CCCHH/ansible-infra
CCCHH/ansible-infra
4
2
Fork 1
Code Issues 4 Pull requests 1 Wiki Activity Actions

adding loki
Some checks failed
/ Ansible Lint (push) Failing after 1m55s
Details

Browse source
This commit is contained in:
chris 2025-04-28 20:04:19 +02:00
commit 456117a789
Signed by: c6ristian
SSH key fingerprint: SHA256:B3m+yzpaxGXSEcDBpPHfvza/DNC0wuX+CKMeGq8wgak
9 changed files with 205 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

13
inventories/chaosknoten/host_vars/grafana.yaml
View file

@ -12,15 +12,28 @@ docker_compose__configuration_files:
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/docker_compose/prometheus_alerts.rules.yaml') }}" content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/docker_compose/prometheus_alerts.rules.yaml') }}"
- name: alertmanager_alert_templates.tmpl - name: alertmanager_alert_templates.tmpl
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/docker_compose/alertmanager_alert_templates.tmpl') }}" content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/docker_compose/alertmanager_alert_templates.tmpl') }}"
- name: loki.yaml
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/docker_compose/loki.yaml') }}"
certbot__version_spec: "" certbot__version_spec: ""
certbot__acme_account_email_address: le-admin@hamburg.ccc.de certbot__acme_account_email_address: le-admin@hamburg.ccc.de
certbot__certificate_domains: certbot__certificate_domains:
- "grafana.hamburg.ccc.de" - "grafana.hamburg.ccc.de"
- "loki.hamburg.ccc.de"
certbot__new_cert_commands: certbot__new_cert_commands:
- "systemctl reload nginx.service" - "systemctl reload nginx.service"
nginx__version_spec: "" nginx__version_spec: ""
nginx__deploy_redirect_conf: false
nginx__deploy_htpasswds: true
nginx__htpasswds:
- name: loki
content: "{{ lookup('ansible.builtin.template', 'resources/chaosknoten/grafana/nginx/loki.htpasswd.j2') }}"
nginx__configurations: nginx__configurations:
- name: redirectv6
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/nginx/redirect.conf') }}"
- name: grafana.hamburg.ccc.de - name: grafana.hamburg.ccc.de
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf') }}" content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/nginx/grafana.hamburg.ccc.de.conf') }}"
- name: loki.hamburg.ccc.de
content: "{{ lookup('ansible.builtin.file', 'resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf') }}"

12
resources/chaosknoten/grafana/docker_compose/compose.yaml.j2
View file

@ -55,7 +55,19 @@ services:
- /dev/null:/etc/prometheus/pve.yml - /dev/null:/etc/prometheus/pve.yml
loki:
image: grafana/loki:3
container_name: loki
ports:
- 13100:3100
- 19099:9099
restart: unless-stopped
volumes:
- ./configs/loki.yaml:/etc/loki/local-config.yaml
- loki_data:/var/loki
volumes: volumes:
graf_data: {} graf_data: {}
prom_data: {} prom_data: {}
alertmanager_data: {} alertmanager_data: {}
loki_data: {}

12
resources/chaosknoten/grafana/docker_compose/grafana-datasource.yml
View file

@ -7,3 +7,15 @@ datasources:
isDefault: true isDefault: true
access: proxy access: proxy
editable: true editable: true
- name: Loki
type: loki
url: http://loki:3100
access: proxy
editable: true
jsonData:
timeout: 60
maxLines: 3000
httpHeaderName1: "X-Scope-OrgID"
secureJsonData:
httpHeaderValue1: "chaos"

52
resources/chaosknoten/grafana/docker_compose/loki.yaml Normal file
View file

@ -0,0 +1,52 @@
auth_enabled: true
server:
http_listen_port: 3100
grpc_listen_port: 9099
log_level: warn
limits_config:
retention_period: 14d
common:
instance_addr: 127.0.0.1
path_prefix: /var/loki
storage:
filesystem:
chunks_directory: /var/loki/chunks
rules_directory: /var/loki/rules
replication_factor: 1
ring:
kvstore:
store: inmemory
storage_config:
filesystem:
directory: /var/loki/chunks
index_queries_cache_config:
embedded_cache:
enabled: true
max_size_mb: 80
ttl: 30m
schema_config:
configs:
- from: 2025-04-28
store: tsdb
object_store: filesystem
schema: v13
index:
prefix: index_
period: 24h
chunk_store_config:
chunk_cache_config:
embedded_cache:
enabled: true
max_size_mb: 80
ttl: 30m
write_dedupe_cache_config:
embedded_cache:
enabled: true
max_size_mb: 80
ttl: 30m

