-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
10 changed files
with
332 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| # loki | ||
| __Tags - `mimir`__ | ||
|
|
||
| Deploys mimir | ||
|
|
||
| ### Usage | ||
| ```yaml | ||
| - alesharik.baseinfra.mimir | ||
| ``` | ||
| ```yaml | ||
| mimir: | ||
| host: 0.0.0.0 # external IP | ||
| ``` | ||
| ### Vars | ||
| ```yaml | ||
| mimir: | ||
| image: grafana/mimir | ||
| version: 2.13.0 | ||
| tls_hostname: loki.infra.local # server hostname for DNS SAN in TLS cert | ||
| clients: # generate TLS creds for: | ||
| - grafana | ||
| log_format: json | ||
| compactor_blocks_retention_period: 4w | ||
| ``` | ||
| ### Effects | ||
| - creates and manages `{{ dir.ansible }}/mimir` | ||
| - creates `{{ dir.data }}/mimir` | ||
| - creates `{{ playbook_dir }}/certs/mimir_ca.key`, `{{ playbook_dir }}/certs/mimir_server.key`, `{{ playbook_dir }}/certs/mimir_{{ client }}.key` to manage keys | ||
| - deploys docker compose project `mimir` | ||
|
|
||
| ### Networking | ||
| - exposes 9009 port on `{{ loki.host }}` | ||
|
|
||
| ### Handlers | ||
| - `restart mimir` - restarts mimir | ||
|
|
||
| ### Dependencies | ||
| - `bootstrap` | ||
| - `docker` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,9 @@ | ||
| --- | ||
| mimir: | ||
| image: grafana/mimir | ||
| version: 2.13.0 | ||
| tls_hostname: loki.infra.local | ||
| clients: | ||
| - grafana | ||
| log_format: json | ||
| compactor_blocks_retention_period: 4w |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| --- | ||
| - name: restart mimir | ||
| community.docker.docker_compose_v2: | ||
| project_src: "{{ dir.ansible }}/mimir" | ||
| state: restarted | ||
| tags: mimir |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| --- | ||
| dependencies: | ||
| - role: alesharik.baseinfra.bootstrap | ||
| - role: alesharik.baseinfra.docker |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| --- | ||
| - name: Create CA private key | ||
| community.crypto.openssl_privatekey: | ||
| path: "{{ playbook_dir }}/certs/mimir_ca.key" | ||
| delegate_to: 127.0.0.1 | ||
| become: no | ||
| tags: mimir | ||
| vars: | ||
| ansible_remote_tmp: "{{ playbook_dir }}/tmp" | ||
| - name: Create certificate signing request (CSR) for CA certificate | ||
| community.crypto.openssl_csr_pipe: | ||
| privatekey_path: "{{ playbook_dir }}/certs/mimir_ca.key" | ||
| common_name: Mimir CA | ||
| use_common_name_for_san: false # since we do not specify SANs, don't use CN as a SAN | ||
| basic_constraints: | ||
| - 'CA:TRUE' | ||
| basic_constraints_critical: true | ||
| key_usage: | ||
| - keyCertSign | ||
| key_usage_critical: true | ||
| delegate_to: 127.0.0.1 | ||
| tags: mimir | ||
| become: no | ||
| register: ca_csr | ||
| vars: | ||
| ansible_remote_tmp: "{{ playbook_dir }}/tmp" | ||
| - name: Create self-signed CA certificate from CSR | ||
| community.crypto.x509_certificate: | ||
| path: "{{ playbook_dir }}/certs/mimir_ca.pem" | ||
| csr_content: "{{ ca_csr.csr }}" | ||
| privatekey_path: "{{ playbook_dir }}/certs/mimir_ca.key" | ||
| provider: selfsigned | ||
| delegate_to: 127.0.0.1 | ||
| tags: mimir | ||
| become: no | ||
| vars: | ||
| ansible_remote_tmp: "{{ playbook_dir }}/tmp" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| - name: 'Create {{ item }} private key' | ||
| delegate_to: 127.0.0.1 | ||
| tags: mimir | ||
| become: no | ||
| vars: | ||
| ansible_remote_tmp: "{{ playbook_dir }}/tmp" | ||
| community.crypto.openssl_privatekey: | ||
| path: "{{ playbook_dir }}/certs/mimir_{{ item }}.key" | ||
| - name: Create certificate signing request (CSR) for new certificate | ||
| delegate_to: 127.0.0.1 | ||
| tags: mimir | ||
| become: no | ||
| vars: | ||
| ansible_remote_tmp: "{{ playbook_dir }}/tmp" | ||
| community.crypto.openssl_csr_pipe: | ||
| privatekey_path: "{{ playbook_dir }}/certs/mimir_{{ item }}.key" | ||
| run_once: true | ||
| register: 'csr' | ||
| - name: Sign certificate with our CA | ||
