bastian/deploy_home
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

moved nginx, graylog to podman

Browse Source
This commit is contained in:
Bastian de Byl
2022-05-01 03:31:16 -04:00
parent 8e373896a6
commit c5bc5a91ac
49 changed files with 2556 additions and 580 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
ansible/deploy_home.yml
View File

@@ -6,8 +6,3 @@
- role: common
- role: git
- role: podman
- role: ssl
#- role: pihole
#- role: drone
- role: graylog
- role: http

7
ansible/roles/common/defaults/main.yml
View File

@@ -3,19 +3,20 @@ deps:
[
cockpit-podman,
cronie,
docker,
fail2ban,
fail2ban-selinux,
git,
logrotate,
podman,
podman-docker,
python-docker,
]
fail2ban_jails: [sshd.local, nginx.local]
fail2ban_jails: [sshd.local]
services:
- crond
- docker
- podman.socket
- podman
- fail2ban
- systemd-timesyncd

24
ansible/roles/common/files/fail2ban/jails/nginx.local
View File

@@ -1,24 +0,0 @@
[nginx-limit-req]
enabled = true
port = http,https
logpath = %(nginx_error_log)s
findtime = 600
bantime = 1w
maxretry = 8
ignoreip = 127.0.0.1/32 192.168.1.0/24
#[nginx-http-auth]
#enabled = true
#port = http,https
#logpath = %(nginx_error_log)s
#bantime = 2w
#maxretry = 5
#ignoreip = 127.0.0.1/32 192.168.1.0/24
[nginx-botsearch]
enabled = true
port = http,https
logpath = %(nginx_access_log)s
bantime = 1w
maxretry = 5
ignoreip = 127.0.0.1/32 192.168.1.0/24

2
ansible/roles/git/tasks/systemd.yml
View File

@@ -5,7 +5,7 @@
src: "templates/{{ item }}.j2"
dest: "/etc/systemd/system/{{ item }}"
mode: 0644
with_items:
loop:
- git-daemon.service
notify: start-gitdaemon
tags: git, git-systemd

3
ansible/roles/graylog/meta/main.yml
View File

@@ -1,3 +0,0 @@
---
dependencies:
- role: common

91
ansible/roles/graylog/tasks/graylog.yml
View File

@@ -1,91 +0,0 @@
---
- name: create graylog docker network
community.general.docker_network:
name: "graylog"
tags: graylog
- name: create graylog required volumes
community.general.docker_volume:
name: "{{ item }}"
with_items:
- graylog-db
- graylog-es
- graylog-conf
tags: graylog
- name: create graylog mongodb container
community.general.docker_container:
name: graylog-mongo
image: mongo:4.2
recreate: false
restart: false
restart_policy: on-failure
restart_retries: 3
networks:
- name: "graylog"
volumes:
- graylog-db:/data/db
tags: graylog
- name: create graylog elasticsearch container
community.general.docker_container:
name: graylog-elastic
image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
recreate: false
restart: false
restart_policy: on-failure
restart_retries: 3
networks:
- name: "graylog"
volumes:
- graylog-es:/usr/share/elasticsearch/data
env:
http.host: "0.0.0.0"
transport.host: "localhost"
network.host: "0.0.0.0"
cluster.name: "graylog"
ES_JAVA_OPTS: "-Dlog4j2.formatMsgNoLookups=true -Xms512m -Xmx2048m"
ulimits:
- "memlock:-1:-1"
- "nofile:64000:64000"
memory: 1G
tags: graylog
- name: create graylog container
community.general.docker_container:
name: graylog
image: graylog/graylog:4.2
recreate: false
restart: true
restart_policy: on-failure
restart_retries: 3
sysctls:
net.ipv6.conf.all.disable_ipv6: 1
net.ipv6.conf.default.disable_ipv6: 1
networks:
- name: "graylog"
volumes:
- graylog-conf:/usr/share/graylog/data/config
- /var/lib/docker/shared/graylog:/usr/share/graylog/bin:z
env:
GRAYLOG_PASSWORD_SECRET: "{{ graylog_secret }}"
GRAYLOG_ROOT_PASSWORD_SHA2: "{{ graylog_root_pass_sha2 }}"
GRAYLOG_HTTP_EXTERNAL_URI: http://192.168.1.10:9000/
GRAYLOG_HTTP_BIND_ADDRESS: 0.0.0.0:9000
GRAYLOG_MONGODB_URI: mongodb://graylog-mongo/graylog
GRAYLOG_ELASTICSEARCH_HOSTS: http://graylog-elastic:9200
ports:
# Graylog web interface and REST API
- "{{ graylog_port }}:9000"
# Syslog TCP
# Syslog UDP
- "0.0.0.0:{{ syslog_udp_default }}:{{ syslog_udp_default }}/udp"
# Syslog2 UDP
- "0.0.0.0:{{ syslog_udp_unifi }}:{{ syslog_udp_unifi }}/udp"
# Syslog2 UDP
- "0.0.0.0:{{ syslog_udp_error }}:{{ syslog_udp_error }}/udp"
# GELF TCP
# - 12201:12201
# GELF UDP
# - 12201:12201/udp
tags: graylog

2
ansible/roles/graylog/tasks/main.yml
View File

@@ -1,2 +0,0 @@
---
- import_tasks: graylog.yml

138
ansible/roles/http/defaults/main.yml
View File

@@ -1,138 +0,0 @@
---
ci_server_name: ci.bdebyl.net
pi_server_name: pi.bdebyl.net
assistant_server_name: assistant.bdebyl.net
home_server_name: home.bdebyl.net
parts_server_name: parts.bdebyl.net
video_server_name: video.bdebyl.net
logs_server_name: logs.bdebyl.net
install_path: /usr/share
nginx_path: /etc/nginx
nginx_conf_path: "{{ nginx_path }}/conf"
modsec_log_path: /var/log/nginx/modsec_audit.log
modsec_rules_path: "{{ nginx_conf_path }}/rules"
modsec_crs_before_rule_conf: "{{ modsec_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
modsec_crs_after_rule_conf: "{{ modsec_rules_path }}/REQUEST-999-EXCLUSION-RULES-AFTER-CRS.conf"
modsec_path: "{{ install_path }}/modsecurity"
crs_path: "{{ install_path }}/coreruleset"
crs_rules_path: "{{ crs_path }}/rules"
modsec_whitelist_local_re: >-
^SecRule.*REMOTE_ADDR.*192\.168\.1\.1/24.*$
modsec_whitelist_local: >-
SecRule REMOTE_ADDR "@ipMatch 192.168.1.1/24"
"id:1,phase:1,nolog,allow,ctl:ruleEngine=Off"
modsec_git_urls:
- src: "https://github.com/coreruleset/coreruleset.git"
dest: "{{ crs_path }}"
ver: "v3.3.2"
- src: "https://github.com/SpiderLabs/ModSecurity.git"
dest: "{{ modsec_path }}"
ver: "v3.0.6"
modsec_conf_replaces:
- regex: "^SecRuleEngine"
line: "SecRuleEngine On"
- regex: "^SecAuditLog"
line: "SecAuditLog {{ modsec_log_path }}"
modsec_conf_links:
- src: "{{ modsec_path }}/modsecurity.conf-recommended"
dest: "{{ nginx_path }}/modsecurity.conf"
- src: "{{ modsec_path }}/unicode.mapping"
dest: "{{ nginx_path }}/unicode.mapping"
- src: "{{ crs_path }}/crs-setup.conf.example"
dest: "{{ nginx_conf_path }}/crs-setup.conf"
- src: "{{ crs_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example"
dest: "{{ modsec_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
- src: "{{ crs_rules_path }}/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example"
dest: "{{ modsec_rules_path }}/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf"
crs_rule_links:
- name: REQUEST-901-INITIALIZATION
enabled: true
- name: REQUEST-903.9001-DRUPAL-EXCLUSION-RULES
enabled: true
- name: REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES
enabled: true
- name: REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES
enabled: true
- name: REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES
enabled: true
- name: REQUEST-903.9005-CPANEL-EXCLUSION-RULES
enabled: true
- name: REQUEST-903.9006-XENFORO-EXCLUSION-RULES
enabled: true
- name: REQUEST-905-COMMON-EXCEPTIONS
enabled: true
- name: REQUEST-910-IP-REPUTATION
enabled: true
- name: REQUEST-911-METHOD-ENFORCEMENT
enabled: true
- name: REQUEST-912-DOS-PROTECTION
enabled: true
- name: REQUEST-913-SCANNER-DETECTION
enabled: true
- name: REQUEST-920-PROTOCOL-ENFORCEMENT
enabled: true
- name: REQUEST-921-PROTOCOL-ATTACK
enabled: true
- name: REQUEST-930-APPLICATION-ATTACK-LFI
enabled: true
- name: REQUEST-931-APPLICATION-ATTACK-RFI
enabled: true
- name: REQUEST-932-APPLICATION-ATTACK-RCE
enabled: true
- name: REQUEST-933-APPLICATION-ATTACK-PHP
enabled: true
- name: REQUEST-934-APPLICATION-ATTACK-NODEJS
enabled: true
- name: REQUEST-941-APPLICATION-ATTACK-XSS
enabled: true
- name: REQUEST-942-APPLICATION-ATTACK-SQLI
enabled: true
- name: REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION
enabled: true
- name: REQUEST-944-APPLICATION-ATTACK-JAVA
enabled: true
- name: REQUEST-949-BLOCKING-EVALUATION
enabled: true
- name: RESPONSE-950-DATA-LEAKAGES
enabled: true
- name: RESPONSE-951-DATA-LEAKAGES-SQL
enabled: true
- name: RESPONSE-952-DATA-LEAKAGES-JAVA
enabled: true
- name: RESPONSE-953-DATA-LEAKAGES-PHP
enabled: true
- name: RESPONSE-954-DATA-LEAKAGES-IIS
enabled: true
- name: RESPONSE-959-BLOCKING-EVALUATION
enabled: true
- name: RESPONSE-980-CORRELATION
enabled: true
crs_data_links:
- crawlers-user-agents
- iis-errors
- java-classes
- java-code-leakages
- java-errors
- lfi-os-files
- php-config-directives
- php-errors
- php-function-names-933150
- php-function-names-933151
- php-variables
- restricted-files
- restricted-upload
- scanners-headers
- scanners-urls
- scanners-user-agents
- scripting-user-agents
- sql-errors
- unix-shell
- windows-powershell-commands

17
ansible/roles/http/handlers/main.yml
View File

@@ -1,17 +0,0 @@
---
- name: restart_nginx
become: true
ansible.builtin.command: docker restart nginx
- name: restart firewalld
become: true
ansible.builtin.service:
name: firewalld
state: restarted
- name: restorecon nginx
become: true
ansible.builtin.command: restorecon -irv /etc/{{ item }}
with_items:
- nginx
- letsencrypt

