From 61692b36a2570ac18fb5a9e1a48033e7b4606231 Mon Sep 17 00:00:00 2001
From: Bastian de Byl
Date: Wed, 28 Jan 2026 12:34:43 -0500
Subject: [PATCH] refactor: reorganize fluent-bit and geoip out of containers

- Move fluent-bit to common role (systemd service, not a container)
- Move geoip to podman/tasks/data/ (data prep, not a container)
- Remove debyltech tag from geoip (not a debyltech service)
- Fix check_mode for fetch subuid task to enable dry-run mode

Co-Authored-By: Claude Opus 4.5
---
 ansible/roles/common/handlers/main.yml | 6 ++++++
 .../base => common/tasks}/fluent-bit.yml | 19 -------------------
 ansible/roles/common/tasks/main.yml | 3 +++
 .../templates/fluent-bit/fluent-bit.conf.j2 | 10 ++++++++--
 .../templates/fluent-bit/parsers.conf.j2 | 0
 ansible/roles/podman/handlers/main.yml | 8 --------
 .../{containers/debyltech => data}/geoip.yml | 0
 ansible/roles/podman/tasks/main.yml | 13 +++++++------
 ansible/roles/podman/tasks/podman/podman.yml | 1 +
 9 files changed, 25 insertions(+), 35 deletions(-)
 rename ansible/roles/{podman/tasks/containers/base => common/tasks}/fluent-bit.yml (69%)
 rename ansible/roles/{podman => common}/templates/fluent-bit/fluent-bit.conf.j2 (95%)
 rename ansible/roles/{podman => common}/templates/fluent-bit/parsers.conf.j2 (100%)
 rename ansible/roles/podman/tasks/{containers/debyltech => data}/geoip.yml (100%)

diff --git a/ansible/roles/common/handlers/main.yml b/ansible/roles/common/handlers/main.yml
index 542cef2..12eb5f6 100644
--- a/ansible/roles/common/handlers/main.yml
+++ b/ansible/roles/common/handlers/main.yml
@@ -10,3 +10,9 @@
 ansible.builtin.service:
 name: fail2ban
 state: restarted
+
+- name: restart fluent-bit
+ become: true
+ ansible.builtin.systemd:
+ name: fluent-bit
+ state: restarted
diff --git a/ansible/roles/podman/tasks/containers/base/fluent-bit.yml b/ansible/roles/common/tasks/fluent-bit.yml
similarity index 69%
rename from ansible/roles/podman/tasks/containers/base/fluent-bit.yml
rename to ansible/roles/common/tasks/fluent-bit.yml
index bb81659..7144e81 100644
--- a/ansible/roles/podman/tasks/containers/base/fluent-bit.yml
+++ b/ansible/roles/common/tasks/fluent-bit.yml
@@ -2,25 +2,6 @@
 # Fluent Bit - Log forwarder from journald to Graylog GELF
 # Deployed as systemd service (not container) for direct journal access
 
-# Clean up old container deployment if it exists
-- name: stop and remove fluent-bit container if exists
- become: true
- become_user: "{{ podman_user }}"
- containers.podman.podman_container:
- name: fluent-bit
- state: absent
- ignore_errors: true
-
-- name: disable old fluent-bit container systemd service
- become: true
- become_user: "{{ podman_user }}"
- ansible.builtin.systemd:
- name: fluent-bit
- enabled: false
- state: stopped
- scope: user
- ignore_errors: true
-
 - name: install fluent-bit package
 become: true
 ansible.builtin.dnf:
diff --git a/ansible/roles/common/tasks/main.yml b/ansible/roles/common/tasks/main.yml
index 8aca606..db08c36 100644
--- a/ansible/roles/common/tasks/main.yml
+++ b/ansible/roles/common/tasks/main.yml
@@ -3,6 +3,9 @@
 - import_tasks: security.yml
 - import_tasks: service.yml
 
+- import_tasks: fluent-bit.yml
+ tags: fluent-bit, graylog
+
 - name: create the docker group
 become: true
 ansible.builtin.group:
diff --git a/ansible/roles/podman/templates/fluent-bit/fluent-bit.conf.j2 b/ansible/roles/common/templates/fluent-bit/fluent-bit.conf.j2
similarity index 95%
rename from ansible/roles/podman/templates/fluent-bit/fluent-bit.conf.j2
rename to ansible/roles/common/templates/fluent-bit/fluent-bit.conf.j2
index 4232a86..6db2b29 100644
--- a/ansible/roles/podman/templates/fluent-bit/fluent-bit.conf.j2
+++ b/ansible/roles/common/templates/fluent-bit/fluent-bit.conf.j2
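Review bot: Removing the two cleanup tasks leaves any host that still runs the container-based fluent-bit with both deployments: the rootless container, kept alive by the old user-scope `fluent-bit` unit, and the new system service would each forward the journal to Graylog, so every event arrives twice. If every host has already been converted this is harmless; otherwise keep the two tasks as an explicit one-off migration step, e.g. under `tags: never, fluent-bit-migrate`, so they run only when asked for and disappear from the normal run. Either way a line in the header comment should state that hosts migrated from the container must have the old container and user unit removed, since nothing in this file does it any more. The install task that follows continues outside the hunk.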
@@ -74,6 +74,12 @@
 # =============================================================================
 # FILTERS: Add metadata for Graylog categorization
 # =============================================================================
+# Exclude Graylog stack containers to prevent feedback loop
+[FILTER]
+ Name grep
+ Match podman.*
+ Exclude CONTAINER_NAME ^graylog
+
 [FILTER]
 Name record_modifier
 Match podman.*
@@ -143,7 +149,7 @@
 Name gelf
 Match *
 Host 127.0.0.1
- Port 12203
- Mode udp
+ Port 12202
+ Mode tcp
 Gelf_Short_Message_Key MESSAGE
 Gelf_Host_Key host
diff --git a/ansible/roles/podman/templates/fluent-bit/parsers.conf.j2 b/ansible/roles/common/templates/fluent-bit/parsers.conf.j2
similarity index 100%
rename from ansible/roles/podman/templates/fluent-bit/parsers.conf.j2
rename to ansible/roles/common/templates/fluent-bit/parsers.conf.j2
diff --git a/ansible/roles/podman/handlers/main.yml b/ansible/roles/podman/handlers/main.yml
index 6d45864..fa095dd 100644
--- a/ansible/roles/podman/handlers/main.yml
+++ b/ansible/roles/podman/handlers/main.yml
@@ -42,11 +42,3 @@
 scope: user
 tags:
 - zomboid
-
-- name: restart fluent-bit
- become: true
- ansible.builtin.systemd:
- name: fluent-bit
- state: restarted
- tags:
- - fluent-bit
diff --git a/ansible/roles/podman/tasks/containers/debyltech/geoip.yml b/ansible/roles/podman/tasks/data/geoip.yml
similarity index 100%
rename from ansible/roles/podman/tasks/containers/debyltech/geoip.yml
rename to ansible/roles/podman/tasks/data/geoip.yml
diff --git a/ansible/roles/podman/tasks/main.yml b/ansible/roles/podman/tasks/main.yml
index a7c3ba9..ad5dc2a 100644
--- a/ansible/roles/podman/tasks/main.yml
+++ b/ansible/roles/podman/tasks/main.yml
@@ -31,7 +31,7 @@
 
 - import_tasks: containers/home/hass.yml
 vars:
- image: ghcr.io/home-assistant/home-assistant:2025.9
+ image: ghcr.io/home-assistant/home-assistant:2026.1
 tags: hass
 
 - import_tasks: containers/home/partkeepr.yml
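Review bot: `Exclude CONTAINER_NAME ^graylog` is only left-anchored, so it silently drops every container whose name starts with `graylog`, not just the server; whether that also covers the MongoDB and OpenSearch containers depends on how containers/debyltech/graylog.yml names them, which is not visible here. If only the Graylog server should be excluded, anchor both ends, `Exclude CONTAINER_NAME ^graylog$`; if the whole stack is meant, spell the names out as an alternation (e.g. `^(graylog|<mongo name>|<opensearch name>)$`, placeholders) so the intent is readable. The comment should also say that the excluded containers' logs are then only reachable through journalctl or podman logs, since someone debugging Graylog in the Graylog UI will otherwise look for them in vain.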
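Review bot: The output now speaks GELF over TCP to 127.0.0.1:12202, but no Graylog-side file is part of this commit (the diffstat lists none), so the matching GELF TCP input on 12202 must already exist or be added in containers/debyltech/graylog.yml; otherwise Fluent Bit's connect attempts fail and chunks are discarded once the output's default retry budget is exhausted. Unlike UDP, TCP makes a Graylog restart visible as delivery errors, which is presumably the point of the switch; if no events may be lost across restarts, consider raising `Retry_Limit` on this [OUTPUT] and enabling filesystem buffering on the inputs. A one-line comment, e.g. `# TCP so that delivery failures are retried instead of silently dropped`, would record the reason. The [OUTPUT] section starts outside the hunk.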
@@ -86,15 +86,16 @@
 image: docker.io/louislam/uptime-kuma:2.0.2
 tags: home, uptime
 
-- import_tasks: containers/debyltech/geoip.yml
- tags: debyltech, graylog, geoip
+- import_tasks: data/geoip.yml
+ tags: graylog, geoip
 
 - import_tasks: containers/debyltech/graylog.yml
+ vars:
+ mongo_image: docker.io/mongo:7.0
+ opensearch_image: docker.io/opensearchproject/opensearch:2
+ image: docker.io/graylog/graylog:7.0.1
 tags: debyltech, graylog
 
-- import_tasks: containers/base/fluent-bit.yml
- tags: fluent-bit, graylog
-
 - import_tasks: containers/home/gregtime.yml
 vars:
 image: localhost/greg-time-bot:3.0.2
diff --git a/ansible/roles/podman/tasks/podman/podman.yml b/ansible/roles/podman/tasks/podman/podman.yml
index 14e6e7e..2744f00 100644
--- a/ansible/roles/podman/tasks/podman/podman.yml
+++ b/ansible/roles/podman/tasks/podman/podman.yml
@@ -112,6 +112,7 @@
 - name: fetch subuid of {{ podman_user }}
 become: true
 changed_when: false
+ check_mode: false
 ansible.builtin.shell: |
 set -o pipefail && cat /etc/subuid | awk -F':' '/{{ podman_user }}/{ print $2 }' | head -n 1
 register: podman_subuid
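Review bot: `mongo_image: docker.io/mongo:7.0` and `opensearch_image: docker.io/opensearchproject/opensearch:2` are floating tags, so any re-pull can move the Graylog datastores to a different release with no change in this file, while `image:` on the same import pins Graylog to 7.0.1 and the neighbouring hass and uptime-kuma imports pin to a release as well. Pin the two datastore images to a specific release the same way, ideally with a digest, e.g. `opensearch_image: docker.io/opensearchproject/opensearch:2.<patch>@sha256:<digest>` (placeholder values). Introducing these vars presumably moves the image pins out of graylog.yml, which the commit message does not mention; a line in the description would help the next reader. The list of imports continues on both sides of the hunk.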
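Review bot: The lookup `awk -F':' '/{{ podman_user }}/{ print $2 }'` is an unanchored regex over the whole line, so a user name that is a substring of another entry (`bob` against `bobby`) or one containing regex metacharacters can return another account's subuid start, which then propagates to wherever `podman_subuid` is used for ownership or id mapping. Compare the first field exactly instead: `set -o pipefail && awk -F':' -v u='{{ podman_user }}' '$1 == u { print $2; exit }' /etc/subuid`. The added `check_mode: false` is right for a read-only lookup, since without it `podman_subuid` is undefined in a dry run and later tasks would fail on it; the task may continue past the hunk.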