Messages from sources other than the systemd journal do not have a `hostname` field by default. This could make filtering logs difficult if there are multiple servers that host the same application. Thus, we need to inject the host name statically into every record, to ensure they can be correctly traced to their source machine.
# Ansible group variables (the exact inventory path is not visible here — confirm).
# Privilege escalation uses doas via the community.general collection; the
# password value below is a placeholder, so the doas policy is presumably
# configured for passwordless escalation — TODO confirm against the doas role.
ansible_become_method: community.general.doas
ansible_become_password: unused

# Public keys installed for root. This is a literal block scalar that Ansible
# templates after YAML parsing: Fedora >= 34 receives FIDO security-key
# (sk-ssh-ed25519@openssh.com) keys, every other host receives plain ed25519
# keys — presumably because older sshd builds lack security-key support.
# Only public key material is stored here; nothing in this file is a secret.
root_authorized_keys: |
  {% if ansible_distribution == "Fedora" and ansible_distribution_version|int >= 34 %}
  sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINZCN2cxMDwedJ1Ke23Z3CZRcOYjqW8fFqsooRus7RK0AAAABHNzaDo= dustin@rosalina.pyrocufflink.blue
  sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIAB6xTCSNz+AcQCWcyVKs84tThXN4wpLgCo2Lc48L6EsAAAABHNzaDo= dustin@luma.pyrocufflink.blue
  {% else %}
  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIJsL5fSylmiJmBtW0DH/viAAmtU2E/2M17GPvysiyRs+ dustin@rosalina
  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBw1T18jnBfR5reKAACOs/LMcs+jbclj6Eh8z56kJE7+ dustin@luma
  {% endif %}


# Local accounts managed on every host. Both users are members of wheel;
# the fixed uids keep ownership consistent across machines.
managed_users:
  - name: dustin
    comment: Dustin C. Hatch
    uid: 3000016
    groups:
      - wheel
  - name: jenkins
    comment: Jenkins
    uid: 3000018
    groups:
      - wheel

# Key material distinct from root_authorized_keys (different sk- keys for the
# same two workstations, plus the jenkins automation key). How the consuming
# role ties these to doas is not visible here — confirm in that role.
doas_authorized_ssh_keys: |
  sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIF4yQAS0bAQ9Ymxgxv828MsX0z4ff/Fs//0PQOtPexRJAAAABHNzaDo= dustin@rosalina.pyrocufflink.blue
  sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINal4+Gn/KuyP6YTsQuW4cphfDcjrS428osVIqnqMfagAAAABHNzaDo= dustin@luma.pyrocufflink.blue
  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDD3Ebb7dyEyCylgEjmhFxvGqbPkT+0KSpI+xEGXLFnn jenkins

# SSH certificate authority: the service URL and the CA public key that sshd
# should trust for user certificates. The folded scalar (>-) collapses to a
# single line with no trailing newline.
sshca_url: https://sshca.pyrocufflink.blue
ssh_trusted_user_ca_keys: >-
  ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINyi18IfxAf9wLnyffnMrThYpqxVwu0rsuiLoqW6rcwF sshca.pyrocufflink.blue

certbot_account_email: dustin@hatch.name
# Outbound mail is relayed through a single internal host.
smtp:
  mode: relay
  host: mail.pyrocufflink.blue

# Per-VLAN network definitions. Where sla_id is present it equals vlan_id;
# its exact meaning (presumably the IPv6 prefix-delegation subnet id) is not
# shown here — confirm in the consuming role. Only the jazz and blue networks
# carry DNS search domains; guest and dmz define no DNS or NTP servers.
dch_networks:
  jazz:
    description: Legacy network
    vlan_id: 1
    ipv4_address: 172.31.0.0/27
    router_iface: vlan1
    dns_search:
      - pyrocufflink.jazz
    dns_servers:
      - fd99:8cd7:6528:fe1e::4:1
      - fd99:8cd7:6528:fe1e::3:1
    dns_servers_v4:
      - 172.30.0.4
    sla_id: 1
    ntp_servers:
      - tyrande.pyrocufflink.jazz