3
ansible/roles/http/meta/main.yml
View File

@@ -1,3 +0,0 @@
---
dependencies:
- role: ssl

7
ansible/roles/http/tasks/deps.yml
View File

@@ -1,7 +0,0 @@
---
- name: install http dependencies
become: true
ansible.builtin.package:
name: "{{ deps }}"
state: present
tags: deps

12
ansible/roles/http/tasks/firewall.yml
View File

@@ -1,12 +0,0 @@
---
- name: set http/https firewall rules
become: true
ansible.posix.firewalld:
service: "{{ item }}"
permanent: true
state: enabled
with_items:
- http
- https
notify: restart firewalld
tags: firewall

86
ansible/roles/http/tasks/http.yml
View File

@@ -1,86 +0,0 @@
---
- name: setup nginx base configuration
become: true
ansible.builtin.template:
src: templates/nginx/nginx.conf.j2
dest: /etc/nginx/nginx.conf
owner: root
group: nginx
mode: 0644
notify: restart_nginx
tags: http
- name: setup nginx directories
become: true
ansible.builtin.file:
path: "/etc/nginx/{{ item }}"
state: directory
mode: 0755
loop:
- sites-enabled
- sites-available
tags: http
- name: ensure http and letsencrypt directories exist
become: true
ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: nginx
group: nginx
mode: 0755
loop:
- /srv/http
- /srv/http/letsencrypt
tags: http
- name: chown http user home
become: true
ansible.builtin.file:
path: /srv/http
owner: nginx
group: nginx
mode: 0755
recurse: true
tags: http
- name: template nginx http sites-available
become: true
ansible.builtin.template:
src: "templates/nginx/sites/{{ item }}.j2"
dest: "/etc/nginx/sites-available/{{ item }}"
mode: 0644
loop:
- "{{ ci_server_name }}.http.conf"
- "{{ pi_server_name }}.conf"
- "{{ home_server_name }}.conf"
- "{{ assistant_server_name }}.conf"
- "{{ video_server_name }}.conf"
- "{{ parts_server_name }}.conf"
- "{{ logs_server_name }}.conf"
notify: restart_nginx
tags: http
- name: remove pihole from sites-enabled if there
become: true
ansible.builtin.file:
path: "/etc/nginx/sites-enabled/pi.hole.conf"
state: absent
tags: http
- name: enable desired nginx http sites
become: true
ansible.builtin.file:
src: "/etc/nginx/sites-available/{{ item }}"
dest: "/etc/nginx/sites-enabled/{{ item }}"
state: link
loop:
- "{{ ci_server_name }}.http.conf"
- "{{ pi_server_name }}.conf"
- "{{ parts_server_name }}.conf"
- "{{ home_server_name }}.conf"
- "{{ assistant_server_name }}.conf"
- "{{ video_server_name }}.conf"
- "{{ logs_server_name }}.conf"
notify: restart_nginx
tags: http

24
ansible/roles/http/tasks/https.yml
View File

@@ -1,24 +0,0 @@
---
- name: template nginx https sites-available
become: true
ansible.builtin.template:
src: "templates/nginx/sites/{{ item }}.j2"
dest: "/etc/nginx/sites-available/{{ item }}"
mode: 0644
loop:
- "{{ ci_server_name }}.https.conf"
- "{{ parts_server_name }}.https.conf"
notify: restart_nginx
tags: https
- name: enable desired nginx https sites
become: true
ansible.builtin.file:
src: "/etc/nginx/sites-available/{{ item }}"
dest: "/etc/nginx/sites-enabled/{{ item }}"
state: link
loop:
- "{{ ci_server_name }}.https.conf"
- "{{ parts_server_name }}.https.conf"
notify: restart_nginx
tags: https

7
ansible/roles/http/tasks/main.yml
View File

@@ -1,7 +0,0 @@
---
- import_tasks: deps.yml
- import_tasks: firewall.yml
- import_tasks: modsec.yml
- import_tasks: http.yml
- import_tasks: https.yml
- import_tasks: nginx.yml

33
ansible/roles/http/tasks/nginx.yml
View File

@@ -1,33 +0,0 @@
---
- name: selinux context for nginx directories
become: true
community.general.sefcontext:
target: "/etc/{{ item }}"
setype: container_file_t
state: present
with_items:
- "nginx(/.*)?"
- "letsencrypt(/.*)?"
notify: restorecon nginx
tags: selinux
- name: create nginx modsecurity container
community.general.docker_container:
name: nginx
image: owasp/modsecurity:nginx
entrypoint: ["nginx", "-g", "daemon off;"]
command_handling: correct
recreate: true
restart: true
restart_policy: on-failure
restart_retries: 3
network_mode: host
log_driver: syslog
log_options:
syslog-address: "udp://localhost:{{ syslog_udp_default }}"
syslog-facility: daemon
tag: "docker/{{'{{'}}.Name{{'}}'}}"
volumes:
- /etc/nginx:/etc/nginx:ro
- /etc/letsencrypt:/etc/letsencrypt:ro
tags: nginx

10
ansible/roles/http/templates/logrotate/nginx.j2
View File

@@ -1,10 +0,0 @@
/var/log/nginx/*log {
daily
rotate 4
missingok
notifempty
create 640 http log
compress
delaycompress
copytruncate
}

2
ansible/roles/pihole/tasks/php.yml
View File

@@ -5,7 +5,7 @@
path: "{{ item }}"
regexp: "pi\\.hole"
replace: "pi.bdebyl.net"
with_items:
loop:
- /srv/http/pihole/admin/scripts/pi-hole/php/auth.php
- /srv/http/pihole/pihole/index.php
tags:

141
ansible/roles/podman/defaults/main.yml
View File

@@ -1,7 +1,148 @@
---
drone_path: "{{ podman_volumes }}/drone"
graylog_path: "{{ podman_volumes }}/graylog"
hass_path: "{{ podman_volumes }}/hass"
nginx_path: "{{ podman_volumes }}/nginx"
partkeepr_path: "{{ podman_volumes }}/partkeepr"
drone_server_proto: "https"
drone_runner_capacity: "4"
# nginx and modsec configuration
ci_server_name: ci.bdebyl.net
pi_server_name: pi.bdebyl.net
assistant_server_name: assistant.bdebyl.net
home_server_name: home.bdebyl.net
parts_server_name: parts.bdebyl.net
video_server_name: video.bdebyl.net
logs_server_name: logs.bdebyl.net
nginx_conf_path: "{{ nginx_path }}/etc/conf"
modsec_log_path: /var/log/nginx/modsec_audit.log
modsec_rules_path: "{{ nginx_conf_path }}/rules"
modsec_crs_before_rule_conf: "{{ modsec_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
modsec_crs_after_rule_conf: "{{ modsec_rules_path }}/REQUEST-999-EXCLUSION-RULES-AFTER-CRS.conf"
install_path: /usr/share
modsec_path: "{{ install_path }}/modsecurity"
crs_path: "{{ install_path }}/coreruleset"
crs_rules_path: "{{ crs_path }}/rules"
modsec_whitelist_local_re: >-
^SecRule.*REMOTE_ADDR.*192\.168\.1\.1/24.*$
modsec_whitelist_local: >-
SecRule REMOTE_ADDR "@ipMatch 192.168.1.1/24"
"id:1,phase:1,nolog,allow,ctl:ruleEngine=Off"
modsec_git_urls:
- src: "https://github.com/coreruleset/coreruleset.git"
dest: "{{ crs_path }}"
ver: "v3.3.2"
- src: "https://github.com/SpiderLabs/ModSecurity.git"
dest: "{{ modsec_path }}"
ver: "v3.0.6"
modsec_conf_replaces:
- regex: "^SecRuleEngine"
line: "SecRuleEngine On"
- regex: "^SecAuditLog"
line: "SecAuditLog {{ modsec_log_path }}"
modsec_conf_links:
- src: "{{ modsec_path }}/modsecurity.conf-recommended"
dest: "{{ nginx_path }}/etc/modsecurity.conf"
- src: "{{ modsec_path }}/unicode.mapping"
dest: "{{ nginx_path }}/etc/unicode.mapping"
- src: "{{ crs_path }}/crs-setup.conf.example"
dest: "{{ nginx_conf_path }}/crs-setup.conf"
- src: "{{ crs_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf.example"
dest: "{{ modsec_rules_path }}/REQUEST-900-EXCLUSION-RULES-BEFORE-CRS.conf"
- src: "{{ crs_rules_path }}/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf.example"
dest: "{{ modsec_rules_path }}/RESPONSE-999-EXCLUSION-RULES-AFTER-CRS.conf"
crs_rule_links:
- name: REQUEST-901-INITIALIZATION
enabled: true
- name: REQUEST-903.9001-DRUPAL-EXCLUSION-RULES
enabled: true
- name: REQUEST-903.9002-WORDPRESS-EXCLUSION-RULES
enabled: true
- name: REQUEST-903.9003-NEXTCLOUD-EXCLUSION-RULES
enabled: true
- name: REQUEST-903.9004-DOKUWIKI-EXCLUSION-RULES
enabled: true
- name: REQUEST-903.9005-CPANEL-EXCLUSION-RULES
enabled: true
- name: REQUEST-903.9006-XENFORO-EXCLUSION-RULES
enabled: true
- name: REQUEST-905-COMMON-EXCEPTIONS
enabled: true
- name: REQUEST-910-IP-REPUTATION
enabled: true
- name: REQUEST-911-METHOD-ENFORCEMENT
enabled: true
- name: REQUEST-912-DOS-PROTECTION
enabled: true
- name: REQUEST-913-SCANNER-DETECTION
enabled: true
- name: REQUEST-920-PROTOCOL-ENFORCEMENT
enabled: true
- name: REQUEST-921-PROTOCOL-ATTACK
enabled: true
- name: REQUEST-930-APPLICATION-ATTACK-LFI
enabled: true
- name: REQUEST-931-APPLICATION-ATTACK-RFI
enabled: true
- name: REQUEST-932-APPLICATION-ATTACK-RCE
enabled: true
- name: REQUEST-933-APPLICATION-ATTACK-PHP
enabled: true
- name: REQUEST-934-APPLICATION-ATTACK-NODEJS
enabled: true
- name: REQUEST-941-APPLICATION-ATTACK-XSS
enabled: true
- name: REQUEST-942-APPLICATION-ATTACK-SQLI
enabled: true
- name: REQUEST-943-APPLICATION-ATTACK-SESSION-FIXATION
enabled: true
- name: REQUEST-944-APPLICATION-ATTACK-JAVA
enabled: true
- name: REQUEST-949-BLOCKING-EVALUATION
enabled: true
- name: RESPONSE-950-DATA-LEAKAGES
enabled: true
- name: RESPONSE-951-DATA-LEAKAGES-SQL
enabled: true
- name: RESPONSE-952-DATA-LEAKAGES-JAVA
enabled: true
- name: RESPONSE-953-DATA-LEAKAGES-PHP
enabled: true
- name: RESPONSE-954-DATA-LEAKAGES-IIS
enabled: true
- name: RESPONSE-959-BLOCKING-EVALUATION
enabled: true
- name: RESPONSE-980-CORRELATION
enabled: true
crs_data_links:
- crawlers-user-agents
- iis-errors
- java-classes
- java-code-leakages
- java-errors
- lfi-os-files
- php-config-directives
- php-errors
- php-function-names-933150
- php-function-names-933151
- php-variables
- restricted-files
- restricted-upload
- scanners-headers
- scanners-urls
- scanners-user-agents
- scripting-user-agents
- sql-errors
- unix-shell
- windows-powershell-commands

