configpolicy/roles/promtail/tasks/deploy.yml
Dustin C. Hatch d9f46d6d62 r/promtail: Optionally run with DAC_READ_SEARCH
The *promtail* service runs as an unprivileged user by default, which is
fine in most cases (i.e. when scraping only the Journal), but may not
always be sufficient to read logs from other files.  Rather than run
Promtail as root in these cases, we can assign it the
CAP_DAC_READ_SEARCH capability, which will allow it to read any file,
but does not grant it any of root's other privileges.

To enable this functionality, the `promtail_dac_read_search` Ansible
variable can be set to `true` for a host or group.  This will create a
systemd unit configuration extension that configures the service to have
the CAP_DAC_READ_SEARCH capability in its ambient set.
2024-02-28 19:00:26 -06:00
```yaml
- name: ensure promtail user is a member of systemd-journal group
  user:
    name: promtail
    system: true
    groups: systemd-journal
    append: true
    shell: /bin/false
    state: present
  tags:
    - user
- name: ensure promtail is configured
  copy:
    content: |
      {{ promtail_config | to_nice_yaml(indent=2) }}
    dest: /etc/promtail/config.yml
    mode: u=rw,go=r
    owner: root
    group: root
  notify:
    - restart promtail
  tags:
    - config
- name: ensure promtail ca certificate is set
  copy:
    content: |-
      {{ promtail_ca }}
    dest: /etc/promtail/ca.crt
    owner: root
    group: root
    mode: u=rw,go=r
  notify:
    - restart promtail
  tags:
    - config
    - cert
- name: ensure promtail systemd unit extension directory exists
  file:
    path: /etc/systemd/system/promtail.service.d
    owner: root
    group: root
    mode: u=rwx,go=rx
    state: directory
  tags:
    - systemd
# The drop-in rendered from capabilities.conf.j2 puts CAP_DAC_READ_SEARCH in
# the service's ambient set when promtail_dac_read_search is true.
- name: ensure promtail service capabilities are configured
  template:
    src: capabilities.conf.j2
    dest: /etc/systemd/system/promtail.service.d/capabilities.conf
    owner: root
    group: root
    mode: u=rw,go=r
  notify:
    - reload systemd
    - restart promtail
  tags:
    - systemd
- name: ensure promtail service starts at boot
  service:
    name: promtail
    enabled: true
  tags:
    - service
- meta: flush_handlers
- name: ensure promtail is running
  service:
    name: promtail
    state: started
  tags:
    - service
- name: ensure promtail http port is open in the firewall
  firewalld:
    port: >-
      {{ promtail_config.server.http_listen_port }}/tcp
    permanent: true
    immediate: true
    state: enabled
  when: >-
    promtail_config.server.http_listen_port|d(0) > 0
    and host_uses_firewalld|d(true)
  tags:
    - firewall
```
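The commit message's claim is that the drop-in gives promtail CAP_DAC_READ_SEARCH and none of root's other privileges. The check below is an added example, not code from the configpolicy repository: it decodes the `CapAmb` bitmask of a process from its `/proc/<pid>/status` and passes only when that ambient set is exactly CAP_DAC_READ_SEARCH. The status files it reads are constructed samples; the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the repository): verify the ambient capability
# set of a running promtail is CAP_DAC_READ_SEARCH and nothing more.

# Capability number from <linux/capability.h>: bit 2 of the CapAmb bitmask.
CAP_DAC_READ_SEARCH=2

# mask_for_cap N: 16-hex-digit mask with only capability bit N set.
mask_for_cap() {
    printf '%016x\n' "$((1 << $1))"
}

# capamb_from_status FILE: the CapAmb value from a status file
# (on a live host this is /proc/<pid>/status).
capamb_from_status() {
    awk '/^CapAmb:/ { print $2 }' "$1"
}

# check_ambient_caps FILE: succeed only when CapAmb is exactly
# CAP_DAC_READ_SEARCH. An empty ambient set (drop-in not applied) or any
# extra capability (e.g. CAP_DAC_OVERRIDE) fails.
check_ambient_caps() {
    actual=$(capamb_from_status "$1")
    expected=$(mask_for_cap "$CAP_DAC_READ_SEARCH")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# Constructed sample standing in for /proc/<pid>/status of a correctly
# configured service: only bit 2 is set.
SAMPLE_OK=$(mktemp)
cat > "$SAMPLE_OK" <<'EOF'
Name:   promtail
CapEff: 0000000000000004
CapAmb: 0000000000000004
EOF

# Constructed sample where CAP_DAC_OVERRIDE (bit 1) was also granted.
SAMPLE_EXTRA=$(mktemp)
cat > "$SAMPLE_EXTRA" <<'EOF'
Name:   promtail
CapEff: 0000000000000006
CapAmb: 0000000000000006
EOF

# On a real host: check_ambient_caps "/proc/$(pgrep -x promtail)/status"
if check_ambient_caps "$SAMPLE_OK"; then
    echo "ok: ambient set is exactly CAP_DAC_READ_SEARCH"
fi
```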