71
resources/chaosknoten/grafana/nginx/loki.hamburg.ccc.de.conf Normal file
View file

@ -0,0 +1,71 @@
server {
# Wieske
allow 172.31.17.128/25;
allow 212.12.51.128/28;
allow 2a00:14b0:42:100::/56;
# Z9
allow 2a07:c480:0:100::/56;
allow 2a07:c481:1::/48;
deny all;
listen [2a00:14b0:4200:3380:0000:5a5f:1dbc:6a39]:9099 ssl http2;
listen 172.31.17.145:9099 ssl http2;
server_name loki.hamburg.ccc.de;
ssl_certificate /etc/letsencrypt/live/loki.hamburg.ccc.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loki.hamburg.ccc.de/privkey.pem;
auth_basic "loki";
auth_basic_user_file loki.htpasswd;
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 9099;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Scope-OrgID $remote_user;
grpc_pass grpc://localhost:19009;
}
}
server {
# Wieske
allow 172.31.17.128/25;
allow 212.12.51.128/28;
allow 2a00:14b0:42:100::/56;
# Z9
allow 2a07:c480:0:100::/56;
allow 2a07:c481:1::/48;
deny all;
listen [2a00:14b0:4200:3380:0000:5a5f:1dbc:6a39]:3100 ssl http2;
listen 172.31.17.145:3100 ssl http2;
server_name loki.hamburg.ccc.de;
ssl_certificate /etc/letsencrypt/live/loki.hamburg.ccc.de/fullchain.pem;
ssl_certificate_key /etc/letsencrypt/live/loki.hamburg.ccc.de/privkey.pem;
# verify chain of trust of OCSP response using Root CA and Intermediate certs
ssl_trusted_certificate /etc/letsencrypt/live/loki.hamburg.ccc.de/chain.pem;
# HSTS (ngx_http_headers_module is required) (63072000 seconds)
add_header Strict-Transport-Security "max-age=63072000" always;
auth_basic "loki";
auth_basic_user_file loki.htpasswd;
location / {
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Port 3100;
# This is https in any case.
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Scope-OrgID $remote_user;
proxy_pass http://127.0.0.1:13100;
}
}

1
resources/chaosknoten/grafana/nginx/loki.htpasswd.j2 Normal file
View file

@ -0,0 +1 @@
chaos:{{ lookup("community.general.passwordstore", "noc/vm-secrets/chaosknoten/grafana/loki_chaos_basic_auth", create=false, missing="error") }}

14
resources/chaosknoten/grafana/nginx/redirect.conf Normal file
View file

@ -0,0 +1,14 @@
# partly generated 2022-01-08, Mozilla Guideline v5.6, nginx 1.17.7, OpenSSL 1.1.1k, intermediate configuration
# https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1k&guideline=5.6
server {
listen 80 default_server;
listen [::]:80 default_server;
location / {
return 301 https://$host$request_uri;
}
location /.well-known/acme-challenge/ {
proxy_pass http://127.0.0.1:31820/.well-known/acme-challenge/;
}
}

16
roles/nginx/meta/argument_specs.yaml
View file

@ -34,3 +34,19 @@ argument_specs:
type: str type: str
required: false required: false
default: "" default: ""
nginx__deploy_htpasswds:
type: bool
required: false
default: false
nginx__htpasswds:
type: list
elements: dict
required: false
default: [ ]
options:
name:
type: str
required: true
content:
type: str
required: true

14
roles/nginx/tasks/main/04_config_deploy.yaml
View file

@ -131,6 +131,20 @@
label: "{{ item.name }}" label: "{{ item.name }}"
notify: Restart nginx notify: Restart nginx
- name: Ensure all given htpasswd files are deployed
when: nginx__deploy_htpasswds
ansible.builtin.copy:
content: "{{ item.content }}"
dest: "/etc/nginx/{{ item.name }}.htpasswd"
mode: "0644"
owner: root
group: root
become: true
loop: "{{ nginx__htpasswds }}"
loop_control:
label: "{{ item.name }}"
notify: Restart nginx
- name: Add names with suffixes from `nginx__configurations` to `nginx__config_files_to_exist` fact - name: Add names with suffixes from `nginx__configurations` to `nginx__config_files_to_exist` fact
ansible.builtin.set_fact: ansible.builtin.set_fact:
nginx__config_files_to_exist: "{{ nginx__config_files_to_exist + [ item.name + '.conf' ] }}" # noqa: jinja[spacing] nginx__config_files_to_exist: "{{ nginx__config_files_to_exist + [ item.name + '.conf' ] }}" # noqa: jinja[spacing]