736
ansible/roles/podman/files/graylog/graylog.conf Normal file
View File

@@ -0,0 +1,736 @@
############################
# GRAYLOG CONFIGURATION FILE
############################
#
# This is the Graylog configuration file. The file has to use ISO 8859-1/Latin-1 character encoding.
# Characters that cannot be directly represented in this encoding can be written using Unicode escapes
# as defined in https://docs.oracle.com/javase/specs/jls/se8/html/jls-3.html#jls-3.3, using the \u prefix.
# For example, \u002c.
#
# * Entries are generally expected to be a single line of the form, one of the following:
#
# propertyName=propertyValue
# propertyName:propertyValue
#
# * White space that appears between the property name and property value is ignored,
# so the following are equivalent:
#
# name=Stephen
# name = Stephen
#
# * White space at the beginning of the line is also ignored.
#
# * Lines that start with the comment characters ! or # are ignored. Blank lines are also ignored.
#
# * The property value is generally terminated by the end of the line. White space following the
# property value is not ignored, and is treated as part of the property value.
#
# * A property value can span several lines if each line is terminated by a backslash (\) character.
# For example:
#
# targetCities=\
# Detroit,\
# Chicago,\
# Los Angeles
#
# This is equivalent to targetCities=Detroit,Chicago,Los Angeles (white space at the beginning of lines is ignored).
#
# * The characters newline, carriage return, and tab can be inserted with characters \n, \r, and \t, respectively.
#
# * The backslash character must be escaped as a double backslash. For example:
#
# path=c:\\docs\\doc1
#
# If you are running more than one instances of Graylog server you have to select one of these
# instances as master. The master will perform some periodical tasks that non-masters won't perform.
is_master = true
# The auto-generated node ID will be stored in this file and read after restarts. It is a good idea
# to use an absolute file path here if you are starting Graylog server from init scripts or similar.
node_id_file = /usr/share/graylog/data/config/node-id
# You MUST set a secret to secure/pepper the stored user passwords here. Use at least 64 characters.
# Generate one by using for example: pwgen -N 1 -s 96
# ATTENTION: This value must be the same on all Graylog nodes in the cluster.
# Changing this value after installation will render all user sessions and encrypted values in the database invalid. (e.g. encrypted access tokens)
password_secret =
# The default root user is named 'admin'
#root_username = admin
# You MUST specify a hash password for the root user (which you only need to initially set up the
# system and in case you lose connectivity to your authentication backend)
# This password cannot be changed using the API or via the web interface. If you need to change it,
# modify it in this file.
# Create one by using for example: echo -n yourpassword | shasum -a 256
# and put the resulting hash value into the following line
root_password_sha2 =
# The email address of the root user.
# Default is empty
#root_email = ""
# The time zone setting of the root user. See http://www.joda.org/joda-time/timezones.html for a list of valid time zones.
# Default is UTC
root_timezone = America/New_York
# Set the bin directory here (relative or absolute)
# This directory contains binaries that are used by the Graylog server.
# Default: bin
bin_dir = /usr/share/graylog/bin
# Set the data directory here (relative or absolute)
# This directory is used to store Graylog server state.
# Default: data
data_dir = /usr/share/graylog/data
# Set plugin directory here (relative or absolute)
plugin_dir = /usr/share/graylog/plugin
###############
# HTTP settings
###############
#### HTTP bind address
#
# The network interface used by the Graylog HTTP interface.
#
# This network interface must be accessible by all Graylog nodes in the cluster and by all clients
# using the Graylog web interface.
#
# If the port is omitted, Graylog will use port 9000 by default.
#
# Default: 127.0.0.1:9000
#http_bind_address = 127.0.0.1:9000
#http_bind_address = [2001:db8::1]:9000
http_bind_address = 0.0.0.0:9000
#### HTTP publish URI
#
# The HTTP URI of this Graylog node which is used to communicate with the other Graylog nodes in the cluster and by all
# clients using the Graylog web interface.
#
# The URI will be published in the cluster discovery APIs, so that other Graylog nodes will be able to find and connect to this Graylog node.
#
# This configuration setting has to be used if this Graylog node is available on another network interface than $http_bind_address,
# for example if the machine has multiple network interfaces or is behind a NAT gateway.
#
# If $http_bind_address contains a wildcard IPv4 address (0.0.0.0), the first non-loopback IPv4 address of this machine will be used.
# This configuration setting *must not* contain a wildcard address!
#
# Default: http://$http_bind_address/
#http_publish_uri = http://192.168.1.1:9000/
#### External Graylog URI
#
# The public URI of Graylog which will be used by the Graylog web interface to communicate with the Graylog REST API.
#
# The external Graylog URI usually has to be specified, if Graylog is running behind a reverse proxy or load-balancer
# and it will be used to generate URLs addressing entities in the Graylog REST API (see $http_bind_address).
#
# When using Graylog Collector, this URI will be used to receive heartbeat messages and must be accessible for all collectors.
#
# This setting can be overriden on a per-request basis with the "X-Graylog-Server-URL" HTTP request header.
#
# Default: $http_publish_uri
#http_external_uri =
#### Enable CORS headers for HTTP interface
#
# This allows browsers to make Cross-Origin requests from any origin.
# This is disabled for security reasons and typically only needed if running graylog
# with a separate server for frontend development.
#
# Default: false
#http_enable_cors = false
#### Enable GZIP support for HTTP interface
#
# This compresses API responses and therefore helps to reduce
# overall round trip times. This is enabled by default. Uncomment the next line to disable it.
#http_enable_gzip = false
# The maximum size of the HTTP request headers in bytes.
#http_max_header_size = 8192
# The size of the thread pool used exclusively for serving the HTTP interface.
#http_thread_pool_size = 16
################
# HTTPS settings
################
#### Enable HTTPS support for the HTTP interface
#
# This secures the communication with the HTTP interface with TLS to prevent request forgery and eavesdropping.
#
# Default: false
#http_enable_tls = true
# The X.509 certificate chain file in PEM format to use for securing the HTTP interface.
#http_tls_cert_file = /path/to/graylog.crt
# The PKCS#8 private key file in PEM format to use for securing the HTTP interface.
#http_tls_key_file = /path/to/graylog.key
# The password to unlock the private key used for securing the HTTP interface.
#http_tls_key_password = secret
# Comma separated list of trusted proxies that are allowed to set the client address with X-Forwarded-For
# header. May be subnets, or hosts.
#trusted_proxies = 127.0.0.1/32, 0:0:0:0:0:0:0:1/128
# List of Elasticsearch hosts Graylog should connect to.
# Need to be specified as a comma-separated list of valid URIs for the http ports of your elasticsearch nodes.
# If one or more of your elasticsearch hosts require authentication, include the credentials in each node URI that
# requires authentication.
#
# Default: http://127.0.0.1:9200
#elasticsearch_hosts = http://node1:9200,http://user:password@node2:19200
elasticsearch_hosts = http://elasticsearch:9200
# Maximum number of retries to connect to elasticsearch on boot for the version probe.
#
# Default: 0, retry indefinitely with the given delay until a connection could be established
#elasticsearch_version_probe_attempts = 5
# Waiting time in between connection attempts for elasticsearch_version_probe_attempts
#
# Default: 5s
#elasticsearch_version_probe_delay = 5s
# Maximum amount of time to wait for successful connection to Elasticsearch HTTP port.
#
# Default: 10 Seconds
#elasticsearch_connect_timeout = 10s
# Maximum amount of time to wait for reading back a response from an Elasticsearch server.
# (e. g. during search, index creation, or index time-range calculations)
#
# Default: 60 seconds
#elasticsearch_socket_timeout = 60s
# Maximum idle time for an Elasticsearch connection. If this is exceeded, this connection will
# be tore down.
#
# Default: inf
#elasticsearch_idle_timeout = -1s
# Maximum number of total connections to Elasticsearch.
#
# Default: 200
#elasticsearch_max_total_connections = 200
# Maximum number of total connections per Elasticsearch route (normally this means per
# elasticsearch server).
#
# Default: 20
#elasticsearch_max_total_connections_per_route = 20
# Maximum number of times Graylog will retry failed requests to Elasticsearch.
#
# Default: 2
#elasticsearch_max_retries = 2
# Enable automatic Elasticsearch node discovery through Nodes Info,
# see https://www.elastic.co/guide/en/elasticsearch/reference/5.4/cluster-nodes-info.html
#
# WARNING: Automatic node discovery does not work if Elasticsearch requires authentication, e. g. with Shield.
#
# Default: false
#elasticsearch_discovery_enabled = true
# Filter for including/excluding Elasticsearch nodes in discovery according to their custom attributes,
# see https://www.elastic.co/guide/en/elasticsearch/reference/5.4/cluster.html#cluster-nodes
#
# Default: empty
#elasticsearch_discovery_filter = rack:42
# Frequency of the Elasticsearch node discovery.
#
# Default: 30s
# elasticsearch_discovery_frequency = 30s
# Set the default scheme when connecting to Elasticsearch discovered nodes
#
# Default: http (available options: http, https)
#elasticsearch_discovery_default_scheme = http
# Enable payload compression for Elasticsearch requests.
#
# Default: false
#elasticsearch_compression_enabled = true
# Enable use of "Expect: 100-continue" Header for Elasticsearch index requests.
# If this is disabled, Graylog cannot properly handle HTTP 413 Request Entity Too Large errors.
#
# Default: true
#elasticsearch_use_expect_continue = true
# Graylog will use multiple indices to store documents in. You can configured the strategy it uses to determine
# when to rotate the currently active write index.
# It supports multiple rotation strategies:
# - "count" of messages per index, use elasticsearch_max_docs_per_index below to configure
# - "size" per index, use elasticsearch_max_size_per_index below to configure
# valid values are "count", "size" and "time", default is "count"
#
# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
# to your previous 1.x settings so they will be migrated to the database!
# This configuration setting is only used on the first start of Graylog. After that,
# index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
# Also see https://docs.graylog.org/docs/index-model#index-set-configuration
rotation_strategy = count
# (Approximate) maximum number of documents in an Elasticsearch index before a new index
# is being created, also see no_retention and elasticsearch_max_number_of_indices.
# Configure this if you used 'rotation_strategy = count' above.
#
# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
