logs

lotus-land-story/logs.yml

@@ -0,0 +1,88 @@
+# https://www.parseable.com/docs/log-ingestion/agents/logstash
+
+- name: Set up Parseable
+  hosts: lotus-land-story
+  vars_files:
+    - vars.yml
+  tasks:
+
+    - name: Create directories for volume mounting
+      ansible.builtin.file:
+        path: /mnt/lotus-land-story/parseable/{{ item }}
+        state: directory
+        mode: "0755"
+      loop:
+        - data
+        - staging
+
+    # https://www.parseable.com/logstash/logstash.conf
+    - name: Configure Logstash
+      ansible.builtin.copy:
+        dest: /mnt/lotus-land-story/parseable/logstash.conf
+        content: |
+          output {
+              http {
+                  id => "parseable"
+                  format => "json_batch"
+                  codec => "json"
+                  url => "http://parseable:8000/api/v1/ingest"
+                  headers => {
+                      "Authorization" => "Basic YWRtaW46YWRtaW4="
+                      "x-p-stream" => "logstash"
+                  }
+                  http_method => "post"
+                  http_compression => false
+                  automatic_retries => 5
+                  retry_non_idempotent => true
+                  connect_timeout => 30
+                  keepalive => false
+                  content_type => "application/json"
+              }
+          }
+        mode: "0644"
+
+    - name: Get docker network
+      community.docker.docker_network:
+        name: lotus_land_story
+      register: docker_network
+
+    # https://www.parseable.com/logstash/docker-compose.yaml
+    - name: Run Parseable
+      community.docker.docker_container:
+        restart: true
+        name: parseable
+        image: parseable/parseable:v0.7.3
+        command:
+          - parseable
+          - local-store
+        env:
+          P_FS_DIR: /parseable/data
+          P_STAGING_DIR: /parseable/staging
+          P_USERNAME: admin
+          P_PASSWORD: admin
+          P_OIDC_CLIENT_ID: parseable
+          P_OIDC_CLIENT_SECRET: "{{ parseable.oidc_secret }}"
+          P_OIDC_ISSUER: https://auth.{{ domain }}
+          P_ORIGIN_URI: https://logs.{{ domain }}
+        volumes:
+          - ./data:/parseable/data
+          - ./staging:/parseable/staging
+        restart_policy: unless-stopped
+        networks:
+          - name: lotus_land_story
+
+    - name: Run Logstash
+      community.docker.docker_container:
+        restart: true
+        name: logstash
+        image: docker.elastic.co/logstash/logstash-oss:8.12.0
+        command: logstash -f /etc/logstash/conf.d/logstash.conf
+        env:
+          LS_JAVA_OPTS: "-Xmx256m -Xms256m"
+        volumes:
+          - /mnt/lotus-land-story/parseable/logstash.conf:/etc/logstash/conf.d/logstash.conf
+        restart_policy: unless-stopped
+        networks:
+          - name: lotus_land_story
+
+# vim: ft=yaml.ansible

lotus-land-story/templates/Caddyfile

@@ -38,6 +38,7 @@ auth.{{ domain }} {
 search.{{ domain }} {
  	forward_auth authelia:9091 {
  		uri /api/verify?rd=https://auth.{{ domain }}
+		# copy_headers Remote-User
 
  		# This import needs to be included if you're relying on a trusted proxies configuration.
  		import trusted_proxy_list
@@ -95,4 +96,8 @@ paperless.{{ domain }} {
 	}
 }
 
+logs.{{ domain }} {
+	reverse_proxy parseable:8000
+}
+
 # vim: ts=4

lotus-land-story/templates/authelia_configuration.yml

@@ -1,3 +1,5 @@
+# https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#how-do-i-generate-client-secrets
+
 theme: auto
 jwt_secret: {{ authelia.jwt_secret }}
 default_redirection_url: https://auth.{{ domain }}/
@@ -18,6 +20,7 @@ access_control:
   default_policy: deny
   rules:
     - domain: "*.{{ domain }}"
+      # policy: one_factor
       policy: two_factor
 
