chore: gitea-actions improvements, graylog/fluent-bit logging, zomboid mod

- Gitea actions: add handlers, improve deps and service template - Graylog: simplify container config, add Caddy reverse proxy - Add fluent-bit container for log forwarding - Add ClimbDownRope mod (Workshop ID: 3000725405) to zomboid 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-03 17:20:18 -05:00
parent 5832497bbd
commit cf200d82d6
13 changed files with 188 additions and 69 deletions
--- a/ansible/roles/gitea-actions/handlers/main.yml
+++ b/ansible/roles/gitea-actions/handlers/main.yml
@@ -5,3 +5,10 @@
    name: act_runner
    state: restarted
    daemon_reload: true
 - name: restart podman socket
  become: true
  ansible.builtin.systemd:
    name: podman.socket
    state: restarted
    daemon_reload: true
--- a/ansible/roles/gitea-actions/tasks/deps.yml
+++ b/ansible/roles/gitea-actions/tasks/deps.yml
@@ -8,12 +8,31 @@
    state: present
  tags: gitea-actions
- name: enable podman socket for gitea-runner
+- name: create podman socket override directory
  become: true
  ansible.builtin.file:
    path: /etc/systemd/system/podman.socket.d
    state: directory
    mode: "0755"
  tags: gitea-actions
 - name: configure podman socket for gitea-runner access
  become: true
  ansible.builtin.copy:
    dest: /etc/systemd/system/podman.socket.d/override.conf
    content: |
      [Socket]
      SocketMode=0660
      SocketGroup={{ gitea_runner_user }}
    mode: "0644"
  notify: restart podman socket
  tags: gitea-actions
 - name: enable system podman socket
  become: true
  become_user: "{{ gitea_runner_user }}"
  ansible.builtin.systemd:
    name: podman.socket
    daemon_reload: true
    enabled: true
    state: started
    scope: user
  tags: gitea-actions
--- a/ansible/roles/gitea-actions/templates/act_runner.service.j2
+++ b/ansible/roles/gitea-actions/templates/act_runner.service.j2
@@ -1,7 +1,7 @@
 [Unit]
 Description=Gitea Actions runner
 Documentation=https://gitea.com/gitea/act_runner
-After=network.target
+After=network.target podman.socket
 [Service]
 ExecStart={{ act_runner_bin }} daemon --config {{ act_runner_config_dir }}/config.yaml
@@ -10,8 +10,7 @@ TimeoutSec=0
 RestartSec=10
 Restart=always
 User={{ gitea_runner_user }}
-Environment="XDG_RUNTIME_DIR=/run/user/%(uid)"
+Environment="DOCKER_HOST=unix:///run/podman/podman.sock"
 Environment="DOCKER_HOST=unix:///run/user/%(uid)/podman/podman.sock"
 [Install]
 WantedBy=multi-user.target
--- a/ansible/roles/gitea-actions/templates/config.yaml.j2
+++ b/ansible/roles/gitea-actions/templates/config.yaml.j2
@@ -2,7 +2,7 @@ log:
  level: info
 runner:
-  file: .runner
+  file: {{ act_runner_work_dir }}/.runner
  capacity: 1
  timeout: 3h
  insecure: false
--- a/ansible/roles/podman/defaults/main.yml
+++ b/ansible/roles/podman/defaults/main.yml
@@ -37,11 +37,11 @@ zomboid_server_names:
 # Load order: Libraries first (damnlib, tsarslib), then dependent mods, then others
 zomboid_mods:
  workshop_items: >-
-    3171167894;3402491515;3330403100;2409333430;3073430075;3379334330;3110913021;3366300557;3034636011;3409287192;3005903549;3161951724;3413704851;3413706334;3287727378;3226885926;2625625421;3418252689;3418253716;3152529790;2478247379;2942793445;2991201484;2913633066;2873290424;3428008364;3253385114;2846036306;2642541073;3435796523;3008795514;3447272250;3026723485;2900580391;2870394916;3292659291;2969343830;2566953935;2962175696;3196180339;3258343790;3346905070;3320947974;3478633453;2952802178;3001592312;3052360250;3490370700;2932547723;2805630347;3504401781;2772575623;3110911330;3088951320;3213391371;2932549988;3041122351;2971246021;3539691958;3315443103;2886832257;2886832936;2886833398;2811383142;2799152995;3248388837;3566868353;3570973322;2897390033;3592777775;3596903773;3601417745;3614034284;3577903007;3407042038;3405178154;3402493701;3402812859;3616536783;3431734923;3429790870;2850935956;3307376332;3397182976;3432928943;3610005735;3540297822;3426448380;3579640010;3389448389;3393821407;3044705007;2866258937;3490188370;3508537032;3451167732;3461263912;2903771337