# to your previous 1.x settings so they will be migrated to the database!
# This configuration setting is only used on the first start of Graylog. After that,
# index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
# Also see https://docs.graylog.org/docs/index-model#index-set-configuration
elasticsearch_max_docs_per_index = 20000000
# (Approximate) maximum size in bytes per Elasticsearch index on disk before a new index is being created, also see
# no_retention and elasticsearch_max_number_of_indices. Default is 1GB.
# Configure this if you used 'rotation_strategy = size' above.
#
# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
# to your previous 1.x settings so they will be migrated to the database!
# This configuration setting is only used on the first start of Graylog. After that,
# index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
# Also see https://docs.graylog.org/docs/index-model#index-set-configuration
#elasticsearch_max_size_per_index = 1073741824
# (Approximate) maximum time before a new Elasticsearch index is being created, also see
# no_retention and elasticsearch_max_number_of_indices. Default is 1 day.
# Configure this if you used 'rotation_strategy = time' above.
# Please note that this rotation period does not look at the time specified in the received messages, but is
# using the real clock value to decide when to rotate the index!
# Specify the time using a duration and a suffix indicating which unit you want:
# 1w = 1 week
# 1d = 1 day
# 12h = 12 hours
# Permitted suffixes are: d for day, h for hour, m for minute, s for second.
#
# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
# to your previous 1.x settings so they will be migrated to the database!
# This configuration setting is only used on the first start of Graylog. After that,
# index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
# Also see https://docs.graylog.org/docs/index-model#index-set-configuration
#elasticsearch_max_time_per_index = 1d
# Disable checking the version of Elasticsearch for being compatible with this Graylog release.
# WARNING: Using Graylog with unsupported and untested versions of Elasticsearch may lead to data loss!
#elasticsearch_disable_version_check = true
# Disable message retention on this node, i. e. disable Elasticsearch index rotation.
#no_retention = false
# How many indices do you want to keep?
#
# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
# to your previous 1.x settings so they will be migrated to the database!
# This configuration setting is only used on the first start of Graylog. After that,
# index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
# Also see https://docs.graylog.org/docs/index-model#index-set-configuration
elasticsearch_max_number_of_indices = 20
# Decide what happens with the oldest indices when the maximum number of indices is reached.
# The following strategies are availble:
# - delete # Deletes the index completely (Default)
# - close # Closes the index and hides it from the system. Can be re-opened later.
#
# ATTENTION: These settings have been moved to the database in 2.0. When you upgrade, make sure to set these
# to your previous 1.x settings so they will be migrated to the database!
# This configuration setting is only used on the first start of Graylog. After that,
# index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
# Also see https://docs.graylog.org/docs/index-model#index-set-configuration
retention_strategy = delete
# How many Elasticsearch shards and replicas should be used per index? Note that this only applies to newly created indices.
# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
# to your previous settings so they will be migrated to the database!
# This configuration setting is only used on the first start of Graylog. After that,
# index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
# Also see https://docs.graylog.org/docs/index-model#index-set-configuration
elasticsearch_shards = 4
elasticsearch_replicas = 0
# Prefix for all Elasticsearch indices and index aliases managed by Graylog.
#
# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
# to your previous settings so they will be migrated to the database!
# This configuration setting is only used on the first start of Graylog. After that,
# index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
# Also see https://docs.graylog.org/docs/index-model#index-set-configuration
elasticsearch_index_prefix = graylog
# Name of the Elasticsearch index template used by Graylog to apply the mandatory index mapping.
# Default: graylog-internal
#
# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
# to your previous settings so they will be migrated to the database!
# This configuration setting is only used on the first start of Graylog. After that,
# index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
# Also see https://docs.graylog.org/docs/index-model#index-set-configuration
#elasticsearch_template_name = graylog-internal
# Do you want to allow searches with leading wildcards? This can be extremely resource hungry and should only
# be enabled with care. See also: https://docs.graylog.org/docs/query-language
allow_leading_wildcard_searches = false
# Do you want to allow searches to be highlighted? Depending on the size of your messages this can be memory hungry and
# should only be enabled after making sure your Elasticsearch cluster has enough memory.
allow_highlighting = false
# Analyzer (tokenizer) to use for message and full_message field. The "standard" filter usually is a good idea.
# All supported analyzers are: standard, simple, whitespace, stop, keyword, pattern, language, snowball, custom
# Elasticsearch documentation: https://www.elastic.co/guide/en/elasticsearch/reference/2.3/analysis.html
# Note that this setting only takes effect on newly created indices.
#
# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
# to your previous settings so they will be migrated to the database!
# This configuration setting is only used on the first start of Graylog. After that,
# index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
# Also see https://docs.graylog.org/docs/index-model#index-set-configuration
elasticsearch_analyzer = standard
# Global timeout for index optimization (force merge) requests.
# Default: 1h
#elasticsearch_index_optimization_timeout = 1h
# Maximum number of concurrently running index optimization (force merge) jobs.
# If you are using lots of different index sets, you might want to increase that number.
# Default: 20
#elasticsearch_index_optimization_jobs = 20
# Mute the logging-output of ES deprecation warnings during REST calls in the ES RestClient
#elasticsearch_mute_deprecation_warnings = true
# Time interval for index range information cleanups. This setting defines how often stale index range information
# is being purged from the database.
# Default: 1h
#index_ranges_cleanup_interval = 1h
# Time interval for the job that runs index field type maintenance tasks like cleaning up stale entries. This doesn't
# need to run very often.
# Default: 1h
#index_field_type_periodical_interval = 1h
# Batch size for the Elasticsearch output. This is the maximum (!) number of messages the Elasticsearch output
# module will get at once and write to Elasticsearch in a batch call. If the configured batch size has not been
# reached within output_flush_interval seconds, everything that is available will be flushed at once. Remember
# that every outputbuffer processor manages its own batch and performs its own batch write calls.
# ("outputbuffer_processors" variable)
output_batch_size = 500
# Flush interval (in seconds) for the Elasticsearch output. This is the maximum amount of time between two
# batches of messages written to Elasticsearch. It is only effective at all if your minimum number of messages
# for this time period is less than output_batch_size * outputbuffer_processors.
output_flush_interval = 1
# As stream outputs are loaded only on demand, an output which is failing to initialize will be tried over and
# over again. To prevent this, the following configuration options define after how many faults an output will
# not be tried again for an also configurable amount of seconds.
output_fault_count_threshold = 5
output_fault_penalty_seconds = 30
# The number of parallel running processors.
# Raise this number if your buffers are filling up.
processbuffer_processors = 5
outputbuffer_processors = 3
# The following settings (outputbuffer_processor_*) configure the thread pools backing each output buffer processor.
# See https://docs.oracle.com/javase/8/docs/api/java/util/concurrent/ThreadPoolExecutor.html for technical details
# When the number of threads is greater than the core (see outputbuffer_processor_threads_core_pool_size),
# this is the maximum time in milliseconds that excess idle threads will wait for new tasks before terminating.
# Default: 5000
#outputbuffer_processor_keep_alive_time = 5000
# The number of threads to keep in the pool, even if they are idle, unless allowCoreThreadTimeOut is set
# Default: 3
#outputbuffer_processor_threads_core_pool_size = 3
# The maximum number of threads to allow in the pool
# Default: 30
#outputbuffer_processor_threads_max_pool_size = 30
# UDP receive buffer size for all message inputs (e. g. SyslogUDPInput).
#udp_recvbuffer_sizes = 1048576
# Wait strategy describing how buffer processors wait on a cursor sequence. (default: sleeping)
# Possible types:
# - yielding
# Compromise between performance and CPU usage.
# - sleeping
# Compromise between performance and CPU usage. Latency spikes can occur after quiet periods.
# - blocking
# High throughput, low latency, higher CPU usage.
# - busy_spinning
# Avoids syscalls which could introduce latency jitter. Best when threads can be bound to specific CPU cores.
processor_wait_strategy = blocking
# Size of internal ring buffers. Raise this if raising outputbuffer_processors does not help anymore.
# For optimum performance your LogMessage objects in the ring buffer should fit in your CPU L3 cache.
# Must be a power of 2. (512, 1024, 2048, ...)
ring_size = 65536
inputbuffer_ring_size = 65536
inputbuffer_processors = 2
inputbuffer_wait_strategy = blocking
# Enable the message journal.
message_journal_enabled = true
# The directory which will be used to store the message journal. The directory must be exclusively used by Graylog and
# must not contain any other files than the ones created by Graylog itself.
#
# ATTENTION:
# If you create a seperate partition for the journal files and use a file system creating directories like 'lost+found'
# in the root directory, you need to create a sub directory for your journal.
# Otherwise Graylog will log an error message that the journal is corrupt and Graylog will not start.
message_journal_dir = data/journal
# Journal hold messages before they could be written to Elasticsearch.
# For a maximum of 12 hours or 5 GB whichever happens first.
# During normal operation the journal will be smaller.
#message_journal_max_age = 12h
#message_journal_max_size = 5gb
#message_journal_flush_age = 1m
#message_journal_flush_interval = 1000000
#message_journal_segment_age = 1h
#message_journal_segment_size = 100mb
