chore: gitea-actions improvements, graylog/fluent-bit logging, zomboid mod

- Gitea actions: add handlers, improve deps and service template - Graylog: simplify container config, add Caddy reverse proxy - Add fluent-bit container for log forwarding - Add ClimbDownRope mod (Workshop ID: 3000725405) to zomboid 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-03 17:20:18 -05:00
parent 5832497bbd
commit cf200d82d6
13 changed files with 188 additions and 69 deletions
--- a/ansible/roles/gitea-actions/handlers/main.yml
+++ b/ansible/roles/gitea-actions/handlers/main.yml
@@ -5,3 +5,10 @@
    name: act_runner
    state: restarted
    daemon_reload: true
+
+- name: restart podman socket
+  become: true
+  ansible.builtin.systemd:
+    name: podman.socket
+    state: restarted
+    daemon_reload: true
--- a/ansible/roles/gitea-actions/tasks/deps.yml
+++ b/ansible/roles/gitea-actions/tasks/deps.yml
@@ -8,12 +8,31 @@
    state: present
  tags: gitea-actions

- name: enable podman socket for gitea-runner
+- name: create podman socket override directory
+  become: true
+  ansible.builtin.file:
+    path: /etc/systemd/system/podman.socket.d
+    state: directory
+    mode: "0755"
+  tags: gitea-actions
+
+- name: configure podman socket for gitea-runner access
+  become: true
+  ansible.builtin.copy:
+    dest: /etc/systemd/system/podman.socket.d/override.conf
+    content: |
+      [Socket]
+      SocketMode=0660
+      SocketGroup={{ gitea_runner_user }}
+    mode: "0644"
+  notify: restart podman socket
+  tags: gitea-actions
+
+- name: enable system podman socket
  become: true
-  become_user: "{{ gitea_runner_user }}"
  ansible.builtin.systemd:
    name: podman.socket
+    daemon_reload: true
    enabled: true
    state: started
-    scope: user
  tags: gitea-actions
--- a/ansible/roles/gitea-actions/templates/act_runner.service.j2
+++ b/ansible/roles/gitea-actions/templates/act_runner.service.j2
@@ -1,7 +1,7 @@
 [Unit]
 Description=Gitea Actions runner
 Documentation=https://gitea.com/gitea/act_runner
-After=network.target
+After=network.target podman.socket

 [Service]
 ExecStart={{ act_runner_bin }} daemon --config {{ act_runner_config_dir }}/config.yaml
@@ -10,8 +10,7 @@ TimeoutSec=0
 RestartSec=10
 Restart=always
 User={{ gitea_runner_user }}
-Environment="XDG_RUNTIME_DIR=/run/user/%(uid)"
-Environment="DOCKER_HOST=unix:///run/user/%(uid)/podman/podman.sock"
+Environment="DOCKER_HOST=unix:///run/podman/podman.sock"

 [Install]
 WantedBy=multi-user.target
--- a/ansible/roles/gitea-actions/templates/config.yaml.j2
+++ b/ansible/roles/gitea-actions/templates/config.yaml.j2
@@ -2,7 +2,7 @@ log:
  level: info

