From 19009bde1ac789458195293a543b5a1442036cee Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Thu, 22 Feb 2024 19:23:31 -0600 Subject: [PATCH] promtail: Role/Playbook to deploy Promtail Promtail is the log sending client for Grafana Loki. For traditional Linux systems, an RPM package is available from upstream, making installation fairly simple. Configuration is stored in a YAML file, so again, it's straightforward to configure via Ansible variables. Really, the only interesting step is adding the _promtail_ user, which is created by the RPM package, to the _systemd-journal_ group, so that Promtail can read the systemd journal files.
---
 group_vars/all.yml | 17 ++++++ promtail.yml | 3 + roles/promtail/defaults/main.yml | 24 ++++++++ roles/promtail/files/grafana-promtail.repo | 8 +++ roles/promtail/handlers/main.yml | 4 ++ roles/promtail/tasks/deploy.yml | 64 ++++++++++++++++++++++ roles/promtail/tasks/install.yml | 14 +++++ roles/promtail/tasks/main.yml | 7 +++ roles/promtail/vars/main.yml | 29 ++++++++++ 9 files changed, 170 insertions(+) create mode 100644 promtail.yml create mode 100644 roles/promtail/defaults/main.yml create mode 100644 roles/promtail/files/grafana-promtail.repo create mode 100644 roles/promtail/handlers/main.yml create mode 100644 roles/promtail/tasks/deploy.yml create mode 100644 roles/promtail/tasks/install.yml create mode 100644 roles/promtail/tasks/main.yml create mode 100644 roles/promtail/vars/main.yml
diff --git a/group_vars/all.yml b/group_vars/all.yml
index 47a761d..2732950 100644
--- a/group_vars/all.yml
+++ b/group_vars/all.yml
@@ -83,3 +83,20 @@ firemon_networks:
 - 172.24.16.0/20
 - 172.28.33.0/24
 - 10.64.11.0/24
+
+promtail_clients:
+- url: https://loki.pyrocufflink.blue/loki/api/v1/push
+ tls_config:
+ ca_file: /etc/promtail/ca.crt
+promtail_ca: |
+ -----BEGIN CERTIFICATE-----
+ MIIBgTCCATOgAwIBAgIUTf/ZBSJEi8IQb8Ndoxp4/tHB/lcwBQYDK2VwMEAxCzAJ
+ BgNVBAYTAlVTMRgwFgYDVQQKDA9EdXN0aW4gQy4gSGF0Y2gxFzAVBgNVBAMMDkRD
+ SCBSb290IENBIFIzMB4XDTI0MDIxNzIwMjkzNloXDTM0MDIxNzIwMjkzNlowQDEL
+ MAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UEAwwO
+ RENIIFJvb3QgQ0EgUjMwKjAFBgMrZXADIQDORylVcWcxwGDJvsJIc2NctfNfDaIU
+ T6mLebahKdshaKM/MD0wHQYDVR0OBBYEFLZoxAHBvWqbLWMga/DAAlG9ido5MA8G
+ A1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgEGMAUGAytlcANBANLV79joVd9s9bmL
+ 0a91HqvOotOnN/416Ek4UTl95jIqy/TvTfRjXX56wSALXqP1iYQM5i3zk3gVEhh4
+ DaY+6wQ=
+ -----END CERTIFICATE-----
diff --git a/promtail.yml b/promtail.yml
new file mode 100644
index 0000000..4a5625d
--- /dev/null
+++ b/promtail.yml
@@ -0,0 +1,3 @@
+- hosts: '!kubelet'
+ roles:
+ - promtail
diff --git a/roles/promtail/defaults/main.yml b/roles/promtail/defaults/main.yml
new file mode 100644
index 0000000..e5066e7
--- /dev/null
+++ b/roles/promtail/defaults/main.yml
@@ -0,0 +1,24 @@
+promtail_positions_file: /tmp/positions.yaml
+
+promtail_clients:
+ - url: http://localhost:3100/loki/api/v1/push
+
+promtail_scrape_configs:
+- '{{ promtail_default_scrape.journal }}'
+
+promtail_ca: ''
+
+promtail_config:
+ server:
+ http_listen_port: 9080
+ grpc_listen_port: 0
+
+ positions:
+ filename: >-
+ {{ promtail_positions_file }}
+
+ clients: >-
+ {{ promtail_clients }}
+
+ scrape_configs: >-
+ {{ promtail_scrape_configs }}
diff --git a/roles/promtail/files/grafana-promtail.repo b/roles/promtail/files/grafana-promtail.repo
new file mode 100644
index 0000000..bb3cdd4
--- /dev/null
+++ b/roles/promtail/files/grafana-promtail.repo
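Review bot: `promtail_positions_file: /tmp/positions.yaml` in defaults/main.yml keeps Promtail's journal read position in a world-writable, shared directory that on many systems is purged at boot or by tmpfiles cleanup, so after a reboot the positions are gone and the journal is re-shipped from its start, and any local user can pre-create the file before the service first writes it. A path owned by the service such as `promtail_positions_file: /var/lib/promtail/positions.yaml` avoids both; the deploy tasks would then need to ensure that directory exists and is writable by the promtail user, since the patch does not show whether the RPM creates it. If the packaged unit runs with a private /tmp, the positions would also be lost on every restart, which is worth confirming against the unit file.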
@@ -0,0 +1,8 @@
+[grafana-promtail]
+name=grafana-promtail
+baseurl=https://rpm.grafana.com
+repo_gpgcheck=1
+enabled=1
+gpgcheck=1
+gpgkey=https://rpm.grafana.com/gpg.key
+includepkgs=promtail
diff --git a/roles/promtail/handlers/main.yml b/roles/promtail/handlers/main.yml
new file mode 100644
index 0000000..4438971
--- /dev/null
+++ b/roles/promtail/handlers/main.yml
@@ -0,0 +1,4 @@
+- name: reload promtail
+ service:
+ name: promtail
+ state: restarted
diff --git a/roles/promtail/tasks/deploy.yml b/roles/promtail/tasks/deploy.yml
new file mode 100644
index 0000000..dbdb7c5
--- /dev/null
+++ b/roles/promtail/tasks/deploy.yml
@@ -0,0 +1,64 @@
+- name: ensure promtail user is a member of systemd-journal group
+ user:
+ name: promtail
+ system: true
+ groups: systemd-journal
+ append: true
+ shell: /bin/false
+ state: present
+ tags:
+ - user
+
+- name: ensure promtail is configured
+ copy:
+ content: |
+ {{ promtail_config | to_nice_yaml(indent=2) }}
+ dest: /etc/promtail/config.yml
+ mode: u=rw,go=r
+ owner: root
+ group: root
+ notify:
+ - reload promtail
+ tags:
+ - config
+
+- name: ensure promtail ca certificate is set
+ copy:
+ content: |-
+ {{ promtail_ca }}
+ dest: /etc/promtail/ca.crt
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ notify:
+ - reload promtail
+ tags:
+ - config
+ - cert
+
+- name: ensure promtail service starts at boot
+ service:
+ name: promtail
+ enabled: true
+ tags:
+ - service
+
+- name: ensure promtail is running
+ service:
+ name: promtail
+ state: started
+ tags:
+ - service
+
+- name: ensure promtail http port is open in the firewall
+ firewalld:
+ port: >-
+ {{ promtail_config.server.http_listen_port }}/tcp
+ permanent: true
+ immediate: true
+ state: enabled
+ when: >-
+ promtail_config.server.http_listen_port|d(0) > 0
+ and host_uses_firewalld|d(true)
+ tags:
+ - firewall
diff --git a/roles/promtail/tasks/install.yml b/roles/promtail/tasks/install.yml
new file mode 100644
index 0000000..d1e7126
--- /dev/null
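Review bot: The handler in handlers/main.yml is named `reload promtail` but performs `state: restarted`, so a reader of the `notify` lists in deploy.yml expects a graceful configuration reload while the shipper is actually stopped and started. Naming it `restart promtail` (and updating both `notify` entries) makes the restart explicit.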
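Review bot: In deploy.yml, `/etc/promtail/config.yml` is written with `mode: u=rw,go=r` and `group: root`, so the rendered configuration, including anything placed in `promtail_clients` such as `basic_auth` or `bearer_token` values for the Loki push endpoint, is readable by every local account. Since Promtail runs as the promtail user, `owner: root`, `group: promtail`, `mode: u=rw,g=r,o=` keeps it readable by the service alone (this assumes the RPM creates a matching group, which the patch does not show). The firewalld task opens `http_listen_port` to every source in the default zone; if only a Prometheus scraper needs the metrics endpoint, restricting the rule with a `source` or a dedicated `zone` limits exposure of Promtail's HTTP API. The `ca.crt` task also writes an empty file when `promtail_ca` is left at its default `''`; a `when: promtail_ca | length > 0` guard would avoid shipping an empty certificate file.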
+++ b/roles/promtail/tasks/install.yml
@@ -0,0 +1,14 @@
+- name: ensure grafana-promtail yum repository is configured
+ copy:
+ src: grafana-promtail.repo
+ dest: /etc/yum.repos.d/grafana-promtail.repo
+ owner: root
+ group: root
+ mode: u=rw,go=r
+ tags:
+ - repo
+
+- name: ensure promtail is installed
+ package:
+ name: promtail
+ state: present
diff --git a/roles/promtail/tasks/main.yml b/roles/promtail/tasks/main.yml
new file mode 100644
index 0000000..9323bff
--- /dev/null
+++ b/roles/promtail/tasks/main.yml
@@ -0,0 +1,7 @@
+- block:
+ - import_tasks: install.yml
+ tags:
+ - install
+ - import_tasks: deploy.yml
+ tags:
+ - promtail
diff --git a/roles/promtail/vars/main.yml b/roles/promtail/vars/main.yml
new file mode 100644
index 0000000..da4dd58
--- /dev/null
+++ b/roles/promtail/vars/main.yml
@@ -0,0 +1,29 @@
+promtail_default_scrape:
+ journal:
+ job_name: journal
+ journal:
+ json: false
+ labels:
+ job: systemd-journal
+ relabel_configs:
+ - source_labels:
+ - __journal__hostname
+ target_label: hostname
+ - source_labels:
+ - __journal__systemd_unit
+ target_label: unit
+ - source_labels:
+ - __journal_syslog_identifier
+ target_label: syslog_identifier
+ - source_labels:
+ - __journal_priority
+ target_label: priority
+ - source_labels:
+ - __journal_message_id
+ target_label: message_id
+ - source_labels:
+ - __journal__comm
+ target_label: command
+ - source_labels:
+ - __journal__transport
+ target_label: transport