# Number of threads used exclusively for dispatching internal events. Default is 2.
#async_eventbus_processors = 2
# How many seconds to wait between marking node as DEAD for possible load balancers and starting the actual
# shutdown process. Set to 0 if you have no status checking load balancers in front.
lb_recognition_period_seconds = 3
# Journal usage percentage that triggers requesting throttling for this server node from load balancers. The feature is
# disabled if not set.
#lb_throttle_threshold_percentage = 95
# Every message is matched against the configured streams and it can happen that a stream contains rules which
# take an unusual amount of time to run, for example if its using regular expressions that perform excessive backtracking.
# This will impact the processing of the entire server. To keep such misbehaving stream rules from impacting other
# streams, Graylog limits the execution time for each stream.
# The default values are noted below, the timeout is in milliseconds.
# If the stream matching for one stream took longer than the timeout value, and this happened more than "max_faults" times
# that stream is disabled and a notification is shown in the web interface.
#stream_processing_timeout = 2000
#stream_processing_max_faults = 3
# Since 0.21 the Graylog server supports pluggable output modules. This means a single message can be written to multiple
# outputs. The next setting defines the timeout for a single output module, including the default output module where all
# messages end up.
#
# Time in milliseconds to wait for all message outputs to finish writing a single message.
#output_module_timeout = 10000
# Time in milliseconds after which a detected stale master node is being rechecked on startup.
#stale_master_timeout = 2000
# Time in milliseconds which Graylog is waiting for all threads to stop on shutdown.
#shutdown_timeout = 30000
# MongoDB connection string
# See https://docs.mongodb.com/manual/reference/connection-string/ for details
#mongodb_uri = mongodb://localhost/graylog
mongodb_uri = mongodb://mongo/graylog
# Authenticate against the MongoDB server
# '+'-signs in the username or password need to be replaced by '%2B'
#mongodb_uri = mongodb://grayloguser:secret@localhost:27017/graylog
# Use a replica set instead of a single host
#mongodb_uri = mongodb://grayloguser:secret@localhost:27017,localhost:27018,localhost:27019/graylog?replicaSet=rs01
# DNS Seedlist https://docs.mongodb.com/manual/reference/connection-string/#dns-seedlist-connection-format
#mongodb_uri = mongodb+srv://server.example.org/graylog
# Increase this value according to the maximum connections your MongoDB server can handle from a single client
# if you encounter MongoDB connection problems.
mongodb_max_connections = 1000
# Number of threads allowed to be blocked by MongoDB connections multiplier. Default: 5
# If mongodb_max_connections is 100, and mongodb_threads_allowed_to_block_multiplier is 5,
# then 500 threads can block. More than that and an exception will be thrown.
# http://api.mongodb.com/java/current/com/mongodb/MongoOptions.html#threadsAllowedToBlockForConnectionMultiplier
mongodb_threads_allowed_to_block_multiplier = 5
# Email transport
#transport_email_enabled = false
#transport_email_hostname = mail.example.com
#transport_email_port = 587
#transport_email_use_auth = true
#transport_email_auth_username = you@example.com
#transport_email_auth_password = secret
#transport_email_subject_prefix = [graylog]
#transport_email_from_email = graylog@example.com
# Encryption settings
#
# ATTENTION:
# Using SMTP with STARTTLS *and* SMTPS at the same time is *not* possible.
# Use SMTP with STARTTLS, see https://en.wikipedia.org/wiki/Opportunistic_TLS
#transport_email_use_tls = true
# Use SMTP over SSL (SMTPS), see https://en.wikipedia.org/wiki/SMTPS
# This is deprecated on most SMTP services!
#transport_email_use_ssl = false
# Specify and uncomment this if you want to include links to the stream in your stream alert mails.
# This should define the fully qualified base url to your web interface exactly the same way as it is accessed by your users.
#transport_email_web_interface_url = https://graylog.example.com
# The default connect timeout for outgoing HTTP connections.
# Values must be a positive duration (and between 1 and 2147483647 when converted to milliseconds).
# Default: 5s
#http_connect_timeout = 5s
# The default read timeout for outgoing HTTP connections.
# Values must be a positive duration (and between 1 and 2147483647 when converted to milliseconds).
# Default: 10s
#http_read_timeout = 10s
# The default write timeout for outgoing HTTP connections.
# Values must be a positive duration (and between 1 and 2147483647 when converted to milliseconds).
# Default: 10s
#http_write_timeout = 10s
# HTTP proxy for outgoing HTTP connections
# ATTENTION: If you configure a proxy, make sure to also configure the "http_non_proxy_hosts" option so internal
# HTTP connections with other nodes does not go through the proxy.
# Examples:
# - http://proxy.example.com:8123
# - http://username:password@proxy.example.com:8123
#http_proxy_uri =
# A list of hosts that should be reached directly, bypassing the configured proxy server.
# This is a list of patterns separated by ",". The patterns may start or end with a "*" for wildcards.
# Any host matching one of these patterns will be reached through a direct connection instead of through a proxy.
# Examples:
# - localhost,127.0.0.1
# - 10.0.*,*.example.com
#http_non_proxy_hosts =
# Disable the optimization of Elasticsearch indices after index cycling. This may take some load from Elasticsearch
# on heavily used systems with large indices, but it will decrease search performance. The default is to optimize
# cycled indices.
#
# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
# to your previous settings so they will be migrated to the database!
# This configuration setting is only used on the first start of Graylog. After that,
# index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
# Also see https://docs.graylog.org/docs/index-model#index-set-configuration
#disable_index_optimization = true
# Optimize the index down to <= index_optimization_max_num_segments. A higher number may take some load from Elasticsearch
# on heavily used systems with large indices, but it will decrease search performance. The default is 1.
#
# ATTENTION: These settings have been moved to the database in Graylog 2.2.0. When you upgrade, make sure to set these
# to your previous settings so they will be migrated to the database!
# This configuration setting is only used on the first start of Graylog. After that,
# index related settings can be changed in the Graylog web interface on the 'System / Indices' page.
# Also see https://docs.graylog.org/docs/index-model#index-set-configuration
#index_optimization_max_num_segments = 1
# The threshold of the garbage collection runs. If GC runs take longer than this threshold, a system notification
# will be generated to warn the administrator about possible problems with the system. Default is 1 second.
#gc_warning_threshold = 1s
# Connection timeout for a configured LDAP server (e. g. ActiveDirectory) in milliseconds.
#ldap_connection_timeout = 2000
# Disable the use of a native system stats collector (currently OSHI)
#disable_native_system_stats_collector = false
# The default cache time for dashboard widgets. (Default: 10 seconds, minimum: 1 second)
#dashboard_widget_default_cache_time = 10s
# For some cluster-related REST requests, the node must query all other nodes in the cluster. This is the maximum number
# of threads available for this. Increase it, if '/cluster/*' requests take long to complete.
# Should be http_thread_pool_size * average_cluster_size if you have a high number of concurrent users.
proxied_requests_thread_pool_size = 32
# The server is writing processing status information to the database on a regular basis. This setting controls how
# often the data is written to the database.
# Default: 1s (cannot be less than 1s)
#processing_status_persist_interval = 1s
# Configures the threshold for detecting outdated processing status records. Any records that haven't been updated
# in the configured threshold will be ignored.
# Default: 1m (one minute)
#processing_status_update_threshold = 1m
# Configures the journal write rate threshold for selecting processing status records. Any records that have a lower
# one minute rate than the configured value might be ignored. (dependent on number of messages in the journal)
# Default: 1
#processing_status_journal_write_rate_threshold = 1
# Configures the prefix used for graylog event indices
# Default: gl-events
#default_events_index_prefix = gl-events
# Configures the prefix used for graylog system event indices
# Default: gl-system-events
#default_system_events_index_prefix = gl-system-events
# Automatically load content packs in "content_packs_dir" on the first start of Graylog.
#content_packs_loader_enabled = false
# The directory which contains content packs which should be loaded on the first start of Graylog.
#content_packs_dir = /usr/share/graylog/data/contentpacks
# A comma-separated list of content packs (files in "content_packs_dir") which should be applied on
# the first start of Graylog.
# Default: empty
#content_packs_auto_install = grok-patterns.json
# The allowed TLS protocols for system wide TLS enabled servers. (e.g. message inputs, http interface)
# Setting this to an empty value, leaves it up to system libraries and the used JDK to chose a default.
# Default: TLSv1.2,TLSv1.3 (might be automatically adjusted to protocols supported by the JDK)
#enabled_tls_protocols= TLSv1.2,TLSv1.3
# Enable Prometheus exporter HTTP server.
# Default: false
#prometheus_exporter_enabled = false
# IP address and port for the Prometheus exporter HTTP server.
# Default: 127.0.0.1:9833
#prometheus_exporter_bind_address = 127.0.0.1:9833
# Path to the Prometheus exporter core mapping file. If this option is enabled, the full built-in core mapping is
# replaced with the mappings in this file.
# This file is monitored for changes and updates will be applied at runtime.
# Default: none
#prometheus_exporter_mapping_file_path_core = prometheus-exporter-mapping-core.yml
# Path to the Prometheus exporter custom mapping file. If this option is enabled, the mappings in this file are
# configured in addition to the built-in core mappings. The mappings in this file cannot overwrite any core mappings.
# This file is monitored for changes and updates will be applied at runtime.
# Default: none
#prometheus_exporter_mapping_file_path_custom = prometheus-exporter-mapping-custom.yml
# Configures the refresh interval for the monitored Prometheus exporter mapping files.
# Default: 60s
#prometheus_exporter_mapping_file_refresh_interval = 60s
# Optional allowed paths for Graylog data files. If provided, certain operations in Graylog will only be permitted
# if the data file(s) are located in the specified paths (for example, with the CSV File lookup adapter).
# All subdirectories of indicated paths are allowed by default. This Provides an additional layer of security,
# and allows administrators to control where in the file system Graylog users can select files from.
#allowed_auxiliary_paths = /etc/graylog/data-files,/etc/custom-allowed-path