 runner:
-  file: .runner
+  file: {{ act_runner_work_dir }}/.runner
  capacity: 1
  timeout: 3h
  insecure: false
--- a/ansible/roles/podman/defaults/main.yml
+++ b/ansible/roles/podman/defaults/main.yml
@@ -37,11 +37,11 @@ zomboid_server_names:
 # Load order: Libraries first (damnlib, tsarslib), then dependent mods, then others
 zomboid_mods:
  workshop_items: >-
-    3171167894;3402491515;3330403100;2409333430;3073430075;3379334330;3110913021;3366300557;3034636011;3409287192;3005903549;3161951724;3413704851;3413706334;3287727378;3226885926;2625625421;3418252689;3418253716;3152529790;2478247379;2942793445;2991201484;2913633066;2873290424;3428008364;3253385114;2846036306;2642541073;3435796523;3008795514;3447272250;3026723485;2900580391;2870394916;3292659291;2969343830;2566953935;2962175696;3196180339;3258343790;3346905070;3320947974;3478633453;2952802178;3001592312;3052360250;3490370700;2932547723;2805630347;3504401781;2772575623;3110911330;3088951320;3213391371;2932549988;3041122351;2971246021;3539691958;3315443103;2886832257;2886832936;2886833398;2811383142;2799152995;3248388837;3566868353;3570973322;2897390033;3592777775;3596903773;3601417745;3614034284;3577903007;3407042038;3405178154;3402493701;3402812859;3616536783;3431734923;3429790870;2850935956;3307376332;3397182976;3432928943;3610005735;3540297822;3426448380;3579640010;3389448389;3393821407;3044705007;2866258937;3490188370;3508537032;3451167732;3461263912;2903771337
+    3171167894;3402491515;3330403100;2409333430;3073430075;3379334330;3110913021;3366300557;3034636011;3409287192;3005903549;3161951724;3413704851;3413706334;3287727378;3226885926;2625625421;3418252689;3418253716;3152529790;2478247379;2942793445;2991201484;2913633066;2873290424;3428008364;3253385114;2846036306;2642541073;3435796523;3008795514;3447272250;3026723485;2900580391;2870394916;3292659291;2969343830;2566953935;2962175696;3196180339;3258343790;3346905070;3320947974;3478633453;2952802178;3001592312;3052360250;3490370700;2932547723;2805630347;3504401781;2772575623;3110911330;3088951320;3213391371;2932549988;3041122351;2971246021;3539691958;3315443103;2886832257;2886832936;2886833398;2811383142;2799152995;3248388837;3566868353;3570973322;2897390033;3592777775;3596903773;3601417745;3614034284;3577903007;3407042038;3405178154;3402493701;3402812859;3616536783;3431734923;3429790870;2850935956;3307376332;3397182976;3432928943;3610005735;3540297822;3426448380;3579640010;3389448389;3393821407;3044705007;2866258937;3490188370;3508537032;3451167732;3461263912;2903771337;3629835761;3000725405
  # Build 42 requires backslash prefix for each mod ID
  # Load order: 1) damnlib 2) tsarslib 3) KI5 vehicles 4) Autotsar vehicles 5) Everything else
  mod_ids: >-
-    \damnlib;\tsarslib;\KI5trailers;\91range;\93fordF350;\82porsche911;\90bmwE30;\91fordLTD;\89dodgeCaravan;\84jeepXJ;\63beetle;\76chevyKseries;\85chevyCaprice;\85pontiacParisienne;\92jeepYJ;\92jeepYJJP18;\87buickRegal;\isoContainers;\85buickLeSabre;\85oldsmobileDelta88;\93chevySuburban;\93chevySuburbanExpanded;\67commando;\90pierceArrow;\69camaro;\70barracuda;\70dodge;\86chevyCUCV;\81deloreanDMC12;\81deloreanDMC12BTTF;\92nissanGTR;\92amgeneralM998;\88toyotaHilux;\91geoMetro;\66pontiacLeMans;\67gt500;\49powerWagon;\86fordE150;\86fordE150dnd;\86fordE150mm;\86fordE150pd;\86fordE150expanded;\89volvo200;\93fordElgin;\86oshkoshP19A;\92fordCVPI;\87chevySuburban;\68firebird;\77firebird;\82firebird;\82firebirdKITT;\04vwTouran;\90fordF350ambulance;\93mustangSSP;\87toyotaMR2;\73fordFalcon;\73fordFalconPS;\93townCar;\84merc;\91nissan240sx;\59meteor;\ECTO1;\87fordB700;\93fordTaurus;\75grandPrix;\89trooper;\63Type2Van;\99fordCVPI;\91fordRanger;\98stagea;\82jeepJ10;\82jeepJ10t;\88chevyS10;\89fordBronco;\83amgeneralM923;\78amgeneralM35A2;\78amgeneralM35A2extra;\78amgeneralM49A2C;\78amgeneralM50A3;\78amgeneralM62;\80manKat1;\65banshee;\89defender;\97bushmaster;\84cadillacDeVille;\84buickElectra;\84oldsmobile98;\85chevyStepVan;\85chevyStepVanexpanded;\autotsartrailers;\ATA_Jeep;\ATA_Jeep_x10;\ATA_Jeep_x2;\ATA_Jeep_x4;\ATA_Mustang;\ATA_Mustang_x2;\ATA_Mustang_x4;\ATA_Bus;\VanillaFoodsExpanded;\TombWardrobeALT;\TombWardrobeALTVanilla;\TombBodyCompat;\TombBodyCompatBootsExp;\TombBody;\TombBodyCustom;\TombBodyTex;\TombBodyTexDOLL;\TombBodyTexNUDE;\SM4BootsExpandedB42;\SM4BootsExpandedFlatshoes;\GanydeBielovzki's Frockin Splendor!;\RandomClothing;\EFTBP;\AliceGear;\TableSaw;\stanks_suicide;\STA_PryOpen;\AutoReload;\DBFaster50;\DBFaster60;\DBFaster70;\DBFaster80;\FixBlowTorchPropaneTank;\MiniHealthPanel;\P4HasBeenRead;\Project_Cook;\NeatUI_Framework;\ModernStatus;\CleanHotBar;\REORDER_THE_HOTBAR