+    3171167894;3402491515;3330403100;2409333430;3073430075;3379334330;3110913021;3366300557;3034636011;3409287192;3005903549;3161951724;3413704851;3413706334;3287727378;3226885926;2625625421;3418252689;3418253716;3152529790;2478247379;2942793445;2991201484;2913633066;2873290424;3428008364;3253385114;2846036306;2642541073;3435796523;3008795514;3447272250;3026723485;2900580391;2870394916;3292659291;2969343830;2566953935;2962175696;3196180339;3258343790;3346905070;3320947974;3478633453;2952802178;3001592312;3052360250;3490370700;2932547723;2805630347;3504401781;2772575623;3110911330;3088951320;3213391371;2932549988;3041122351;2971246021;3539691958;3315443103;2886832257;2886832936;2886833398;2811383142;2799152995;3248388837;3566868353;3570973322;2897390033;3592777775;3596903773;3601417745;3614034284;3577903007;3407042038;3405178154;3402493701;3402812859;3616536783;3431734923;3429790870;2850935956;3307376332;3397182976;3432928943;3610005735;3540297822;3426448380;3579640010;3389448389;3393821407;3044705007;2866258937;3490188370;3508537032;3451167732;3461263912;2903771337;3629835761;3000725405
  # Build 42 requires backslash prefix for each mod ID
  # Load order: 1) damnlib 2) tsarslib 3) KI5 vehicles 4) Autotsar vehicles 5) Everything else
  mod_ids: >-
-    \damnlib;\tsarslib;\KI5trailers;\91range;\93fordF350;\82porsche911;\90bmwE30;\91fordLTD;\89dodgeCaravan;\84jeepXJ;\63beetle;\76chevyKseries;\85chevyCaprice;\85pontiacParisienne;\92jeepYJ;\92jeepYJJP18;\87buickRegal;\isoContainers;\85buickLeSabre;\85oldsmobileDelta88;\93chevySuburban;\93chevySuburbanExpanded;\67commando;\90pierceArrow;\69camaro;\70barracuda;\70dodge;\86chevyCUCV;\81deloreanDMC12;\81deloreanDMC12BTTF;\92nissanGTR;\92amgeneralM998;\88toyotaHilux;\91geoMetro;\66pontiacLeMans;\67gt500;\49powerWagon;\86fordE150;\86fordE150dnd;\86fordE150mm;\86fordE150pd;\86fordE150expanded;\89volvo200;\93fordElgin;\86oshkoshP19A;\92fordCVPI;\87chevySuburban;\68firebird;\77firebird;\82firebird;\82firebirdKITT;\04vwTouran;\90fordF350ambulance;\93mustangSSP;\87toyotaMR2;\73fordFalcon;\73fordFalconPS;\93townCar;\84merc;\91nissan240sx;\59meteor;\ECTO1;\87fordB700;\93fordTaurus;\75grandPrix;\89trooper;\63Type2Van;\99fordCVPI;\91fordRanger;\98stagea;\82jeepJ10;\82jeepJ10t;\88chevyS10;\89fordBronco;\83amgeneralM923;\78amgeneralM35A2;\78amgeneralM35A2extra;\78amgeneralM49A2C;\78amgeneralM50A3;\78amgeneralM62;\80manKat1;\65banshee;\89defender;\97bushmaster;\84cadillacDeVille;\84buickElectra;\84oldsmobile98;\85chevyStepVan;\85chevyStepVanexpanded;\autotsartrailers;\ATA_Jeep;\ATA_Jeep_x10;\ATA_Jeep_x2;\ATA_Jeep_x4;\ATA_Mustang;\ATA_Mustang_x2;\ATA_Mustang_x4;\ATA_Bus;\VanillaFoodsExpanded;\TombWardrobeALT;\TombWardrobeALTVanilla;\TombBodyCompat;\TombBodyCompatBootsExp;\TombBody;\TombBodyCustom;\TombBodyTex;\TombBodyTexDOLL;\TombBodyTexNUDE;\SM4BootsExpandedB42;\SM4BootsExpandedFlatshoes;\GanydeBielovzki's Frockin Splendor!;\RandomClothing;\EFTBP;\AliceGear;\TableSaw;\stanks_suicide;\STA_PryOpen;\AutoReload;\DBFaster50;\DBFaster60;\DBFaster70;\DBFaster80;\FixBlowTorchPropaneTank;\MiniHealthPanel;\P4HasBeenRead;\Project_Cook;\NeatUI_Framework;\ModernStatus;\CleanHotBar;\REORDER_THE_HOTBAR