133
ansible/roles/podman/files/graylog/graylogctl Normal file
View File

@@ -0,0 +1,133 @@
#!/usr/bin/env bash
CMD=$1
NOHUP=${NOHUP:=$(which nohup)}
PS=${PS:=$(which ps)}
# default java
JAVA_CMD=${JAVA_CMD:=$(which java)}
get_pid() {
cat "${GRAYLOG_PID}" 2> /dev/null
}
pid_running() {
kill -0 $1 2> /dev/null
}
die() {
echo $*
exit 1
}
if [ -n "$JAVA_HOME" ]
then
# try to use $JAVA_HOME
if [ -x "$JAVA_HOME"/bin/java ]
then
JAVA_CMD="$JAVA_HOME"/bin/java
else
die "$JAVA_HOME"/bin/java is not executable
fi
fi
# resolve links - $0 may be a softlink
GRAYLOGCTL="$0"
while [ -h "$GRAYLOGCTL" ]; do
ls=$(ls -ld "$GRAYLOGCTL")
link=$(expr "$ls" : '.*-> \(.*\)$')
if expr "$link" : '/.*' > /dev/null; then
GRAYLOGCTL="$link"
else
GRAYLOGCTL=$(dirname "$GRAYLOGCTL")/"$link"
fi
done
# take variables from environment if set
GRAYLOGCTL_DIR=${GRAYLOGCTL_DIR:=$(dirname "$GRAYLOGCTL")}
GRAYLOG_SERVER_JAR=${GRAYLOG_SERVER_JAR:=graylog.jar}
GRAYLOG_CONF=${GRAYLOG_CONF:=/etc/graylog/server/server.conf}
GRAYLOG_PID=${GRAYLOG_PID:=/tmp/graylog.pid}
LOG_FILE=${LOG_FILE:=log/graylog-server.log}
LOG4J=${LOG4J:=}
DEFAULT_JAVA_OPTS="-Djava.net.preferIPv4Stack=true -Dlog4j2.formatMsgNoLookups=true -Djdk.tls.acknowledgeCloseNotify=true -Xms1g -Xmx1g -XX:NewRatio=1 -server -XX:+ResizeTLAB -XX:-OmitStackTraceInFastThrow"
if $JAVA_CMD -XX:+PrintFlagsFinal 2>&1 |grep -q UseParNewGC; then
DEFAULT_JAVA_OPTS="${DEFAULT_JAVA_OPTS} -XX:+UseParNewGC"
fi
if $JAVA_CMD -XX:+PrintFlagsFinal 2>&1 |grep -q UseConcMarkSweepGC; then
DEFAULT_JAVA_OPTS="${DEFAULT_JAVA_OPTS} -XX:+UseConcMarkSweepGC -XX:+CMSConcurrentMTEnabled -XX:+CMSClassUnloadingEnabled"
fi
JAVA_OPTS="${JAVA_OPTS:="$DEFAULT_JAVA_OPTS"}"
start() {
echo "Starting graylog-server ..."
cd "$GRAYLOGCTL_DIR/.."
"${NOHUP}" "${JAVA_CMD}" ${JAVA_OPTS} ${LOG4J} -jar "${GRAYLOG_SERVER_JAR}" server -f "${GRAYLOG_CONF}" -p "${GRAYLOG_PID}" >> "${LOG_FILE}" 2>> "${LOG_FILE}" &
}
run() {
echo "Running graylog-server ..."
cd "$GRAYLOGCTL_DIR/.."
exec "${JAVA_CMD}" ${JAVA_OPTS} ${LOG4J} -jar "${GRAYLOG_SERVER_JAR}" server -f "${GRAYLOG_CONF}" -p "${GRAYLOG_PID}"
}
stop() {
if [ ! -f "${GRAYLOG_PID}" ]; then
die "Not stopping. PID file not found: ${GRAYLOG_PID}"
fi
PID=$(get_pid)
echo "Stopping graylog-server ($PID) ..."
echo "Waiting for graylog-server to halt."
kill $PID
while "$PS" -p $PID > /dev/null; do sleep 1; done;
rm -f "${GRAYLOG_PID}"
echo "graylog-server stopped"
}
restart() {
echo "Restarting graylog-server ..."
stop
start
}
status() {
PID=$(get_pid)
if [ ! -z $PID ]; then
if pid_running $PID; then
echo "graylog-server running with PID ${PID}"
return 0
else
rm "${GRAYLOG_PID}"
die "Removed stale PID file ${GRAYLOG_PID} with ${PID}."
fi
fi
die "graylog-server not running"
}
case "$CMD" in
start)
start
;;
stop)
stop
;;
restart)
restart
;;
status)
status
;;
run)
run
;;
*)
echo "Usage $0 {start|stop|restart|status|run}"
esac

2
ansible/roles/podman/files/hass/configuration.yaml
View File

@@ -9,7 +9,7 @@ http:
use_x_forwarded_for: true
trusted_proxies:
- 127.0.0.1
- 172.0.0.0/8
- 10.0.0.0/8
homeassistant:
time_zone: America/New_York

1028
ansible/roles/podman/files/nginx/mime.types Normal file
View File

File diff suppressed because it is too large Load Diff

0
ansible/roles/http/files/nginx/modsec_includes.conf → ansible/roles/podman/files/nginx/modsec_includes.conf
View File

22
ansible/roles/podman/handlers/main.yml
View File

@@ -2,7 +2,27 @@
- name: restorecon podman
become: true
ansible.builtin.command: |
restorecon -Frv {{ podman_home }}
restorecon -Frv {{ podman_home }}/.local/share/volumes
tags:
- podman
- selinux
- name: restart nginx
become: true
become_user: "{{ podman_user }}"
ansible.builtin.command: |
podman restart nginx
tags:
- nginx
- http
- https
- modsec
- modsec_rules
- name: restart firewalld
become: true
ansible.builtin.service:
name: firewalld
state: restarted
tags:
- firewall

1
ansible/roles/podman/meta/main.yml
View File

@@ -1,3 +1,4 @@
---
dependencies:
- role: common
- role: ssl

95
ansible/roles/podman/tasks/configuration-nginx-http.yml Normal file
View File

@@ -0,0 +1,95 @@
---
- name: create required nginx volumes
become: true
ansible.builtin.file:
path: "{{ nginx_path }}/etc"
state: directory
owner: "{{ podman_user }}"
group: "{{ podman_user }}"
mode: 0755
notify: restorecon podman
tags: http
- name: setup nginx base configuration
become: true
ansible.builtin.template:
src: templates/nginx/nginx.conf.j2
dest: "{{ nginx_path }}/etc/nginx.conf"
owner: "{{ podman_user }}"
group: "{{ podman_user }}"
mode: 0644
notify:
- restorecon podman
- restart nginx
tags: http
- name: create required nginx files
become: true
ansible.builtin.copy:
src: "files/nginx/{{ item }}"
dest: "{{ nginx_path }}/etc/{{ item }}"
owner: "{{ podman_user }}"
group: "{{ podman_user }}"
mode: 0644
loop:
- mime.types
notify:
- restorecon podman
- restart nginx
tags: http
- name: setup nginx directories
become: true
ansible.builtin.file:
path: "{{ nginx_path }}/etc/{{ item }}"
owner: "{{ podman_user }}"
group: "{{ podman_user }}"
state: directory
mode: 0755
notify: restorecon podman
loop:
- sites-enabled
- sites-available
tags: http
- name: template nginx http sites-available
become: true
ansible.builtin.template:
src: "templates/nginx/sites/{{ item }}.j2"
dest: "{{ nginx_path }}/etc/sites-available/{{ item }}"
owner: "{{ podman_user }}"
group: "{{ podman_user }}"
mode: 0644
loop:
- "{{ ci_server_name }}.http.conf"
#- "{{ pi_server_name }}.conf"
- "{{ home_server_name }}.conf"
- "{{ assistant_server_name }}.conf"
- "{{ video_server_name }}.conf"
- "{{ parts_server_name }}.conf"
- "{{ logs_server_name }}.conf"
notify:
- restorecon podman
- restart nginx
tags: http
- name: enable desired nginx http sites
become: true
ansible.builtin.file:
src: "../sites-available/{{ item }}"
dest: "{{ nginx_path }}/etc/sites-enabled/{{ item }}"
owner: "{{ podman_user }}"
group: "{{ podman_user }}"
state: link
loop:
- "{{ ci_server_name }}.http.conf"
#- "{{ pi_server_name }}.conf"
- "{{ parts_server_name }}.conf"
- "{{ home_server_name }}.conf"
- "{{ assistant_server_name }}.conf"
- "{{ video_server_name }}.conf"
- "{{ logs_server_name }}.conf"
notify:
- restorecon podman
- restart nginx
tags: http

58
ansible/roles/podman/tasks/configuration-nginx-https.yml Normal file
View File

@@ -0,0 +1,58 @@
---
- name: create nginx ssl directory
become: true
ansible.builtin.file:
path: "{{ nginx_path }}/etc/ssl"
owner: "{{ podman_user }}"
group: "{{ podman_user }}"
mode: 0644
state: directory
tags: https
- name: stat dhparam
become: true
ansible.builtin.stat:
path: "{{ nginx_path }}/etc/ssl/dhparam.pem"
register: dhparam
tags: https
- name: generate openssl dhparam for nginx
become: true
ansible.builtin.command: |
openssl dhparam -out {{ nginx_path }}/ssl/dhparam.pem 2048
when: not dhparam.stat.exists
args:
creates: "{{ nginx_path }}/ssl/dhparam.pem"
tags: https
- name: template nginx https sites-available
become: true
ansible.builtin.template:
src: "templates/nginx/sites/{{ item }}.j2"
dest: "{{ nginx_path }}/etc/sites-available/{{ item }}"
owner: "{{ podman_user }}"
group: "{{ podman_user }}"
mode: 0644
loop:
- "{{ ci_server_name }}.https.conf"
- "{{ parts_server_name }}.https.conf"
notify:
- restorecon podman
- restart nginx
tags: https
- name: enable desired nginx https sites
become: true
ansible.builtin.file:
src: "../sites-available/{{ item }}"
dest: "{{ nginx_path }}/etc/sites-enabled/{{ item }}"
owner: "{{ podman_user }}"
group: "{{ podman_user }}"
state: link
loop:
- "{{ ci_server_name }}.https.conf"
- "{{ parts_server_name }}.https.conf"
notify:
- restorecon podman
- restart nginx
tags: https

50
ansible/roles/http/tasks/modsec.yml → ansible/roles/podman/tasks/configuration-nginx-modsec.yml
View File

@@ -4,21 +4,26 @@
ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: root
group: root
owner: "{{ podman_user }}"
group: "{{ podman_user }}"
mode: 0644
loop:
- "{{ nginx_conf_path }}"
- "{{ modsec_rules_path }}"
notify: restorecon podman
tags: modsec
- name: create modsec_includes.conf
become: true
ansible.builtin.copy:
src: files/nginx/modsec_includes.conf
dest: "{{ nginx_path }}/modsec_includes.conf"
dest: "{{ nginx_path }}/etc/modsec_includes.conf"
owner: "{{ podman_user }}"
group: "{{ podman_user }}"
mode: 0644
notify: restart_nginx
notify:
- restorecon podman
- restart nginx
tags: modsec
- name: clone coreruleset and modsecurity
@@ -26,11 +31,10 @@
ansible.builtin.git:
repo: "{{ item.src }}"
dest: "{{ item.dest }}"
update: true
update: "{{ update_modsec | default(false) }}"
force: true
version: "{{ item.ver }}"
loop: "{{ modsec_git_urls }}"
notify: restart_nginx
tags: modsec
- name: setup modsec and coreruleset configs
@@ -38,11 +42,13 @@
ansible.builtin.copy:
src: "{{ item.src }}"
dest: "{{ item.dest }}"
force: true
owner: "{{ podman_user }}"
group: "{{ podman_user }}"
force: "{{ update_modsec | default(false) }}"
mode: 0644
remote_src: true
loop: "{{ modsec_conf_links }}"
notify: restart_nginx
notify: restorecon podman
tags: modsec
- name: setup coreruleset rules
@@ -50,25 +56,33 @@
ansible.builtin.copy:
src: "{{ crs_rules_path }}/{{ item.name }}.conf"
dest: "{{ modsec_rules_path }}/{{ item.name }}.conf"
force: true
owner: "{{ podman_user }}"
group: "{{ podman_user }}"
force: "{{ update_modsec | default(false) }}"
mode: 0644
remote_src: true
when: item.enabled
loop: "{{ crs_rule_links }}"
notify: restart_nginx
tags: modsec, modsec_rules
notify: restorecon podman
tags:
- modsec
- modsec_rules
- name: setup coreruleset data
become: true
ansible.builtin.copy:
src: "{{ crs_rules_path }}/{{ item }}.data"
dest: "{{ modsec_rules_path }}/{{ item }}.data"
force: true
force: "{{ update_modsec | default(false) }}"
owner: "{{ podman_user }}"
group: "{{ podman_user }}"
mode: 0644
remote_src: true
loop: "{{ crs_data_links }}"
notify: restart_nginx
tags: modsec, modsec_rules
notify: restorecon podman
tags:
- modsec
- modsec_rules
- name: whitelist local ip addresses
become: true
@@ -76,9 +90,11 @@
path: "{{ modsec_crs_before_rule_conf }}"
regexp: "{{ modsec_whitelist_local_re }}"
line: "{{ modsec_whitelist_local }}"
mode: 0644
notify: restart_nginx
tags: modsec, modsec_rules, modsec_whitelist
notify: restart nginx
tags:
- modsec
- modsec_rules
- modsec_whitelist
- name: activate mod-security
become: true

