diff --git a/ansible/roles/gitea-actions/handlers/main.yml b/ansible/roles/gitea-actions/handlers/main.yml index 57fad82..477a51c 100644 --- a/ansible/roles/gitea-actions/handlers/main.yml +++ b/ansible/roles/gitea-actions/handlers/main.yml @@ -5,3 +5,10 @@ name: act_runner state: restarted daemon_reload: true + +- name: restart podman socket + become: true + ansible.builtin.systemd: + name: podman.socket + state: restarted + daemon_reload: true diff --git a/ansible/roles/gitea-actions/tasks/deps.yml b/ansible/roles/gitea-actions/tasks/deps.yml index d7731a6..533d544 100644 --- a/ansible/roles/gitea-actions/tasks/deps.yml +++ b/ansible/roles/gitea-actions/tasks/deps.yml @@ -8,12 +8,31 @@ state: present tags: gitea-actions -- name: enable podman socket for gitea-runner +- name: create podman socket override directory + become: true + ansible.builtin.file: + path: /etc/systemd/system/podman.socket.d + state: directory + mode: "0755" + tags: gitea-actions + +- name: configure podman socket for gitea-runner access + become: true + ansible.builtin.copy: + dest: /etc/systemd/system/podman.socket.d/override.conf + content: | + [Socket] + SocketMode=0660 + SocketGroup={{ gitea_runner_user }} + mode: "0644" + notify: restart podman socket + tags: gitea-actions + +- name: enable system podman socket become: true - become_user: "{{ gitea_runner_user }}" ansible.builtin.systemd: name: podman.socket + daemon_reload: true enabled: true state: started - scope: user tags: gitea-actions diff --git a/ansible/roles/gitea-actions/templates/act_runner.service.j2 b/ansible/roles/gitea-actions/templates/act_runner.service.j2 index 851c194..0930b9f 100644 --- a/ansible/roles/gitea-actions/templates/act_runner.service.j2 +++ b/ansible/roles/gitea-actions/templates/act_runner.service.j2 
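Review bot: The override written by `configure podman socket for gitea-runner access` (`SocketMode=0660`, `SocketGroup={{ gitea_runner_user }}`) together with `DOCKER_HOST=unix:///run/podman/podman.sock` in the act_runner.service.j2 hunk hands the runner user the rootful podman socket, which is root-equivalent on the host (a client there can run privileged containers and mount the host filesystem), whereas the removed `scope: user` / `become_user` socket confined it to the runner's own uid; whether workflow jobs themselves can reach the socket depends on the runner's container options, which are not in this diff. If that trust level is intended, record it on the task, e.g. `# Rootful socket: root-equivalent access for gitea_runner_user - only run jobs from trusted repos on this host`, and otherwise keep the rootless socket. `SocketGroup=` takes a group name, so this assumes a group named after `gitea_runner_user` exists; if the user is created with a different primary group, podman.socket fails to activate, so a dedicated group variable (or an explicit group task before the copy) is safer.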
@@ -1,7 +1,7 @@ [Unit] Description=Gitea Actions runner Documentation=https://gitea.com/gitea/act_runner -After=network.target +After=network.target podman.socket [Service] ExecStart={{ act_runner_bin }} daemon --config {{ act_runner_config_dir }}/config.yaml @@ -10,8 +10,7 @@ TimeoutSec=0 RestartSec=10 Restart=always User={{ gitea_runner_user }} -Environment="XDG_RUNTIME_DIR=/run/user/%(uid)" -Environment="DOCKER_HOST=unix:///run/user/%(uid)/podman/podman.sock" +Environment="DOCKER_HOST=unix:///run/podman/podman.sock" [Install] WantedBy=multi-user.target diff --git a/ansible/roles/gitea-actions/templates/config.yaml.j2 b/ansible/roles/gitea-actions/templates/config.yaml.j2 index 8581ee9..a9ee272 100644 --- a/ansible/roles/gitea-actions/templates/config.yaml.j2 +++ b/ansible/roles/gitea-actions/templates/config.yaml.j2 @@ -2,7 +2,7 @@ log: level: info runner: - file: .runner + file: {{ act_runner_work_dir }}/.runner capacity: 1 timeout: 3h insecure: false diff --git a/ansible/roles/podman/defaults/main.yml b/ansible/roles/podman/defaults/main.yml index 359f6eb..c66759a 100644 --- a/ansible/roles/podman/defaults/main.yml +++ b/ansible/roles/podman/defaults/main.yml 
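Review bot: `After=network.target podman.socket` only orders the runner after the socket; without a dependency line the unit still starts when podman.socket is inactive and then fails against `/run/podman/podman.sock`, which the existing `Restart=always` turns into a retry loop. Add `Wants=podman.socket` (or `Requires=podman.socket` if the runner is useless without it) beside the `After=` line. The `DOCKER_HOST` change in the second hunk is discussed in the deps.yml note.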
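Review bot: `file: {{ act_runner_work_dir }}/.runner` leaves the rendered value unquoted, so a work dir containing a space, `#` or `: ` would break the YAML that act_runner reads; `file: "{{ act_runner_work_dir }}/.runner"` is safe for any path. Since this file records the runner's registration with the Gitea instance, a comment naming the expected owner and mode of the work dir (the task creating it is not in this diff) would help the next reader.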
@@ -37,11 +37,11 @@ zomboid_server_names: # Load order: Libraries first (damnlib, tsarslib), then dependent mods, then others zomboid_mods: workshop_items: >- - 3171167894;3402491515;3330403100;2409333430;3073430075;3379334330;3110913021;3366300557;3034636011;3409287192;3005903549;3161951724;3413704851;3413706334;3287727378;3226885926;2625625421;3418252689;3418253716;3152529790;2478247379;2942793445;2991201484;2913633066;2873290424;3428008364;3253385114;2846036306;2642541073;3435796523;3008795514;3447272250;3026723485;2900580391;2870394916;3292659291;2969343830;2566953935;2962175696;3196180339;3258343790;3346905070;3320947974;3478633453;2952802178;3001592312;3052360250;3490370700;2932547723;2805630347;3504401781;2772575623;3110911330;3088951320;3213391371;2932549988;3041122351;2971246021;3539691958;3315443103;2886832257;2886832936;2886833398;2811383142;2799152995;3248388837;3566868353;3570973322;2897390033;3592777775;3596903773;3601417745;3614034284;3577903007;3407042038;3405178154;3402493701;3402812859;3616536783;3431734923;3429790870;2850935956;3307376332;3397182976;3432928943;3610005735;3540297822;3426448380;3579640010;3389448389;3393821407;3044705007;2866258937;3490188370;3508537032;3451167732;3461263912;2903771337 + 
3171167894;3402491515;3330403100;2409333430;3073430075;3379334330;3110913021;3366300557;3034636011;3409287192;3005903549;3161951724;3413704851;3413706334;3287727378;3226885926;2625625421;3418252689;3418253716;3152529790;2478247379;2942793445;2991201484;2913633066;2873290424;3428008364;3253385114;2846036306;2642541073;3435796523;3008795514;3447272250;3026723485;2900580391;2870394916;3292659291;2969343830;2566953935;2962175696;3196180339;3258343790;3346905070;3320947974;3478633453;2952802178;3001592312;3052360250;3490370700;2932547723;2805630347;3504401781;2772575623;3110911330;3088951320;3213391371;2932549988;3041122351;2971246021;3539691958;3315443103;2886832257;2886832936;2886833398;2811383142;2799152995;3248388837;3566868353;3570973322;2897390033;3592777775;3596903773;3601417745;3614034284;3577903007;3407042038;3405178154;3402493701;3402812859;3616536783;3431734923;3429790870;2850935956;3307376332;3397182976;3432928943;3610005735;3540297822;3426448380;3579640010;3389448389;3393821407;3044705007;2866258937;3490188370;3508537032;3451167732;3461263912;2903771337;3629835761;3000725405 # Build 42 requires backslash prefix for each mod ID # Load order: 1) damnlib 2) tsarslib 3) KI5 vehicles 4) Autotsar vehicles 5) Everything else mod_ids: >- - 
\damnlib;\tsarslib;\KI5trailers;\91range;\93fordF350;\82porsche911;\90bmwE30;\91fordLTD;\89dodgeCaravan;\84jeepXJ;\63beetle;\76chevyKseries;\85chevyCaprice;\85pontiacParisienne;\92jeepYJ;\92jeepYJJP18;\87buickRegal;\isoContainers;\85buickLeSabre;\85oldsmobileDelta88;\93chevySuburban;\93chevySuburbanExpanded;\67commando;\90pierceArrow;\69camaro;\70barracuda;\70dodge;\86chevyCUCV;\81deloreanDMC12;\81deloreanDMC12BTTF;\92nissanGTR;\92amgeneralM998;\88toyotaHilux;\91geoMetro;\66pontiacLeMans;\67gt500;\49powerWagon;\86fordE150;\86fordE150dnd;\86fordE150mm;\86fordE150pd;\86fordE150expanded;\89volvo200;\93fordElgin;\86oshkoshP19A;\92fordCVPI;\87chevySuburban;\68firebird;\77firebird;\82firebird;\82firebirdKITT;\04vwTouran;\90fordF350ambulance;\93mustangSSP;\87toyotaMR2;\73fordFalcon;\73fordFalconPS;\93townCar;\84merc;\91nissan240sx;\59meteor;\ECTO1;\87fordB700;\93fordTaurus;\75grandPrix;\89trooper;\63Type2Van;\99fordCVPI;\91fordRanger;\98stagea;\82jeepJ10;\82jeepJ10t;\88chevyS10;\89fordBronco;\83amgeneralM923;\78amgeneralM35A2;\78amgeneralM35A2extra;\78amgeneralM49A2C;\78amgeneralM50A3;\78amgeneralM62;\80manKat1;\65banshee;\89defender;\97bushmaster;\84cadillacDeVille;\84buickElectra;\84oldsmobile98;\85chevyStepVan;\85chevyStepVanexpanded;\autotsartrailers;\ATA_Jeep;\ATA_Jeep_x10;\ATA_Jeep_x2;\ATA_Jeep_x4;\ATA_Mustang;\ATA_Mustang_x2;\ATA_Mustang_x4;\ATA_Bus;\VanillaFoodsExpanded;\TombWardrobeALT;\TombWardrobeALTVanilla;\TombBodyCompat;\TombBodyCompatBootsExp;\TombBody;\TombBodyCustom;\TombBodyTex;\TombBodyTexDOLL;\TombBodyTexNUDE;\SM4BootsExpandedB42;\SM4BootsExpandedFlatshoes;\GanydeBielovzki's Frockin Splendor!;\RandomClothing;\EFTBP;\AliceGear;\TableSaw;\stanks_suicide;\STA_PryOpen;\AutoReload;\DBFaster50;\DBFaster60;\DBFaster70;\DBFaster80;\FixBlowTorchPropaneTank;\MiniHealthPanel;\P4HasBeenRead;\Project_Cook;\NeatUI_Framework;\ModernStatus;\CleanHotBar;\REORDER_THE_HOTBAR + 
\damnlib;\tsarslib;\KI5trailers;\91range;\93fordF350;\82porsche911;\90bmwE30;\91fordLTD;\89dodgeCaravan;\84jeepXJ;\63beetle;\76chevyKseries;\85chevyCaprice;\85pontiacParisienne;\92jeepYJ;\92jeepYJJP18;\87buickRegal;\isoContainers;\85buickLeSabre;\85oldsmobileDelta88;\93chevySuburban;\93chevySuburbanExpanded;\67commando;\90pierceArrow;\69camaro;\70barracuda;\70dodge;\86chevyCUCV;\81deloreanDMC12;\81deloreanDMC12BTTF;\92nissanGTR;\92amgeneralM998;\88toyotaHilux;\91geoMetro;\66pontiacLeMans;\67gt500;\49powerWagon;\86fordE150;\86fordE150dnd;\86fordE150mm;\86fordE150pd;\86fordE150expanded;\89volvo200;\93fordElgin;\86oshkoshP19A;\92fordCVPI;\87chevySuburban;\68firebird;\77firebird;\82firebird;\82firebirdKITT;\04vwTouran;\90fordF350ambulance;\93mustangSSP;\87toyotaMR2;\73fordFalcon;\73fordFalconPS;\93townCar;\84merc;\91nissan240sx;\59meteor;\ECTO1;\87fordB700;\93fordTaurus;\75grandPrix;\89trooper;\63Type2Van;\99fordCVPI;\91fordRanger;\98stagea;\82jeepJ10;\82jeepJ10t;\88chevyS10;\89fordBronco;\83amgeneralM923;\78amgeneralM35A2;\78amgeneralM35A2extra;\78amgeneralM49A2C;\78amgeneralM50A3;\78amgeneralM62;\80manKat1;\65banshee;\89defender;\97bushmaster;\84cadillacDeVille;\84buickElectra;\84oldsmobile98;\85chevyStepVan;\85chevyStepVanexpanded;\autotsartrailers;\ATA_Jeep;\ATA_Jeep_x10;\ATA_Jeep_x2;\ATA_Jeep_x4;\ATA_Mustang;\ATA_Mustang_x2;\ATA_Mustang_x4;\ATA_Bus;\VanillaFoodsExpanded;\TombWardrobeALT;\TombWardrobeALTVanilla;\TombBodyCompat;\TombBodyCompatBootsExp;\TombBody;\TombBodyCustom;\TombBodyTex;\TombBodyTexDOLL;\TombBodyTexNUDE;\SM4BootsExpandedB42;\SM4BootsExpandedFlatshoes;\GanydeBielovzki's Frockin Splendor!;\RandomClothing;\EFTBP;\AliceGear;\TableSaw;\stanks_suicide;\STA_PryOpen;\AutoReload;\DBFaster50;\DBFaster60;\DBFaster70;\DBFaster80;\FixBlowTorchPropaneTank;\MiniHealthPanel;\P4HasBeenRead;\Project_Cook;\NeatUI_Framework;\ModernStatus;\CleanHotBar;\REORDER_THE_HOTBAR;\Ladders42131;\ClimbDownRope pihole_path: "{{ podman_volumes }}/pihole" sshpass_cron_path: "{{ 
podman_volumes }}/sshpass_cron" caddy_path: "{{ podman_volumes }}/caddy" @@ -108,5 +108,7 @@ caddy_security_headers: # Graylog logging stack graylog_path: "{{ podman_volumes }}/graylog" logs_server_name: logs.debyl.io -# Update tag to specific SHA after CI builds (e.g., :abc1234) -gelf_proxy_image: git.debyl.io/debyltech/gelf-proxy:main +# gelf_auth_token: defined in vault - X-Gelf-Token header for Lambda GELF HTTP auth + +# Fluent Bit is deployed as a systemd service (not container) +# for direct journal access - see containers/base/fluent-bit.yml diff --git a/ansible/roles/podman/handlers/main.yml b/ansible/roles/podman/handlers/main.yml index fa095dd..6d45864 100644 --- a/ansible/roles/podman/handlers/main.yml +++ b/ansible/roles/podman/handlers/main.yml @@ -42,3 +42,11 @@ scope: user tags: - zomboid + +- name: restart fluent-bit + become: true + ansible.builtin.systemd: + name: fluent-bit + state: restarted + tags: + - fluent-bit diff --git a/ansible/roles/podman/tasks/containers/base/fluent-bit.yml b/ansible/roles/podman/tasks/containers/base/fluent-bit.yml new file mode 100644 index 0000000..8cf2a09 --- /dev/null +++ b/ansible/roles/podman/tasks/containers/base/fluent-bit.yml 
@@ -0,0 +1,45 @@
+---
+# Fluent Bit - Log forwarder from journald to Graylog GELF
+# Deployed as systemd service (not container) for direct journal access
+
+# Clean up old container deployment if it exists
+- name: stop and remove fluent-bit container if exists
+ become: true
+ become_user: "{{ podman_user }}"
+ containers.podman.podman_container:
+ name: fluent-bit
+ state: absent
+ ignore_errors: true
+
+- name: disable old fluent-bit container systemd service
+ become: true
+ become_user: "{{ podman_user }}"
+ ansible.builtin.systemd:
+ name: fluent-bit
+ enabled: false
+ state: stopped
+ scope: user
+ ignore_errors: true
+
+- name: install fluent-bit package
+ become: true
+ ansible.builtin.dnf:
+ name: fluent-bit
+ state: present
+
+- name: deploy fluent-bit configuration
+ become: true
+ ansible.builtin.template:
+ src: fluent-bit/fluent-bit.conf.j2
+ dest: /etc/fluent-bit/fluent-bit.conf
+ owner: root
+ group: root
+ mode: '0644'
+ notify: restart fluent-bit
+
+- name: enable and start fluent-bit service
+ become: true
+ ansible.builtin.systemd:
+ name: fluent-bit
+ enabled: true
+ state: started
diff --git a/ansible/roles/podman/tasks/containers/debyltech/graylog.yml b/ansible/roles/podman/tasks/containers/debyltech/graylog.yml
index 79f53df..a149833 100644
--- a/ansible/roles/podman/tasks/containers/debyltech/graylog.yml
+++ b/ansible/roles/podman/tasks/containers/debyltech/graylog.yml
@@ -1,6 +1,6 @@ --- # Graylog Logging Stack -# Deploys MongoDB, OpenSearch, Graylog, and GELF decryption proxy +# Deploys MongoDB, OpenSearch, and Graylog # System prerequisite: OpenSearch requires increased virtual memory - name: set vm.max_map_count for OpenSearch
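Review bot: `ignore_errors: true` on the two cleanup tasks also hides failures unrelated to the old container being gone (podman unavailable for `{{ podman_user }}`, no user session bus for `scope: user`) and leaves "ignoring" output on every run after migration. Prefer a check first — `containers.podman.podman_container_info` for the container and `ansible.builtin.service_facts` for the user unit — and run each cleanup task only `when` the object exists, or register the result and fail unless the error is the not-found case. A comment on the cleanup pair stating when it can be deleted, e.g. `# TODO: remove once every host has migrated off the container deployment`, would stop it living forever. Minor: `mode: '0644'` uses single quotes while deps.yml in the same commit writes `"0644"`; pick one form.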
@@ -72,12 +72,10 @@ tags: graylog # MongoDB container -- name: pull graylog-mongo image - become: true - become_user: "{{ podman_user }}" - containers.podman.podman_image: - name: docker.io/mongo:6 - state: present +- import_tasks: podman/podman-check.yml + vars: + container_name: graylog-mongo + container_image: docker.io/mongo:6 tags: graylog - name: create graylog-mongo container @@ -87,7 +85,6 @@ name: graylog-mongo image: docker.io/mongo:6 state: started - recreate: true restart_policy: on-failure:3 log_driver: journald volumes: @@ -103,12 +100,10 @@ tags: graylog # OpenSearch container -- name: pull graylog-opensearch image - become: true - become_user: "{{ podman_user }}" - containers.podman.podman_image: - name: docker.io/opensearchproject/opensearch:2 - state: present +- import_tasks: podman/podman-check.yml + vars: + container_name: graylog-opensearch + container_image: docker.io/opensearchproject/opensearch:2 tags: graylog - name: create graylog-opensearch container @@ -118,7 +113,6 @@ name: graylog-opensearch image: docker.io/opensearchproject/opensearch:2 state: started - recreate: true restart_policy: on-failure:3 log_driver: journald env: @@ -138,16 +132,14 @@ tags: graylog # Graylog container -- name: pull graylog image - become: true - become_user: "{{ podman_user }}" - containers.podman.podman_image: - name: docker.io/graylog/graylog:6.0 - state: present +- import_tasks: podman/podman-check.yml + vars: + container_name: graylog + container_image: docker.io/graylog/graylog:6.0 tags: graylog # Graylog uses host network to reach MongoDB/OpenSearch on 127.0.0.1 -# Binds to: 9000 (web UI), 12202 (GELF UDP from gelf-proxy) +# Binds to: 9000 (web UI), 12202 (GELF HTTP input proxied via Caddy) - name: create graylog container become: true become_user: "{{ podman_user }}" @@ -155,7 +147,6 @@ name: graylog image: docker.io/graylog/graylog:6.0 state: started - recreate: true restart_policy: on-failure:3 log_driver: journald network: host 
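Review bot: Dropping `recreate: true` from the three `create … container` tasks (hunks at -87, -118 and -155) means an existing container keeps running its old image and env after `podman/podman-check.yml` pulls a newer image, unless that imported file handles recreation — it is not in this diff, so I cannot tell. If it does (for example by removing the container when the image digest changed), a comment on the first `import_tasks` saying so would stop someone re-adding `recreate`; if it does not, changes to the OpenSearch and Graylog `env` in this role will silently not apply until the container is removed by hand.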
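Review bot: The updated comment `# Binds to: 9000 (web UI), 12202 (GELF HTTP input proxied via Caddy)` omits the GELF UDP input on 12203 that the new fluent-bit.conf.j2 sends to, and says nothing about bind addresses although the container runs with `network: host`. The token check for `/gelf` lives only in Caddy — a Graylog GELF HTTP input has, as far as I know, no authentication of its own — so if the input listens on all interfaces it can be reached directly on 12202 from any network the host is on, bypassing the check; binding both inputs to 127.0.0.1 inside Graylog (in addition to the firewall) keeps them reachable only via Caddy and the local fluent-bit. Suggested wording: `# Binds to: 9000 (web UI), 12202 (GELF HTTP, reached via Caddy), 12203 (GELF UDP from local fluent-bit); bind both GELF inputs to 127.0.0.1`.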
@@ -178,38 +169,3 @@ vars: container_name: graylog tags: graylog - -# GELF Decryption Proxy (container) -- import_tasks: gitea/podman-gitea-login.yml - tags: graylog - -- name: pull gelf-proxy image - become: true - become_user: "{{ podman_user }}" - containers.podman.podman_image: - name: "{{ gelf_proxy_image }}" - state: present - tags: graylog - -- name: create gelf-proxy container - become: true - become_user: "{{ podman_user }}" - containers.podman.podman_container: - name: gelf-proxy - image: "{{ gelf_proxy_image }}" - state: started - recreate: true - restart_policy: on-failure:3 - log_driver: journald - network: host - env: - GELF_KEY: "{{ gelf_encryption_key }}" - GELF_LISTEN: ":12201" - GELF_FORWARD: "127.0.0.1:12202" - tags: graylog - -- name: create systemd startup job for gelf-proxy - include_tasks: podman/systemd-generate.yml - vars: - container_name: gelf-proxy - tags: graylog diff --git a/ansible/roles/podman/tasks/firewall.yml b/ansible/roles/podman/tasks/firewall.yml index 1d7503f..973e670 100644 --- a/ansible/roles/podman/tasks/firewall.yml +++ b/ansible/roles/podman/tasks/firewall.yml @@ -69,5 +69,7 @@ - 1080/tcp - 1443/tcp - 7000/tcp + # gelf-proxy (removed - now using GELF HTTP via Caddy) + - 12201/udp notify: restart firewalld tags: firewall diff --git a/ansible/roles/podman/tasks/main.yml b/ansible/roles/podman/tasks/main.yml index 530c336..f20e4d8 100644 --- a/ansible/roles/podman/tasks/main.yml +++ b/ansible/roles/podman/tasks/main.yml @@ -81,6 +81,12 @@ image: docker.io/louislam/uptime-kuma:1 tags: debyltech, uptime-kuma +- import_tasks: containers/debyltech/graylog.yml + tags: debyltech, graylog + +- import_tasks: containers/base/fluent-bit.yml + tags: fluent-bit, graylog + - import_tasks: containers/home/nosql.yml vars: image: docker.io/redis:7.2.1-alpine diff --git a/ansible/roles/podman/templates/caddy/Caddyfile.j2 b/ansible/roles/podman/templates/caddy/Caddyfile.j2 index 2040757..d096741 100644 
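Review bot: The comment `# gelf-proxy (removed - now using GELF HTTP via Caddy)` contradicts the line under it, which adds `12201/udp` to the list, and the hunk does not show whether this list opens or closes ports. If it is the list of ports removed from the zone, reword it to say so, e.g. `# 12201/udp: former gelf-proxy input, now closed; GELF arrives over HTTPS via Caddy`; if it is the list of ports opened, the entry exposes a port nothing listens on after this commit and should be dropped instead. The enclosing task starts outside the hunk.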
--- a/ansible/roles/podman/templates/caddy/Caddyfile.j2
+++ b/ansible/roles/podman/templates/caddy/Caddyfile.j2
@@ -177,6 +177,49 @@ } }
+# Graylog Logs - {{ logs_server_name }}
+{{ logs_server_name }} {
+ # GELF HTTP endpoint - open for Lambda (auth via header)
+ # Must come BEFORE ip_restricted_site to allow external access
+ @gelf_authorized {
+ path /gelf
+ header X-Gelf-Token "{{ gelf_auth_token }}"
+ }
+
+ handle @gelf_authorized {
+ reverse_proxy localhost:12202
+ }
+
+ # Reject unauthorized GELF requests
+ handle /gelf {
+ respond "Unauthorized" 401
+ }
+
+ # IP restriction for Graylog web UI (excludes /gelf which is handled above)
+ @local {
+ remote_ip {{ caddy_local_networks | join(' ') }}
+ }
+
+ @denied {
+ not remote_ip {{ caddy_local_networks | join(' ') }}
+ not path /gelf
+ }
+
+ handle @denied {
+ redir https://debyl.io{uri} 302
+ }
+
+ handle @local {
+ import common_headers
+ reverse_proxy localhost:9000
+ }
+
+ log {
+ output file /var/log/caddy/graylog.log
+ format json
+ }
+}
+
 # ============================================================================ # COMPLEX CONFIGURATIONS # ============================================================================
diff --git a/ansible/roles/podman/templates/fluent-bit/fluent-bit.conf.j2 b/ansible/roles/podman/templates/fluent-bit/fluent-bit.conf.j2
new file mode 100644
index 0000000..165458e
--- /dev/null
+++ b/ansible/roles/podman/templates/fluent-bit/fluent-bit.conf.j2
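Review bot: The `log` block uses `format json`, and Caddy's JSON access log includes the request headers, so every accepted and rejected `/gelf` request writes the `X-Gelf-Token` value into `/var/log/caddy/graylog.log` — the shared secret lands in a log file and in whatever later ships that file. Wrap the format in a `filter` that deletes that header (the `fields { … }` nesting below is the newer Caddyfile form; older releases take the `request>headers>X-Gelf-Token delete` line directly under `filter`). Separately, the comment says the token-checked block "must come BEFORE" the others, but the Caddyfile adapter orders sibling `handle` blocks itself (path-only matchers such as the bare `handle /gelf` are, as I understand it, sorted ahead by path length), so the unconditional 401 block could end up in front of `@gelf_authorized`; verify the route order with `caddy adapt` and prefer one `handle /gelf` block with the token check nested inside, which does not depend on sibling ordering. Since `/gelf` is reachable from the Internet, a `request_body max_size` on that route is also worth having; the value in the excerpt is a constructed example.

```caddyfile
{{ logs_server_name }} {
    # /gelf: token-checked proxy, 401 otherwise; nesting the matcher keeps the
    # decision inside one handle block instead of relying on sibling order
    handle /gelf {
        @gelf_authorized header X-Gelf-Token "{{ gelf_auth_token }}"
        request_body {
            max_size 1MB
        }
        reverse_proxy @gelf_authorized localhost:12202
        respond "Unauthorized" 401
    }

    # … unchanged: @local / @denied matchers and their handle blocks …

    log {
        output file /var/log/caddy/graylog.log
        format filter {
            wrap json
            fields {
                # keep the shared secret out of the access log
                request>headers>X-Gelf-Token delete
            }
        }
    }
}
```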
@@ -0,0 +1,32 @@
+[SERVICE]
+ Flush 5
+ Daemon Off
+ Log_Level info
+ Parsers_File parsers.conf
+
+# Read from systemd journal - filter for Podman container logs
+# Container logs come from conmon process with CONTAINER_NAME field
+[INPUT]
+ Name systemd
+ Tag journal.*
+ Systemd_Filter _COMM=conmon
+ Read_From_Tail On
+ Strip_Underscores On
+
+# Extract container name for better filtering in Graylog
+[FILTER]
+ Name record_modifier
+ Match journal.*
+ Record host {{ ansible_hostname }}
+ Record source podman
+
+# Output to Graylog GELF UDP (local, port 12203)
+# Graylog needs a GELF UDP input configured on this port
+[OUTPUT]
+ Name gelf
+ Match journal.*
+ Host 127.0.0.1
+ Port 12203
+ Mode udp
+ Gelf_Short_Message_Key MESSAGE
+ Gelf_Host_Key host
diff --git a/ansible/vars/vault.yml b/ansible/vars/vault.yml
index e3a714c..f52bd7c 100644
Binary files a/ansible/vars/vault.yml and b/ansible/vars/vault.yml differ
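Review bot: The systemd input has no `DB` entry, and with `Read_From_Tail On` every restart — including the one the `restart fluent-bit` handler triggers on each config change — resumes at the journal tail, so anything logged while fluent-bit was down is never forwarded; add `DB <state-dir>/journal.db` (placeholder path, for example under /var/lib/fluent-bit) so the cursor persists across restarts. The comment `# Extract container name for better filtering in Graylog` does not describe the filter under it, which only adds the `host` and `source` records — CONTAINER_NAME reaches Graylog because `Strip_Underscores On` on the input exposes the journal field; suggest `# Add host/source fields; CONTAINER_NAME comes through from the journal (underscores stripped by the input)`. GELF over UDP is fire-and-forget, so a note that gaps under load are expected (or a switch to TCP, which the gelf output also supports) would set expectations for whoever reads the Graylog side.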