diff --git a/roles/loki/defaults/main.yml b/roles/loki/defaults/main.yml
index e8b17f135b3c67b7c5e9b1e0d0b4719c4ba00735..0534d2e19a87ace6cbc429aec7bd9538960cbda6 100644
--- a/roles/loki/defaults/main.yml
+++ b/roles/loki/defaults/main.yml
@@ -1,2 +1 @@
-logging_domain: logging.archlinux.org
 loki_nginx_htpasswd: /etc/nginx/auth/loki
diff --git a/roles/loki/tasks/main.yml b/roles/loki/tasks/main.yml
index e303a2b1d474fcb1cc5cc86291c0d41e1f531933..bd9c4cdf36a9accf4c7df5aee333377cec345d8f 100644
--- a/roles/loki/tasks/main.yml
+++ b/roles/loki/tasks/main.yml
@@ -1,10 +1,4 @@
 ---
-- name: create ssl cert
-  include_role:
-    name: certificate
-  vars:
-    domains: ["{{ logging_domain }}"]
-
 - name: install loki and logcli
   pacman: name=loki,logcli state=present
 
@@ -25,12 +19,15 @@
     mode: 0640
 
 - name: make nginx log dir
-  file: path=/var/log/nginx/{{ logging_domain }} state=directory owner=root group=root mode=0755
+  file: path=/var/log/nginx/loki state=directory owner=root group=root mode=0755
 
 - name: set up nginx
   template: src=nginx.d.conf.j2 dest="/etc/nginx/nginx.d/logging.conf" owner=root group=root mode=644
   notify: reload nginx
   tags: ['nginx']
 
+- name: open firewall hole
+  ansible.posix.firewalld: service=http zone=wireguard permanent=true state=enabled immediate=yes
+
 - name: start and enable loki
   systemd: name=loki.service enabled=yes daemon_reload=yes state=started
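Review bot: The new `open firewall hole` task carries no `tags`, while the promtail role's firewalld task elsewhere in this commit is tagged `firewall`, so a run limited to `--tags firewall` would skip it; adding `tags: ['firewall']` keeps the two consistent. The rule also admits `service=http` for the whole `wireguard` zone rather than for named source addresses, so access control for Loki rests on the nginx `auth_basic` configuration. A short comment on the task saying that every peer in the zone is expected to push logs here would make that intent explicit. The task name could also say what is opened, for example `open http for loki in the wireguard zone`.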
diff --git a/roles/loki/templates/nginx.d.conf.j2 b/roles/loki/templates/nginx.d.conf.j2
index 164279dd1e4ae6d8598f81797977a5a8d401f1f2..a3f90fffc03060293a66f57bc061a6eab0de426d 100644
--- a/roles/loki/templates/nginx.d.conf.j2
+++ b/roles/loki/templates/nginx.d.conf.j2
@@ -1,39 +1,15 @@
-server {
-    listen       80;
-    listen       [::]:80;
-    server_name  {{ logging_domain }};
-
-    access_log   /var/log/nginx/{{ logging_domain }}/access.log main;
-    access_log   /var/log/nginx/{{ logging_domain }}/access.log.json json_main;
-    error_log    /var/log/nginx/{{ logging_domain }}/error.log;
-
-    include snippets/letsencrypt.conf;
-
-    location / {
-        access_log off;
-        return 301 https://$server_name$request_uri;
-    }
-}
-
 # We don't want to log (/loki/api/v1/push) request from yourself as it would cause a infinite loop
 map $remote_addr $loggable {
-    {{ ansible_default_ipv4.address }} 0;
-    {{ ansible_default_ipv6.address }} 0;
+    {{ wireguard_address }} 0;
     default 1;
 }
 
 server {
-    listen       443 ssl http2;
-    listen       [::]:443 ssl http2;
-    server_name  {{ logging_domain }};
-
-    access_log   /var/log/nginx/{{ logging_domain }}/access.log main;
-    access_log   /var/log/nginx/{{ logging_domain }}/access.log.json json_main if=$loggable;
-    error_log    /var/log/nginx/{{ logging_domain }}/error.log;
+    listen       {{ wireguard_address }}:80;
 
-    ssl_certificate      /etc/letsencrypt/live/{{ logging_domain }}/fullchain.pem;
-    ssl_certificate_key  /etc/letsencrypt/live/{{ logging_domain }}/privkey.pem;
-    ssl_trusted_certificate /etc/letsencrypt/live/{{ logging_domain }}/chain.pem;
+    access_log   /var/log/nginx/loki/access.log main;
+    access_log   /var/log/nginx/loki/access.log.json json_main if=$loggable;
+    error_log    /var/log/nginx/loki/error.log;
 
     location = /loki/api/v1/push {
         auth_basic "Loki :)";
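Review bot: With the TLS listeners and certificate directives gone, `listen {{ wireguard_address }}:80;` carries the `auth_basic` credentials and the pushed log lines as plain HTTP, so confidentiality and integrity now rest entirely on the WireGuard tunnel, and nothing in the template says so. A comment above the `listen` line such as `# Plain HTTP on purpose: only reachable on the WireGuard address, which provides the encryption` would stop a later edit from widening the listener to a public address. The same applies to the `http://` client URL in the promtail.yaml.j2 hunk, where the vault credentials are sent. The server block continues past the end of this hunk, so whether locations other than `/loki/api/v1/push` require authentication cannot be checked from here.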
diff --git a/roles/prometheus/defaults/main.yml b/roles/prometheus/defaults/main.yml
index 2e8bde8664ca2d328b39734b8d8f2623886ca40a..e630bd84ea378c2cd9194d71f1c51c4b8d7988a9 100644
--- a/roles/prometheus/defaults/main.yml
+++ b/roles/prometheus/defaults/main.yml
@@ -7,6 +7,7 @@ prometheus_receive_only: false
 # for d in $(curl -sf "https://crt.sh/?q=archlinux.org&output=json" "https://crt.sh/?q=pkgbuild.com&output=json" | jq -r ".[].name_value" | sort -u); do if curl -o /dev/null -sS "https://$d"; then echo $d; fi; done | grep -v "\@" | sort | sed "s/^/  - https:\/\//"
 blackbox_targets:
   http_prometheus:
+    - http://{{ hostvars['monitoring.archlinux.org']['wireguard_address'] }}
     - https://accounts.archlinux.org
     - https://america.archive.pkgbuild.com
     - https://america.mirror.pkgbuild.com
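Review bot: The added `http://{{ hostvars['monitoring.archlinux.org']['wireguard_address'] }}` target will not appear in the output of the crt.sh one-liner documented just above `blackbox_targets`, so regenerating the list from that command would silently drop it. A comment on the entry, for example `# internal vhost on the WireGuard address, not in crt.sh; keep when regenerating`, would protect it. It is also the only templated entry in the list, so wrapping the whole value in double quotes would follow the usual Ansible habit for Jinja values.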
@@ -25,7 +26,6 @@ blackbox_targets:
     - https://europe.mirror.pkgbuild.com
     - https://gitlab.archlinux.org
     - https://ipxe.archlinux.org
-    - https://logging.archlinux.org
     - https://lists.archlinux.org
     - https://mailman.archlinux.org
     - https://man.archlinux.org
diff --git a/roles/prometheus/templates/prometheus.yml.j2 b/roles/prometheus/templates/prometheus.yml.j2
index 43473ca02b6046f52f17fb514371cd6a7ae593b5..d301b3b8d35dd20dbfa816cc387585809f4732cf 100644
--- a/roles/prometheus/templates/prometheus.yml.j2
+++ b/roles/prometheus/templates/prometheus.yml.j2
@@ -61,7 +61,7 @@ scrape_configs:
     static_configs:
     {% for host in groups['node_exporters'] %}
 
-    - targets: ['{{ host }}:9080']
+    - targets: ['{{ hostvars[host]['wireguard_address'] }}:9080']
       labels:
         instance: "{{ host }}"
 
diff --git a/roles/promtail/defaults/main.yml b/roles/promtail/defaults/main.yml
deleted file mode 100644
index 57bb5d15f6238f66be3b63886ea9d3ea72cb1ff0..0000000000000000000000000000000000000000
--- a/roles/promtail/defaults/main.yml
+++ /dev/null
@@ -1 +0,0 @@
-logging_domain: logging.archlinux.org
diff --git a/roles/promtail/tasks/main.yml b/roles/promtail/tasks/main.yml
index e39281da5ef2e8b8a8c3d6f21a69edb17f84675c..73409778529c9e03f46a19b7c686137096ccdcdb 100644
--- a/roles/promtail/tasks/main.yml
+++ b/roles/promtail/tasks/main.yml
@@ -7,8 +7,8 @@
   notify: restart promtail
 
 - name: open promtail ipv4 port for monitoring.archlinux.org
-  ansible.posix.firewalld: state=enabled permanent=true immediate=yes
-    rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['ipv4_address'] }} port protocol=tcp port=9080 accept"
+  ansible.posix.firewalld: zone=wireguard state=enabled permanent=true immediate=yes
+    rich_rule="rule family=ipv4 source address={{ hostvars['monitoring.archlinux.org']['wireguard_address'] }} port protocol=tcp port=9080 accept"
   tags:
     - firewall
 
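Review bot: Changing the rule in place leaves the previous one behind. The old `rich_rule` with the monitoring host's `ipv4_address` was installed with `permanent=true` and no `zone`, so it sits in the default zone, and nothing in this hunk removes it from hosts that were already provisioned. A preceding task that applies the former rule text with `state=disabled permanent=true immediate=yes` would clean it up, and it can be dropped once every host has run it. The task name could also mention the WireGuard zone now that the rule is scoped to it.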
diff --git a/roles/promtail/templates/promtail.yaml.j2 b/roles/promtail/templates/promtail.yaml.j2
index e485aa93422324c9dff32d15150bc6ffbaedb3d7..23ec2d390f03afbc94e0c6147a2637e417c7a7cc 100644
--- a/roles/promtail/templates/promtail.yaml.j2
+++ b/roles/promtail/templates/promtail.yaml.j2
@@ -1,5 +1,5 @@
 server:
-  http_listen_address: 0.0.0.0
+  http_listen_address: {{ wireguard_address }}
   http_listen_port: 9080
   grpc_listen_address: 127.0.0.1
   grpc_listen_port: 0 # 0 means random
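Review bot: Binding `http_listen_address` to `{{ wireguard_address }}` makes promtail's start depend on that address already being configured on an interface; if the service starts before the WireGuard interface is up, the listen will presumably fail. Whether the unit is ordered after the WireGuard interface is not visible in this commit, so it is worth confirming. The same holds for the `listen {{ wireguard_address }}:80;` line in the loki nginx template. Quoting the value as `http_listen_address: '{{ wireguard_address }}'` would also match the quoted `username` and `password` values further down the file.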
@@ -8,7 +8,7 @@ positions:
   filename: /var/lib/promtail/positions.yaml
 
 clients:
-  - url: https://{{ logging_domain }}/loki/api/v1/push
+  - url: http://{{ hostvars['monitoring.archlinux.org']['wireguard_address'] }}/loki/api/v1/push
     basic_auth:
       username: '{{ vault_loki_nginx_user }}'
       password: '{{ vault_loki_nginx_passwd }}'
diff --git a/tf-stage1/archlinux.tf b/tf-stage1/archlinux.tf
index 67c25f5e19a099330018af13b0728c150e20e84f..3baf9bd590a917c69478ef2efc99103fb2974a9b 100644
--- a/tf-stage1/archlinux.tf
+++ b/tf-stage1/archlinux.tf
@@ -285,7 +285,6 @@ locals {
     rsync         = { value = "gemini" }
     sources       = { value = "gemini" }
     "static.conf" = { value = "redirect" }
-    logging       = { value = "monitoring" }
     status        = { value = "stats.uptimerobot.com." }
     svn           = { value = "gemini" }
     coc           = { value = "redirect" }