22
ansible/roles/podman/tasks/configuration-nginx.yml Normal file
View File

@@ -0,0 +1,22 @@
---
- name: create letsencrypt shared root srv directory
become: true
ansible.builtin.file:
path: /srv/http/letsencrypt
owner: "{{ podman_user }}"
group: "{{ podman_user }}"
mode: 0644
state: directory
tags:
- ssl
- https
- import_tasks: configuration-nginx-http.yml
- import_tasks: configuration-nginx-https.yml
- import_tasks: configuration-nginx-modsec.yml
- meta: flush_handlers
tags:
- http
- modsec
- modsec_rules

22
ansible/roles/podman/tasks/container-drone.yml
View File

@@ -8,7 +8,7 @@
group: "{{ podman_user }}"
mode: 0755
notify: restorecon podman
with_items:
loop:
- "{{ drone_path }}/data"
tags: drone
@@ -20,12 +20,14 @@
become_user: "{{ podman_user }}"
containers.podman.podman_container:
name: drone
image: docker.io/drone/drone:latest
image: docker.io/drone/drone:2.11.1
recreate: false
restart: true
restart_policy: on-failure
log_driver: journald
env:
DRONE_LOGS_DEBUG: "true"
DRONE_RPC_DEBUG: "true"
DRONE_GITHUB_CLIENT_ID: "{{ drone_gh_client_id }}"
DRONE_GITHUB_CLIENT_SECRET: "{{ drone_gh_client_sec }}"
DRONE_GIT_ALWAYS_AUTH: "true"
@@ -39,12 +41,18 @@
- "8080:80"
tags: drone
- name: create systemd startup job for drone
include_tasks: systemd-generate.yml
vars:
container_name: drone
tags: drone
- name: create drone-ci worker container
become: true
become_user: "{{ podman_user }}"
containers.podman.podman_container:
name: drone-runner
image: docker.io/80x86/drone-runner-podman:latest
image: docker.io/drone/drone-runner-docker:1.8.1
recreate: false
restart: true
restart_policy: on-failure
@@ -55,7 +63,13 @@
DRONE_RPC_PROTO: "{{ drone_server_proto }}"
DRONE_RUNNER_CAPACITY: "{{ drone_runner_capacity }}"
volumes:
- /run/user/1002/podman/podman.sock:/run/podman/podman.sock
- "/run/user/1002/podman/podman.sock:/var/run/docker.sock"
ports:
- "3000:3000"
tags: drone
- name: create systemd startup job for drone-runner
include_tasks: systemd-generate.yml
vars:
container_name: drone-runner
tags: drone

128
ansible/roles/podman/tasks/container-graylog.yml Normal file
View File

@@ -0,0 +1,128 @@
---
- name: create required graylog volumes
become: true
ansible.builtin.file:
path: "{{ item }}"
state: directory
owner: "{{ podman_subuid.stdout }}"
group: "{{ podman_user }}"
mode: 0755
notify: restorecon podman
loop:
- "{{ graylog_path }}/mongo"
- "{{ graylog_path }}/elastic"
- "{{ graylog_path }}/conf"
- "{{ graylog_path }}/bin"
tags: graylog
- name: copy configuration files
become: true
ansible.builtin.copy:
src: "files/graylog/{{ item.src }}"
dest: "{{ graylog_path }}/{{ item.dest }}"
owner: "{{ podman_subuid.stdout }}"
group: "{{ podman_user }}"
mode: 0644
loop:
- src: "graylogctl"
dest: "bin/graylogctl"
- src: "graylog.conf"
dest: "conf/graylog.conf"
notify: restorecon podman
tags: graylog
- name: unshare chown the elastic volume
become: true
become_user: "{{ podman_user }}"
ansible.builtin.command: |
podman unshare chown -R 1000:1000 {{ graylog_path }}/elastic
tags: graylog
- meta: flush_handlers
tags: graylog
- name: create graylog mongodb container
become: true
become_user: "{{ podman_user }}"
containers.podman.podman_container:
name: graylog-mongo
image: docker.io/mongo:4.2
recreate: false
restart: false
restart_policy: on-failure
network:
- shared
volumes:
- "{{ graylog_path }}/mongo:/data/db"
tags: graylog
- name: create systemd startup job for graylog-mongo
include_tasks: systemd-generate.yml
vars:
container_name: graylog-mongo
tags: graylog
- name: create graylog elasticsearch container
become: true
become_user: "{{ podman_user }}"
containers.podman.podman_container:
name: graylog-elastic
image: docker.elastic.co/elasticsearch/elasticsearch-oss:7.10.2
recreate: true
restart: false
restart_policy: on-failure
network:
- shared
volumes:
- "{{ graylog_path }}/elastic:/usr/share/elasticsearch/data"
env:
http.host: "0.0.0.0"
transport.host: "localhost"
network.host: "0.0.0.0"
cluster.name: "graylog"
ES_JAVA_OPTS: "-Dlog4j2.formatMsgNoLookups=true -Xms512m -Xmx2048m"
tags: graylog
- name: create systemd startup job for graylog-elastic
include_tasks: systemd-generate.yml
vars:
container_name: graylog-elastic
tags: graylog
- name: create graylog container
become: true
become_user: "{{ podman_user }}"
containers.podman.podman_container:
name: graylog
image: docker.io/graylog/graylog:4.2
recreate: false
restart: true
restart_policy: on-failure
sysctl:
net.ipv6.conf.all.disable_ipv6: 1
net.ipv6.conf.default.disable_ipv6: 1
network:
- shared
- host
volumes:
- "{{ graylog_path }}/conf:/usr/share/graylog/data/config"
- "{{ graylog_path }}/bin:/usr/share/graylog/bin"
env:
GRAYLOG_PASSWORD_SECRET: "{{ graylog_secret }}"
GRAYLOG_ROOT_PASSWORD_SHA2: "{{ graylog_root_pass_sha2 }}"
GRAYLOG_HTTP_EXTERNAL_URI: http://{{ ansible_default_ipv4.address }}:9000/
GRAYLOG_HTTP_BIND_ADDRESS: 0.0.0.0:9000
GRAYLOG_MONGODB_URI: mongodb://graylog-mongo/graylog
GRAYLOG_ELASTICSEARCH_HOSTS: http://graylog-elastic:9200
ports:
- "{{ graylog_port }}:9000"
- "{{ syslog_udp_default }}:{{ syslog_udp_default }}/udp"
- "{{ syslog_udp_unifi }}:{{ syslog_udp_unifi }}/udp"
- "{{ syslog_udp_error }}:{{ syslog_udp_error }}/udp"
tags: graylog
- name: create systemd startup job for graylog
include_tasks: systemd-generate.yml
vars:
container_name: graylog
tags: graylog

4
ansible/roles/podman/tasks/container-hass.yml
View File

@@ -8,7 +8,7 @@
group: "{{ podman_user }}"
mode: 0755
notify: restorecon podman
with_items:
loop:
- "{{ hass_path }}/media"
- "{{ hass_path }}/config"
tags: hass
@@ -22,7 +22,7 @@
group: "{{ podman_user }}"
mode: 0644
notify: restorecon podman
with_items:
loop:
- configuration.yaml
- automations.yaml
tags: hass

25
ansible/roles/podman/tasks/container-nginx.yml Normal file
View File

@@ -0,0 +1,25 @@
---
- name: create nginx container
become: true
become_user: "{{ podman_user }}"
containers.podman.podman_container:
name: nginx
image: docker.io/owasp/modsecurity:nginx
entrypoint: ""
command: ["nginx", "-g", "daemon off;"]
recreate: false
restart: true
restart_policy: on-failure:3
log_driver: journald
network:
- host
cap_add:
- CAP_NET_BIND_SERVICE
ports:
- 80:80
- 443:443
volumes:
- "{{ nginx_path }}/etc:/etc/nginx:ro"
- "/srv/http/letsencrypt:/srv/http/letsencrypt:z"
- "/etc/letsencrypt:/etc/letsencrypt:ro"
tags: nginx

38
ansible/roles/podman/tasks/container-partkeepr.yml
View File

@@ -8,20 +8,13 @@
group: "{{ podman_user }}"
mode: 0755
notify: restorecon podman
with_items:
loop:
- "{{ partkeepr_path }}/mysql"
tags: partkeepr
- meta: flush_handlers
tags: partkeepr
- name: create partkeepr network
become: true
become_user: "{{ podman_user }}"
containers.podman.podman_network:
name: partkeepr
tags: partkeepr
- name: create partkeepr-db container
become: true
become_user: "{{ podman_user }}"
@@ -33,7 +26,7 @@
restart_policy: on-failure
log_driver: journald
network:
- partkeepr
- shared
env:
MYSQL_RANDOM_ROOT_PASSWORD: "yes"
MYSQL_DATABASE: partkeepr
@@ -54,13 +47,13 @@
become_user: "{{ podman_user }}"
containers.podman.podman_container:
name: partkeepr
image: docker.io/mhubig/partkeepr:latest
image: docker.io/bdebyl/partkeepr:0.1.10
recreate: false
restart: false
restart_policy: on-failure
log_driver: journald
network:
- partkeepr
- shared
ports:
- "8081:80"
tags: partkeepr
@@ -70,26 +63,3 @@
vars:
container_name: partkeepr
tags: partkeepr
- name: create partkeepr-cron container
become: true
become_user: "{{ podman_user }}"
containers.podman.podman_container:
name: partkeepr-cron
image: docker.io/mhubig/partkeepr:latest
entrypoint: ""
command: >
bash -c "crontab /etc/cron.d/partkeepr && cron -f"
recreate: false
restart: true
restart_policy: on-failure
log_driver: journald
network:
- partkeepr
tags: partkeepr
- name: create systemd startup job for partkeepr-cron
include_tasks: systemd-generate.yml
vars:
container_name: partkeepr-cron
tags: partkeepr

17
ansible/roles/podman/tasks/firewall.yml Normal file
View File

@@ -0,0 +1,17 @@
---
- name: set required podman firewall rules
become: true
ansible.posix.firewalld:
port: "{{ item }}"
permanent: true
state: enabled
loop:
- 80/tcp
- 443/tcp
- "{{ syslog_udp_default }}/udp"
- "{{ syslog_udp_error }}/udp"
- "{{ syslog_udp_unifi }}/udp"
notify: restart firewalld
tags:
- firewall
- http