+    \damnlib;\tsarslib;\KI5trailers;\91range;\93fordF350;\82porsche911;\90bmwE30;\91fordLTD;\89dodgeCaravan;\84jeepXJ;\63beetle;\76chevyKseries;\85chevyCaprice;\85pontiacParisienne;\92jeepYJ;\92jeepYJJP18;\87buickRegal;\isoContainers;\85buickLeSabre;\85oldsmobileDelta88;\93chevySuburban;\93chevySuburbanExpanded;\67commando;\90pierceArrow;\69camaro;\70barracuda;\70dodge;\86chevyCUCV;\81deloreanDMC12;\81deloreanDMC12BTTF;\92nissanGTR;\92amgeneralM998;\88toyotaHilux;\91geoMetro;\66pontiacLeMans;\67gt500;\49powerWagon;\86fordE150;\86fordE150dnd;\86fordE150mm;\86fordE150pd;\86fordE150expanded;\89volvo200;\93fordElgin;\86oshkoshP19A;\92fordCVPI;\87chevySuburban;\68firebird;\77firebird;\82firebird;\82firebirdKITT;\04vwTouran;\90fordF350ambulance;\93mustangSSP;\87toyotaMR2;\73fordFalcon;\73fordFalconPS;\93townCar;\84merc;\91nissan240sx;\59meteor;\ECTO1;\87fordB700;\93fordTaurus;\75grandPrix;\89trooper;\63Type2Van;\99fordCVPI;\91fordRanger;\98stagea;\82jeepJ10;\82jeepJ10t;\88chevyS10;\89fordBronco;\83amgeneralM923;\78amgeneralM35A2;\78amgeneralM35A2extra;\78amgeneralM49A2C;\78amgeneralM50A3;\78amgeneralM62;\80manKat1;\65banshee;\89defender;\97bushmaster;\84cadillacDeVille;\84buickElectra;\84oldsmobile98;\85chevyStepVan;\85chevyStepVanexpanded;\autotsartrailers;\ATA_Jeep;\ATA_Jeep_x10;\ATA_Jeep_x2;\ATA_Jeep_x4;\ATA_Mustang;\ATA_Mustang_x2;\ATA_Mustang_x4;\ATA_Bus;\VanillaFoodsExpanded;\TombWardrobeALT;\TombWardrobeALTVanilla;\TombBodyCompat;\TombBodyCompatBootsExp;\TombBody;\TombBodyCustom;\TombBodyTex;\TombBodyTexDOLL;\TombBodyTexNUDE;\SM4BootsExpandedB42;\SM4BootsExpandedFlatshoes;\GanydeBielovzki's Frockin Splendor!;\RandomClothing;\EFTBP;\AliceGear;\TableSaw;\stanks_suicide;\STA_PryOpen;\AutoReload;\DBFaster50;\DBFaster60;\DBFaster70;\DBFaster80;\FixBlowTorchPropaneTank;\MiniHealthPanel;\P4HasBeenRead;\Project_Cook;\NeatUI_Framework;\ModernStatus;\CleanHotBar;\REORDER_THE_HOTBAR;\Ladders42131;\ClimbDownRope
 pihole_path: "{{ podman_volumes }}/pihole"
 sshpass_cron_path: "{{ podman_volumes }}/sshpass_cron"
 caddy_path: "{{ podman_volumes }}/caddy"
@@ -108,5 +108,7 @@ caddy_security_headers:
 # Graylog logging stack
 graylog_path: "{{ podman_volumes }}/graylog"
 logs_server_name: logs.debyl.io
-# Update tag to specific SHA after CI builds (e.g., :abc1234)
+# gelf_auth_token: defined in vault - X-Gelf-Token header for Lambda GELF HTTP auth
-gelf_proxy_image: git.debyl.io/debyltech/gelf-proxy:main
+
 # Fluent Bit is deployed as a systemd service (not container)
 # for direct journal access - see containers/base/fluent-bit.yml
--- a/ansible/roles/podman/handlers/main.yml
+++ b/ansible/roles/podman/handlers/main.yml
@@ -42,3 +42,11 @@
    scope: user
  tags:
    - zomboid
 - name: restart fluent-bit
  become: true
  ansible.builtin.systemd:
    name: fluent-bit
    state: restarted
  tags:
    - fluent-bit
--- a/ansible/roles/podman/tasks/containers/base/fluent-bit.yml
+++ b/ansible/roles/podman/tasks/containers/base/fluent-bit.yml
@@ -0,0 +1,45 @@
 ---
 # Fluent Bit - Log forwarder from journald to Graylog GELF
 # Deployed as systemd service (not container) for direct journal access
 # Clean up old container deployment if it exists
 - name: stop and remove fluent-bit container if exists
  become: true
  become_user: "{{ podman_user }}"
  containers.podman.podman_container:
    name: fluent-bit
    state: absent
  ignore_errors: true
 - name: disable old fluent-bit container systemd service