+    \damnlib;\tsarslib;\KI5trailers;\91range;\93fordF350;\82porsche911;\90bmwE30;\91fordLTD;\89dodgeCaravan;\84jeepXJ;\63beetle;\76chevyKseries;\85chevyCaprice;\85pontiacParisienne;\92jeepYJ;\92jeepYJJP18;\87buickRegal;\isoContainers;\85buickLeSabre;\85oldsmobileDelta88;\93chevySuburban;\93chevySuburbanExpanded;\67commando;\90pierceArrow;\69camaro;\70barracuda;\70dodge;\86chevyCUCV;\81deloreanDMC12;\81deloreanDMC12BTTF;\92nissanGTR;\92amgeneralM998;\88toyotaHilux;\91geoMetro;\66pontiacLeMans;\67gt500;\49powerWagon;\86fordE150;\86fordE150dnd;\86fordE150mm;\86fordE150pd;\86fordE150expanded;\89volvo200;\93fordElgin;\86oshkoshP19A;\92fordCVPI;\87chevySuburban;\68firebird;\77firebird;\82firebird;\82firebirdKITT;\04vwTouran;\90fordF350ambulance;\93mustangSSP;\87toyotaMR2;\73fordFalcon;\73fordFalconPS;\93townCar;\84merc;\91nissan240sx;\59meteor;\ECTO1;\87fordB700;\93fordTaurus;\75grandPrix;\89trooper;\63Type2Van;\99fordCVPI;\91fordRanger;\98stagea;\82jeepJ10;\82jeepJ10t;\88chevyS10;\89fordBronco;\83amgeneralM923;\78amgeneralM35A2;\78amgeneralM35A2extra;\78amgeneralM49A2C;\78amgeneralM50A3;\78amgeneralM62;\80manKat1;\65banshee;\89defender;\97bushmaster;\84cadillacDeVille;\84buickElectra;\84oldsmobile98;\85chevyStepVan;\85chevyStepVanexpanded;\autotsartrailers;\ATA_Jeep;\ATA_Jeep_x10;\ATA_Jeep_x2;\ATA_Jeep_x4;\ATA_Mustang;\ATA_Mustang_x2;\ATA_Mustang_x4;\ATA_Bus;\VanillaFoodsExpanded;\TombWardrobeALT;\TombWardrobeALTVanilla;\TombBodyCompat;\TombBodyCompatBootsExp;\TombBody;\TombBodyCustom;\TombBodyTex;\TombBodyTexDOLL;\TombBodyTexNUDE;\SM4BootsExpandedB42;\SM4BootsExpandedFlatshoes;\GanydeBielovzki's Frockin Splendor!;\RandomClothing;\EFTBP;\AliceGear;\TableSaw;\stanks_suicide;\STA_PryOpen;\AutoReload;\DBFaster50;\DBFaster60;\DBFaster70;\DBFaster80;\FixBlowTorchPropaneTank;\MiniHealthPanel;\P4HasBeenRead;\Project_Cook;\NeatUI_Framework;\ModernStatus;\CleanHotBar;\REORDER_THE_HOTBAR;\Ladders42131;\ClimbDownRope
 pihole_path: "{{ podman_volumes }}/pihole"
 sshpass_cron_path: "{{ podman_volumes }}/sshpass_cron"
 caddy_path: "{{ podman_volumes }}/caddy"
@@ -108,5 +108,7 @@ caddy_security_headers:
 # Graylog logging stack
 graylog_path: "{{ podman_volumes }}/graylog"
 logs_server_name: logs.debyl.io
-# Update tag to specific SHA after CI builds (e.g., :abc1234)
-gelf_proxy_image: git.debyl.io/debyltech/gelf-proxy:main
+# gelf_auth_token: defined in vault - X-Gelf-Token header for Lambda GELF HTTP auth
+
+# Fluent Bit is deployed as a systemd service (not container)
+# for direct journal access - see containers/base/fluent-bit.yml
--- a/ansible/roles/podman/handlers/main.yml
+++ b/ansible/roles/podman/handlers/main.yml
@@ -42,3 +42,11 @@
    scope: user
  tags:
    - zomboid
+
+- name: restart fluent-bit
+  become: true
+  ansible.builtin.systemd:
+    name: fluent-bit
+    state: restarted
+  tags:
+    - fluent-bit
--- a/ansible/roles/podman/tasks/containers/base/fluent-bit.yml
+++ b/ansible/roles/podman/tasks/containers/base/fluent-bit.yml
@@ -0,0 +1,45 @@
+---
+# Fluent Bit - Log forwarder from journald to Graylog GELF
+# Deployed as systemd service (not container) for direct journal access
+
+# Clean up old container deployment if it exists
+- name: stop and remove fluent-bit container if exists
+  become: true
+  become_user: "{{ podman_user }}"
+  containers.podman.podman_container:
+    name: fluent-bit
+    state: absent
+  ignore_errors: true
+
+- name: disable old fluent-bit container systemd service
+  become: true
+  become_user: "{{ podman_user }}"
+  ansible.builtin.systemd:
+    name: fluent-bit
+    enabled: false
+    state: stopped
+    scope: user
+  ignore_errors: true
+
+- name: install fluent-bit package
+  become: true
+  ansible.builtin.dnf:
+    name: fluent-bit
+    state: present
+
+- name: deploy fluent-bit configuration
+  become: true
+  ansible.builtin.template:
+    src: fluent-bit/fluent-bit.conf.j2
+    dest: /etc/fluent-bit/fluent-bit.conf
+    owner: root
+    group: root
+    mode: '0644'
+  notify: restart fluent-bit
+
+- name: enable and start fluent-bit service
+  become: true
+  ansible.builtin.systemd:
+    name: fluent-bit
+    enabled: true
+    state: started
--- a/ansible/roles/podman/tasks/containers/debyltech/graylog.yml
+++ b/ansible/roles/podman/tasks/containers/debyltech/graylog.yml
@@ -1,6 +1,6 @@
 ---
 # Graylog Logging Stack
-# Deploys MongoDB, OpenSearch, Graylog, and GELF decryption proxy
+# Deploys MongoDB, OpenSearch, and Graylog

