/hass/tasks/hass.yml index aed527b..eaf14d9 100644 --- a/ansible/roles/hass/tasks/hass.yml +++ b/ansible/roles/hass/tasks/hass.yml @@ -27,10 +27,15 @@ community.general.docker_container: name: hass image: ghcr.io/home-assistant/home-assistant:stable - recreate: true + recreate: false restart: true restart_policy: on-failure restart_retries: 3 + log_driver: syslog + log_options: + syslog-address: "udp://localhost:{{ syslog_udp_default }}" + syslog-facility: daemon + tag: "docker/{{'{{'}}.Name{{'}}'}}" volumes: - /var/lib/hass:/config - /usr/share/hass:/share 
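Review bot: `- "{{ graylog_port }}:9000"` publishes the Graylog web/API port on every host interface, so the `allow`/`deny` and ModSecurity in logs.bdebyl.net.conf.j2 can be bypassed by connecting to the port directly; bind it to loopback, `- "127.0.0.1:{{ graylog_port }}:9000"`, and point the nginx upstream at `127.0.0.1` rather than `localhost` so it cannot resolve to ::1 and miss the binding. The same applies to the `syslog_udp_default` and `syslog_udp_error` inputs, whose only senders in this commit are Docker containers and nginx on the same host: syslog over UDP is unauthenticated, so publishing them on 0.0.0.0 lets any LAN host inject records into the log store (the unifi port presumably does need LAN reach). `GRAYLOG_HTTP_EXTERNAL_URI: http://192.168.1.12:9000/` hard-codes a host IP and the direct port even though the role defines `logs_server_name` and proxies it on port 80; presumably it should be `http://{{ logs_server_name }}/` so generated links go through nginx. This task also sets neither `no_log: true` nor `diff: false` (the partkeepr tasks use `diff: false`), so `GRAYLOG_PASSWORD_SECRET` and the root password hash can land in play output whenever the env block changes.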
diff --git a/ansible/roles/http/defaults/main.yml b/ansible/roles/http/defaults/main.yml
index 0ec4ea7..44097f8 100644
--- a/ansible/roles/http/defaults/main.yml
+++ b/ansible/roles/http/defaults/main.yml
@@ -1,9 +1,5 @@
 ---
-deps: [
- certbot,
- nginx,
- nginx-mod-modsecurity
-]
+deps: [certbot, nginx, nginx-mod-modsecurity]
 ci_server_name: ci.bdebyl.net
 pi_server_name: pi.bdebyl.net
@@ -11,15 +7,15 @@ assistant_server_name: assistant.bdebyl.net
 home_server_name: home.bdebyl.net
 parts_server_name: parts.bdebyl.net
 video_server_name: video.bdebyl.net
+logs_server_name: logs.bdebyl.net
 install_path: /usr/share
 nginx_path: /etc/nginx
 nginx_conf_path: "{{ nginx_path }}/conf"
+modsec_log_path: /var/log/nginx/modsec_audit.log
 modsec_rules_path: "{{ nginx_conf_path }}/rules"
-modsec_crs_before_rule_conf:
- "{{ modsec_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
-modsec_crs_after_rule_conf:
- "{{ modsec_rules_path }}/REQUEST-999-EXCLUSION-RULES-AFTER-CRS.conf"
+modsec_crs_before_rule_conf: "{{ modsec_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
+modsec_crs_after_rule_conf: "{{ modsec_rules_path }}/REQUEST-999-EXCLUSION-RULES-AFTER-CRS.conf"
 modsec_path: "{{ install_path }}/modsecurity"
 crs_path: "{{ install_path }}/coreruleset"
 crs_rules_path: "{{ crs_path }}/rules"
@@ -39,6 +35,12 @@ modsec_git_urls:
 dest: "{{ modsec_path }}"
 ver: "v3.0.6"
+modsec_conf_replaces:
+ - regex: "^SecRuleEngine"
+ line: "SecRuleEngine On"
+ - regex: "^SecAuditLog"
+ line: "SecAuditLog {{ modsec_log_path }}"
+
 modsec_conf_links:
 - src: "{{ modsec_path }}/modsecurity.conf-recommended"
 dest: "{{ nginx_path }}/modsecurity.conf"
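Review bot: `regex: "^SecAuditLog"` is a prefix match, so it also matches `SecAuditLogParts`, `SecAuditLogType` and `SecAuditLogRelevantStatus` in modsecurity.conf-recommended, and because lineinfile rewrites only the last matching line, whichever of those directives appears last is the one replaced by `SecAuditLog {{ modsec_log_path }}`. I believe `SecAuditLog` happens to be the last of them in the current recommended file, so this works by file ordering rather than by design, and a reordered upstream file would silently clobber a different directive. Anchor it to the directive name: `regex: '^SecAuditLog\s'` (doing the same for `^SecRuleEngine` is harmless and keeps the two entries consistent). This list is consumed by the lineinfile loop in tasks/modsec.yml.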
@@ -46,11 +48,9 @@ modsec_conf_links:
 dest: "{{ nginx_path }}/unicode.mapping"
 - src: "{{ crs_path }}/crs-setup.conf.example"
 dest: "{{ nginx_conf_path }}/crs-setup.conf"
- - src:
- "{{ crs_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example"
+ - src: "{{ crs_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example"
 dest: "{{ modsec_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
- - src:
- "{{ crs_rules_path }}/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example"
+ - src: "{{ crs_rules_path }}/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example"
 dest: "{{ modsec_rules_path }}/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf"
 crs_rule_links:
diff --git a/ansible/roles/http/files/nginx/nginx.conf b/ansible/roles/http/files/nginx/nginx.conf
deleted file mode 100644
index 275787d..0000000
--- a/ansible/roles/http/files/nginx/nginx.conf
+++ /dev/null
@@ -1,48 +0,0 @@
-user http;
-worker_processes 1;
-
-load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
-
-error_log /var/log/nginx/error.log notice;
-
-events {
- worker_connections 1024;
-}
-
-http {
- map $http_upgrade $connection_upgrade {
- default upgrade;
- '' close;
- }
-
- include mime.types;
-
- default_type application/octet-stream;
-
- log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"';
-
- access_log /var/log/nginx/access.log main;
-
- sendfile on;
- server_tokens off;
- #tcp_nopush on;
-
- keepalive_timeout 65;
-
- gzip on;
- gzip_disable "mise6";
- gzip_min_length 1000;
- gzip_proxied expired no-cache no-store private auth;
- gzip_types text/plain application/xml application/json application/javascript application/octet-stream text/css;
-
- # client_body_buffer_size 1k;
- # client_header_buffer_size 1k;
- # client_max_body_size 2k;
- # large_client_header_buffers 2 1k;
-
- limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
-
- include /etc/nginx/sites-enabled/*.conf;
-}
diff --git a/ansible/roles/http/tasks/http.yml b/ansible/roles/http/tasks/http.yml
index e71e4c9..01ad1dc 100644
--- a/ansible/roles/http/tasks/http.yml
+++ b/ansible/roles/http/tasks/http.yml
@@ -1,9 +1,11 @@
 ---
 - name: setup nginx base configuration
 become: true
- ansible.builtin.copy:
- src: files/nginx/nginx.conf
+ ansible.builtin.template:
+ src: templates/nginx/nginx.conf.j2
 dest: /etc/nginx/nginx.conf
+ owner: root
+ group: http
 mode: 0644
 notify: restart_nginx
 tags: http
@@ -26,7 +28,7 @@
 state: directory
 owner: http
 group: http
- mode: 0644
+ mode: 0755
 loop:
 - /srv/http
 - /srv/http/letsencrypt
@@ -38,7 +40,7 @@
 path: /srv/http
 owner: http
 group: http
- mode: 0644
+ mode: 0755
 recurse: true
 tags: http
@@ -55,6 +57,7 @@
 - "{{ assistant_server_name }}.conf"
 - "{{ video_server_name }}.conf"
 - "{{ parts_server_name }}.conf"
+ - "{{ logs_server_name }}.conf"
 notify: restart_nginx
 tags: http
@@ -78,6 +81,7 @@
 - "{{ home_server_name }}.conf"
 - "{{ assistant_server_name }}.conf"
 - "{{ video_server_name }}.conf"
+ - "{{ logs_server_name }}.conf"
 notify: restart_nginx
 tags: http
diff --git a/ansible/roles/http/tasks/logrotate.yml b/ansible/roles/http/tasks/logrotate.yml
new file mode 100644
index 0000000..6a2b552
--- /dev/null
+++ b/ansible/roles/http/tasks/logrotate.yml
@@ -0,0 +1,10 @@
+---
+- name: template nginx log rotation
+ become: true
+ ansible.builtin.template:
+ src: logrotate/nginx.j2
+ dest: /etc/logrotate.d/nginx
+ mode: 0644
+ tags:
+ - http
+ - logrotate
diff --git a/ansible/roles/http/tasks/main.yml b/ansible/roles/http/tasks/main.yml
index 5e7613b..fd04727 100644
--- a/ansible/roles/http/tasks/main.yml
+++ b/ansible/roles/http/tasks/main.yml
@@ -4,3 +4,4 @@
 - import_tasks: modsec.yml
 - import_tasks: http.yml
 - import_tasks: https.yml
+- import_tasks: logrotate.yml
diff --git a/ansible/roles/http/tasks/modsec.yml b/ansible/roles/http/tasks/modsec.yml
index a3ac830..12e210f 100644
--- a/ansible/roles/http/tasks/modsec.yml
+++ b/ansible/roles/http/tasks/modsec.yml
@@ -84,7 +84,8 @@
 become: true
 ansible.builtin.lineinfile:
 path: /etc/nginx/modsecurity.conf
- regexp: "^SecRuleEngine"
- line: "SecRuleEngine On"
+ regexp: "{{ item.regex }}"
+ line: "{{ item.line }}"
+ loop: "{{ modsec_conf_replaces }} "
 notify: restart_nginx
 tags: modsec
diff --git a/ansible/roles/http/templates/logrotate/nginx.j2 b/ansible/roles/http/templates/logrotate/nginx.j2
new file mode 100644
index 0000000..a60686a
--- /dev/null
+++ b/ansible/roles/http/templates/logrotate/nginx.j2
@@ -0,0 +1,10 @@
+/var/log/nginx/*log {
+ daily
+ rotate 4
+ missingok
+ notifempty
+ create 640 http log
+ compress
+ delaycompress
+ copytruncate
+}
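Review bot: `loop: "{{ modsec_conf_replaces }} "` has a trailing space inside the quotes, so the expression renders to a string rather than the list and the task depends on Ansible's string-to-list coercion to recover it, which varies with the Ansible version and `jinja2_native` setting; it should read `loop: "{{ modsec_conf_replaces }}"`. Since `regexp` is now templated per item, it is worth a comment on the task that each `modsec_conf_replaces` entry must be anchored tightly enough to match exactly one directive, because lineinfile rewrites only the last match. The task's `name` line lies before this hunk.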
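Review bot: `create 640 http log` is inert next to `copytruncate`: logrotate applies `create` only when it renames the old file and opens a new one, while copytruncate keeps the original and truncates it in place, so the owner and mode on that line never take effect, and copytruncate itself can drop lines written between the copy and the truncate. If copytruncate is deliberate — for instance because the ModSecurity audit log, which the `*log` glob also matches, is held open by the module and would not be reopened by nginx's `USR1` — say so in a comment and drop the `create` line; otherwise replace `copytruncate` with `sharedscripts` and a `postrotate` / `kill -USR1 "$(cat <nginx-pid-file>)"` / `endscript` block (pid path per the nginx package; placeholder) so rotation is lossless. A one-line comment stating that the glob intentionally covers `access.log`, `error.log` and `modsec_audit.log` would also help the next reader.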
diff --git a/ansible/roles/http/templates/nginx/nginx.conf.j2 b/ansible/roles/http/templates/nginx/nginx.conf.j2
new file mode 100644
index 0000000..7964721
--- /dev/null
+++ b/ansible/roles/http/templates/nginx/nginx.conf.j2
@@ -0,0 +1,71 @@
+user http;
+worker_processes 1;
+
+load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
+
+error_log /var/log/nginx/error.log notice;
+error_log syslog:server=localhost:{{ syslog_udp_error }},tag=nginx,severity=info notice;
+
+events {
+ worker_connections 1024;
+}
+
+http {
+ map $http_upgrade $connection_upgrade {
+ default upgrade;
+ '' close;
+ }
+
+ include mime.types;
+
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $connection : $connection_requests [$time_iso8601] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+ log_format graylog_json escape=json '{ "nginx_timestamp": "[$time_iso8601]", '
+ '"remote_addr": "$remote_addr", '
+ '"connection": "$connection", '
+ '"connection_requests": $connection_requests, '
+ '"body_bytes_sent": $body_bytes_sent, '
+ '"request_length": $request_length, '
+ '"request_time": $request_time, '
+ '"response_status": $status, '
+ '"request": "$request", '
+ '"request_method": "$request_method", '
+ '"host": "$host", '
+ '"upstream_cache_status": "$upstream_cache_status", '
+ '"upstream_addr": "$upstream_addr", '
+ '"http_x_forwarded_for": "$http_x_forwarded_for", '
+ '"http_referrer": "$http_referer", '
+ '"http_user_agent": "$http_user_agent", '
+ '"http_version": "$server_protocol", '
+ '"remote_user": "$remote_user", '
+ '"http_x_forwarded_proto": "$http_x_forwarded_proto", '
+ '"upstream_response_time": "$upstream_response_time", '
+ '"nginx_access": true }';
+
+ access_log /var/log/nginx/access.log main;
+ access_log syslog:server=localhost:{{ syslog_udp_default }},tag=nginx,severity=info graylog_json;
+
+ sendfile on;
+ server_tokens off;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ gzip on;
+ gzip_disable "mise6";
+ gzip_min_length 1000;
+ gzip_proxied expired no-cache no-store private auth;
+ gzip_types text/plain application/xml application/json application/javascript application/octet-stream
text/css;
+
+ # client_body_buffer_size 1k;
+ # client_header_buffer_size 1k;
+ # client_max_body_size 2k;
+ # large_client_header_buffers 2 1k;
+
+ limit_req_zone $binary_remote_addr zone=one:10m rate=10r/s;
+
+ include /etc/nginx/sites-enabled/*.conf;
+}
\ No newline at end of file
diff --git a/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2 b/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
index 857f2ec..74509c8 100644
--- a/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
+++ b/ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
@@ -2,6 +2,11 @@ upstream drone {
 server 127.0.0.1:8080;
 }
+geo $local_access {
+ default 0;
+ 192.168.1.1 1;
+}
+
 server {
 modsecurity on;
 modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
@@ -24,7 +29,12 @@ server {
 ssl_stapling on;
 ssl_stapling_verify on;
+ resolver 127.0.0.1 127.0.0.53 9.9.9.9 valid=60s;
+
 location / {
+ if ($local_access = 1) {
+ access_log off;
+ }
 add_header Allow "GET, POST, HEAD" always;
 add_header Content-Security-Policy "default-src 'self'; img-src 'self' https://*.githubusercontent.com; frame-ancestors 'self'; base-uri 'none',base-uri 'self'; form-action 'self'" always;
 add_header Referrer-Policy "same-origin" always;
diff --git a/ansible/roles/http/templates/nginx/sites/logs.bdebyl.net.conf.j2 b/ansible/roles/http/templates/nginx/sites/logs.bdebyl.net.conf.j2
new file mode 100644
index 0000000..24e0726
--- /dev/null
+++ b/ansible/roles/http/templates/nginx/sites/logs.bdebyl.net.conf.j2
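Review bot: `gzip_disable "mise6"` is a typo carried over from the deleted nginx.conf: nginx's special value is `msie6`, and as written the directive matches no real user agent, so it is harmless but not what was intended. The template also ends without a trailing newline (`\ No newline at end of file`), which is worth fixing for clean future diffs. One caveat the new `access_log syslog:...` and `error_log syslog:...` lines deserve in a comment: nginx sends syslog over UDP fire-and-forget, so when the Graylog input is down or the socket buffer fills, records are lost silently while the file logs remain the authoritative copy — e.g. `# UDP syslog is best-effort; the file log above is authoritative`.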
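Review bot: `geo $local_access` is defined here with a single address and again, with `192.168.1.0/24`, in the new logs.bdebyl.net.conf.j2, and both files are pulled into the same `http` block by nginx.conf.j2's `include /etc/nginx/sites-enabled/*.conf`. As far as I recall nginx accepts a repeated `geo` for the same variable and the last parsed definition wins, so this site's `if ($local_access = 1) { access_log off; }` would likely end up using the /24 rather than 192.168.1.1 alone; give each site its own variable name (e.g. `$ci_local_access`) or define one shared `geo` once in nginx.conf.j2. Also, if 192.168.1.1 is the gateway, requests NAT-hairpinned through it would be exempt from access logging on this internet-facing host, so a comment stating which client that address represents would help whoever reads these logs in an investigation.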
@@ -0,0 +1,32 @@
+upstream graylog {
+ server localhost:{{ graylog_port }};
+}
+
+geo $local_access {
+ default 0;
+ 192.168.1.0/24 1;
+}
+
+server {
+ modsecurity on;
+ modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
+
+ listen 80;
+ server_name {{ logs_server_name }};
+
+ location / {
+ if ($local_access = 1) {
+ access_log off;
+ }
+ allow 192.168.1.0/24;
+ allow 127.0.0.1;
+ deny all;
+
+ proxy_set_header X-Forwarded-For $remote_addr;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+
+ proxy_buffering off;
+ proxy_pass http://graylog;
+ }
+}
diff --git a/ansible/roles/http/templates/nginx/sites/parts.bdebyl.net.https.conf.j2 b/ansible/roles/http/templates/nginx/sites/parts.bdebyl.net.https.conf.j2
index cd3c164..f6e80a3 100644
--- a/ansible/roles/http/templates/nginx/sites/parts.bdebyl.net.https.conf.j2
+++ b/ansible/roles/http/templates/nginx/sites/parts.bdebyl.net.https.conf.j2
@@ -11,6 +11,8 @@ server {
 modsecurity on;
 modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
+ resolver 127.0.0.1 127.0.0.53 9.9.9.9 valid=60s;
+
 listen 443 ssl http2;
 listen [::]:443 ssl http2;
 server_name {{ parts_server_name }};
diff --git a/ansible/roles/http/templates/nginx/sites/pi.bdebyl.net.conf.j2 b/ansible/roles/http/templates/nginx/sites/pi.bdebyl.net.conf.j2
index 473c5bd..ca804b8 100644
--- a/ansible/roles/http/templates/nginx/sites/pi.bdebyl.net.conf.j2
+++ b/ansible/roles/http/templates/nginx/sites/pi.bdebyl.net.conf.j2
@@ -12,7 +12,7 @@ server {
 listen [::]:80;
 root /srv/http/pihole;
- server_name pi.bdebyl.net;
+ server_name {{ pi_server_name }};
 autoindex off;
 proxy_intercept_errors on;
@@ -21,6 +21,7 @@ server {
 index pihole/index.php index.php index.html index.htm;
 allow 192.168.1.0/24;
+ allow 127.0.0.1;
 deny all;
 location / {
diff --git a/ansible/roles/motion/meta/main.yml b/ansible/roles/motion/meta/main.yml
index ed97d53..258ca27 100644
--- a/ansible/roles/motion/meta/main.yml
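Review bot: `listen 80;` puts the Graylog login — the root password from `GRAYLOG_ROOT_PASSWORD_SHA2` and the resulting session cookie — on cleartext HTTP, while the sibling sites in this role use `listen 443 ssl http2;` with certbot; restricting to 192.168.1.0/24 limits who can reach it but not who can observe it on that LAN. Consider the same https pattern as ci.bdebyl.net.https.conf.j2, with the port-80 server only redirecting. The `allow`/`deny` in `location /` is also only as strong as the container's port binding; see the note on the graylog role hunk about publishing `graylog_port` on loopback, and `server localhost:{{ graylog_port }};` would then be better written as `server 127.0.0.1:{{ graylog_port }};` so the upstream cannot resolve to ::1.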
+++ b/ansible/roles/motion/meta/main.yml
@@ -1 +1,4 @@
 ---
+dependencies:
+ - role: http
+ - role: graylog
diff --git a/ansible/roles/motion/tasks/motion.yml b/ansible/roles/motion/tasks/motion.yml
index f8c7d8c..6967354 100644
--- a/ansible/roles/motion/tasks/motion.yml
+++ b/ansible/roles/motion/tasks/motion.yml
@@ -38,10 +38,15 @@
 community.general.docker_container:
 name: shinobi
 image: migoller/shinobidocker:latest
- recreate: true
+ recreate: false
 restart: true
 restart_policy: on-failure
 restart_retries: 3
+ log_driver: syslog
+ log_options:
+ syslog-address: "udp://localhost:{{ syslog_udp_default }}"
+ syslog-facility: daemon
+ tag: "docker/{{'{{'}} .Name {{'}}'}}"
 volumes:
 - "shinobi_data:/var/lib/mysql"
 - "/mnt/shinobi:/opt/shinobi/videos"
diff --git a/ansible/roles/partkeepr/meta/main.yml b/ansible/roles/partkeepr/meta/main.yml
index 3f81c4b..258ca27 100644
--- a/ansible/roles/partkeepr/meta/main.yml
+++ b/ansible/roles/partkeepr/meta/main.yml
@@ -1,3 +1,4 @@
 ---
 dependencies:
 - role: http
+ - role: graylog
diff --git a/ansible/roles/partkeepr/tasks/main.yml b/ansible/roles/partkeepr/tasks/main.yml
index 359d2b1..0274d3d 100644
--- a/ansible/roles/partkeepr/tasks/main.yml
+++ b/ansible/roles/partkeepr/tasks/main.yml
@@ -7,10 +7,12 @@
 - partkeepr-conf-vol
 - partkeepr-data-vol
 - partkeepr-db-vol
+ tags: partkeepr
 - name: create partkeepr network
 community.general.docker_network:
 name: "partkeepr"
+ tags: partkeepr
 - name: create partkeepr-db container
 diff: false
@@ -19,8 +21,13 @@
 image: mariadb:10.0
 recreate: false
 restart: true
- restart_policy: on-failure
+ restart_policy: unless-stopped
 restart_retries: 3
+ log_driver: syslog
+ log_options:
+ syslog-address: "udp://localhost:{{ syslog_udp_default }}"
+ syslog-facility: daemon
+ tag: "docker/{{'{{'}}.Name{{'}}'}}"
 networks:
 - name: "partkeepr"
 env:
@@ -30,6 +37,7 @@
 MYSQL_PASSWORD: partkeepr
 volumes:
 - partkeepr-db-vol:/var/lib/mysql
+ tags: partkeepr
 - name: create partkeepr container
 diff: false
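Review bot: `restart_policy: unless-stopped` is now paired with the retained `restart_retries: 3` for the partkeepr-db container, and the same pairing appears for the partkeepr and partkeepr-cron containers in the later hunks of this file. Docker only honours a maximum retry count with the `on-failure` policy and, as far as I recall, the daemon rejects a non-zero count for any other policy, so if the module passes `restart_retries` through the container create fails on that validation; if it does not, the line is dead configuration. Either drop `restart_retries: 3` from these three containers or keep `restart_policy: on-failure`, and state the choice in a comment since the other roles in this commit still use `on-failure`. The enclosing task starts before this hunk.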
@@ -38,40 +46,13 @@
 image: mhubig/partkeepr:latest
 recreate: false
 restart: true
- restart_policy: on-failure
- restart_retries: 3
- networks:
- - name: "partkeepr"
- volumes:
- - partkeepr-db-conf-vol:/var/www/html/app/config
- - partkeepr-db-data-vol:/var/www/html/data
- - partkeepr-db-web-vol:/var/www/html/web
-
-- name: create partkeepr-cron container
- diff: false
- community.general.docker_container:
- name: partkeepr-cron
- image: mhubig/partkeepr:latest
- entrypoint: []
- command: bash -c "crontab /etc/cron.d/partkeepr && cron -f"
- recreate: false
- restart: true
- restart_policy: on-failure
- restart_retries: 3
- volumes:
- - partkeepr-db-conf-vol:/var/www/html/app/config:ro
- - partkeepr-db-data-vol:/var/www/html/data
- - partkeepr-db-web-vol:/var/www/html/web
-
-- name: create partkeepr container
- diff: false
- community.general.docker_container:
- name: partkeepr
- image: mhubig/partkeepr:latest
- recreate: false
- restart: true
- restart_policy: on-failure
+ restart_policy: unless-stopped
 restart_retries: 3
+ log_driver: syslog
+ log_options:
+ syslog-address: "udp://localhost:{{ syslog_udp_default }}"
+ syslog-facility: daemon
+ tag: "docker/{{'{{'}}.Name{{'}}'}}"
 networks:
 - name: "partkeepr"
 ports:
@@ -80,3 +61,27 @@
 - partkeepr-db-conf-vol:/var/www/html/app/config
 - partkeepr-db-data-vol:/var/www/html/data
 - partkeepr-db-web-vol:/var/www/html/web
+ tags: partkeepr
+
+- name: create partkeepr-cron container
+ diff: false
+ community.general.docker_container:
+ name: partkeepr-cron
+ image: mhubig/partkeepr:latest
+ command_handling: correct
+ entrypoint: []
+ command: bash -c "crontab /etc/cron.d/partkeepr && cron -f"
+ recreate: false
+ restart: true
+ restart_policy: unless-stopped
+ restart_retries: 3
+ log_driver: syslog
+ log_options:
+ syslog-address: "udp://localhost:{{ syslog_udp_default }}"
+ syslog-facility: daemon
+ tag: "docker/{{'{{'}}.Name{{'}}'}}"
+ volumes:
+ - partkeepr-db-conf-vol:/var/www/html/app/config:ro
+ - partkeepr-db-data-vol:/var/www/html/data
+ - partkeepr-db-web-vol:/var/www/html/web
+ tags: partkeepr
diff --git a/ansible/vars/vault.yml b/ansible/vars/vault.yml index d34358fd22b133a712a154392cfd3abdd68c077c..8398d63a8f08826f608670dc2efe6c0f73536c91 100644 GIT binary patch literal 4394 zcmV+_5!LPhM@dveQdv+`0IW}V@fJ)u^}Wr{)a>ZE$bWuN?SBR)DL=pF6e`afP?l-a z#W6HF2vpjDjiDz2=?f?L3)39a>`15xq7Z@ymH}t78&!#(p@IMN`rcha)NYv}n-=&9 z-+uKjk%;`0=Q9jPTIxiVt;CMvqXDo+b(#7DucS6gMqA+h!dYv->xy?VB*vRMT0v*L{xTOU# z7-FlS=V)wF|9Wy-s&MPm9ArSJsB8L0*4u)}Fxa>$W)#f2|3uCrxR?{lvj3@7yC!>y zVxxx@e-(>y5uHqe=}fAfpxli?4z5gp!cYy;r2=>8d?qYy1l6GNll^o%LS5gahvRJZ z08hw*Pf5eNXPP(8U(|F`fV}TX-cipqsYelX*r()dzYs z_vt!;O;>a`S7m}WAB0fhhFk0?ZV0YrGYc{K^=cJNQI8#cboqD(OyDQuk_cn6PMiuP zYw2iZX!6Cj+KIBEvIOQRI@a-gr=r5rQQ})UDQ8Q6pWQQ|+#VU)0@!q1wbuCwS8h(Pn;&GvVFGq4DcWT zn3o7Cwy>Yk+&@ko`hL=3H&1Y(JcQ>j!!(J+D!eXRykdfyuSe5rD?&otM>Lx78bN zPw1(FC(+tc#K{-&H&0#!5cXN&SCSP{+FcZxFhjAexFP&39++mFw1gS0j0t)r?wNfD zS-kjHjH=5@Ws~7GFnsqp5YEq> z9Sye1(>3t9zNGR%IWtEZ>GQa!`RJ{HOXgwJKds*y(MhgZ4Pcix8Dd?tI9!q=`@q%b z#H$9fRYUmNe?R&*ncAkQI(m_EotwCd7@PsMErZ8+!AH%5lWs(a?xC5<*plOLXQA&} z_ST1+7he0Xc?6r=!}$i`Mq|xJRJF zRg554z9DCOYWrhKIt~X+@+j(K^T#Xfp64SWR-oVH9D~kI3&A$50dV|H2*ffdh22yQ z;^84Am$F=8i~^PJP2Yo26JEg{Qn!*%2SU^Ttf0_iuDV&2ZAauZ?p$q~2DwX?yPX~! zYjwIOyV${l9JuWuh%T;)+bE&mSDlw%ZEqHr$%!`jb9Bdw-&zH{@r?*-5dG@CIm;ud zI$OUuny{#Vq|ffV+(6djzxY*aSMEHyrgn#$b#m6q>|F;v;3Qduo$Nx$e#+SiOxPD|jzs;o z@qh*qp0zqyiOO!NkaD9=Ph2N8OKgym^Y_aktk?xcV6CCEPJ&!MO*PHlwfvrq0`7(< zd94t!@JI{W>oRnxI-r(0NFczwWfKAlCs8ciU=L=G$7Hr*ThiCBUXi9lKcP);{V`12 zhQt*X7~G+ADY>BL)6M?^DhjJ9;?;Y$8`w&a%I?uw=b)l`6kR z1>i*WT^%}PG)$3Rv5KLHT^<=P(%*->t>T*}yeW%NzUgtVX@p4ej6i)eOSdvxv!vEP zYE0~sKdNobJRFrwbSj6qRy~JLV-Scgdq6}SULZ?xEok`1r<*GwLsS)B|B=4-F{LDe zbB=9HCW}jszG@i15x!xV0bqp9d6JQ$dzz_tsjhLLkh+KKD;;>tT^{iqiM=iAri054 zpu&Z6)Hh#Iy_<}LJQs2N7r^VUUxXp~ znlenpiqt{mV}MY5;>2PyOinob;04_68!Fp%xi-_|L-IzX!Bai=LHxa-cKlDa2sBw0 z$K0#0Wd$xXpDhasX>6!J)H=)_@VJGaNt-ypAnZzX|o2Jd|VAIGyhB+RQYhIxiK z(mU#I$?LFGcNq5heav#Y7sV9g!p0vu`Q1BH2@+Ko7x)y1v>YjU4&Cicdb;5=S*5-O zODAEM0x;#kgjPxZKL#^ltNV>1efr{5k|;q0b{3D1`T2TTx<~D-!cN#NZXGnZWmM6? 
zK2P){CPi3~9ghz9FdZ9LJT3{@WVcCd5TEwgRzAE@peetu8IwJ|Y04@Py%4C4w@j+# z`|lOx26J6GBMI{@Y#8NQ99x^N{}iGom8HbVDoRMX@YN26E9dxSw7MK*<-MB1Ox$x4 z+=KHbl5qc+qjaX)ikh;h8|XOReNQ7ItKalCK%PpZ_OFpyvTQU_O$l8U#;1RQ?R)3}!*tt{a}#YQdCD1WlvF=vTH$R#g^{|07m8lx@dA)>e-f?Tt6##% z%-5etB$G}?m6LhK@zffP)pKficV}!Wf-7EwSDdc-PPL*!FFMxY<0xq>=XNsmn;2uK z(~^L~Oj`5$h(*GZWUEns>i}8xfa`v{dQMo1kJZ`5)jC^@6xf;giRLVTS*rkwQ`SSS zjiw;1v~gihLB(&q43Rt>T>kUmLpx&T$8z0o^pbJVK2Sd0_D#RDlb{&P9U5kJOdyJ6 zJ-k*t;&czLL4g~IyAvSK=Svl)6lw@wzh~UaOR&S(D9Fv61=|ab=L~O)J*|PP-qD5(liORg`VpE&+&+AoDAv zc54$VUe$`>6}t%t*8h;QGJ+@{mnxgQ_#ubW1Dbb830*{r7A6y{)%DC47DEW zLO-is2P@0S!NtQd%$!0ExZjCTw;`yh4GE4Se)KrzcdSgl7B`l!#W5ObpYpZ-X>)|) zl2bN`KK~F|{^?~6buwSf^R#sJRbUjgj56W9)*w4wN0=XpZg^$G_UXs+CkcpL{(St3SP671w0d3MlNLB`{zeQwkl7E=#N>H+Ppd!7x2cLns4eU^bOe2r>A0Z_reQ$O_x{8C zd)?lvjbF>G;l&VLqmym@924A?p2P~oO=~}|iL}2@{tf&a(t0S;^UFJd*hL71o4EUJ znpgQFj85j%e;$F-%)n}WE%}?$p%y9CkNJOY%cyuHR^OMs!JpIGA z_FrAl1mI`u(Xy({k1$3v*cZ?02V{euwLQ*)5;l4g-%*Df)F?%Gt5LiMGZ*9;2q^`> z`af!Kp($<+&WdV`kTCzTLzj+GcN8BtjeNF5Jp(&To8NjTft+{hbxNN^%|tkdMzVqG zNW9@=fucZDs~O(}25PfA^e;*XT2l{OOt=m8_H-bL%0o(J5 z>c%jjX70JaTf#30;5`LaE0QtQWWnwy7NdGe*$d$Ox|cm9#I1Lt+_{+ zMg-^H4VTv@C(rnpP(;nkTLXul0Tsll&M$r zUPkDOX=$UigLv~ds_$zXx?egJ`bXpS2cRibP6FZkEHL_~a$YWveI5c@*YM2}a z!JW!}10?hVjq_`b9-TeE-R9LA62t<_ad&Dn_C~eXmuJ^yweRNokcMUq)(MIWy|RPK zyEXutiRa`F`%VhmP;MDD;=aQch`ztAy$|QFc5G9Z^GzWFHA=z-pqO5*>MjJjS`|$81w3#KF9!;Lp({ zDDa+P9Z!n-Ik6gU4M5sC+p(7Uw&yVs*N0%z6d3u@r^ZLc1^h)aJw*y^Tq{VpFM0Vg zhVY_V-bH-@S@Z0oHe~9LovWXDf~|5M3o1IOqunt;?D!u3MC&O0sAjKS9hT)zM`|9S zSD=kJ*03p4FA2~^oG_UlFJ42AVVBMep}J4q4>mD#ym&BivLRtE0xmWE8XP^>lrA9S zeiByTUV4F%z{6X3yn+ZyH-CdQ=#V8HS1JWo z9_$v5e2Feh-S2N67v zxZkUP?&N4%J&pnU!F+65!1M>mBinR<*)Y~KUE2)Ivh5meX1+$Ta;;+W<=3iZPfyqE zKfVqQSsiBSu6bnG7UmbFB*?4aNeKzU&AWrL-R@SktacMkEmAc!Yq{3)u@qi5MtqLn zDd;kH{+%n!bs$0Gtp(|*i|6qn-*8f*rSgMnf3+EtD`DEmmh?mhDa@T^iD7|iOGQlb zE${of0dkCmGAA~*nl}~hd3Gk+gzBbql7g?3g{&xaB1#eCqyQks9x%$I^eF(f8uL#& z^59wyRlu2>&KYUYQ^oVxIqZFOrY-A%@`ZFzxW#+LzI0V=+qF!iLBt%5?JDl>2+Jyp 
zZJt4UYoej}cC_%kR+>bO6>>n?S=1pBhxenlxV`DEioIm$YGb{vZ0R&G_oFW}ZWtLC zkJ|fNt{tLkOMKb4*ikeNxz3c$`EYGo#={W_K-U zq2q^NxOZQuii_c_=GTIelpYeAt3wo$f%=xT2;}N`-V-Fr41Bt}ghzHo`9(s0=+dg1 kN;;Ok))q+c@aCOs{F`bCT-yJ;)a=C$D%DPQt`}oVOPVl`dH?_b literal 3228 zcmV;N3}f>EM@dveQdv+`08ACns{3(vZm2rzqkadEk;m_5bor6^`C9JA0cql^kP<93+bs7Zchc}Aa*9M%!S)pphPk+j;My?W62 z8>1k%_%oW(o|pPGm)Yn97{U;IChIUO7RsJo>mNnU0@7p_H_cTkNnzjMGOMgxA&X#?NGR#?+aCEnb z8`2osndD3wT;54(fwN7h8qO06Jm(D#-Z}AG$n&Qd8ynSWPR(YSu^9I3nf4Bz$AR+- zjr$yB!keI2jc-`7dxE*|nFg}GwS*F6la{0PaJ zrmeloU=!crLg0bB$*f;K3EXGSef}ho6n%EAGbZ`z3bRRIy9k_X@1G07%;0VZaSG8r zWDY5e7iOjvtU&v6&Wa=1haDgJnum!cfUSI)Cb6Dz^JBG7YW$JCXsH~$tSb_DYM&SR zsHuIR2+8~`k`Ug<#6I00@224)h=+WDH7E{ax-QlXV~hpIyoTdo2F7m&2)-BwoHZ<_ zQ}sw?fLzgo9!u`gD32uOENb z&)Av~h_MRt$gz6laO$K|g`@5C;Mj)wb0CEXzAE(JCmXIaJb?k=-%XviY2?=-SGDC$ z(A}cB+WHw$-(V{@t%63tPnURwUoX*`VM0@ILQ*o2Oyv_o2iH@Y?l`8(W6&gTBlW^0 z)RFegs#_!M;fiN0I_?tqjAq7M{We8$ern|U z_MPSf*9~`KTjuP|;xuKV{Xs&w$5#ha6+a@R0b{JBp_v;cXf*Nt9X?|J0fO;uXHV2_ zL*$%g;6CV8i~MgWlG8)GRBnyLj(6!Kn~98qgWd>uGzTp>K9@TN{P$52yTXi=L%F8( z0${u6B;s3=92BQh*`}Or&Id2hvdWlpzqhTT1RwJ26|I{!UXR)81**v+AAW&}?iC zZMhsIrvJX9akMZ70?v-kDlW)>RI37koLS@oB3ydh^)fDQj zT|U?olcDiAH9Je7QpO)3Wd&ODzCj$0+cIy#3^43Ugx}*GL119P9il&S?6bsbOghCB zm|hG#{XH^a@v-al6!4baGqoqq+apjGVN}9SQc?%({X`h<`7Jm#(^PuGQnB`ks5E^Y=cGTsWaq(_O!2QwIPnLBZ~#j7i9*NL{n$&q48 zfdgpEjv~z2{o*M2kjep8xWr9Tizec@K}G;Pb$#~)w@8b?<9u=9C|wwd~D=iV{%!Lx~9wG3oWSBS@*_U^4VD zm!>7M5~#(oj`qHO2g43m1o^)9o@j<_9LmeOrU-#O7?U5Ym(+6RQWhba= z?Dv0A(u4cI$27#=vi>_lUVp#CU0;(NdJsOnWZCoP*505jSw4MD(TSjD$-#%lSgxOX zI8vw;@1j6aLVk+T%)$xrxGlHYm#$(K;cA_GscrHblEU?@>U-4@KOYm9>HKjtmwJ7-EX zuN7mYlOx*Jla0FI8ypFQ|NP(`Q>uu;K+BCvm2Godr8zRrJ^93+~Q7 zHdePrS_iKY6>vVg;b_;8@qs|cLwgEVv6W>u9TOp2C_*bp8&Epz0(G&^kXwo8%RyQnMq=JVwpMruq1F{*ik5t z8&4|no*4z7yfoX**xHk>R2^5G3kCR!pKOE$k2nl_!d~(hxtD_N?f zj-_9P!7PlUwHTD1-Kjp5l|0Y+_Qx(_VK%2IFo8q3?20%za#YX3`{|~Do(Qv+?rl1){ z4k~)+rS2yRJmIF$)I?ntF#0hycPBftsD0h4D# zZ1TP!<}-{;CQquVdTzpI4|g)3)qDQP`ZP*!74_bU*uqhkD+y-o9O5lxNuwGkJLPmv 
zv{McQkd+)Q`0MIw=xFu%Na?%j=ZHy{){0*Z@C_Ci@b9&B@N5^Z`T$NfTK$Li5e?ye zkyfMfGMoDF9KgMSf?SkZ#J1wV5ZSJECsmama62~umb$h(NvkQ1Rn#kLU|@cEIiufO z2jvO6n=;?QRY(QZ!Z4HL>&7y#yb&KKnfM^M(2(Qq`>_g;vEN%PDHf}JPl*Z&A@4rh zwHK?Af%tw5v)%q6W8{;;ssV{2f#e*`>Gcw$aOy8cenr7Fbrnq!uLuiY{$3}n?BqzL zmIWnQGaa=Cutag~bD1eQu;h)xI@`#1zJgqHK|TS6-Yc5q`SD0o*5!S@m4e>`bovnw zcv&s;=?fgDtxG{2;x3m=%$BlYT<&Pbzn6M4c|Wi5Eb1V|@u`qg7vn=);n)_T*Mt1W z1E>KV%TPD_%+1;cmsS$GwkmLfK&ECXPBF*kUOyZO@5#5~(eKij1clJsAorJrlnBvE OE|H2rbM=jPgC-T<$z3G? From 98772f739f6b66141f05808f1befb4bed8318800 Mon Sep 17 00:00:00 2001 From: Bastian de Byl Date: Mon, 18 Apr 2022 03:17:08 -0400 Subject: [PATCH 2/2] CU-251akbj lint fixes --- ansible/roles/graylog/tasks/graylog.yml | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/ansible/roles/graylog/tasks/graylog.yml b/ansible/roles/graylog/tasks/graylog.yml index c078b60..73eecae 100644 --- a/ansible/roles/graylog/tasks/graylog.yml +++ b/ansible/roles/graylog/tasks/graylog.yml @@ -73,7 +73,6 @@ # Graylog web interface and REST API - "{{ graylog_port }}:9000" # Syslog TCP - #- 1514:1514 # Syslog UDP - "0.0.0.0:{{ syslog_udp_default }}:{{ syslog_udp_default }}/udp" # Syslog2 UDP @@ -81,7 +80,7 @@ # Syslog2 UDP - "0.0.0.0:{{ syslog_udp_error }}:{{ syslog_udp_error }}/udp" # GELF TCP - #- 12201:12201 + # - 12201:12201 # GELF UDP - #- 12201:12201/udp + # - 12201:12201/udp tags: graylog