  mgmt:
    description: Management network
    vlan_id: 10
    router_iface: vlan10
    ipv4_address: 172.30.0.240/28
    ntp_servers:
      - dc0.pyrocufflink.blue
    dns_servers_v4:
      - 172.30.0.4

  blue:
    description: pyrocufflink.blue AD domain members only
    vlan_id: 30
    ipv4_address: 172.30.0.0/26
    ipv6_address: fd99:8cd7:6528:fe1e::/64
    router_iface: vlan30
    dns_search:
      - pyrocufflink.blue
    dns_servers:
      - fd99:8cd7:6528:fe1e::4:1
      - fd99:8cd7:6528:fe1e::3:1
    dns_servers_v4:
      - 172.30.0.4
    sla_id: 30
    ntp_servers:
      - dc0.pyrocufflink.blue

  red:
    description: Non-domain member machines
    vlan_id: 101
    ipv4_address: 172.31.1.0/24
    router_iface: vlan101
    dns_servers:
      - fd99:8cd7:6528:fe1e::4:1
      - fd99:8cd7:6528:fe1e::3:1
    dns_servers_v4:
      - 172.30.0.4
    sla_id: 101
    ntp_servers:
      - dc0.pyrocufflink.blue

  guest:
    description: Guest Wi-Fi
    vlan_id: 100
    ipv4_address: 172.24.100.0/24
    router_iface: vlan100

  dmz:
    description: DMZ
    vlan_id: 254
    router_iface: vlan254


# Prefixes handed to the firewall-monitoring role; none of them overlap the
# dch_networks ranges above. Their role-level meaning is not visible here.
firemon_networks:
  - 192.168.0.0/16
  - 172.16.0.0/20
  - 172.24.16.0/20
  - 172.28.33.0/24
  - 10.64.11.0/24

# Promtail ships to Loki over HTTPS and pins the private CA below instead of
# relying on the system trust store.
promtail_clients:
  - url: https://loki.pyrocufflink.blue/loki/api/v1/push
    tls_config:
      ca_file: /etc/promtail/ca.crt
# PEM for the private root CA written to the ca_file above. The encoded
# subject reads "DCH Root CA R2", matching the dch-root-ca-r2.crt anchor used
# by the Fluent Bit output further down. Block scalar: do not add comments
# inside it, they would become part of the certificate text.
promtail_ca: |
  -----BEGIN CERTIFICATE-----
  MIIBxDCCAWqgAwIBAgIUbHz2tssa09zsHk+EdGD3QKprMKQwCgYIKoZIzj0EAwQw
  QDELMAkGA1UEBhMCVVMxGDAWBgNVBAoMD0R1c3RpbiBDLiBIYXRjaDEXMBUGA1UE
  AwwORENIIFJvb3QgQ0EgUjIwHhcNMjMwOTI0MjA1MzA5WhcNNDMwOTE5MjA1MzA5
  WjBAMQswCQYDVQQGEwJVUzEYMBYGA1UECgwPRHVzdGluIEMuIEhhdGNoMRcwFQYD
  VQQDDA5EQ0ggUm9vdCBDQSBSMjBZMBMGByqGSM49AgEGCCqGSM49AwEHA0IABE2D
  NJHRcjuA19ZoprBKaxIfUxAbz6LigM7dgtO6+isaMlxRAVJmsITADIE/22RrUDgD
  Ofkt2iZTUjMrz3AxXhWjQjBAMB0GA1UdDgQWBBTM+d8kb1koGmKRtJs4gN9zYa+6
  oTASBgNVHRMBAf8ECDAGAQH/AgEBMAsGA1UdDwQEAwIBBjAKBggqhkjOPQQDBANI
  ADBFAiEA2Ka8mMiAFLmrFWt0dAml247re2+i4UPhyHcOBfNK+goCIHv+vEw7CHZQ
  irIa697nfe4KiXIMwHlAMS1+1QZohFDC
  -----END CERTIFICATE-----

# dnf-automatic mail notifications, relayed through the same internal MTA as
# the smtp block above.
dnf_automatic_email_from: dnf@pyrocufflink.net
dnf_automatic_email_to: gyrfalcon@ebonfire.com
dnf_automatic_email_host: mail.pyrocufflink.blue