 # System prerequisite: OpenSearch requires increased virtual memory
 - name: set vm.max_map_count for OpenSearch
@@ -72,12 +72,10 @@
  tags: graylog

 # MongoDB container
- name: pull graylog-mongo image
-  become: true
-  become_user: "{{ podman_user }}"
-  containers.podman.podman_image:
-    name: docker.io/mongo:6
-    state: present
+- import_tasks: podman/podman-check.yml
+  vars:
+    container_name: graylog-mongo
+    container_image: docker.io/mongo:6
  tags: graylog

 - name: create graylog-mongo container
@@ -87,7 +85,6 @@
    name: graylog-mongo
    image: docker.io/mongo:6
    state: started
-    recreate: true
    restart_policy: on-failure:3
    log_driver: journald
    volumes:
@@ -103,12 +100,10 @@
  tags: graylog

 # OpenSearch container
- name: pull graylog-opensearch image
-  become: true
-  become_user: "{{ podman_user }}"
-  containers.podman.podman_image:
-    name: docker.io/opensearchproject/opensearch:2
-    state: present
+- import_tasks: podman/podman-check.yml
+  vars:
+    container_name: graylog-opensearch
+    container_image: docker.io/opensearchproject/opensearch:2
  tags: graylog

 - name: create graylog-opensearch container
@@ -118,7 +113,6 @@
    name: graylog-opensearch
    image: docker.io/opensearchproject/opensearch:2
    state: started
-    recreate: true
    restart_policy: on-failure:3
    log_driver: journald
    env:
@@ -138,16 +132,14 @@
  tags: graylog

 # Graylog container
- name: pull graylog image
-  become: true
-  become_user: "{{ podman_user }}"
-  containers.podman.podman_image:
-    name: docker.io/graylog/graylog:6.0
-    state: present
+- import_tasks: podman/podman-check.yml
+  vars:
+    container_name: graylog
+    container_image: docker.io/graylog/graylog:6.0
  tags: graylog