4
ansible/roles/podman/tasks/main.yml
View File

@@ -1,6 +1,10 @@
---
- import_tasks: podman.yml
- import_tasks: configuration-nginx.yml
- import_tasks: firewall.yml
- import_tasks: container-awsddns.yml
- import_tasks: container-drone.yml
- import_tasks: container-hass.yml
- import_tasks: container-partkeepr.yml
- import_tasks: container-nginx.yml
- import_tasks: container-graylog.yml

54
ansible/roles/podman/tasks/podman.yml
View File

@@ -8,6 +8,28 @@
home: "{{ podman_home }}"
tags: podman
- name: set ulimits for podman user
become: true
community.general.pam_limits:
domain: podman
limit_type: "{{ item.type }}"
limit_item: "{{ item.name }}"
value: "{{ item.value }}"
loop:
- name: memlock
type: soft
value: "unlimited"
- name: memlock
type: hard
value: "unlimited"
- name: nofile
type: soft
value: 39693561
- name: memlock
type: hard
value: 39693561
tags: podman
- name: check if podman user lingering enabled
become: true
ansible.builtin.stat:
@@ -31,7 +53,7 @@
setype: "{{ item.setype }}"
state: present
notify: restorecon podman
with_items:
loop:
- { target: "{{ podman_home }}", setype: "user_home_dir_t" }
- { target: "{{ podman_path }}", setype: "container_file_t" }
tags:
@@ -42,17 +64,41 @@
become: true
become_user: "{{ podman_user }}"
ansible.builtin.file:
path: "{{ podman_home }}/{{ item }}"
path: "{{ item }}"
state: directory
owner: "{{ podman_user }}"
group: "{{ podman_user }}"
mode: 0755
notify: restorecon podman
with_items:
- ".config/systemd/user"
loop:
- "{{ podman_home }}/.config/systemd/user"
- "{{ podman_containers }}"
- "{{ podman_volumes }}"
tags: podman
- meta: flush_handlers
tags: podman
- name: create podman shared network
become: true
become_user: "{{ podman_user }}"
containers.podman.podman_network:
name: shared
tags: podman
- name: allow unprivileged ports to lower number
become: true
ansible.posix.sysctl:
name: net.ipv4.ip_unprivileged_port_start
value: "80"
sysctl_set: true
state: present
reload: true
tags: podman
- name: fetch subuid of {{ podman_user }}
become: true
ansible.builtin.shell: |
cat /etc/subuid | awk -F':' '/{{ podman_user }}/{ print $2 }' | head -n 1
register: podman_subuid
tags: always

4
ansible/roles/http/templates/nginx/nginx.conf.j2 → ansible/roles/podman/templates/nginx/nginx.conf.j2
View File

@@ -4,7 +4,7 @@ worker_processes 1;
load_module /usr/lib/nginx/modules/ngx_http_modsecurity_module.so;
error_log /var/log/nginx/error.log notice;
error_log syslog:server=localhost:{{ syslog_udp_error }},tag=nginx,severity=info notice;
error_log syslog:server=127.0.0.1:{{ syslog_udp_error }},tag=nginx,severity=info notice;
events {
worker_connections 1024;
@@ -46,7 +46,7 @@ http {
'"nginx_access": true }';
access_log /var/log/nginx/access.log main;
access_log syslog:server=localhost:{{ syslog_udp_default }},tag=nginx,severity=info graylog_json;
access_log syslog:server=127.0.0.1:{{ syslog_udp_default }},tag=nginx,severity=info graylog_json;
sendfile on;
server_tokens off;

3
ansible/roles/http/templates/nginx/sites/assistant.bdebyl.net.conf.j2 → ansible/roles/podman/templates/nginx/sites/assistant.bdebyl.net.conf.j2
View File

@@ -2,8 +2,9 @@ upstream hass {
server 127.0.0.1:8123;
}
server {
resolver 192.168.1.12 ipv6=off;
modsecurity on;
modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
modsecurity_rules_file /etc/nginx/modsec_includes.conf;
listen 80;
server_name {{ assistant_server_name }};

0
ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.http.conf.j2 → ansible/roles/podman/templates/nginx/sites/ci.bdebyl.net.http.conf.j2
View File

9
ansible/roles/http/templates/nginx/sites/ci.bdebyl.net.https.conf.j2 → ansible/roles/podman/templates/nginx/sites/ci.bdebyl.net.https.conf.j2
View File

@@ -9,15 +9,16 @@ geo $local_access {
server {
modsecurity on;
modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
modsecurity_rules_file /etc/nginx/modsec_includes.conf;
listen 443 ssl http2;
listen [::]:443 ssl http2;
server_name {{ ci_server_name }};
ssl_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ ci_server_name }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ ci_server_name }}/fullchain.pem;
ssl_dhparam ssl/dhparam.pem;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
@@ -28,14 +29,14 @@ server {
ssl_stapling on;
ssl_stapling_verify on;
resolver 127.0.0.1 127.0.0.53 9.9.9.9 valid=60s;
resolver 9.9.9.9 valid=60s ipv6=off;
location / {
if ($local_access = 1) {
access_log off;
}
add_header Allow "GET, POST, HEAD" always;
add_header Content-Security-Policy "default-src 'self'; img-src 'self' https://*.githubusercontent.com; frame-ancestors 'self'; base-uri 'none',base-uri 'self'; form-action 'self'" always;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline'; img-src 'self' https://*.githubusercontent.com https://*.github.com; frame-ancestors 'self'; base-uri 'none',base-uri 'self'; form-action 'self'" always;
add_header Referrer-Policy "same-origin" always;
add_header Strict-Transport-Security "max-age=630720000; includeSubDomains" always;
add_header X-Content-Type-Options "nosniff" always;

6
ansible/roles/http/templates/nginx/sites/home.bdebyl.net.conf.j2 → ansible/roles/podman/templates/nginx/sites/home.bdebyl.net.conf.j2
View File

@@ -5,15 +5,15 @@ geo $whitelisted {
server {
modsecurity on;
modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
modsecurity_rules_file /etc/nginx/modsec_includes.conf;
listen 80 default_server;
server_name {{ home_server_name }};
if ($whitelisted = 1) {
return 302 http://192.168.1.12;
return 302 http://{{ ansible_default_ipv4.address }};
}
if ($whitelisted = 0) {
return 302 $scheme://bdebyl.net$request_uri;
}
}
}

7
ansible/roles/http/templates/nginx/sites/logs.bdebyl.net.conf.j2 → ansible/roles/podman/templates/nginx/sites/logs.bdebyl.net.conf.j2
View File

@@ -1,5 +1,5 @@
upstream graylog {
server localhost:{{ graylog_port }};
server 127.0.0.1:{{ graylog_port }};
}
geo $local_access {
@@ -9,10 +9,9 @@ geo $local_access {
server {
modsecurity on;
modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
modsecurity_rules_file /etc/nginx/modsec_includes.conf;
listen 80;
listen [::]:80;
server_name {{ logs_server_name }};
location / {
@@ -30,4 +29,4 @@ server {
proxy_buffering off;
proxy_pass http://graylog;
}
}
}

4
ansible/roles/http/templates/nginx/sites/parts.bdebyl.net.conf.j2 → ansible/roles/podman/templates/nginx/sites/parts.bdebyl.net.conf.j2
View File

@@ -5,7 +5,7 @@ geo $whitelisted {
server {
modsecurity on;
modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
modsecurity_rules_file /etc/nginx/modsec_includes.conf;
listen 80;
server_name {{ parts_server_name }};
@@ -18,4 +18,4 @@ server {
location / {
return 302 https://$host$request_uri;
}
}
}

8
ansible/roles/http/templates/nginx/sites/parts.bdebyl.net.https.conf.j2 → ansible/roles/podman/templates/nginx/sites/parts.bdebyl.net.https.conf.j2
View File

@@ -4,12 +4,12 @@ geo $whitelisted {
}
upstream partkeepr {
server localhost:8081;
server 127.0.0.1:8081;
}
server {
modsecurity on;
modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
modsecurity_rules_file /etc/nginx/modsec_includes.conf;
resolver 127.0.0.1 127.0.0.53 9.9.9.9 valid=60s;
@@ -19,7 +19,7 @@ server {
ssl_certificate /etc/letsencrypt/live/{{ parts_server_name }}/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/{{ parts_server_name }}/privkey.pem;
ssl_trusted_certificate /etc/letsencrypt/live/{{ parts_server_name }}/fullchain.pem;
ssl_dhparam ssl/dhparam.pem;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384;
ssl_prefer_server_ciphers off;
@@ -54,4 +54,4 @@ server {
chunked_transfer_encoding off;
}
}
}

5
ansible/roles/http/templates/nginx/sites/pi.bdebyl.net.conf.j2 → ansible/roles/podman/templates/nginx/sites/pi.bdebyl.net.conf.j2
View File

@@ -6,7 +6,7 @@
server {
modsecurity on;
modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
modsecurity_rules_file /etc/nginx/modsec_includes.conf;
listen 80;
@@ -54,5 +54,4 @@ server {
location ~ /\.ht {
deny all;
}
}
}

2
ansible/roles/http/templates/nginx/sites/video.bdebyl.net.conf.j2 → ansible/roles/podman/templates/nginx/sites/video.bdebyl.net.conf.j2
View File

@@ -4,7 +4,7 @@ upstream shinobi {
server {
modsecurity on;
modsecurity_rules_file {{ nginx_path }}/modsec_includes.conf;
modsecurity_rules_file /etc/nginx/modsec_includes.conf;
listen 80;
server_name {{ video_server_name }};

35
ansible/roles/ssl/tasks/certbot.yml
View File

@@ -1,30 +1,4 @@
---
- name: create nginx ssl directory
become: true
ansible.builtin.file:
path: /etc/nginx/ssl
owner: root
group: root
mode: 0644
state: directory
tags: ssl
- name: stat dhparam
become: true
ansible.builtin.stat:
path: /etc/nginx/ssl/dhparam.pem
register: dhparam
tags: ssl
- name: generate openssl dhparam for nginx
become: true
ansible.builtin.command: |
openssl dhparam -out /etc/nginx/ssl/dhparam.pem 2048
when: not dhparam.stat.exists
args:
creates: /etc/nginx/ssl/dhparam.pem
tags: ssl
- name: create ssl certificate for ci server
become: true
ansible.builtin.command: |
@@ -37,3 +11,12 @@
- "{{ ci_server_name }}"
- "{{ parts_server_name }}"
tags: ssl
- name: set group ownership for /etc/letsencrypt/
become: true
ansible.builtin.file:
path: /etc/letsencrypt
owner: "{{ podman_user }}"
group: "{{ podman_user }}"
recurse: true
tags: ssl