promtail: Role/Playbook to deploy Promtail

Promtail is the log sending client for Grafana Loki.  For traditional
Linux systems, an RPM package is available from upstream, making
installation fairly simple.  Configuration is stored in a YAML file, so
again, it's straightforward to configure via Ansible variables.  Really,
the only interesting step is adding the _promtail_ user, which is
created by the RPM package, to the _systemd-journal_ group, so that
Promtail can read the systemd journal files.

group_vars/all.yml

@@ -83,3 +83,20 @@ firemon_networks:
 - 172.24.16.0/20
 - 172.28.33.0/24
 - 10.64.11.0/24
+
+promtail_clients:
+- url: https://loki.pyrocufflink.blue/loki/api/v1/push
+  tls_config:
+    ca_file: /etc/promtail/ca.crt
+promtail_ca: |
+  -----BEGIN CERTIFICATE-----
+  MIIBgTCCATOgAwIBAgIUTf/ZBSJEi8IQb8Ndoxp4/tHB/lcwBQYDK2VwMEAxCzAJ
+  BgNVBAYTAlVTMRgwFgYDVQQKDA9EdXN0aW4gQy4gSGF0Y2gxFzAVBgNVBAMMDkRD
+  SCBSb290IENBIFIzMB4XDTI0MDIxNzIwMjkzNloXDTM0MDIxNzIwMjkzNlowQDEL
+  MAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UEAwwO
+  RENIIFJvb3QgQ0EgUjMwKjAFBgMrZXADIQDORylVcWcxwGDJvsJIc2NctfNfDaIU
+  T6mLebahKdshaKM/MD0wHQYDVR0OBBYEFLZoxAHBvWqbLWMga/DAAlG9ido5MA8G
+  A1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMAUGAytlcANBANLV79joVd9s9bmL
+  0a91HqvOotOnN/416Ek4UTl95jIqy/TvTfRjXX56wSALXqP1iYQM5i3zk3gVEhh4
+  DaY+6wQ=
+  -----END CERTIFICATE-----

promtail.yml

@@ -0,0 +1,3 @@
+- hosts: '!kubelet'
+  roles:
+  - promtail

roles/promtail/defaults/main.yml

@@ -0,0 +1,24 @@
+promtail_positions_file: /tmp/positions.yaml
+
+promtail_clients:
+  - url: http://localhost:3100/loki/api/v1/push
+
+promtail_scrape_configs:
+- '{{ promtail_default_scrape.journal }}'
+
+promtail_ca: ''
+
+promtail_config:
+  server:
+    http_listen_port: 9080
+    grpc_listen_port: 0
+
+  positions:
+    filename: >-
+      {{ promtail_positions_file }}
+
+  clients: >-
+    {{ promtail_clients }}
+
+  scrape_configs: >-
+    {{ promtail_scrape_configs }}

roles/promtail/files/grafana-promtail.repo

@@ -0,0 +1,8 @@
+[grafana-promtail]
+name=grafana-promtail
+baseurl=https://rpm.grafana.com
+repo_gpgcheck=1
+enabled=1
+gpgcheck=1
+gpgkey=https://rpm.grafana.com/gpg.key
+includepkgs=promtail

roles/promtail/handlers/main.yml

@@ -0,0 +1,4 @@
+- name: reload promtail
+  service:
+    name: promtail
+    state: restarted

roles/promtail/tasks/deploy.yml

@@ -0,0 +1,64 @@
+- name: ensure promtail user is a member of systemd-journal group
+  user:
+    name: promtail
+    system: true
+    groups: systemd-journal
+    append: true
+    shell: /bin/false
+    state: present
+  tags:
+  - user
+
+- name: ensure promtail is configured
+  copy:
+    content: |
+      {{ promtail_config | to_nice_yaml(indent=2) }}
+    dest: /etc/promtail/config.yml
+    mode: u=rw,go=r
+    owner: root
+    group: root
+  notify:
+  - reload promtail
+  tags:
+  - config
+
+- name: ensure promtail ca certificate is set
+  copy:
+    content: |-
+      {{ promtail_ca }}
+    dest: /etc/promtail/ca.crt
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  notify:
+  - reload promtail
+  tags:
+  - config
+  - cert
+
+- name: ensure promtail service starts at boot
+  service:
+    name: promtail
+    enabled: true
+  tags:
+  - service
+
+- name: ensure promtail is running
+  service:
+    name: promtail
+    state: started
+  tags:
+  - service
+
+- name: ensure promtail http port is open in the firewall
+  firewalld:
+    port: >-
+      {{ promtail_config.server.http_listen_port }}/tcp
+    permanent: true
+    immediate: true
+    state: enabled
+  when: >-
+    promtail_config.server.http_listen_port|d(0) > 0
+    and host_uses_firewalld|d(true)
+  tags:
+  - firewall

roles/promtail/tasks/install.yml

@@ -0,0 +1,14 @@
+- name: ensure grafana-promtail yum repository is configured
+  copy:
+    src: grafana-promtail.repo
+    dest: /etc/yum.repos.d/grafana-promtail.repo
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  tags:
+  - repo
+
+- name: ensure promtail is installed
+  package:
+    name: promtail
+    state: present

roles/promtail/tasks/main.yml

@@ -0,0 +1,7 @@
+- block:
+  - import_tasks: install.yml
+    tags:
+    - install
+  - import_tasks: deploy.yml
+  tags:
+  - promtail

roles/promtail/vars/main.yml

@@ -0,0 +1,29 @@
+promtail_default_scrape:
+  journal:
+    job_name: journal
+    journal:
+      json: false
+      labels:
+        job: systemd-journal
+    relabel_configs:
+      - source_labels:
+          - __journal__hostname
+        target_label: hostname
+      - source_labels:
+          - __journal__systemd_unit
+        target_label: unit
+      - source_labels:
+          - __journal_syslog_identifier
+        target_label: syslog_identifier
+      - source_labels:
+          - __journal_priority
+        target_label: priority
+      - source_labels:
+          - __journal_message_id
+        target_label: message_id
+      - source_labels:
+          - __journal__comm
+        target_label: command
+      - source_labels:
+          - __journal__transport
+        target_label: transport