# systemd OnCalendar expression for dnf-automatic. The weekday is chosen by
# random() seeded with inventory_hostname, so each host gets a stable day of
# the week across playbook runs while the fleet is spread over Mon–Thu rather
# than all updating at once.
dnf_automatic_schedule: >-
  {{ ['Mon', 'Tue', 'Wed', 'Thu']
  | random(seed=inventory_hostname)
  | string
  }} *-*-* 04:00:00 America/Chicago

# Fluent Bit filter chain, in order:
#   1. record_modifier injects `hostname` from the host's environment into
#      every record, since only journal sources carry one by default; the
#      victorialogs output below uses that field as a stream label.
#   2. grep drops Fluent Bit's own "HTTP status=200" delivery messages so
#      shipping logs does not generate more logs.
#   3. rewrite_tag re-tags kernel-transport records as `ntfy` (keeping the
#      original, per the trailing `true`).
#   4. grep keeps only ntfy records whose message starts with "md"
#      (presumably md/RAID kernel messages — confirm intent).
#   5. lua adds the ntfy topic and tags from the hostname and syslog
#      identifier.
#   6. record_modifier allowlists message/tags/topic so nothing else from the
#      kernel record is sent to the notification service.
fluent_bit_default_filters:
  - name: record_modifier
    match: '*'
    record:
      - hostname ${HOSTNAME}
  # Avoid log amplification from logging the result of sending logs!
  - name: grep
    match: host.fluent-bit.service
    exclude: message \[output:http:victorialogs\] .+, HTTP status=200$
  - name: rewrite_tag
    alias: ntfy
    match: host.*
    rule: transport kernel ntfy true
  - name: grep
    match: ntfy
    alias: ntfy.filter
    regex: message ^md
  - name: lua
    alias: ntfy.populate
    match: ntfy
    code: |
      function ntfy_transform(tag, timestamp, record)
        record["topic"] = "alerts"
        record["tags"] = {
          record["hostname"],
          record["syslog_identifier"],
        }
        return 1, timestamp, record
      end
    call: ntfy_transform
  - name: record_modifier
    alias: ntfy.clean
    match: ntfy
    allowlist_key:
      - message
      - tags
      - topic

# Indirection so a host or group can extend the default chain instead of
# replacing it.
fluent_bit_filters: '{{ fluent_bit_default_filters }}'

# Shared settings for the VictoriaLogs HTTP output: TLS with hostname
# verification against the explicitly pinned private root CA; response
# payloads are not logged (see the amplification note above).
fluent_bit_output_template_victorialogs:
  host: logs.pyrocufflink.blue
  port: 443
  tls: true
  tls.verify: true
  tls.verify_hostname: true
  tls.ca_file: /etc/pki/ca-trust/source/anchors/dch-root-ca-r2.crt
  format: json_lines
  json_date_format: iso8601
  log_response_payload: false

# Journal records go to VictoriaLogs; the stream is keyed on the injected
# hostname field and the systemd unit.
fluent_bit_output_systemd:
  name: http
  alias: victorialogs
  match: host.*
  uri: /insert/jsonline?_stream_fields=hostname,systemd_unit&_msg_field=message&_time_field=date

# Filtered kernel records go to ntfy. TLS verification is on but no
# tls.ca_file is set, so trust comes from the system store — presumably the
# ntfy certificate is publicly trusted or the same anchor is installed
# system-wide; confirm. json_date_key: false omits the timestamp field from
# the notification payload.
fluent_bit_output_ntfy:
  name: http
  alias: ntfy
  workers: 1
  match: ntfy
  host: ntfy.pyrocufflink.blue
  port: 443
  tls: true
  tls.verify: true
  tls.verify_hostname: true
  uri: /
  format: json_lines
  json_date_key: false
  log_response_payload: false

# Output list: the systemd output merged with the VictoriaLogs template
# (combine is a shallow merge; keys in the template override the base), plus
# the ntfy output.
fluent_bit_main_outputs:
  - '{{ fluent_bit_output_systemd | combine(fluent_bit_output_template_victorialogs) }}'
  - '{{ fluent_bit_output_ntfy }}'

fluent_bit_outputs: '{{ fluent_bit_main_outputs }}'