configpolicy

Go to file

Dustin C. Hatch d9f46d6d62 r/promtail: Optionally run with DAC_READ_SEARCH

The *promtail* service runs as an unprivileged user by default, which is
fine in most cases (i.e. when scraping only the Journal), but may not
always be sufficient to read logs from other files.  Rather than run
Promtail as root in these cases, we can assign it the
CAP_DAC_READ_SEARCH capability, which will allow it to read any file,
but does not grant it any of root's other privileges.

To enable this functionality, the `promtail_dac_read_search` Ansible
variable can be set to `true` for a host or group.  This will create a
systemd unit configuration extension that configures the service to have
the CAP_DAC_READ_SEARCH capability in its ambient set.

2024-02-28 19:00:26 -06:00

.certs @ 13f97e4fa1

websites: dustin.hatch.name: Deploy new site

2022-04-23 15:30:40 -05:00

certs

hosts: Decommission dc-4k6s8e.p.b

2023-10-28 16:07:56 -05:00

pyrocufflink-dns: Drop group

2024-02-22 10:23:19 -06:00

group_vars

promtail: Role/Playbook to deploy Promtail

2024-02-22 19:23:31 -06:00

host_vars

gw1: Allow rpm.grafana.com via proxy

2024-02-22 20:40:51 -06:00

passwords/kojiweb_secret

hosts: Add koji0.pyrocufflink.blue

2018-08-12 10:27:20 -05:00

roles

r/promtail: Optionally run with DAC_READ_SEARCH

2024-02-28 19:00:26 -06:00

vars

ci: Remove extraneous copy of ssh_known_hosts

2024-01-28 12:18:55 -06:00

vault

hosts: gw1: Deploy BURP, collectd

2024-01-19 20:52:48 -06:00

.gitignore

r/blackbox-exporter: Deploy blackbox_exporter

2022-08-10 22:18:53 -05:00

.gitmodules

certs: Add certificates submodule

2020-02-22 16:28:06 -06:00

.vault-secret.sh

vault-secret: Get key from Bitwarden

2023-04-23 20:05:00 -05:00

alertmanager.yml

r/alertmanager: Deploy AlertManager

2022-08-10 22:18:53 -05:00

ansible.cfg

ansible.cfg: Disable stupid group name warning

2019-09-19 19:50:35 -05:00

ansible.yml

ansible: Install Ansible

2018-04-08 12:20:03 -05:00

aria2.yml

aria2: Deploy aria2 download manager

2018-08-19 14:17:48 -05:00

base.yml

r/ssu-user-ca: Configure sshd TrustedUserCAKeys

2024-02-01 18:46:40 -06:00

bitwarden_rs.yml

bitwarden_rs: Deploy Bitwarden_rs using Docker

2019-09-19 19:27:29 -05:00

blackbox-exporter.yml

r/blackbox-exporter: Deploy blackbox_exporter

2022-08-10 22:18:53 -05:00

burp-client.yml

burp-client: Switch from cron to systemd timer

2023-05-23 09:51:07 -05:00

burp-server.yml

burp-{client,server}: PBs to deploy BURP

2018-08-08 20:14:25 -05:00

certbot.yml

certbot: Playbook to deploy certbot

2018-06-13 22:23:27 -05:00

collectd.yml

collect: Import dyngroups.yml playbook

2022-12-19 10:20:57 -06:00

dch-gw.yml

dch-gw: Initial commit

2018-03-27 20:44:43 -05:00

dch-proxy.yml

dch-proxy: PB to deploy HAProxy

2018-07-01 15:19:20 -05:00

dch-root-ca.crt

pyrocufflink: Trust DCH Root CA

2018-06-04 20:03:55 -05:00

dch-vpn.yml

Move VPN server to dedicated VM

2018-10-07 21:42:18 -05:00

dhcpcd.yml

dhcpcd: Install and configure dhcpcd

2018-03-13 23:19:50 -05:00

dhcpd.yml

dhcpd: Install and configure ISC DHCPD

2018-03-27 20:44:43 -05:00

docker.yml

roles/docker: Install and set up Docker daemon

2019-09-19 19:27:12 -05:00

domain-controller.yml

domain-controller: Configure local AD authentication

2018-03-11 18:16:17 -05:00

dyngroups.yml

dyngroups: Always run all tasks

2024-01-09 18:18:34 -06:00

facts.yml

facts: Do not collect facts in first play

2023-10-27 17:40:50 -05:00

fileserver.yml

fileserver: Configure Apache ~user directories

2019-01-04 20:52:23 -06:00

firewalld.yml

firewalld: Playbook to bootstrap firewalld

2018-01-29 15:11:07 -06:00

frigate.yml

r/frigate: Add role to deploy Frigate

2021-08-21 17:16:58 -05:00

gitea.yml

r/gitea: use sshd_config.d

2023-11-13 17:45:21 -06:00

grafana.yml

grafana: Redirect HTTP to HTTPS

2022-08-10 21:55:54 -05:00

graylog.yml

graylog: Add PB to deploy Graylog server

2019-10-28 18:47:09 -05:00

hassdb.yml

hassdb: Fix playbook

2020-08-29 14:22:17 -05:00

homeassistant.yml

