roles/graylog: Add Graylog server deployment
The *graylog* role installs Graylog from the *graylog2.org* Yum repository and manages basic server configuration. It augments the default systemd unit to provide the `CAP_NET_BIND_SERVICE` capability to the Graylog server process via ambient capabilities, thereby allowing the server to bind to the privileged Syslog UDP port.
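--- a/roles/graylog/tasks/main.yml
+++ b/roles/graylog/tasks/main.yml
@@ -0,0 +1,101 @@
+- name: ensure graylog repository is available
+  package:
+    name=https://packages.graylog2.org/repo/packages/graylog-3.1-repository_latest.rpm
+    state=present
+  tags:
+    - install
+
+- name: ensure graylog is installed
+  package:
+    name:
+      - java-1.8.0-openjdk-headless
+      - graylog-server
+    state: present
+  tags:
+    - install
+
+- name: ensure graylog-server systemd unit drop-in directory is present
+  file:
+    path: /etc/systemd/system/graylog-server.service.d
+    mode: '0755'
+    state: directory
+- name: ensure graylog-server systemd unit capabilities are configured
+  copy:
+    src: graylog-server-capabilities.systemd.conf
+    dest: /etc/systemd/system/graylog-server.service.d/capabilities.conf
+    mode: '0644'
+  notify:
+    - reload systemd
+    - restart graylog
+- name: ensure graylog service is configured
+  template:
+    src=graylog-server.sysconfig.j2
+    dest=/etc/sysconfig/graylog-server
+    mode=0644
+  notify: restart graylog
+
+- name: ensure graylog server is configured
+  template:
+    src=server.conf.j2
+    dest=/etc/graylog/server/server.conf
+    owner=root
+    group=graylog
+    mode=640
+  notify: restart graylog
+
+- name: ensure syslog tls server certificate is installed
+  copy:
+    src={{ item }}
+    dest=/etc/graylog/syslog-tls.cer
+    owner=root
+    group=graylog
+    mode=0640
+  with_fileglob: files/{{ inventory_hostname }}.cer
+# The private key file must be in PKCS#8 format, not the more common PKCS#1
+- name: ensure syslog tls server private key is installed
+  copy:
+    src={{ item }}
+    dest=/etc/graylog/syslog-tls.key
+    owner=root
+    group=graylog
+    mode=0640
+  with_fileglob: files/{{ inventory_hostname }}.key
+- name: ensure syslog tls ca certificate is installed
+  copy:
+    src={{ item }}
+    dest=/etc/graylog/syslog-tls-ca.crt
+    owner=root
+    group=graylog
+    mode=0640
+  with_fileglob: files/{{ inventory_hostname }}_ca.crt
+
+- name: ensure firewall is configured for syslog
+  firewalld:
+    service: '{{ item.service }}'
+    permanent: false
+    immediate: true
+    state: '{{ item.state }}'
+  notify: save firewalld configuration
+  with_items:
+    - service: syslog
+      state: '{{ "enabled" if graylog_use_syslog else "disabled" }}'
+    - service: syslog-tls
+      state: '{{ "enabled" if graylog_use_syslog_tls else "disabled" }}'
+
+- name: ensure apache is allowed to proxy
+  seboolean:
+    name=httpd_can_network_connect
+    persistent=yes
+    state=yes
+
+- name: ensure apache is configured to proxy for graylog
+  template:
+    src=graylog.httpd.conf.j2
+    dest=/etc/httpd/conf.d/graylog.conf
+    mode=0644
+  notify: reload httpd
+
+- name: ensure graylog starts at boot
+  service:
+    name=graylog-server
+    enabled=yes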
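Review bot: The repository RPM in the first task is installed straight from a URL with no preceding `rpm_key` import and no checksum, so trust in that package rests on TLS alone — yum's signature check for local/URL packages is controlled by `localpkg_gpgcheck`, which is off by default, so the RPM is most likely installed unverified; importing the Graylog signing key with `rpm_key` before this task (and pinning a versioned RPM or a `checksum`) would close that gap. The `seboolean` task switches on `httpd_can_network_connect`, which lets httpd open connections to any port on any host; for a reverse proxy to a local listener the narrower `httpd_can_network_relay` is usually enough, though whether it covers the port used here cannot be told from this file. As a point of style, the file mixes block-style module arguments with `key=value` free-form strings, and the server.conf task writes `mode=640` while the other tasks use a zero-prefixed `mode=0640`; converting the free-form tasks to block YAML with quoted modes (`mode: '0640'`) and `true`/`false` in place of `yes` keeps the file consistent and removes the octal ambiguity.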