wip: r/victoria-logs: Deploy VictoriaLogs

Dustin 2025-05-09 20:28:28 -05:00
parent 1768678213
commit 9f9cdef17f
10 changed files with 218 additions and 0 deletions


@ -0,0 +1,22 @@
victoria_logs_extra_args:
- '-syslog.listenAddr.tcp :601'
- '-syslog.listenAddr.udp :514'
victoria_logs_publish_ports:
- '514:514/udp'
- '601:601'
#- '6514:6514'
victoria_logs_firewall_ports:
- 514/udp
- 601/tcp
#- 6514/tcp
victoria_logs_caddy_server_name: logs.pyrocufflink.blue
victoria_logs_caddy_forward_auth:
url: https://auth.pyrocufflink.blue
path: /api/verify
location: '?rd=https://{{ victoria_logs_caddy_server_name }}'
victoria_logs_caddy_acme:
email: victoria_logs@pyrocufflink.blue
url: https://ca.pyrocufflink.blue/acme/acme/directory
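Review bot: Both syslog listeners enabled in `victoria_logs_extra_args` (`-syslog.listenAddr.tcp :601` and `-syslog.listenAddr.udp :514`) are plaintext, and the matching `victoria_logs_firewall_ports` entries open them with no source restriction visible in this file. Any host that can reach the server can therefore write into the log store, and log content crosses the network unencrypted. The commented-out `6514` entries suggest a TLS listener is planned; until then a comment above `victoria_logs_extra_args` would record the exposure, e.g. `# plaintext syslog: no sender authentication; restrict sources at the firewall until the 6514 TLS listener is enabled`.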

7
hosts

@ -238,6 +238,13 @@ vps
[unifi:children] [unifi:children]
unifi-test unifi-test
[victoria-logs]
[victoria-logs:children]
victoria-logs-test
[victoria-logs-test]
[vm-hosts] [vm-hosts]
vmhost0.pyrocufflink.blue vmhost0.pyrocufflink.blue
vmhost1.pyrocufflink.blue vmhost1.pyrocufflink.blue


@ -0,0 +1,12 @@
# vim: set ft=yaml.jinja :
victoria_logs_version: 1.19.0
victoria_logs_container_image_tag: v{{ victoria_logs_version }}-victorialogs
victoria_logs_container_image_repo: docker.io/victoriametrics/victoria-logs
victoria_logs_container_image: >-
{{ victoria_logs_container_image_repo }}:{{ victoria_logs_container_image_tag }}
victoria_logs_publish_ports: []
victoria_logs_extra_args: []
victoria_logs_args: >-
{{ victoria_logs_default_args + victoria_logs_extra_args }}
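Review bot: `victoria_logs_container_image` resolves to a mutable tag on docker.io (`v{{ victoria_logs_version }}-victorialogs`), so the image that gets deployed is whatever the registry serves for that tag at pull time. The unit template in this commit sets `Pull=never`, so the image fetched by the `podman_image` task is then run without further checks. Consider recording a digest next to `victoria_logs_version` and referencing the image as `'{{ victoria_logs_container_image_repo }}@{{ victoria_logs_container_image_digest }}'`; the `podman_image` task, which passes repo and tag separately, would need the same reference.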


@ -0,0 +1,4 @@
- name: restart victoria-logs
service:
name: victoria-logs
state: restarted


@ -0,0 +1,3 @@
dependencies:
- systemd-base
- caddy


@ -0,0 +1,92 @@
- name: ensure victoria logs group exists
group:
name: victoria-logs
system: true
tags:
- user
- group
- name: ensure victoria logs user exists
user:
name: victoria-logs
system: true
home: /var/lib/victoria-logs
group: victoria-logs
createhome: false
register: victoria_logs_user
tags:
- user
- name: ensure podman is installed
package:
name: podman
state: present
tags:
- install
- name: ensure victoria logs container image is present
podman_image:
name: '{{ victoria_logs_container_image_repo }}'
tag: '{{ victoria_logs_container_image_tag }}'
state: present
tags:
- container
- container-image
- name: ensure victoria logs systemd container unit is configured
template:
src: victoria-logs.container.j2
dest: /etc/containers/systemd/victoria-logs.container
owner: root
group: root
mode: u=rw,go=r
notify:
- reload systemd
- restart victoria-logs
tags:
- systemd
- container
- name: flush handlers
meta: flush_handlers
- name: ensure victoria logs is running
service:
name: victoria-logs
state: started
tags:
- service
- name: ensure firewall is configured for victoria logs
firewalld:
port: '{{ item }}'
immediate: true
permanent: true
state: enabled
loop: '{{ victoria_logs_firewall_ports }}'
when: host_uses_firewalld|d(true)
tags:
- firewalld
- name: ensure caddy is configured to proxy for victoria logs
template:
src: Caddyfile.j2
dest: /etc/caddy/Caddyfile.d/victoria-logs.caddyfile
owner: root
group: root
mode: u=rw,go=r
notify:
- reload caddy
tags:
- caddy
- config
- name: flush_handlers
meta: flush_handlers
- name: ensure caddy is running
service:
name: caddy
state: started
tags:
- caddy
- service
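Review bot: The firewalld task loops over `victoria_logs_firewall_ports`, but the role defaults added in this commit define only `victoria_logs_publish_ports` and `victoria_logs_extra_args`, so a host without the group variables fails on an undefined variable. Either add `victoria_logs_firewall_ports: []` to the defaults or write `loop: '{{ victoria_logs_firewall_ports | d([]) }}'`. Separately, the unit template reads `victoria_logs_user.uid`, which is registered by a task tagged only `user`. A run limited to `--tags container` or `--tags systemd` would skip that registration and the template task would fail; adding the template's tags to the user task avoids this.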


@ -0,0 +1,23 @@
{# vim: set sw=4 ts=4 sts=4 et : #}
{{ victoria_logs_caddy_server_name }} {
{% if victoria_logs_caddy_forward_auth|d %}
forward_auth {{ victoria_logs_caddy_forward_auth.url }} {
uri {{ victoria_logs_caddy_forward_auth.path }}
header_up Host {upstream_hostport}
@unauthorized status 401
handle_response @unauthorized {
respond "" 303
header Location {{ victoria_logs_caddy_forward_auth.url }}{{ victoria_logs_caddy_forward_auth.location }}
}
}
{% endif %}
reverse_proxy 127.0.0.1:9428
{% if victoria_logs_caddy_acme|d %}
tls {{ victoria_logs_caddy_acme.email }} {
ca {{ victoria_logs_caddy_acme.url }}
}
{% endif %}
}
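Review bot: The `forward_auth` block is emitted only when `victoria_logs_caddy_forward_auth` is defined, and the role defaults in this commit do not define it. A host that lacks the group variable therefore gets a site that proxies straight to `127.0.0.1:9428` with no authentication, and nothing in the rendered file shows that. If unauthenticated access is never intended, make the absence explicit: either an `assert` task on `victoria_logs_caddy_forward_auth is defined`, or an `{% else %}` branch that renders a Caddyfile comment such as `# no forward_auth configured: VictoriaLogs API is served without authentication`.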


@ -0,0 +1,47 @@
[Unit]
Description=Victoria Logs
Wants=network.target
After=network.target
StartLimitIntervalSec=1s
StartLimitBurst=1
[Container]
Image={{ victoria_logs_container_image }}
Pull=never
Exec={{ victoria_logs_args | join(' ') }}
User={{ victoria_logs_user.uid }}
Group={{ victoria_logs_user.group }}
Volume=%S/%p:/data:rw,z,U
NoNewPrivileges=yes
ReadOnly=yes
ReadOnlyTmpfs=yes
AddCapability=CAP_NET_BIND_SERVICE
PublishPort=9428:9428
{% for portspec in victoria_logs_publish_ports %}
PublishPort={{ portspec }}
{% endfor %}
HealthCmd=/usr/bin/wget -q -O /dev/null 127.0.0.1:9428/health
HealthInterval=1m
HealthOnFailure=stop
[Service]
StateDirectory=%p
Restart=always
RestartSec=1
MemoryDenyWriteExecute=yes
PrivateTmp=yes
ProtectClock=yes
ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectProc=invisible
ProtectSystem=strict
ReadWritePaths=%S/%p
ReadWritePaths=%S/containers/storage
ReadWritePaths=%t
ReadWritePaths=/etc/containers/networks
RestrictRealtime=yes
UMask=0077
[Install]
WantedBy=multi-user.target
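Review bot: `PublishPort=9428:9428` publishes the VictoriaLogs HTTP API on every host address, while Caddy in this commit reaches it only through `reverse_proxy 127.0.0.1:9428`. Anything that can reach port 9428 directly skips the `forward_auth` check. The role does not ask firewalld to open 9428, but container port publishing may be handled outside the zone rules depending on the network backend, so that should not be the only barrier. Bind the publish to loopback instead: `PublishPort=127.0.0.1:9428:9428`.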


@ -0,0 +1,3 @@
victoria_logs_default_args:
- '-httpListenAddr 0.0.0.0:9428'
- -storageDataPath /data

5
victoria-logs.yml Normal file

@ -0,0 +1,5 @@
- hosts: victoria-logs
roles:
- role: victoria-logs
tags:
- victoria-logs