 # Graylog uses host network to reach MongoDB/OpenSearch on 127.0.0.1
-# Binds to: 9000 (web UI), 12202 (GELF UDP from gelf-proxy)
+# Binds to: 9000 (web UI), 12202 (GELF HTTP input proxied via Caddy)
 - name: create graylog container
  become: true
  become_user: "{{ podman_user }}"
@@ -155,7 +147,6 @@
    name: graylog
    image: docker.io/graylog/graylog:6.0
    state: started
-    recreate: true
    restart_policy: on-failure:3
    log_driver: journald
    network: host
@@ -178,38 +169,3 @@
  vars:
    container_name: graylog
  tags: graylog
-
-# GELF Decryption Proxy (container)
- import_tasks: gitea/podman-gitea-login.yml
-  tags: graylog
-
- name: pull gelf-proxy image
-  become: true
-  become_user: "{{ podman_user }}"
-  containers.podman.podman_image:
-    name: "{{ gelf_proxy_image }}"
-    state: present
-  tags: graylog
-
- name: create gelf-proxy container
-  become: true
-  become_user: "{{ podman_user }}"
-  containers.podman.podman_container:
-    name: gelf-proxy
-    image: "{{ gelf_proxy_image }}"
-    state: started
-    recreate: true
-    restart_policy: on-failure:3
-    log_driver: journald
-    network: host
-    env:
-      GELF_KEY: "{{ gelf_encryption_key }}"
-      GELF_LISTEN: ":12201"
-      GELF_FORWARD: "127.0.0.1:12202"
-  tags: graylog
-
- name: create systemd startup job for gelf-proxy
-  include_tasks: podman/systemd-generate.yml
-  vars:
-    container_name: gelf-proxy
-  tags: graylog
--- a/ansible/roles/podman/tasks/firewall.yml
+++ b/ansible/roles/podman/tasks/firewall.yml
@@ -69,5 +69,7 @@
    - 1080/tcp
    - 1443/tcp
    - 7000/tcp
+    # gelf-proxy (removed - now using GELF HTTP via Caddy)
+    - 12201/udp
  notify: restart firewalld
  tags: firewall
--- a/ansible/roles/podman/tasks/main.yml
+++ b/ansible/roles/podman/tasks/main.yml
@@ -81,6 +81,12 @@
    image: docker.io/louislam/uptime-kuma:1
  tags: debyltech, uptime-kuma

+- import_tasks: containers/debyltech/graylog.yml
+  tags: debyltech, graylog
+
+- import_tasks: containers/base/fluent-bit.yml
+  tags: fluent-bit, graylog
+
 - import_tasks: containers/home/nosql.yml
  vars:
    image: docker.io/redis:7.2.1-alpine
--- a/ansible/roles/podman/templates/caddy/Caddyfile.j2
+++ b/ansible/roles/podman/templates/caddy/Caddyfile.j2
@@ -177,6 +177,49 @@
 	}
 }

+# Graylog Logs - {{ logs_server_name }}
+{{ logs_server_name }} {
+	# GELF HTTP endpoint - open for Lambda (auth via header)
+	# Must come BEFORE ip_restricted_site to allow external access
+	@gelf_authorized {
+		path /gelf
+		header X-Gelf-Token "{{ gelf_auth_token }}"
+	}
+
+	handle @gelf_authorized {
+		reverse_proxy localhost:12202
+	}
+
+	# Reject unauthorized GELF requests
+	handle /gelf {
+		respond "Unauthorized" 401
+	}
+
+	# IP restriction for Graylog web UI (excludes /gelf which is handled above)
+	@local {
+		remote_ip {{ caddy_local_networks | join(' ') }}
+	}
+
+	@denied {
+		not remote_ip {{ caddy_local_networks | join(' ') }}
+		not path /gelf
+	}
+
+	handle @denied {
+		redir https://debyl.io{uri} 302
+	}
+
+	handle @local {
+		import common_headers
+		reverse_proxy localhost:9000
+	}
+
+	log {
+		output file /var/log/caddy/graylog.log
+		format json
+	}
+}
+
 # ============================================================================
 # COMPLEX CONFIGURATIONS
 # ============================================================================
--- a/ansible/roles/podman/templates/fluent-bit/fluent-bit.conf.j2
+++ b/ansible/roles/podman/templates/fluent-bit/fluent-bit.conf.j2
@@ -0,0 +1,32 @@
+[SERVICE]
+    Flush        5
+    Daemon       Off
+    Log_Level    info
+    Parsers_File parsers.conf
+
+# Read from systemd journal - filter for Podman container logs
+# Container logs come from conmon process with CONTAINER_NAME field
+[INPUT]
+    Name            systemd
+    Tag             journal.*
+    Systemd_Filter  _COMM=conmon
+    Read_From_Tail  On
+    Strip_Underscores On
+
+# Extract container name for better filtering in Graylog
+[FILTER]
+    Name          record_modifier
+    Match         journal.*
+    Record        host {{ ansible_hostname }}
+    Record        source podman
+
+# Output to Graylog GELF UDP (local, port 12203)
+# Graylog needs a GELF UDP input configured on this port
+[OUTPUT]
+    Name          gelf
+    Match         journal.*
+    Host          127.0.0.1
+    Port          12203
+    Mode          udp
+    Gelf_Short_Message_Key MESSAGE
+    Gelf_Host_Key host
--- a/ansible/vars/vault.yml
+++ b/ansible/vars/vault.yml