 session:
@@ -42,48 +45,59 @@ identity_providers:
     issuer_private_key: |
       {{ authelia.oidc_private_key | indent(6) }}
     clients:
-    - id: grafana
-      description: Grafana
-      secret: $argon2id$v=19$m=65536,t=3,p=4$bHcAAorVdHuZzuz53WfAQA$x+pIDTo6SsGyY9JD4OZ7dT6pkEcPf8Yh6Yb7DXco8aQ
-      public: false
-      # authorization_policy: two_factor
-      redirect_uris:
-        - https://grafana.{{ domain }}/login/generic_oauth
-      scopes:
-        - openid
-        - profile
-        - groups
-        - email
-      userinfo_signing_algorithm: none
-    - id: tailscale
-      description: Tailscale
-      secret: $argon2id$v=19$m=65536,t=3,p=4$RivlSdV1WE/NLfd3Pzrubw$ljSvHj9sb0byolv7fk5G3nL415nS7Ze2RMASwPgfBX0
-      redirect_uris:
-        - https://login.tailscale.com/a/oauth_response
-      scopes:
-        - openid
-        - email
-        - profile
-    - id: gitea
-      description: Gitea
-      secret: $argon2id$v=19$m=65536,t=3,p=4$bMcI49gLNfk6ovxXbg9jFQ$qE/G5lDzkFebKopyGv1FOqkiA64HhRJ9kq+TJCR0HM0
-      public: false
-      # authorization_policy: two_factor
-      redirect_uris:
-        - https://git.{{ domain }}/user/oauth2/authelia/callback
-      scopes:
-        - openid
-        - email
-        - profile
-      userinfo_signing_algorithm: none
-    - id: miniflux
-      description: Miniflux
-      secret: $argon2id$v=19$m=65536,t=3,p=4$tK5aBDAHOmNsEZzSYS88eg$z6tkZVIzB0x6RQjCM0v34lguS454lcQd/Sm0+xRfg7w
-      public: false
-      redirect_uris:
-        - https://rss.{{ domain }}/oauth2/oidc/callback
-      scopes:
-        - openid
-        - email
-        - profile
-      userinfo_signing_algorithm: none
+
+      - id: grafana
+        description: Grafana
+        secret: $argon2id$v=19$m=65536,t=3,p=4$bHcAAorVdHuZzuz53WfAQA$x+pIDTo6SsGyY9JD4OZ7dT6pkEcPf8Yh6Yb7DXco8aQ
+        public: false
+        redirect_uris:
+          - https://grafana.{{ domain }}/login/generic_oauth
+        scopes:
+          - openid
+          - profile
+          - groups
+          - email
+
+      - id: tailscale
+        description: Tailscale
+        secret: $argon2id$v=19$m=65536,t=3,p=4$RivlSdV1WE/NLfd3Pzrubw$ljSvHj9sb0byolv7fk5G3nL415nS7Ze2RMASwPgfBX0
+        redirect_uris:
+          - https://login.tailscale.com/a/oauth_response
+        scopes:
+          - openid
+          - email
+          - profile
+
+      - id: gitea
+        description: Gitea
+        secret: $argon2id$v=19$m=65536,t=3,p=4$bMcI49gLNfk6ovxXbg9jFQ$qE/G5lDzkFebKopyGv1FOqkiA64HhRJ9kq+TJCR0HM0
+        public: false
+        redirect_uris:
+          - https://git.{{ domain }}/user/oauth2/authelia/callback
+        scopes:
+          - openid
+          - email
+          - profile
+
+      - id: miniflux
+        description: Miniflux
+        secret: $argon2id$v=19$m=65536,t=3,p=4$tK5aBDAHOmNsEZzSYS88eg$z6tkZVIzB0x6RQjCM0v34lguS454lcQd/Sm0+xRfg7w
+        public: false
+        redirect_uris:
+          - https://rss.{{ domain }}/oauth2/oidc/callback
+        scopes:
+          - openid
+          - email
+          - profile
+
+      - id: parseable
+        description: Parseable
+        secret: $argon2id$v=19$m=65536,t=3,p=4$glcGbEsVvimlXW08i18Mbg$5VsdS3E8897Dsb1n+BMO5SAy1a1Sq9jeCLcTADTMGtA
+        public: false
+        redirect_uris:
+          - https://logs.{{ domain }}/api/v1/o/code
+        scopes:
+          - openid
+          - email
+          - profile
+          - groups

lotus-land-story/templates/authelia_users_database.yml

@@ -2,7 +2,12 @@ users:
   alpha:
     disabled: false
     displayname: "Alpha"
-    password: "$argon2id$v=19$m=65536,t=3,p=4$JHtyy/vVD+37neJUjy5Shw$6GODmDOXW/v7cfhqwuEp30bVSCWLT5R3OEe/Gi5FGX0"  # yamllint disable-line rule:line-length
+    password: "$argon2id$v=19$m=65536,t=3,p=4$JHtyy/vVD+37neJUjy5Shw$6GODmDOXW/v7cfhqwuEp30bVSCWLT5R3OEe/Gi5FGX0" # yamllint disable-line rule:line-length
     email: alpha@kejadlen.dev
     groups:
       - admins
+  lydia:
+    disabled: false
+    displayname: "Lydia"
+    password: "$argon2id$v=19$m=65536,t=3,p=4$ALAevUUnRK1hcwf5jp1OkA$aSwuYjEMrbtcAGfhsclL901QKF5S+6u42NQFG7S8DkI" # yamllint disable-line rule:line-length
+    email: lydia.islan@gmail.com