  become: true
  become_user: "{{ podman_user }}"
  ansible.builtin.systemd:
    name: fluent-bit
    enabled: false
    state: stopped
    scope: user
  ignore_errors: true
 - name: install fluent-bit package
  become: true
  ansible.builtin.dnf:
    name: fluent-bit
    state: present
 - name: deploy fluent-bit configuration
  become: true
  ansible.builtin.template:
    src: fluent-bit/fluent-bit.conf.j2
    dest: /etc/fluent-bit/fluent-bit.conf
    owner: root
    group: root
    mode: '0644'
  notify: restart fluent-bit
 - name: enable and start fluent-bit service
  become: true
  ansible.builtin.systemd:
    name: fluent-bit
    enabled: true
    state: started
--- a/ansible/roles/podman/tasks/containers/debyltech/graylog.yml
+++ b/ansible/roles/podman/tasks/containers/debyltech/graylog.yml
@@ -1,6 +1,6 @@
 ---
 # Graylog Logging Stack
-# Deploys MongoDB, OpenSearch, Graylog, and GELF decryption proxy
+# Deploys MongoDB, OpenSearch, and Graylog
 # System prerequisite: OpenSearch requires increased virtual memory
 - name: set vm.max_map_count for OpenSearch
@@ -72,12 +72,10 @@
  tags: graylog
 # MongoDB container
- name: pull graylog-mongo image
+- import_tasks: podman/podman-check.yml
-  become: true
+  vars:
-  become_user: "{{ podman_user }}"
+    container_name: graylog-mongo
-  containers.podman.podman_image:
+    container_image: docker.io/mongo:6
    name: docker.io/mongo:6
    state: present
  tags: graylog
 - name: create graylog-mongo container
@@ -87,7 +85,6 @@
    name: graylog-mongo
    image: docker.io/mongo:6
    state: started
    recreate: true
    restart_policy: on-failure:3
    log_driver: journald
    volumes:
@@ -103,12 +100,10 @@
  tags: graylog
 # OpenSearch container
- name: pull graylog-opensearch image
+- import_tasks: podman/podman-check.yml
-  become: true
+  vars:
-  become_user: "{{ podman_user }}"
+    container_name: graylog-opensearch
-  containers.podman.podman_image:
+    container_image: docker.io/opensearchproject/opensearch:2
    name: docker.io/opensearchproject/opensearch:2
    state: present
  tags: graylog
 - name: create graylog-opensearch container
@@ -118,7 +113,6 @@
    name: graylog-opensearch
    image: docker.io/opensearchproject/opensearch:2
    state: started
    recreate: true
    restart_policy: on-failure:3
    log_driver: journald
    env:
@@ -138,16 +132,14 @@
  tags: graylog
 # Graylog container
- name: pull graylog image
+- import_tasks: podman/podman-check.yml
-  become: true
+  vars:
-  become_user: "{{ podman_user }}"
+    container_name: graylog
-  containers.podman.podman_image:
+    container_image: docker.io/graylog/graylog:6.0
    name: docker.io/graylog/graylog:6.0
    state: present
  tags: graylog
 # Graylog uses host network to reach MongoDB/OpenSearch on 127.0.0.1
-# Binds to: 9000 (web UI), 12202 (GELF UDP from gelf-proxy)
+# Binds to: 9000 (web UI), 12202 (GELF HTTP input proxied via Caddy)
 - name: create graylog container
  become: true
  become_user: "{{ podman_user }}"
@@ -155,7 +147,6 @@
    name: graylog
    image: docker.io/graylog/graylog:6.0
    state: started
    recreate: true
    restart_policy: on-failure:3
    log_driver: journald
    network: host
@@ -178,38 +169,3 @@
  vars:
    container_name: graylog
  tags: graylog
 # GELF Decryption Proxy (container)
 - import_tasks: gitea/podman-gitea-login.yml
  tags: graylog
 - name: pull gelf-proxy image
  become: true
  become_user: "{{ podman_user }}"
  containers.podman.podman_image:
    name: "{{ gelf_proxy_image }}"
    state: present
  tags: graylog
