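# @summary Single-node Graylog stack: MongoDB, Elasticsearch, graylog-server
#   and an nginx reverse proxy in front of the Graylog web interface.
#
# @param root_password_sha2
#   SHA-256 hex digest of the Graylog root (admin) password, passed to
#   graylog-server as `root_password_sha2`. The default is the value that was
#   previously hard-coded in this class, so existing nodes are unchanged.
#   NOTE(review): this digest is unsalted and lives in the manifest, so anyone
#   with read access to the repository can test password guesses against it
#   offline. Prefer supplying it from encrypted Hiera data
#   (profiles::graylog::root_password_sha2) and rotating the password.
class profiles::graylog (
  String $root_password_sha2 = '799e141582ed92803062eb890a05839a500c6f05ef531cc3c669c7ac42bed505',
) {
  include ::java

  # MongoDB listens on loopback only. No authentication settings are declared
  # in this class, so the loopback bind is the only access control visible here.
  # The version is pinned; it has to be bumped by hand to pick up security fixes.
  class { 'mongodb::globals':
    version             => '4.4.11',
    manage_package_repo => true,
    pidfilepath         => '/run/mongodb/mongodb.pid',
  } -> class { 'mongodb::server':
    bind_ip => ['127.0.0.1'],
  }

  # The pid file above lives in /run/mongodb; RuntimeDirectory makes systemd
  # create that directory for mongod.service (presumably the packaged unit
  # does not do so itself).
  systemd::dropin_file { 'mongodb-runtime-dir.conf':
    unit    => 'mongod.service',
    content => @(EOF)
      [Service]
      RuntimeDirectory=mongodb
      | EOF
  }

  # Only the cluster name is configured. No network.host and no security
  # settings are set in this class, so Elasticsearch runs with its defaults
  # (loopback bind in 7.x) - TODO confirm nothing else widens the bind address.
  class { 'elasticsearch':
    version     => '7.10.2',
    manage_repo => true,
    config      => {
      'cluster' => {
        'name' => 'graylog',
      },
    },
  }

  # Generated once and then reused from the extlib cache, so the secret stays
  # stable across Puppet runs. The cached copy is stored by extlib::cache_data
  # (presumably on the Puppet server) and should be protected like any other
  # credential.
  $password_secret = extlib::cache_data('graylog', 'password_secret', extlib::random_password(128))

  class { 'graylog::repository':
    version => '4.2',
  } -> class { 'graylog::server':
    config => {
      'password_secret'    => $password_secret,
      'root_password_sha2' => $root_password_sha2,
      # Left disabled on purpose: nginx below proxies to 127.0.0.1:9000, so the
      # Graylog HTTP interface does not need to listen on every address.
      # 'http_bind_address' => '[::]:9000',
      'root_timezone'      => lookup('profiles::common::timezone'),
    },
  }

  # This allows graylog to bind to privileged ports.
  # Used mostly to bind to the default syslog port.
  # Only CAP_NET_BIND_SERVICE is granted; no other capability is added here.
  systemd::dropin_file { 'graylog-bind.conf':
    unit    => 'graylog-server.service',
    notify  => Service['graylog-server'],
    content => @(EOF)
      [Service]
      AmbientCapabilities=CAP_NET_BIND_SERVICE
      | EOF
  }

  # Port-to-name entries for the services this profile runs.
  # NOTE(review): service_entry is defined outside this class; whether it only
  # registers names or also affects exposure cannot be told from here.
  service_entry { 'gelf':
    port    => 12201,
    comment => 'Graylog extended log format',
  }

  service_entry { 'mongo':
    port    => 27017,
    proto   => 'tcp',
    comment => 'https://docs.mongodb.com/manual/reference/default-mongodb-port/',
  }

  service_entry { 'mongo-shard':
    port  => 27018,
    proto => 'tcp',
  }

  service_entry { 'mongo-conf':
    port  => 27019,
    proto => 'tcp',
  }

  include ::nginx

  # TLS is enabled only when the letsencrypt_directory fact has an entry for
  # this node's certname.
  # NOTE(review): without that entry $ssl is false and nginx serves the Graylog
  # login over plain HTTP as the default server, so credentials and session
  # tokens cross the network unencrypted until a certificate exists.
  $certname = lookup('certname')
  $certdir = $facts['letsencrypt_directory'][$certname]
  $ssl = $certdir != undef

  if $ssl {
    $ssl_cert = "${certdir}/fullchain.pem"
    $ssl_key = "${certdir}/privkey.pem"
  } else {
    $ssl_cert = undef
    $ssl_key = undef
  }

  # NOTE(review): access_log/error_log are set to 'absent' for this server.
  # Confirm that requests to the Graylog UI are still logged somewhere (for
  # example by the http-level nginx log), since these logs are the audit trail
  # for logins through the proxy.
  nginx::resource::server { 'graylog':
    ssl                  => $ssl,
    ssl_redirect         => $ssl,
    ssl_cert             => $ssl_cert,
    ssl_key              => $ssl_key,
    access_log           => 'absent',
    error_log            => 'absent',
    ipv6_enable          => true,
    listen_options       => 'default_server',
    ipv6_listen_options  => 'default_server',
    use_default_location => false,
  }

  # Everything is proxied to Graylog's HTTP interface on loopback; with
  # ssl_only set, the location is served only by the TLS server block when a
  # certificate is present.
  nginx::resource::location { '/':
    ssl      => $ssl,
    ssl_only => $ssl,
    proxy    => 'http://127.0.0.1:9000',
    server   => 'graylog',
  }
}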