From 9c1c82017a673c613fa83fce8e3bdbb00a5be561 Mon Sep 17 00:00:00 2001
From: Alpha Chen
Date: Sun, 4 Feb 2024 14:09:40 -0800
Subject: [PATCH] logs

---
 lotus-land-story/logs.yml | 88 +++++++++++++++
 lotus-land-story/templates/Caddyfile | 5 +
 .../templates/authelia_configuration.yml | 104 ++++++++++--------
 .../templates/authelia_users_database.yml | 7 +-
 4 files changed, 158 insertions(+), 46 deletions(-)
 create mode 100644 lotus-land-story/logs.yml
diff --git a/lotus-land-story/logs.yml b/lotus-land-story/logs.yml
new file mode 100644
index 0000000..00647c0
--- /dev/null
+++ b/lotus-land-story/logs.yml
@@ -0,0 +1,88 @@
+# https://www.parseable.com/docs/log-ingestion/agents/logstash
+
+- name: Set up Parseable
+ hosts: lotus-land-story
+ vars_files:
+ - vars.yml
+ tasks:
+
+ - name: Create directories for volume mounting
+ ansible.builtin.file:
+ path: /mnt/lotus-land-story/parseable/{{ item }}
+ state: directory
+ mode: "0755"
+ loop:
+ - data
+ - staging
+
+ # https://www.parseable.com/logstash/logstash.conf
+ - name: Configure Logstash
+ ansible.builtin.copy:
+ dest: /mnt/lotus-land-story/parseable/logstash.conf
+ content: |
+ output {
+ http {
+ id => "parseable"
+ format => "json_batch"
+ codec => "json"
+ url => "http://parseable:8000/api/v1/ingest"
+ headers => {
+ "Authorization" => "Basic YWRtaW46YWRtaW4="
+ "x-p-stream" => "logstash"
+ }
+ http_method => "post"
+ http_compression => false
+ automatic_retries => 5
+ retry_non_idempotent => true
+ connect_timeout => 30
+ keepalive => false
+ content_type => "application/json"
+ }
+ }
+ mode: "0644"
+
+ - name: Get docker network
+ community.docker.docker_network:
+ name: lotus_land_story
+ register: docker_network
+
+ # https://www.parseable.com/logstash/docker-compose.yaml
+ - name: Run Parseable
+ community.docker.docker_container:
+ restart: true
+ name: parseable
+ image: parseable/parseable:v0.7.3
+ command:
+ - parseable
+ - local-store
+ env:
+ P_FS_DIR: /parseable/data
+ P_STAGING_DIR: /parseable/staging
+ P_USERNAME: admin
+ P_PASSWORD: admin
+ P_OIDC_CLIENT_ID: parseable
+ P_OIDC_CLIENT_SECRET: "{{ parseable.oidc_secret }}"
+ P_OIDC_ISSUER: https://auth.{{ domain }}
+ P_ORIGIN_URI: https://logs.{{ domain }}
+ volumes:
+ - ./data:/parseable/data
+ - ./staging:/parseable/staging
+ restart_policy: unless-stopped
+ networks:
+ - name: lotus_land_story
+
+ - name: Run Logstash
+ community.docker.docker_container:
+ restart: true
+ name: logstash
+ image: docker.elastic.co/logstash/logstash-oss:8.12.0
+ command: logstash -f /etc/logstash/conf.d/logstash.conf
+ env:
+ LS_JAVA_OPTS: "-Xmx256m -Xms256m"
+ volumes:
+ - /mnt/lotus-land-story/parseable/logstash.conf:/etc/logstash/conf.d/logstash.conf
+ restart_policy: unless-stopped
+ networks:
+ - name: lotus_land_story
+
+# vim: ft=yaml.ansible
diff --git a/lotus-land-story/templates/Caddyfile b/lotus-land-story/templates/Caddyfile
index d832212..61dc52a 100644
--- a/lotus-land-story/templates/Caddyfile
+++ b/lotus-land-story/templates/Caddyfile
@@ -38,6 +38,7 @@ auth.{{ domain }} { search.{{ domain }} { forward_auth authelia:9091 { uri /api/verify?rd=https://auth.{{ domain }} + # copy_headers Remote-User # This import needs to be included if you're relying on a trusted proxies configuration. import trusted_proxy_list
@@ -95,4 +96,8 @@ paperless.{{ domain }} { } }
+logs.{{ domain }} {
+ reverse_proxy parseable:8000
+}
+
 # vim: ts=4
diff --git a/lotus-land-story/templates/authelia_configuration.yml b/lotus-land-story/templates/authelia_configuration.yml
index 469ec51..f3393f6 100644
--- a/lotus-land-story/templates/authelia_configuration.yml
+++ b/lotus-land-story/templates/authelia_configuration.yml
@@ -1,3 +1,5 @@
+# https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#how-do-i-generate-client-secrets
+
 theme: auto
 jwt_secret: {{ authelia.jwt_secret }}
 default_redirection_url: https://auth.{{ domain }}/
@@ -18,6 +20,7 @@ access_control:
 default_policy: deny
 rules:
 - domain: "*.{{ domain }}"
+ # policy: one_factor
 policy: two_factor
 
 session:
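Review bot: The `Run Parseable` task sets `P_USERNAME: admin` and `P_PASSWORD: admin`, and the logstash.conf written by `Configure Logstash` hard-codes the matching `"Authorization" => "Basic YWRtaW46YWRtaW4="` (base64 of `admin:admin`), while the OIDC client secret on the same task already comes from vars.yml as `{{ parseable.oidc_secret }}`; the Caddyfile hunk in this commit publishes the service as `logs.{{ domain }}` through a bare `reverse_proxy`, so this static login is reachable beyond the lotus_land_story network. Source both values from vars.yml the same way, e.g. `P_PASSWORD: "{{ parseable.admin_password }}"` and, inside the copied `content:`, `"Authorization" => "Basic {{ ('admin:' ~ parseable.admin_password) | b64encode }}"` (module arguments are templated, as `{{ item }}` in the first task shows). Separately, the Parseable `volumes:` entries use the relative sources `./data` and `./staging`, whereas the first task creates `/mnt/lotus-land-story/parseable/{{ item }}` and the Logstash task mounts that absolute path; unless the module resolves relative bind sources, the directories created in task 1 are never mounted, and `- /mnt/lotus-land-story/parseable/data:/parseable/data` / `- /mnt/lotus-land-story/parseable/staging:/parseable/staging` look like the intended lines. The copied logstash.conf also contains only an `output {}` block; if no `input {}` is supplied elsewhere the pipeline has nothing to forward, which is worth checking against the linked example. `register: docker_network` is never read and can be dropped.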
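Review bot: The new `logs.{{ domain }}` block proxies with a bare `reverse_proxy parseable:8000`, whereas the neighbouring `search.{{ domain }}` block in this file gates access with `forward_auth authelia:9091` and `import trusted_proxy_list`; the new block presumably relies on Parseable's own OIDC login against Authelia (the `P_OIDC_*` env in logs.yml), but nothing in the Caddyfile says so. Add a one-line comment above the block, e.g. `# no forward_auth: Parseable authenticates users through its own OIDC client (see P_OIDC_* in logs.yml)`, so the missing guard is not read as an oversight. Without forward_auth, Parseable's built-in credentials remain usable at this host, which is why the static admin password set in logs.yml needs to be replaced. The site block is complete within the hunk.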
@@ -42,48 +45,59 @@ identity_providers:
 issuer_private_key: |
 {{ authelia.oidc_private_key | indent(6) }}
 clients:
- - id: grafana
- description: Grafana
- secret: $argon2id$v=19$m=65536,t=3,p=4$bHcAAorVdHuZzuz53WfAQA$x+pIDTo6SsGyY9JD4OZ7dT6pkEcPf8Yh6Yb7DXco8aQ
- public: false
- # authorization_policy: two_factor
- redirect_uris:
- - https://grafana.{{ domain }}/login/generic_oauth
- scopes:
- - openid
- - profile
- - groups
- - email
- userinfo_signing_algorithm: none
- - id: tailscale
- description: Tailscale
- secret: $argon2id$v=19$m=65536,t=3,p=4$RivlSdV1WE/NLfd3Pzrubw$ljSvHj9sb0byolv7fk5G3nL415nS7Ze2RMASwPgfBX0
- redirect_uris:
- - https://login.tailscale.com/a/oauth_response
- scopes:
- - openid
- - email
- - profile
- - id: gitea
- description: Gitea
- secret: $argon2id$v=19$m=65536,t=3,p=4$bMcI49gLNfk6ovxXbg9jFQ$qE/G5lDzkFebKopyGv1FOqkiA64HhRJ9kq+TJCR0HM0
- public: false
- # authorization_policy: two_factor
- redirect_uris:
- - https://git.{{ domain }}/user/oauth2/authelia/callback
- scopes:
- - openid
- - email
- - profile
- userinfo_signing_algorithm: none
- - id: miniflux
- description: Miniflux
- secret: $argon2id$v=19$m=65536,t=3,p=4$tK5aBDAHOmNsEZzSYS88eg$z6tkZVIzB0x6RQjCM0v34lguS454lcQd/Sm0+xRfg7w
- public: false
- redirect_uris:
- - https://rss.{{ domain }}/oauth2/oidc/callback
- scopes:
- - openid
- - email
- - profile
- userinfo_signing_algorithm: none
+
+ - id: grafana
+ description: Grafana
+ secret: $argon2id$v=19$m=65536,t=3,p=4$bHcAAorVdHuZzuz53WfAQA$x+pIDTo6SsGyY9JD4OZ7dT6pkEcPf8Yh6Yb7DXco8aQ
+ public: false
+ redirect_uris:
+ - https://grafana.{{ domain }}/login/generic_oauth
+ scopes:
+ - openid
+ - profile
+ - groups
+ - email
+
+ - id: tailscale
+ description: Tailscale
+ secret: $argon2id$v=19$m=65536,t=3,p=4$RivlSdV1WE/NLfd3Pzrubw$ljSvHj9sb0byolv7fk5G3nL415nS7Ze2RMASwPgfBX0
+ redirect_uris:
+ - https://login.tailscale.com/a/oauth_response
+ scopes:
+ - openid
+ - email
+ - profile
+
+ - id: gitea
+ description: Gitea
+ secret: $argon2id$v=19$m=65536,t=3,p=4$bMcI49gLNfk6ovxXbg9jFQ$qE/G5lDzkFebKopyGv1FOqkiA64HhRJ9kq+TJCR0HM0
+ public: false
+ redirect_uris:
+ - https://git.{{ domain }}/user/oauth2/authelia/callback
+ scopes:
+ - openid
+ - email
+ - profile
+
+ - id: miniflux
+ description: Miniflux
+ secret: $argon2id$v=19$m=65536,t=3,p=4$tK5aBDAHOmNsEZzSYS88eg$z6tkZVIzB0x6RQjCM0v34lguS454lcQd/Sm0+xRfg7w
+ public: false
+ redirect_uris:
+ - https://rss.{{ domain }}/oauth2/oidc/callback
+ scopes:
+ - openid
+ - email
+ - profile
+
+ - id: parseable
+ description: Parseable
+ secret: $argon2id$v=19$m=65536,t=3,p=4$glcGbEsVvimlXW08i18Mbg$5VsdS3E8897Dsb1n+BMO5SAy1a1Sq9jeCLcTADTMGtA
+ public: false
+ redirect_uris:
+ - https://logs.{{ domain }}/api/v1/o/code
+ scopes:
+ - openid
+ - email
+ - profile
+ - groups
diff --git a/lotus-land-story/templates/authelia_users_database.yml b/lotus-land-story/templates/authelia_users_database.yml
index 3c40ec3..7f11dfc 100644
--- a/lotus-land-story/templates/authelia_users_database.yml
+++ b/lotus-land-story/templates/authelia_users_database.yml
@@ -2,7 +2,12 @@ users:
 alpha:
 disabled: false
 displayname: "Alpha"
- password: "$argon2id$v=19$m=65536,t=3,p=4$JHtyy/vVD+37neJUjy5Shw$6GODmDOXW/v7cfhqwuEp30bVSCWLT5R3OEe/Gi5FGX0" # yamllint disable-line rule:line-length
+ password: "$argon2id$v=19$m=65536,t=3,p=4$JHtyy/vVD+37neJUjy5Shw$6GODmDOXW/v7cfhqwuEp30bVSCWLT5R3OEe/Gi5FGX0" # yamllint disable-line rule:line-length
 email: alpha@kejadlen.dev
 groups:
 - admins
+ lydia:
+ disabled: false
+ displayname: "Lydia"
+ password: "$argon2id$v=19$m=65536,t=3,p=4$ALAevUUnRK1hcwf5jp1OkA$aSwuYjEMrbtcAGfhsclL901QKF5S+6u42NQFG7S8DkI" # yamllint disable-line rule:line-length
+ email: lydia.islan@gmail.com
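Review bot: The rewritten `clients:` list drops `userinfo_signing_algorithm: none` from the grafana, gitea and miniflux entries (along with the commented `authorization_policy` lines), which changes those clients' userinfo responses unless the deployed Authelia version already defaults to `none`; since the commit message is just "logs", either confirm that default or keep those three lines. The new `parseable` entry matches its siblings (argon2id digest in `secret`, `public: false`, explicit scopes) and its `redirect_uris` value sits under the `P_ORIGIN_URI` set in logs.yml, which is consistent. A short comment above `clients:`, e.g. `# secret: argon2id digest of the client secret handed to the application (plaintext stays in vars.yml, e.g. parseable.oidc_secret)`, would stop the next editor from pasting a plaintext secret into this template. The first three lines of the hunk are context and the `identity_providers:` block opens above it.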
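Review bot: The new `lydia` entry has no `groups:` key while the only other entry, `alpha`, lists `- admins`; because the `parseable` OIDC client added in this commit requests the `groups` scope, make the intent explicit with `groups: []` (or the intended group) rather than leaving the key absent. The `alpha` `password:` line is removed and re-added with identical visible text, so that change is presumably whitespace only and deserves a word in the commit message. The `users:` mapping opens above the hunk.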