 - name: create gelf-proxy container
  become: true
  become_user: "{{ podman_user }}"
  containers.podman.podman_container:
    name: gelf-proxy
    image: "{{ gelf_proxy_image }}"
    state: started
    recreate: true
    restart_policy: on-failure:3
    log_driver: journald
    network: host
    env:
      GELF_KEY: "{{ gelf_encryption_key }}"
      GELF_LISTEN: ":12201"
      GELF_FORWARD: "127.0.0.1:12202"
  tags: graylog
 - name: create systemd startup job for gelf-proxy
  include_tasks: podman/systemd-generate.yml
  vars:
    container_name: gelf-proxy
  tags: graylog
--- a/ansible/roles/podman/tasks/firewall.yml
+++ b/ansible/roles/podman/tasks/firewall.yml
@@ -69,5 +69,7 @@
    - 1080/tcp
    - 1443/tcp
    - 7000/tcp
    # gelf-proxy (removed - now using GELF HTTP via Caddy)
    - 12201/udp
  notify: restart firewalld
  tags: firewall
--- a/ansible/roles/podman/tasks/main.yml
+++ b/ansible/roles/podman/tasks/main.yml
@@ -81,6 +81,12 @@
    image: docker.io/louislam/uptime-kuma:1
  tags: debyltech, uptime-kuma
 - import_tasks: containers/debyltech/graylog.yml
  tags: debyltech, graylog
 - import_tasks: containers/base/fluent-bit.yml
  tags: fluent-bit, graylog
 - import_tasks: containers/home/nosql.yml
  vars:
    image: docker.io/redis:7.2.1-alpine
--- a/ansible/roles/podman/templates/caddy/Caddyfile.j2
+++ b/ansible/roles/podman/templates/caddy/Caddyfile.j2
@@ -177,6 +177,49 @@
 	}
 }
 # Graylog Logs - {{ logs_server_name }}
 {{ logs_server_name }} {
 	# GELF HTTP endpoint - open for Lambda (auth via header)
 	# Must come BEFORE ip_restricted_site to allow external access
 	@gelf_authorized {
 		path /gelf
 		header X-Gelf-Token "{{ gelf_auth_token }}"
 	}
 	handle @gelf_authorized {
 		reverse_proxy localhost:12202
 	}
 	# Reject unauthorized GELF requests
 	handle /gelf {
 		respond "Unauthorized" 401
 	}
 	# IP restriction for Graylog web UI (excludes /gelf which is handled above)
 	@local {
 		remote_ip {{ caddy_local_networks | join(' ') }}
 	}
 	@denied {
 		not remote_ip {{ caddy_local_networks | join(' ') }}
 		not path /gelf
 	}
 	handle @denied {
 		redir https://debyl.io{uri} 302
 	}
 	handle @local {
 		import common_headers
 		reverse_proxy localhost:9000
 	}
 	log {
 		output file /var/log/caddy/graylog.log
 		format json
 	}
 }
 # ============================================================================
 # COMPLEX CONFIGURATIONS
 # ============================================================================
--- a/ansible/roles/podman/templates/fluent-bit/fluent-bit.conf.j2
+++ b/ansible/roles/podman/templates/fluent-bit/fluent-bit.conf.j2
@@ -0,0 +1,32 @@
 [SERVICE]
    Flush        5
    Daemon       Off
    Log_Level    info
    Parsers_File parsers.conf
 # Read from systemd journal - filter for Podman container logs
 # Container logs come from conmon process with CONTAINER_NAME field
 [INPUT]
    Name            systemd
    Tag             journal.*
    Systemd_Filter  _COMM=conmon
    Read_From_Tail  On
    Strip_Underscores On
 # Extract container name for better filtering in Graylog
 [FILTER]
    Name          record_modifier
    Match         journal.*
    Record        host {{ ansible_hostname }}
    Record        source podman
 # Output to Graylog GELF UDP (local, port 12203)
 # Graylog needs a GELF UDP input configured on this port
 [OUTPUT]
    Name          gelf
    Match         journal.*
    Host          127.0.0.1
    Port          12203
    Mode          udp
    Gelf_Short_Message_Key MESSAGE
    Gelf_Host_Key host
--- a/ansible/vars/vault.yml
+++ b/ansible/vars/vault.yml