homeassistant: Split out Zigbee/Zwave playbooks

2021-12-18 16:45:52 -06:00

hostname.yml

hostname: Also write /etc/hosts

2018-04-08 10:11:43 -05:00

hosts

nut: Drop group

2024-02-22 10:24:16 -06:00

hosts.gw

hosts: Deploy Squid on gw1

2024-01-27 20:09:34 -06:00

hosts.offline

nut-monitor: Configure upsmon

2024-01-19 20:50:03 -06:00

jellyfin.yml

jellyfin: Deploy Jellyfin media server

2023-09-12 13:38:35 -05:00

jenkins-slave.yml

jenkins-slave: Apply ssh-hostkeys role

2018-04-08 12:32:02 -05:00

journal2ntfy.yml

journal2ntfy: Script to send log messagess via ntfy

2023-05-17 14:51:21 -05:00

koji-builder.yml

koji: Add playbooks for Koji

2018-08-12 10:14:25 -05:00

koji-hub.yml

koji: Add playbooks for Koji

2018-08-12 10:14:25 -05:00

koji-web.yml

koji: Add playbooks for Koji

2018-08-12 10:14:25 -05:00

koji.yml

koji: Add playbooks for Koji

2018-08-12 10:14:25 -05:00

kube-root-ca.crt

metrics: Scrape metrics from Kubernetes API server

2023-05-22 21:21:08 -05:00

metricspi.yml

metricspi: Apply victoria-metrics-nginx role

2022-08-12 13:14:41 -05:00

minio.yml

minio: Install and configure MinIO

2023-05-09 21:37:46 -05:00

motioneye.yml

motioneye: Deploy motionEye camera software

2020-10-03 11:29:39 -05:00

named-server.yml

named-server: Playbook to deploy BIND

2018-01-29 15:10:04 -06:00

net-ifaces.yml

net-ifaces: PB to apply net-ifaces role

2018-07-23 17:35:10 -05:00

network.yml

network: Playbook to configure networking

2018-03-27 20:44:43 -05:00

nextcloud.yml

roles/cert: Add handler topic notification

2020-12-26 10:38:17 -06:00

ntp.yml

ntp: Initial PB and role to set up ntpd

2018-04-22 11:19:22 -05:00

nut.yml

nut-monitor: Configure upsmon

2024-01-19 20:50:03 -06:00

postgresql.yml

postgresql: PB to deploy PostgreSQL server

2018-04-14 15:28:46 -05:00

promtail.yml

promtail: Role/Playbook to deploy Promtail

2024-02-22 19:23:31 -06:00

protonvpn.yml

pyrocufflink-dns: Cloudflare over ProtonVPN

2020-09-06 11:06:58 -05:00

pxe.yml

r/netboot/basementhud: Configure NBD export

2022-08-15 17:18:48 -05:00

pyrocufflink.yml

pyrocufflink: Trust DCH Root CA

2018-06-04 20:03:55 -05:00

radius.yml

radius: PB to configure RADIUS servers

2018-05-06 13:09:18 -05:00

radvd.yml

radvd: Install and configure radvd

2018-03-27 20:44:43 -05:00

remount.yml

remount: Do not remount SquashFS volumes

2022-08-12 13:40:06 -05:00

repohost.yml

r/repohost: Configure Yum package repo host

2023-11-07 20:51:10 -06:00

rngd.yml

rngd: PB to set up rngd

2018-08-13 20:25:22 -05:00

samba-dc.yml

samba-dc: Do not apply sudo role

2023-10-27 17:57:20 -05:00

smtp-relay.yml

smtp-relay: PB to deploy Postfix SMTP relay

2018-04-15 11:38:51 -05:00

squid.yml

squid: Add role and PB to deploy Squid

2018-08-12 16:00:32 -05:00

synapse.yml

roles/synapse: Add cert role dependency

2021-01-31 15:38:18 -06:00

systemd-networkd.yml

r/systemd-networkd: Role to configure networkd

2021-10-10 16:09:15 -05:00

systemd-resolved.yml

r/systemd-resolved: Manage systemd resolver daemon

2022-08-12 14:35:14 -05:00

taiga.yml

taiga: Add playbook for Taiga

2019-09-19 19:51:45 -05:00

unifi.yml

unifi: Deploy Unifi Network controller

2023-07-07 10:05:01 -05:00

victoria-metrics.yml

r/vmalert: Deploy vmalert

2022-08-11 21:40:19 -05:00

vmhost.yml

r/vmhost: mount shared filesystems

2021-10-10 16:09:15 -05:00

websites.yml

websites: Add hatchlearningcenter.org

2022-11-30 22:04:29 -06:00

wheelhost.yml

wheelhost: Publish wheels built by Jenkins

2019-03-22 10:19:27 -05:00

zabbix-agent.yml

zabbix: Playbooks for Zabbix server, agents

2018-04-14 15:31:17 -05:00

zabbix-server.yml

zabbix: Playbooks for Zabbix server, agents

2018-04-14 15:31:17 -05:00

zabbix.yml

zabbix: Playbooks for Zabbix server, agents

2018-04-14 15:31:17 -05:00

zezere.yml

zezere: role/playbook to deploy Zezere

2021-07-05 09:34:25 -05:00

zigbee2mqtt.yml

homeassistant: Split out Zigbee/Zwave playbooks

2021-12-18 16:45:52 -06:00

zwavejs2mqtt.yml

homeassistant: Split out Zigbee/Zwave playbooks

2021-12-18 16:45:52 -06:00