authorHugo Hörnquist <hugo@lysator.liu.se>2022-10-12 22:33:15 +0200
committerHugo Hörnquist <hugo@lysator.liu.se>2022-10-12 22:33:15 +0200
commit9bef7d37599a5dd80a30daec65bc7fc6641bb5c8 (patch)
tree62cc6fa6831d300b253b84a5ca88d2d9b0bd0bb4
parentRevert "Add githook for updating description from metadata.json." (diff)
Add graylog.graylog
-rw-r--r--manifests/graylog.pp111
1 files changed, 111 insertions, 0 deletions
diff --git a/manifests/graylog.pp b/manifests/graylog.pp
new file mode 100644
index 0000000..0c56b55
--- /dev/null
+++ b/manifests/graylog.pp
@@ -0,0 +1,111 @@
+class profiles::graylog {
+
+ include ::java
+
+ class { 'mongodb::globals':
+ version => '4.4.11',
+ manage_package_repo => true,
+ pidfilepath => '/run/mongodb/mongodb.pid',
+ } -> class { 'mongodb::server':
+ bind_ip => [ '127.0.0.1', ],
+ }
+
+ # Why can't usit file be well written‽
+ systemd::dropin_file { 'mongodb-runtime-dir.conf':
+ unit => 'mongod.service',
+ content => @(EOF)
+ [Service]
+ RuntimeDirectory=mongodb
+ | EOF
+ }
+
+ class { 'elasticsearch':
+ version => '7.10.2',
+ manage_repo => true,
+ config => {
+ 'cluster' => {
+ 'name' => 'graylog',
+ }
+ }
+ }
+
+ $password_secret = extlib::cache_data('graylog', 'password_secret', extlib::random_password(128))
+ $root_password = '799e141582ed92803062eb890a05839a500c6f05ef531cc3c669c7ac42bed505'
+
+ class { 'graylog::repository':
+ version => '4.2',
+ } -> class { 'graylog::server':
+ config => {
+ 'password_secret' => $password_secret,
+ 'root_password_sha2' => $root_password,
+ # 'http_bind_address' => '[::]:9000',
+ 'root_timezone' => lookup('profiles::common::timezone'),
+ }
+ }
+
+ # This allows graylog to bind to privileged ports.
+ # Used mostly to bind to the default syslog port.
+ systemd::dropin_file { 'graylog-bind.conf':
+ unit => 'graylog-server.service',
+ notify => Service['graylog-server'],
+ content => @(EOF)
+ [Service]
+ AmbientCapabilities=CAP_NET_BIND_SERVICE
+ | EOF
+ }
+
+ service_entry { 'gelf':
+ port => 12201,
+ comment => 'Graylog extended log format',
+ }
+
+ service_entry { 'mongo':
+ port => 27017,
+ proto => 'tcp',
+ comment => 'https://docs.mongodb.com/manual/reference/default-mongodb-port/'
+ }
+
+ service_entry { 'mongo-shard':
+ port => 27018,
+ proto => 'tcp',
+ }
+
+ service_entry { 'mongo-conf':
+ port => 27019,
+ proto => 'tcp',
+ }
+
+ include ::nginx
+
+ $certname = lookup('certname')
+ $certdir = $facts['letsencrypt_directory'][$certname]
+ $ssl = $certdir != undef
+ if $ssl {
+ $ssl_cert = "${certdir}/fullchain.pem"
+ $ssl_key = "${certdir}/privkey.pem"
+ } else {
+ $ssl_cert = undef
+ $ssl_key = undef
+ }
+
+
+ nginx::resource::server { 'graylog':
+ ssl => $ssl,
+ ssl_redirect => $ssl,
+ ssl_cert => $ssl_cert,
+ ssl_key => $ssl_key,
+ access_log => 'absent',
+ error_log => 'absent',
+ ipv6_enable => true,
+ listen_options => 'default_server',
+ ipv6_listen_options => 'default_server',
+ use_default_location => false,
+ }
+
+ nginx::resource::location { '/':
+ ssl => $ssl,
+ ssl_only => $ssl,
+ proxy => 'http://127.0.0.1:9000',
+ server => 'graylog',
+ }
+}
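Review bot: The Graylog admin credential is committed as a literal SHA-256 digest in `$root_password`, so anyone with read access to this repository gets material for offline guessing of the root password, and rotating it requires a code change; the value belongs in encrypted Hiera data and should be read the same way `root_timezone` already is, e.g. `$root_password = lookup('profiles::graylog::root_password_sha2')` (key name is a suggestion, not one the page defines). The `$ssl` detection is also fragile: `$facts['letsencrypt_directory'][$certname]` raises an evaluation error if the `letsencrypt_directory` fact is absent on a host, because indexing into undef fails before the `!= undef` comparison runs, so `$certdir = $facts.dig('letsencrypt_directory', $certname)` is the safer form and yields undef in that case. It is worth a one-line comment above the `service_entry` block stating that the three mongo ports are registered for the local firewall policy only, since `mongodb::server` is already restricted to `bind_ip => ['127.0.0.1']` and a reader may otherwise assume they are meant to be reachable.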