diff --git a/ansible/roles/podman/defaults/main.yml b/ansible/roles/podman/defaults/main.yml
index d0d20f4..bc8e2bc 100644
--- a/ansible/roles/podman/defaults/main.yml
+++ b/ansible/roles/podman/defaults/main.yml
@@ -1,6 +1,5 @@
 ---
 bookstack_path: "{{ podman_volumes }}/bookstack"
-bitwarden_path: "{{ podman_volumes }}/bitwarden"
 cam2ip_path: "{{ podman_volumes }}/cam2ip"
 cloud_path: "{{ podman_volumes }}/cloud"
 cloud_skudak_path: "{{ podman_volumes }}/skudakcloud"
@@ -8,7 +7,6 @@ debyltech_path: "{{ podman_volumes }}/debyltech"
 drone_path: "{{ podman_volumes }}/drone"
 factorio_path: "{{ podman_volumes }}/factorio"
 fulfillr_path: "{{ podman_volumes }}/fulfillr"
-graylog_path: "{{ podman_volumes }}/graylog"
 hass_path: "{{ podman_volumes }}/hass"
 nginx_path: "{{ podman_volumes }}/nginx"
 nosql_path: "{{ podman_volumes }}/nosql"
@@ -16,7 +14,6 @@ partkeepr_path: "{{ podman_volumes }}/partkeepr"
 photos_path: "{{ podman_volumes }}/photos"
 pihole_path: "{{ podman_volumes }}/pihole"
 sshpass_cron_path: "{{ podman_volumes }}/sshpass_cron"
-palworld_path: "{{ podman_volumes }}/palworld"
 
 drone_server_proto: "https"
 drone_runner_proto: "http"
@@ -26,7 +23,6 @@ drone_runner_capacity: "8"
 base_server_name: bdebyl.net
 assistant_server_name: assistant.bdebyl.net
 bookstack_server_name: wiki.skudakrennsport.com
-bitwarden_server_name: bitwarden.skudakrennsport.com
 ci_server_name: ci.bdebyl.net
 cloud_server_name: cloud.bdebyl.net
 cloud_skudak_server_name: cloud.skudakrennsport.com
diff --git a/ansible/roles/podman/files/graylog/graylog.conf b/ansible/roles/podman/files/graylog/graylog.conf
deleted file mode 100644
index 2f10dc5..0000000
--- a/ansible/roles/podman/files/graylog/graylog.conf
+++ /dev/null
@@ -1,736 +0,0 @@ -############################ -# GRAYLOG CONFIGURATION FILE -############################ -# -# This is the Graylog configuration file. The file has to use ISO 8859-1/Latin-1 character encoding. -# Characters that cannot be directly represented in this encoding can be written using Unicode escapes -# as defined in https://docs.oracle.com/javase/specs/jls/se8/html/jls-3.html#jls-3.3, using the \u prefix. -# For example, \u002c. -# -# * Entries are generally expected to be a single line of the form, one of the following: -# -# propertyName=propertyValue -# propertyName:propertyValue -# -# * White space that appears between the property name and property value is ignored, -# so the following are equivalent: -# -# name=Stephen -# name = Stephen -# -# * White space at the beginning of the line is also ignored. -# -# * Lines that start with the comment characters ! or # are ignored. Blank lines are also ignored. -# -# * The property value is generally terminated by the end of the line. White space following the -# property value is not ignored, and is treated as part of the property value. -# -# * A property value can span several lines if each line is terminated by a backslash (‘\’) character. -# For example: -# -# targetCities=\ -# Detroit,\ -# Chicago,\ -# Los Angeles -# -# This is equivalent to targetCities=Detroit,Chicago,Los Angeles (white space at the beginning of lines is ignored). -# -# * The characters newline, carriage return, and tab can be inserted with characters \n, \r, and \t, respectively. -# -# * The backslash character must be escaped as a double backslash. For example: -# -# path=c:\\docs\\doc1 -# - -# If you are running more than one instances of Graylog server you have to select one of these -# instances as master. The master will perform some periodical tasks that non-masters won't perform. -is_master = true - -# The auto-generated node ID will be stored in this file and read after restarts. 
It is a good idea -# to use an absolute file path here if you are starting Graylog server from init scripts or similar. -node_id_file = /usr/share/graylog/data/config/node-id - -# You MUST set a secret to secure/pepper the stored user passwords here. Use at least 64 characters. -# Generate one by using for example: pwgen -N 1 -s 96 -# ATTENTION: This value must be the same on all Graylog nodes in the cluster. -# Changing this value after installation will render all user sessions and encrypted values in the database invalid. (e.g. encrypted access tokens) -password_secret = - -# The default root user is named 'admin' -#root_username = admin - -# You MUST specify a hash password for the root user (which you only need to initially set up the -# system and in case you lose connectivity to your authentication backend) -# This password cannot be changed using the API or via the web interface. If you need to change it, -# modify it in this file. -# Create one by using for example: echo -n yourpassword | shasum -a 256 -# and put the resulting hash value into the following line -root_password_sha2 = - -# The email address of the root user. -# Default is empty -#root_email = "" - -# The time zone setting of the root user. See http://www.joda.org/joda-time/timezones.html for a list of valid time zones. -# Default is UTC -root_timezone = America/New_York - -# Set the bin directory here (relative or absolute) -# This directory contains binaries that are used by the Graylog server. -# Default: bin -bin_dir = /usr/share/graylog/bin - -# Set the data directory here (relative or absolute) -# This directory is used to store Graylog server state. -# Default: data -data_dir = /usr/share/graylog/data - -# Set plugin directory here (relative or absolute) -plugin_dir = /usr/share/graylog/plugin - -############### -# HTTP settings -############### - -#### HTTP bind address -# -# The network interface used by the Graylog HTTP interface. 
-# -# This network interface must be accessible by all Graylog nodes in the cluster and by all clients -# using the Graylog web interface. -# -# If the port is omitted, Graylog will use port 9000 by default. -# -# Default: 127.0.0.1:9000 -#http_bind_address = 127.0.0.1:9000 -#http_bind_address = [2001:db8::1]:9000 -http_bind_address = 0.0.0.0:9000 - - -#### HTTP publish URI -# -# The HTTP URI of this Graylog node which is used to communicate with the other Graylog nodes in the cluster and by all -# clients using the Graylog web interface. -# -# The URI will be published in the cluster discovery APIs, so that other Graylog nodes will be able to find and connect to this Graylog node. -# -# This configuration setting has to be used if this Graylog node is available on another network interface than $http_bind_address, -# for example if the machine has multiple network interfaces or is behind a NAT gateway. -# -# If $http_bind_address contains a wildcard IPv4 address (0.0.0.0), the first non-loopback IPv4 address of this machine will be used. -# This configuration setting *must not* contain a wildcard address! -# -# Default: http://$http_bind_address/ -#http_publish_uri = http://192.168.1.1:9000/ - -#### External Graylog URI -# -# The public URI of Graylog which will be used by the Graylog web interface to communicate with the Graylog REST API. -# -# The external Graylog URI usually has to be specified, if Graylog is running behind a reverse proxy or load-balancer -# and it will be used to generate URLs addressing entities in the Graylog REST API (see $http_bind_address). -# -# When using Graylog Collector, this URI will be used to receive heartbeat messages and must be accessible for all collectors. -# -# This setting can be overriden on a per-request basis with the "X-Graylog-Server-URL" HTTP request header. 
-# -# Default: $http_publish_uri -#http_external_uri = - -#### Enable CORS headers for HTTP interface -# -# This allows browsers to make Cross-Origin requests from any origin. -# This is disabled for security reasons and typically only needed if running graylog -# with a separate server for frontend development. -# -# Default: false -#http_enable_cors = false - -#### Enable GZIP support for HTTP interface -# -# This compresses API responses and therefore helps to reduce -# overall round trip times. This is enabled by default. Uncomment the next line to disable it. -#http_enable_gzip = false - -# The maximum size of the HTTP request headers in bytes. -#http_max_header_size = 8192 - -# The size of the thread pool used exclusively for serving the HTTP interface. -#http_thread_pool_size = 16 - -################ -# HTTPS settings -################ - -#### Enable HTTPS support for the HTTP interface -# -# This secures the communication with the HTTP interface with TLS to prevent request forgery and eavesdropping. -# -# Default: false -#http_enable_tls = true - -# The X.509 certificate chain file in PEM format to use for securing the HTTP interface. -#http_tls_cert_file = /path/to/graylog.crt - -# The PKCS#8 private key file in PEM format to use for securing the HTTP interface. -#http_tls_key_file = /path/to/graylog.key - -# The password to unlock the private key used for securing the HTTP interface. -#http_tls_key_password = secret - - -# Comma separated list of trusted proxies that are allowed to set the client address with X-Forwarded-For -# header. May be subnets, or hosts. -#trusted_proxies = 127.0.0.1/32, 0:0:0:0:0:0:0:1/128 - -# List of Elasticsearch hosts Graylog should connect to. -# Need to be specified as a comma-separated list of valid URIs for the http ports of your elasticsearch nodes. -# If one or more of your elasticsearch hosts require authentication, include the credentials in each node URI that -# requires authentication. 
-# -# Default: http://127.0.0.1:9200 -#elasticsearch_hosts = http://node1:9200,http://user:password@node2:19200 -elasticsearch_hosts = http://elasticsearch:9200 - -# Maximum number of retries to connect to elasticsearch on boot for the version probe. -# -# Default: 0, retry indefinitely with the given delay until a connection could be established -#elasticsearch_version_probe_attempts = 5 - -# Waiting time in between connection attempts for elasticsearch_version_probe_attempts -# -# Default: 5s -#elasticsearch_version_probe_delay = 5s - -# Maximum amount of time to wait for successful connection to Elasticsearch HTTP port. -# -# Default: 10 Seconds -#elasticsearch_connect_timeout = 10s - -# Maximum amount of time to wait for reading back a response from an Elasticsearch server. -# (e. g. during search, index creation, or index time-range calculations) -# -# Default: 60 seconds -#elasticsearch_socket_timeout = 60s - -# Maximum idle time for an Elasticsearch connection. If this is exceeded, this connection will -# be tore down. -# -# Default: inf -#elasticsearch_idle_timeout = -1s - -# Maximum number of total connections to Elasticsearch. -# -# Default: 200 -#elasticsearch_max_total_connections = 200 - -# Maximum number of total connections per Elasticsearch route (normally this means per -# elasticsearch server). -# -# Default: 20 -#elasticsearch_max_total_connections_per_route = 20 - -# Maximum number of times Graylog will retry failed requests to Elasticsearch. -# -# Default: 2 -#elasticsearch_max_retries = 2 - -# Enable automatic Elasticsearch node discovery through Nodes Info, -# see https://www.elastic.co/guide/en/elasticsearch/reference/5.4/cluster-nodes-info.html -# -# WARNING: Automatic node discovery does not work if Elasticsearch requires authentication, e. g. with Shield. 
-# -# Default: false -#elasticsearch_discovery_enabled = true - -# Filter for including/excluding Elasticsearch nodes in discovery according to their custom attributes, -# see https://www.elastic.co/guide/en/elasticsearch/reference/5.4/cluster.html#cluster-nodes -# -# Default: empty -#elasticsearch_discovery_filter = rack:42 - -# Frequency of the Elasticsearch node discovery. -# -# Default: 30s -# elasticsearch_discovery_frequency = 30s - -# Set the default scheme when connecting to Elasticsearch discovered nodes -# -# Default: http (available options: http, https) -#elasticsearch_discovery_default_scheme = http - -# Enable payload compression for Elasticsearch requests. -# -# Default: false -#elasticsearch_compression_enabled = true - -# Enable use of "Expect: 100-continue" Header for Elasticsearch index requests. -# If this is disabled, Graylog cannot properly handle HTTP 413 Request Entity Too Large errors. -# -# Default: true -#elasticsearch_use_expect_continue = true - -# Graylog will use multiple indices to store documents in. You can configured the strategy it uses to determine -# when to rotate the currently active write index. -# It supports multiple rotation strategies: -# - "count" of messages per index, use elasticsearch_max_docs_per_index below to configure -# - "size" per index, use elasticsearch_max_size_per_index below to configure -# valid values are "count", "size" and "time", default is "count" -# -# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these -# to your previous 1.x settings so they will be migrated to the database! -# This configuration setting is only used on the first start of Graylog. After that, -# index related settings can be changed in the Graylog web interface on the 'System / Indices' page. 
-# Also see https://docs.graylog.org/docs/index-model#index-set-configuration -rotation_strategy = count - -# (Approximate) maximum number of documents in an Elasticsearch index before a new index -# is being created, also see no_retention and elasticsearch_max_number_of_indices. -# Configure this if you used 'rotation_strategy = count' above. -# -# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these -# to your previous 1.x settings so they will be migrated to the database! -# This configuration setting is only used on the first start of Graylog. After that, -# index related settings can be changed in the Graylog web interface on the 'System / Indices' page. -# Also see https://docs.graylog.org/docs/index-model#index-set-configuration -elasticsearch_max_docs_per_index = 20000000 - -# (Approximate) maximum size in bytes per Elasticsearch index on disk before a new index is being created, also see -# no_retention and elasticsearch_max_number_of_indices. Default is 1GB. -# Configure this if you used 'rotation_strategy = size' above. -# -# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these -# to your previous 1.x settings so they will be migrated to the database! -# This configuration setting is only used on the first start of Graylog. After that, -# index related settings can be changed in the Graylog web interface on the 'System / Indices' page. -# Also see https://docs.graylog.org/docs/index-model#index-set-configuration -#elasticsearch_max_size_per_index = 1073741824 - -# (Approximate) maximum time before a new Elasticsearch index is being created, also see -# no_retention and elasticsearch_max_number_of_indices. Default is 1 day. -# Configure this if you used 'rotation_strategy = time' above. 
-# Please note that this rotation period does not look at the time specified in the received messages, but is -# using the real clock value to decide when to rotate the index! -# Specify the time using a duration and a suffix indicating which unit you want: -# 1w = 1 week -# 1d = 1 day -# 12h = 12 hours -# Permitted suffixes are: d for day, h for hour, m for minute, s for second. -# -# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these -# to your previous 1.x settings so they will be migrated to the database! -# This configuration setting is only used on the first start of Graylog. After that, -# index related settings can be changed in the Graylog web interface on the 'System / Indices' page. -# Also see https://docs.graylog.org/docs/index-model#index-set-configuration -#elasticsearch_max_time_per_index = 1d - -# Disable checking the version of Elasticsearch for being compatible with this Graylog release. -# WARNING: Using Graylog with unsupported and untested versions of Elasticsearch may lead to data loss! -#elasticsearch_disable_version_check = true - -# Disable message retention on this node, i. e. disable Elasticsearch index rotation. -#no_retention = false - -# How many indices do you want to keep? -# -# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these -# to your previous 1.x settings so they will be migrated to the database! -# This configuration setting is only used on the first start of Graylog. After that, -# index related settings can be changed in the Graylog web interface on the 'System / Indices' page. -# Also see https://docs.graylog.org/docs/index-model#index-set-configuration -elasticsearch_max_number_of_indices = 20 - -# Decide what happens with the oldest indices when the maximum number of indices is reached. 
-# The following strategies are availble: -# - delete # Deletes the index completely (Default) -# - close # Closes the index and hides it from the system. Can be re-opened later. -# -# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these -# to your previous 1.x settings so they will be migrated to the database! -# This configuration setting is only used on the first start of Graylog. After that, -# index related settings can be changed in the Graylog web interface on the 'System / Indices' page. -# Also see https://docs.graylog.org/docs/index-model#index-set-configuration -retention_strategy = delete - -# How many Elasticsearch shards and replicas should be used per index? Note that this only applies to newly created indices. -# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these -# to your previous settings so they will be migrated to the database! -# This configuration setting is only used on the first start of Graylog. After that, -# index related settings can be changed in the Graylog web interface on the 'System / Indices' page. -# Also see https://docs.graylog.org/docs/index-model#index-set-configuration -elasticsearch_shards = 4 -elasticsearch_replicas = 0 - -# Prefix for all Elasticsearch indices and index aliases managed by Graylog. -# -# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these -# to your previous settings so they will be migrated to the database! -# This configuration setting is only used on the first start of Graylog. After that, -# index related settings can be changed in the Graylog web interface on the 'System / Indices' page. -# Also see https://docs.graylog.org/docs/index-model#index-set-configuration -elasticsearch_index_prefix = graylog - -# Name of the Elasticsearch index template used by Graylog to apply the mandatory index mapping. 
-# Default: graylog-internal -# -# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these -# to your previous settings so they will be migrated to the database! -# This configuration setting is only used on the first start of Graylog. After that, -# index related settings can be changed in the Graylog web interface on the 'System / Indices' page. -# Also see https://docs.graylog.org/docs/index-model#index-set-configuration -#elasticsearch_template_name = graylog-internal - -# Do you want to allow searches with leading wildcards? This can be extremely resource hungry and should only -# be enabled with care. See also: https://docs.graylog.org/docs/query-language -allow_leading_wildcard_searches = false - -# Do you want to allow searches to be highlighted? Depending on the size of your messages this can be memory hungry and -# should only be enabled after making sure your Elasticsearch cluster has enough memory. -allow_highlighting = false - -# Analyzer (tokenizer) to use for message and full_message field. The "standard" filter usually is a good idea. -# All supported analyzers are: standard, simple, whitespace, stop, keyword, pattern, language, snowball, custom -# Elasticsearch documentation: https://www.elastic.co/guide/en/elasticsearch/reference/2.3/analysis.html -# Note that this setting only takes effect on newly created indices. -# -# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these -# to your previous settings so they will be migrated to the database! -# This configuration setting is only used on the first start of Graylog. After that, -# index related settings can be changed in the Graylog web interface on the 'System / Indices' page. -# Also see https://docs.graylog.org/docs/index-model#index-set-configuration -elasticsearch_analyzer = standard - -# Global timeout for index optimization (force merge) requests. 
-# Default: 1h -#elasticsearch_index_optimization_timeout = 1h - -# Maximum number of concurrently running index optimization (force merge) jobs. -# If you are using lots of different index sets, you might want to increase that number. -# Default: 20 -#elasticsearch_index_optimization_jobs = 20 - -# Mute the logging-output of ES deprecation warnings during REST calls in the ES RestClient -#elasticsearch_mute_deprecation_warnings = true - -# Time interval for index range information cleanups. This setting defines how often stale index range information -# is being purged from the database. -# Default: 1h -#index_ranges_cleanup_interval = 1h - -# Time interval for the job that runs index field type maintenance tasks like cleaning up stale entries. This doesn't -# need to run very often. -# Default: 1h -#index_field_type_periodical_interval = 1h - -# Batch size for the Elasticsearch output. This is the maximum (!) number of messages the Elasticsearch output -# module will get at once and write to Elasticsearch in a batch call. If the configured batch size has not been -# reached within output_flush_interval seconds, everything that is available will be flushed at once. Remember -# that every outputbuffer processor manages its own batch and performs its own batch write calls. -# ("outputbuffer_processors" variable) -output_batch_size = 500 - -# Flush interval (in seconds) for the Elasticsearch output. This is the maximum amount of time between two -# batches of messages written to Elasticsearch. It is only effective at all if your minimum number of messages -# for this time period is less than output_batch_size * outputbuffer_processors. -output_flush_interval = 1 - -# As stream outputs are loaded only on demand, an output which is failing to initialize will be tried over and -# over again. To prevent this, the following configuration options define after how many faults an output will -# not be tried again for an also configurable amount of seconds. 
-output_fault_count_threshold = 5 -output_fault_penalty_seconds = 30 - -# The number of parallel running processors. -# Raise this number if your buffers are filling up. -processbuffer_processors = 5 -outputbuffer_processors = 3 - -# The following settings (outputbuffer_processor_*) configure the thread pools backing each output buffer processor. -# See https://docs.oracle.com/javase/8/docs/api/java/util/concurrent/ThreadPoolExecutor.html for technical details - -# When the number of threads is greater than the core (see outputbuffer_processor_threads_core_pool_size), -# this is the maximum time in milliseconds that excess idle threads will wait for new tasks before terminating. -# Default: 5000 -#outputbuffer_processor_keep_alive_time = 5000 - -# The number of threads to keep in the pool, even if they are idle, unless allowCoreThreadTimeOut is set -# Default: 3 -#outputbuffer_processor_threads_core_pool_size = 3 - -# The maximum number of threads to allow in the pool -# Default: 30 -#outputbuffer_processor_threads_max_pool_size = 30 - -# UDP receive buffer size for all message inputs (e. g. SyslogUDPInput). -#udp_recvbuffer_sizes = 1048576 - -# Wait strategy describing how buffer processors wait on a cursor sequence. (default: sleeping) -# Possible types: -# - yielding -# Compromise between performance and CPU usage. -# - sleeping -# Compromise between performance and CPU usage. Latency spikes can occur after quiet periods. -# - blocking -# High throughput, low latency, higher CPU usage. -# - busy_spinning -# Avoids syscalls which could introduce latency jitter. Best when threads can be bound to specific CPU cores. -processor_wait_strategy = blocking - -# Size of internal ring buffers. Raise this if raising outputbuffer_processors does not help anymore. -# For optimum performance your LogMessage objects in the ring buffer should fit in your CPU L3 cache. -# Must be a power of 2. (512, 1024, 2048, ...) 
-ring_size = 65536 - -inputbuffer_ring_size = 65536 -inputbuffer_processors = 2 -inputbuffer_wait_strategy = blocking - -# Enable the message journal. -message_journal_enabled = true - -# The directory which will be used to store the message journal. The directory must be exclusively used by Graylog and -# must not contain any other files than the ones created by Graylog itself. -# -# ATTENTION: -# If you create a seperate partition for the journal files and use a file system creating directories like 'lost+found' -# in the root directory, you need to create a sub directory for your journal. -# Otherwise Graylog will log an error message that the journal is corrupt and Graylog will not start. -message_journal_dir = data/journal - -# Journal hold messages before they could be written to Elasticsearch. -# For a maximum of 12 hours or 5 GB whichever happens first. -# During normal operation the journal will be smaller. -#message_journal_max_age = 12h -#message_journal_max_size = 5gb - -#message_journal_flush_age = 1m -#message_journal_flush_interval = 1000000 -#message_journal_segment_age = 1h -#message_journal_segment_size = 100mb - -# Number of threads used exclusively for dispatching internal events. Default is 2. -#async_eventbus_processors = 2 - -# How many seconds to wait between marking node as DEAD for possible load balancers and starting the actual -# shutdown process. Set to 0 if you have no status checking load balancers in front. -lb_recognition_period_seconds = 3 - -# Journal usage percentage that triggers requesting throttling for this server node from load balancers. The feature is -# disabled if not set. -#lb_throttle_threshold_percentage = 95 - -# Every message is matched against the configured streams and it can happen that a stream contains rules which -# take an unusual amount of time to run, for example if its using regular expressions that perform excessive backtracking. -# This will impact the processing of the entire server. 
To keep such misbehaving stream rules from impacting other -# streams, Graylog limits the execution time for each stream. -# The default values are noted below, the timeout is in milliseconds. -# If the stream matching for one stream took longer than the timeout value, and this happened more than "max_faults" times -# that stream is disabled and a notification is shown in the web interface. -#stream_processing_timeout = 2000 -#stream_processing_max_faults = 3 - -# Since 0.21 the Graylog server supports pluggable output modules. This means a single message can be written to multiple -# outputs. The next setting defines the timeout for a single output module, including the default output module where all -# messages end up. -# -# Time in milliseconds to wait for all message outputs to finish writing a single message. -#output_module_timeout = 10000 - -# Time in milliseconds after which a detected stale master node is being rechecked on startup. -#stale_master_timeout = 2000 - -# Time in milliseconds which Graylog is waiting for all threads to stop on shutdown. -#shutdown_timeout = 30000 - -# MongoDB connection string -# See https://docs.mongodb.com/manual/reference/connection-string/ for details -#mongodb_uri = mongodb://localhost/graylog -mongodb_uri = mongodb://mongo/graylog - - -# Authenticate against the MongoDB server -# '+'-signs in the username or password need to be replaced by '%2B' -#mongodb_uri = mongodb://grayloguser:secret@localhost:27017/graylog - -# Use a replica set instead of a single host -#mongodb_uri = mongodb://grayloguser:secret@localhost:27017,localhost:27018,localhost:27019/graylog?replicaSet=rs01 - -# DNS Seedlist https://docs.mongodb.com/manual/reference/connection-string/#dns-seedlist-connection-format -#mongodb_uri = mongodb+srv://server.example.org/graylog - -# Increase this value according to the maximum connections your MongoDB server can handle from a single client -# if you encounter MongoDB connection problems. 
-mongodb_max_connections = 1000
-
-# Number of threads allowed to be blocked by MongoDB connections multiplier. Default: 5
-# If mongodb_max_connections is 100, and mongodb_threads_allowed_to_block_multiplier is 5,
-# then 500 threads can block. More than that and an exception will be thrown.
-# http://api.mongodb.com/java/current/com/mongodb/MongoOptions.html#threadsAllowedToBlockForConnectionMultiplier
-mongodb_threads_allowed_to_block_multiplier = 5
-
-
-# Email transport
-#transport_email_enabled = false
-#transport_email_hostname = mail.example.com
-#transport_email_port = 587
-#transport_email_use_auth = true
-#transport_email_auth_username = you@example.com
-#transport_email_auth_password = secret
-#transport_email_subject_prefix = [graylog]
-#transport_email_from_email = graylog@example.com
-
-# Encryption settings
-#
-# ATTENTION:
-# Using SMTP with STARTTLS *and* SMTPS at the same time is *not* possible.
-
-# Use SMTP with STARTTLS, see https://en.wikipedia.org/wiki/Opportunistic_TLS
-#transport_email_use_tls = true
-
-# Use SMTP over SSL (SMTPS), see https://en.wikipedia.org/wiki/SMTPS
-# This is deprecated on most SMTP services!
-#transport_email_use_ssl = false
-
-
-# Specify and uncomment this if you want to include links to the stream in your stream alert mails.
-# This should define the fully qualified base url to your web interface exactly the same way as it is accessed by your users.
-#transport_email_web_interface_url = https://graylog.example.com
-
-# The default connect timeout for outgoing HTTP connections.
-# Values must be a positive duration (and between 1 and 2147483647 when converted to milliseconds).
-# Default: 5s
-#http_connect_timeout = 5s
-
-# The default read timeout for outgoing HTTP connections.
-# Values must be a positive duration (and between 1 and 2147483647 when converted to milliseconds).
-# Default: 10s
-#http_read_timeout = 10s
-
-# The default write timeout for outgoing HTTP connections.
-# Values must be a positive duration (and between 1 and 2147483647 when converted to milliseconds).
-# Default: 10s
-#http_write_timeout = 10s
-
-# HTTP proxy for outgoing HTTP connections
-# ATTENTION: If you configure a proxy, make sure to also configure the "http_non_proxy_hosts" option so internal
-# HTTP connections with other nodes does not go through the proxy.
-# Examples:
-# - http://proxy.example.com:8123
-# - http://username:password@proxy.example.com:8123
-#http_proxy_uri =
-
-# A list of hosts that should be reached directly, bypassing the configured proxy server.
-# This is a list of patterns separated by ",". The patterns may start or end with a "*" for wildcards.
-# Any host matching one of these patterns will be reached through a direct connection instead of through a proxy.
-# Examples:
-# - localhost,127.0.0.1
-# - 10.0.*,*.example.com
-#http_non_proxy_hosts =
-
-# Disable the optimization of Elasticsearch indices after index cycling. This may take some load from Elasticsearch
-# on heavily used systems with large indices, but it will decrease search performance. The default is to optimize
-# cycled indices.
-#
-# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
-# to your previous settings so they will be migrated to the database!
-# This configuration setting is only used on the first start of Graylog. After that,
-# index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
-# Also see https://docs.graylog.org/docs/index-model#index-set-configuration
-#disable_index_optimization = true
-
-# Optimize the index down to <= index_optimization_max_num_segments. A higher number may take some load from Elasticsearch
-# on heavily used systems with large indices, but it will decrease search performance. The default is 1.
-#
-# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
-# to your previous settings so they will be migrated to the database!
-# This configuration setting is only used on the first start of Graylog. After that,
-# index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
-# Also see https://docs.graylog.org/docs/index-model#index-set-configuration
-#index_optimization_max_num_segments = 1
-
-# The threshold of the garbage collection runs. If GC runs take longer than this threshold, a system notification
-# will be generated to warn the administrator about possible problems with the system. Default is 1 second.
-#gc_warning_threshold = 1s
-
-# Connection timeout for a configured LDAP server (e. g. ActiveDirectory) in milliseconds.
-#ldap_connection_timeout = 2000
-
-# Disable the use of a native system stats collector (currently OSHI)
-#disable_native_system_stats_collector = false
-
-# The default cache time for dashboard widgets. (Default: 10 seconds, minimum: 1 second)
-#dashboard_widget_default_cache_time = 10s
-
-# For some cluster-related REST requests, the node must query all other nodes in the cluster. This is the maximum number
-# of threads available for this. Increase it, if '/cluster/*' requests take long to complete.
-# Should be http_thread_pool_size * average_cluster_size if you have a high number of concurrent users.
-proxied_requests_thread_pool_size = 32
-
-# The server is writing processing status information to the database on a regular basis. This setting controls how
-# often the data is written to the database.
-# Default: 1s (cannot be less than 1s)
-#processing_status_persist_interval = 1s
-
-# Configures the threshold for detecting outdated processing status records. Any records that haven't been updated
-# in the configured threshold will be ignored.
-# Default: 1m (one minute)
-#processing_status_update_threshold = 1m
-
-# Configures the journal write rate threshold for selecting processing status records. Any records that have a lower
-# one minute rate than the configured value might be ignored. (dependent on number of messages in the journal)
-# Default: 1
-#processing_status_journal_write_rate_threshold = 1
-
-# Configures the prefix used for graylog event indices
-# Default: gl-events
-#default_events_index_prefix = gl-events
-
-# Configures the prefix used for graylog system event indices
-# Default: gl-system-events
-#default_system_events_index_prefix = gl-system-events
-
-# Automatically load content packs in "content_packs_dir" on the first start of Graylog.
-#content_packs_loader_enabled = false
-
-# The directory which contains content packs which should be loaded on the first start of Graylog.
-#content_packs_dir = /usr/share/graylog/data/contentpacks
-
-# A comma-separated list of content packs (files in "content_packs_dir") which should be applied on
-# the first start of Graylog.
-# Default: empty
-#content_packs_auto_install = grok-patterns.json
-
-# The allowed TLS protocols for system wide TLS enabled servers. (e.g. message inputs, http interface)
-# Setting this to an empty value, leaves it up to system libraries and the used JDK to chose a default.
-# Default: TLSv1.2,TLSv1.3 (might be automatically adjusted to protocols supported by the JDK)
-#enabled_tls_protocols= TLSv1.2,TLSv1.3
-
-# Enable Prometheus exporter HTTP server.
-# Default: false
-#prometheus_exporter_enabled = false
-
-# IP address and port for the Prometheus exporter HTTP server.
-# Default: 127.0.0.1:9833
-#prometheus_exporter_bind_address = 127.0.0.1:9833
-
-# Path to the Prometheus exporter core mapping file. If this option is enabled, the full built-in core mapping is
-# replaced with the mappings in this file.
-# This file is monitored for changes and updates will be applied at runtime.
-# Default: none
-#prometheus_exporter_mapping_file_path_core = prometheus-exporter-mapping-core.yml
-
-# Path to the Prometheus exporter custom mapping file. If this option is enabled, the mappings in this file are
-# configured in addition to the built-in core mappings. The mappings in this file cannot overwrite any core mappings.
-# This file is monitored for changes and updates will be applied at runtime.
-# Default: none
-#prometheus_exporter_mapping_file_path_custom = prometheus-exporter-mapping-custom.yml
-
-# Configures the refresh interval for the monitored Prometheus exporter mapping files.
-# Default: 60s
-#prometheus_exporter_mapping_file_refresh_interval = 60s
-
-# Optional allowed paths for Graylog data files. If provided, certain operations in Graylog will only be permitted
-# if the data file(s) are located in the specified paths (for example, with the CSV File lookup adapter).
-# All subdirectories of indicated paths are allowed by default. This Provides an additional layer of security,
-# and allows administrators to control where in the file system Graylog users can select files from.
-#allowed_auxiliary_paths = /etc/graylog/data-files,/etc/custom-allowed-path
diff --git a/ansible/roles/podman/files/graylog/graylogctl b/ansible/roles/podman/files/graylog/graylogctl
deleted file mode 100644
index 101984d..0000000
--- a/ansible/roles/podman/files/graylog/graylogctl
+++ /dev/null
@@ -1,133 +0,0 @@
-#!/usr/bin/env bash
-
-CMD=$1
-NOHUP=${NOHUP:=$(which nohup)}
-PS=${PS:=$(which ps)}
-
-# default java
-JAVA_CMD=${JAVA_CMD:=$(which java)}
-
-get_pid() {
- cat "${GRAYLOG_PID}" 2> /dev/null
-}
-
-pid_running() {
- kill -0 $1 2> /dev/null
-}
-
-die() {
- echo $*
- exit 1
-}
-
-if [ -n "$JAVA_HOME" ]
-then
- # try to use $JAVA_HOME
- if [ -x "$JAVA_HOME"/bin/java ]
- then
- JAVA_CMD="$JAVA_HOME"/bin/java
- else
- die "$JAVA_HOME"/bin/java is not executable
- fi
-fi
-
-# resolve links - $0 may be a softlink
-GRAYLOGCTL="$0"
-
-while [ -h "$GRAYLOGCTL" ]; do
- ls=$(ls -ld "$GRAYLOGCTL")
- link=$(expr "$ls" : '.*-> \(.*\)$')
- if expr "$link" : '/.*' > /dev/null; then
- GRAYLOGCTL="$link"
- else
- GRAYLOGCTL=$(dirname "$GRAYLOGCTL")/"$link"
- fi
-done
-
-# take variables from environment if set
-GRAYLOGCTL_DIR=${GRAYLOGCTL_DIR:=$(dirname "$GRAYLOGCTL")}
-GRAYLOG_SERVER_JAR=${GRAYLOG_SERVER_JAR:=graylog.jar}
-GRAYLOG_CONF=${GRAYLOG_CONF:=/etc/graylog/server/server.conf}
-GRAYLOG_PID=${GRAYLOG_PID:=/tmp/graylog.pid}
-LOG_FILE=${LOG_FILE:=log/graylog-server.log}
-LOG4J=${LOG4J:=}
-DEFAULT_JAVA_OPTS="-Djava.net.preferIPv4Stack=true -Dlog4j2.formatMsgNoLookups=true -Djdk.tls.acknowledgeCloseNotify=true -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:-OmitStackTraceInFastThrow"
-if $JAVA_CMD -XX:+PrintFlagsFinal 2>&1 |grep -q UseParNewGC; then
- DEFAULT_JAVA_OPTS="${DEFAULT_JAVA_OPTS} -XX:+UseParNewGC"
-fi
-if $JAVA_CMD -XX:+PrintFlagsFinal 2>&1 |grep -q UseConcMarkSweepGC; then
- DEFAULT_JAVA_OPTS="${DEFAULT_JAVA_OPTS} -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled"
-fi
-
-JAVA_OPTS="${JAVA_OPTS:="$DEFAULT_JAVA_OPTS"}"
-
-start() {
- echo "Starting graylog-server ..."
- cd "$GRAYLOGCTL_DIR/.."
- "${NOHUP}" "${JAVA_CMD}" ${JAVA_OPTS} ${LOG4J} -jar "${GRAYLOG_SERVER_JAR}" server -f "${GRAYLOG_CONF}" -p "${GRAYLOG_PID}" >> "${LOG_FILE}" 2>> "${LOG_FILE}" &
-}
-
-run() {
- echo "Running graylog-server ..."
- cd "$GRAYLOGCTL_DIR/.."
- exec "${JAVA_CMD}" ${JAVA_OPTS} ${LOG4J} -jar "${GRAYLOG_SERVER_JAR}" server -f "${GRAYLOG_CONF}" -p "${GRAYLOG_PID}"
-}
-
-stop() {
- if [ ! -f "${GRAYLOG_PID}" ]; then
- die "Not stopping. PID file not found: ${GRAYLOG_PID}"
- fi
-
- PID=$(get_pid)
-
- echo "Stopping graylog-server ($PID) ..."
- echo "Waiting for graylog-server to halt."
-
- kill $PID
-
- while "$PS" -p $PID > /dev/null; do sleep 1; done;
- rm -f "${GRAYLOG_PID}"
-
- echo "graylog-server stopped"
-}
-
-restart() {
- echo "Restarting graylog-server ..."
- stop
- start
-}
-
-status() {
- PID=$(get_pid)
- if [ ! -z $PID ]; then
- if pid_running $PID; then
- echo "graylog-server running with PID ${PID}"
- return 0
- else
- rm "${GRAYLOG_PID}"
- die "Removed stale PID file ${GRAYLOG_PID} with ${PID}."
- fi
- fi
-
- die "graylog-server not running"
-}
-
-case "$CMD" in
- start)
- start
- ;;
- stop)
- stop
- ;;
- restart)
- restart
- ;;
- status)
- status
- ;;
- run)
- run
- ;;
- *)
- echo "Usage $0 {start|stop|restart|status|run}"
-esac
diff --git a/ansible/roles/podman/tasks/containers/base/conf-nginx-http.yml b/ansible/roles/podman/tasks/containers/base/conf-nginx-http.yml
index 0f2bb6b..8ea51aa 100644
--- a/ansible/roles/podman/tasks/containers/base/conf-nginx-http.yml
+++ b/ansible/roles/podman/tasks/containers/base/conf-nginx-http.yml
@@ -64,7 +64,6 @@
 - "{{ base_server_name }}.conf"
 - "{{ assistant_server_name }}.conf"
 - "{{ bookstack_server_name }}.conf"
- - "{{ bitwarden_server_name }}.conf"
 - "{{ ci_server_name }}.http.conf"
 - "{{ cloud_server_name }}.conf"
 - "{{ cloud_skudak_server_name }}.conf"
@@ -90,7 +89,6 @@
 - "{{ base_server_name }}.conf"
 - "{{ assistant_server_name }}.conf"
 - "{{ bookstack_server_name }}.conf"
- - "{{ bitwarden_server_name }}.conf"
 - "{{ ci_server_name }}.http.conf"
 - "{{ cloud_server_name }}.conf"
 - "{{ cloud_skudak_server_name }}.conf"
diff --git a/ansible/roles/podman/tasks/containers/base/conf-nginx-https.yml b/ansible/roles/podman/tasks/containers/base/conf-nginx-https.yml
index 3db0341..acdc86c 100644
--- a/ansible/roles/podman/tasks/containers/base/conf-nginx-https.yml
+++ b/ansible/roles/podman/tasks/containers/base/conf-nginx-https.yml
@@ -37,7 +37,6 @@
 - "{{ base_server_name }}.https.conf"
 - "{{ assistant_server_name }}.https.conf"
 - "{{ bookstack_server_name }}.https.conf"
- - "{{ bitwarden_server_name }}.https.conf"
 - "{{ ci_server_name }}.https.conf"
 - "{{ cloud_server_name }}.https.conf"
 - "{{ cloud_skudak_server_name }}.https.conf"
@@ -61,7 +60,6 @@
 - "{{ base_server_name }}.https.conf"
 - "{{ assistant_server_name }}.https.conf"
 - "{{ bookstack_server_name }}.https.conf"
- - "{{ bitwarden_server_name }}.https.conf"
 - "{{ ci_server_name }}.https.conf"
 - "{{ cloud_server_name }}.https.conf"
 - "{{ cloud_skudak_server_name }}.https.conf"
diff --git a/ansible/roles/podman/tasks/containers/games/factorio.yml b/ansible/roles/podman/tasks/containers/games/factorio.yml
deleted file mode 100644
index 68625b6..0000000
--- a/ansible/roles/podman/tasks/containers/games/factorio.yml
+++ /dev/null
@@ -1,46 +0,0 @@
----
-- name: create factorio host directory volumes
- become: true
- ansible.builtin.file:
- path: "{{ item }}"
- state: directory
- owner: "{{ podman_user }}"
- group: "{{ podman_user }}"
- mode: 0755
- notify: restorecon podman
- loop:
- - "{{ factorio_path }}"
-
-- name: unshare chown the elastic volume
- become: true
- become_user: "{{ podman_user }}"
- changed_when: false
- ansible.builtin.command: |
- podman unshare chown -R 845:845 {{ factorio_path }}
-
-- name: flush handlers
- ansible.builtin.meta: flush_handlers
-
-- import_tasks: podman/podman-check.yml
- vars:
- container_name: factorio
- container_image: "{{ image }}"
-
-- name: create factorio server container
- become: true
- become_user: "{{ podman_user }}"
- containers.podman.podman_container:
- name: factorio
- image: "{{ image }}"
- restart_policy: on-failure:3
- log_driver: journald
- volumes:
- - "{{ factorio_path }}:/factorio"
- ports:
- - 34197:34197/udp
- - 27015:27015/tcp
-
-- name: create systemd startup job for factorio
- include_tasks: podman/systemd-generate.yml
- vars:
- container_name: factorio
diff --git a/ansible/roles/podman/tasks/containers/games/palworld.yml b/ansible/roles/podman/tasks/containers/games/palworld.yml
deleted file mode 100644
index 01796d9..0000000
--- a/ansible/roles/podman/tasks/containers/games/palworld.yml
+++ /dev/null
@@ -1,56 +0,0 @@
----
-- name: create palworld host directory volumes
- become: true
- ansible.builtin.file:
- path: "{{ item }}"
- state: directory
- owner: "{{ podman_subuid.stdout }}"
- group: "{{ podman_user }}"
- mode: 0755
- notify: restorecon podman
- loop:
- - "{{ palworld_path }}"
-
-- name: unshare chown the palworld volumes
- become: true
- become_user: "{{ podman_user }}"
- changed_when: false
- ansible.builtin.command: |
- podman unshare chown -R 1000:10000 {{ palworld_path }}
-
-- import_tasks: podman/podman-check.yml
- vars:
- container_name: palworld
- container_image: "{{ image }}"
-
-- name: create palworld server container
- become: true
- become_user: "{{ podman_user }}"
- containers.podman.podman_container:
- name: palworld
- image: "{{ image }}"
- image_strict: true
- restart_policy: unless-stopped
- log_driver: journald
- volumes:
- - "{{ palworld_path }}:/palworld"
- env:
- ALWAYS_UPDATE_ON_START: "true"
- MAX_PLAYERS: 32
- MULTITHREAD_ENABLED: "true"
- COMMUNITY_SERVER: "false"
- RCON_ENABLED: "true"
- RCON_PORT: 25575
- PUBLIC_PORT: 8211
- SERVER_NAME: Bearbehr and Friends
- SERVER_DESCRIPTION: Bearbehr's Dedicated Server for Friends
- SERVER_PASSWORD: ""
- ADMIN_PASSWORD: "{{ palworld_admin_password }}"
- ports:
- - 8211:8211/udp
- - 25575:25575/udp
-
-- name: create systemd startup job for palworld
- include_tasks: podman/systemd-generate.yml
- vars:
- container_name: palworld
diff --git a/ansible/roles/podman/tasks/containers/home/graylog.yml b/ansible/roles/podman/tasks/containers/home/graylog.yml
deleted file mode 100644
index a48527a..0000000
--- a/ansible/roles/podman/tasks/containers/home/graylog.yml
+++ /dev/null
@@ -1,131 +0,0 @@
----
-- name: create required graylog volumes
- become: true
- ansible.builtin.file:
- path: "{{ item }}"
- state: directory
- owner: "{{ podman_subuid.stdout }}"
- group: "{{ podman_user }}"
- mode: 0755
- notify: restorecon podman
- loop:
- - "{{ graylog_path }}/mongo"
- - "{{ graylog_path }}/opensearch"
- - "{{ graylog_path }}/conf"
- - "{{ graylog_path }}/bin"
-
-- name: copy configuration files
- become: true
- ansible.builtin.copy:
- src: "files/graylog/{{ item.src }}"
- dest: "{{ graylog_path }}/{{ item.dest }}"
- owner: "{{ podman_subuid.stdout }}"
- group: "{{ podman_user }}"
- mode: 0644
- loop:
- - src: "graylogctl"
- dest: "bin/graylogctl"
- - src: "graylog.conf"
- dest: "conf/graylog.conf"
- notify: restorecon podman
-
-- name: unshare chown the opensearch volume
- become: true
- become_user: "{{ podman_user }}"
- changed_when: false
- ansible.builtin.command: |
- podman unshare chown -R 1000:1000 {{ graylog_path }}/opensearch
-
-- name: flush handlers
- ansible.builtin.meta: flush_handlers
-
-- import_tasks: podman/podman-check.yml
- vars:
- container_name: graylog-mongo
- container_image: "{{ db_image }}"
-
-- name: create graylog mongodb container
- become: true
- become_user: "{{ podman_user }}"
- containers.podman.podman_container:
- name: graylog-mongo
- image: "{{ db_image }}"
- restart_policy: on-failure:3
- network:
- - shared
- volumes:
- - "{{ graylog_path }}/mongo:/data/db"
-
-- name: create systemd startup job for graylog-mongo
- include_tasks: podman/systemd-generate.yml
- vars:
- container_name: graylog-mongo
-
-- import_tasks: podman/podman-check.yml
- vars:
- container_name: graylog-opensearch
- container_image: "{{ os_image }}"
-
-- name: create graylog opensearch container
- become: true
- become_user: "{{ podman_user }}"
- containers.podman.podman_container:
- name: graylog-opensearch
- image: "{{ os_image }}"
- restart_policy: on-failure:3
- network:
- - shared
- volumes:
- - "{{ graylog_path }}/opensearch:/usr/share/opensearch/data"
- env:
- OPENSEARCH_JAVA_OPTS: "-Xms1g -Xmx1g"
- bootstrap.memory_lock: "true"
- discovery.type: "single-node"
- action.auto_create_index: "false"
- plugins.security.ssl.http.enabled: "false"
- plugins.security.disabled: "true"
- OPENSEARCH_INITIAL_ADMIN_PASSWORD: "{{ graylog_secret }}"
-
-- name: create systemd startup job for graylog-opensearch
- include_tasks: podman/systemd-generate.yml
- vars:
- container_name: graylog-opensearch
-
-- import_tasks: podman/podman-check.yml
- vars:
- container_name: graylog
- container_image: "{{ image }}"
-
-- name: create graylog container
- become: true
- become_user: "{{ podman_user }}"
- containers.podman.podman_container:
- name: graylog
- image: "{{ image }}"
- restart_policy: on-failure:3
- sysctl:
- net.ipv6.conf.all.disable_ipv6: 1
- net.ipv6.conf.default.disable_ipv6: 1
- network:
- - shared
- volumes:
- - "{{ graylog_path }}/conf:/usr/share/graylog/data/config"
- - "{{ graylog_path }}/bin:/usr/share/graylog/bin"
- env:
- GRAYLOG_PASSWORD_SECRET: "{{ graylog_secret }}"
- GRAYLOG_ROOT_PASSWORD_SHA2: "{{ graylog_root_pass_sha2 }}"
- GRAYLOG_HTTP_EXTERNAL_URI: http://{{ ansible_default_ipv4.address }}:9000/
- GRAYLOG_HTTP_BIND_ADDRESS: 0.0.0.0:9000
- GRAYLOG_MONGODB_URI: mongodb://graylog-mongo/graylog
- GRAYLOG_ELASTICSEARCH_HOSTS: http://graylog-opensearch:9200
- GRAYLOG_REPORT_DISABLE_SANDBOX: "true"
- ports:
- "{{ graylog_port }}:9000"
- "{{ syslog_udp_default }}:{{ syslog_udp_default }}/udp"
- "{{ syslog_udp_unifi }}:{{ syslog_udp_unifi }}/udp"
- "{{ syslog_udp_error }}:{{ syslog_udp_error }}/udp"
-
-- name: create systemd startup job for graylog
- include_tasks: podman/systemd-generate.yml
- vars:
- container_name: graylog
diff --git a/ansible/roles/podman/tasks/containers/skudak/bitwarden.yml b/ansible/roles/podman/tasks/containers/skudak/bitwarden.yml
deleted file mode 100644
index 0239ff7..0000000
--- a/ansible/roles/podman/tasks/containers/skudak/bitwarden.yml
+++ /dev/null
@@ -1,89 +0,0 @@
----
-- name: create required bitwarden volumes
- become: true
- ansible.builtin.file:
- path: "{{ item }}"
- state: directory
- owner: "{{ podman_subuid.stdout }}"
- group: "{{ podman_subuid.stdout }}"
- mode: 0755
- notify: restorecon podman
- loop:
- - "{{ bitwarden_path }}/mysql"
- - "{{ bitwarden_path }}/bitwarden"
-
-- name: flush handlers
- ansible.builtin.meta: flush_handlers
-
-- import_tasks: podman/podman-check.yml
- vars:
- container_name: bitwarden-db
- container_image: "{{ db_image }}"
-
-- name: create bitwarden-db container
- become: true
- become_user: "{{ podman_user }}"
- containers.podman.podman_container:
- name: bitwarden-db
- image: "{{ db_image }}"
- restart_policy: on-failure:3
- log_driver: journald
- network:
- - shared
- env:
- MARIADB_RANDOM_ROOT_PASSWORD: "true"
- MARIADB_DATABASE: bitwarden_vault
- MARIADB_PASSWORD: "{{ bitwarden_db_pass }}"
- MARIADB_USER: bitwarden
- volumes:
- - "{{ bitwarden_path }}/mysql:/var/lib/mysql"
-
-- name: create systemd startup job for bitwarden-db
- include_tasks: podman/systemd-generate.yml
- vars:
- container_name: bitwarden-db
-
-- import_tasks: podman/podman-check.yml
- vars:
- container_name: bitwarden
- container_image: "{{ image }}"
-
-- name: create bitwarden container
- become: true
- become_user: "{{ podman_user }}"
- containers.podman.podman_container:
- name: bitwarden
- image: "{{ image }}"
- restart_policy: on-failure:3
- log_driver: journald
- network:
- - shared
- env:
- BW_ENABLE_SSL: "false"
- BW_ENABLE_SSL_CA: "false"
- BW_PORT_HTTP: "8092"
- BW_DOMAIN: "{{ bitwarden_server_name }}"
- BW_DB_PROVIDER: mysql
- BW_DB_SERVER: bitwarden-db
- BW_DB_DATABASE: bitwarden_vault
- BW_DB_USERNAME: bitwarden
- BW_DB_PASSWORD: "{{ bitwarden_db_pass }}"
- BW_INSTALLATION_ID: "{{ bitwarden_id }}"
- BW_INSTALLATION_KEY: "{{ bitwarden_key }}"
- globalSettings__mail__replyToEmail: "{{ skudaknoreply_mail_user }}"
- globalSettings__mail__smtp__host: "{{ skudaknoreply_mail_host }}"
- globalSettings__mail__smtp__port: 587
- globalSettings__mail__smtp__ssl: "true"
- globalSettings__mail__smtp__username: "{{ skudaknoreply_mail_user }}"
- globalSettings__mail__smtp__password: "{{ skudaknoreply_mail_pass }}"
- globalSettings__disableUserRegistration: "true"
- adminSettings__admins: "{{ bitwarden_admins }}"
- volumes:
- - "{{ bitwarden_path }}/bitwarden:/etc/bitwarden"
- ports:
- "8092:8092"
-
-- name: create systemd startup job for bitwarden
- include_tasks: podman/systemd-generate.yml
- vars:
- container_name: bitwarden
diff --git a/ansible/roles/podman/tasks/main.yml b/ansible/roles/podman/tasks/main.yml
index 13736f8..39f9025 100644
--- a/ansible/roles/podman/tasks/main.yml
+++ b/ansible/roles/podman/tasks/main.yml
@@ -31,13 +31,6 @@
 image: docker.io/bdebyl/partkeepr:0.1.10
 tags: partkeepr
-- import_tasks: containers/home/graylog.yml
- vars:
- db_image: docker.io/library/mongo:6.0.14
- os_image: docker.io/opensearchproject/opensearch:2.12.0
- image: docker.io/graylog/graylog:5.2
- tags: graylog
-
 - import_tasks: containers/skudak/wiki.yml
 vars:
 db_image: docker.io/library/mysql:5.7.21
@@ -47,9 +40,9 @@
 - import_tasks: containers/home/photos.yml
 vars:
 db_image: docker.io/tensorchord/pgvecto-rs:pg14-v0.2.0@sha256:90724186f0a3517cf6914295b5ab410db9ce23190a2d9d0b9dd6463e3fa298f0
- ml_image: ghcr.io/immich-app/immich-machine-learning:v1.126.1
+ ml_image: ghcr.io/immich-app/immich-machine-learning:v1.128.0
 redis_image: docker.io/redis:6.2-alpine@sha256:eaba718fecd1196d88533de7ba49bf903ad33664a92debb24660a922ecd9cac8
- image: ghcr.io/immich-app/immich-server:v1.126.1
+ image: ghcr.io/immich-app/immich-server:v1.128.0
 tags: photos
 - import_tasks: containers/home/cloud.yml
@@ -64,12 +57,6 @@
 image: docker.io/library/nextcloud:30.0-apache
 tags: skudak, skudak-cloud
-- import_tasks: containers/skudak/bitwarden.yml
- vars:
- db_image: docker.io/library/mariadb:10.6
- image: docker.io/bitwarden/self-host:2025.1.3-beta
- tags: skudak, bitwarden
-
 - import_tasks: containers/debyltech/fulfillr.yml
 vars:
 image: "{{ aws_ecr_endpoint }}/fulfillr:20241028.1847"
@@ -78,14 +65,4 @@
 - import_tasks: containers/home/nosql.yml
 vars:
 image: docker.io/redis:7.2.1-alpine
- tags: nosql
-
-- import_tasks: containers/games/factorio.yml
- vars:
- image: docker.io/factoriotools/factorio:1.1.80
- tags: factorio
-
-- import_tasks: containers/games/palworld.yml
- vars:
- image: docker.io/jammsen/palworld-dedicated-server:d2822bf
- tags: palworld
+ tags: nosql
\ No newline at end of file
diff --git a/ansible/roles/podman/templates/nginx/sites/bitwarden.skudakrennsport.com.conf.j2 b/ansible/roles/podman/templates/nginx/sites/bitwarden.skudakrennsport.com.conf.j2
deleted file mode 100644
index 3ee9972..0000000
--- a/ansible/roles/podman/templates/nginx/sites/bitwarden.skudakrennsport.com.conf.j2
+++ /dev/null
@@ -1,16 +0,0 @@
-server {
- modsecurity on;
- modsecurity_rules_file /etc/nginx/modsec_includes.conf;
-
- listen 80;
- server_name {{ bitwarden_server_name }};
-
- location '/.well-known/acme-challenge' {
- default_type "text/plain";
- root /srv/http/letsencrypt;
- }
-
- location / {
- return 302 https://$host$request_uri;
- }
-}
\ No newline at end of file
diff --git a/ansible/roles/podman/templates/nginx/sites/bitwarden.skudakrennsport.com.https.conf.j2 b/ansible/roles/podman/templates/nginx/sites/bitwarden.skudakrennsport.com.https.conf.j2
deleted file mode 100644
index 75c39c7..0000000
--- a/ansible/roles/podman/templates/nginx/sites/bitwarden.skudakrennsport.com.https.conf.j2
+++ /dev/null
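Review bot: Nothing on the new side of the `@@ -78,14 +65,4 @@` hunk decommissions the factorio and palworld containers whose `import_tasks` lines it drops, so on a host that already ran the old playbook the containers, the units generated by `podman/systemd-generate.yml`, the published ports (per the deleted task files: 34197/udp, 27015/tcp, 8211/udp, 25575/udp) and the data volumes will keep running unmanaged. The same applies to the graylog and bitwarden imports removed in the earlier hunks of this file; the deleted bitwarden task published `"8092:8092"` without a host-IP prefix, so once its nginx vhost is gone the plain-HTTP backend is presumably still reachable directly until the container is removed. I would add an explicit teardown task with `state: absent` (the exact unit file names are not visible here, so they need a matching removal step) and rotate or purge the now-unused vault values such as `palworld_admin_password`, `bitwarden_db_pass`, `bitwarden_key` and `graylog_secret`. Separately, the rewritten last line `+ tags: nosql` now carries `\ No newline at end of file`; restoring the trailing newline keeps yamllint's `new-line-at-end-of-file` check green.
```yaml
# … unchanged: nosql import …
- name: remove retired game-server containers
  become: true
  become_user: "{{ podman_user }}"
  containers.podman.podman_container:
    name: "{{ item }}"
    state: absent
  loop:
    - factorio
    - palworld
  tags: decommission
```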
@@ -1,44 +0,0 @@
-upstream bitwarden {
- server 127.0.0.1:8092;
-}
-
-server {
- modsecurity on;
- modsecurity_rules_file /etc/nginx/modsec_includes.conf;
-
- resolver 127.0.0.1 127.0.0.53 9.9.9.9 valid=60s;
-
- listen 443 ssl http2;
- server_name {{ bitwarden_server_name }};
- client_max_body_size 500M;
-
- ssl_certificate /etc/letsencrypt/live/{{ bitwarden_server_name }}/fullchain.pem;
- ssl_certificate_key /etc/letsencrypt/live/{{ bitwarden_server_name }}/privkey.pem;
- ssl_trusted_certificate /etc/letsencrypt/live/{{ bitwarden_server_name }}/fullchain.pem;
- ssl_dhparam /etc/nginx/ssl/dhparam.pem;
-
- ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
- ssl_prefer_server_ciphers off;
- ssl_protocols TLSv1.2 TLSv1.3;
- ssl_session_cache shared:SSL:10m;
- ssl_session_tickets off;
- ssl_session_timeout 1d;
- ssl_stapling on;
- ssl_stapling_verify on;
-
- location / {
- add_header Referrer-Policy "same-origin" always;
- add_header Strict-Transport-Security "max-age=630720000; includeSubDomains" always;
- add_header X-Content-Type-Options "nosniff" always;
-
- proxy_set_header Host $host;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Real-IP $remote_addr;
-
- proxy_buffering off;
- proxy_http_version 1.1;
- proxy_pass http://bitwarden;
- }
-}
\ No newline at end of file
diff --git a/ansible/roles/podman/templates/nginx/sites/logs.bdebyl.net.conf.j2 b/ansible/roles/podman/templates/nginx/sites/logs.bdebyl.net.conf.j2
deleted file mode 100644
index a65077e..0000000
--- a/ansible/roles/podman/templates/nginx/sites/logs.bdebyl.net.conf.j2
+++ /dev/null
@@ -1,32 +0,0 @@
-upstream graylog {
- server 127.0.0.1:{{ graylog_port }};
-}
-
-geo $local_access {
- default 0;
- 192.168.0.0/16 1;
-}
-
-server {
- modsecurity on;
- modsecurity_rules_file /etc/nginx/modsec_includes.conf;
-
- listen 80;
- server_name {{ logs_server_name }};
-
- location / {
- if ($local_access = 1) {
- access_log off;
- }
- allow 192.168.0.0/16;
- allow 127.0.0.1;
- deny all;
-
- proxy_set_header X-Forwarded-For $remote_addr;
- proxy_set_header Upgrade $http_upgrade;
- proxy_set_header Connection $connection_upgrade;
-
- proxy_buffering off;
- proxy_pass http://graylog;
- }
-}
diff --git a/ansible/roles/ssl/tasks/certbot.yml b/ansible/roles/ssl/tasks/certbot.yml
index ba2486c..4d44d2a 100644
--- a/ansible/roles/ssl/tasks/certbot.yml
+++ b/ansible/roles/ssl/tasks/certbot.yml
@@ -10,7 +10,6 @@
 loop:
 - "{{ base_server_name }}"
 - "{{ bookstack_server_name }}"
- - "{{ bitwarden_server_name }}"
 - "{{ ci_server_name }}"
 - "{{ cloud_server_name }}"
 - "{{ cloud_skudak_server_name }}"