| tags: mimir | ||
| become: no | ||
| vars: | ||
| ansible_remote_tmp: "{{ playbook_dir }}/tmp" | ||
| community.crypto.x509_certificate_pipe: | ||
| csr_content: "{{ csr.csr }}" | ||
| provider: ownca | ||
| ownca_path: "{{ playbook_dir }}/certs/mimir_ca.pem" | ||
| ownca_privatekey_path: "{{ playbook_dir }}/certs/mimir_ca.key" | ||
| ownca_not_after: +365d # valid for one year | ||
| ownca_not_before: "-1d" # valid since yesterday | ||
| delegate_to: 127.0.0.1 | ||
| run_once: true | ||
| register: cert | ||
| - name: 'Write {{ item }} certificate' | ||
| become: no | ||
| vars: | ||
| ansible_remote_tmp: "{{ playbook_dir }}/tmp" | ||
| copy: | ||
| dest: "{{ playbook_dir }}/certs/mimir_{{ item }}.cet" | ||
| content: "{{ cert.certificate }}" | ||
| tags: mimir | ||
| delegate_to: 127.0.0.1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| - name: Create server private key | ||
| delegate_to: 127.0.0.1 | ||
| tags: mimir | ||
| become: no | ||
| vars: | ||
| ansible_remote_tmp: "{{ playbook_dir }}/tmp" | ||
| community.crypto.openssl_privatekey: | ||
| path: "{{ playbook_dir }}/certs/mimir_server.key" | ||
| - name: Create certificate signing request (CSR) for new certificate | ||
| delegate_to: 127.0.0.1 | ||
| tags: mimir | ||
| become: no | ||
| vars: | ||
| ansible_remote_tmp: "{{ playbook_dir }}/tmp" | ||
| community.crypto.openssl_csr_pipe: | ||
| privatekey_path: "{{ playbook_dir }}/certs/mimir_server.key" | ||
| subject_alt_name: | ||
| - "DNS:{{ mimir.tls_hostname }}" | ||
| run_once: true | ||
| register: csr | ||
| - name: Sign certificate with our CA | ||
| tags: mimir | ||
| become: no | ||
| vars: | ||
| ansible_remote_tmp: "{{ playbook_dir }}/tmp" | ||
| community.crypto.x509_certificate_pipe: | ||
| csr_content: "{{ csr.csr }}" | ||
| provider: ownca | ||
| ownca_path: "{{ playbook_dir }}/certs/mimir_ca.pem" | ||
| ownca_privatekey_path: "{{ playbook_dir }}/certs/mimir_ca.key" | ||
| ownca_not_after: +365d # valid for one year | ||
| ownca_not_before: "-1d" # valid since yesterday | ||
| delegate_to: 127.0.0.1 | ||
| run_once: true | ||
| register: certificate |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,93 @@ | ||
| --- | ||
| - name: Create compose dir | ||
| ansible.builtin.file: | ||
| path: "{{ dir.ansible }}/mimir" | ||
| state: directory | ||
| mode: 0755 | ||
| tags: mimir | ||
| - name: Create data dir | ||
| ansible.builtin.file: | ||
| path: "{{ dir.data }}/mimir" | ||
| state: directory | ||
| mode: 0755 | ||
| owner: '10001' | ||
| tags: mimir | ||
| - name: Move compose files | ||
| ansible.builtin.template: | ||
| src: docker-compose.yml | ||
| dest: "{{ dir.ansible }}/mimir/docker-compose.yml" | ||
| mode: 0755 | ||
| tags: mimir | ||
| notify: | ||
| - restart mimir | ||
| - name: Make config folder | ||
| ansible.builtin.file: | ||
| path: "{{ dir.ansible }}/mimir/config" | ||
| state: directory | ||
| mode: 0755 | ||
| tags: mimir | ||
| - name: Move config | ||
| ansible.builtin.template: | ||
| src: config.yaml | ||
| dest: "{{ dir.ansible }}/mimir/config/config.yaml" | ||
| mode: 0755 | ||
| tags: mimir | ||
| notify: | ||
| - restart mimir | ||
|
|
||
| - name: Generate CA | ||
| ansible.builtin.include_tasks: | ||
| file: gen-ca.yaml | ||
| apply: | ||
| tags: | ||
| - mimir | ||
| tags: mimir | ||
|
|
||
| - name: Generate server keys | ||
| ansible.builtin.include_tasks: | ||
| file: gen-server.yaml | ||
| apply: | ||
| tags: | ||
| - mimir | ||
| tags: mimir | ||
|
|
||
| - name: Generate client keys | ||
| tags: mimir | ||
| loop: "{{ mimir.clients }}" | ||
| ansible.builtin.include_tasks: | ||
| file: gen-client.yaml | ||
| apply: | ||
| tags: | ||
| - mimir | ||
|
|
||
| - name: Write certificate | ||
| copy: | ||
| dest: "{{ dir.ansible }}/mimir/config/server.cer" | ||
| content: "{{ certificate.certificate }}" | ||
| owner: '10001' | ||
| mode: 0500 | ||
| tags: mimir | ||
| notify: | ||
| - restart mimir | ||
| - name: Write key | ||
| copy: | ||
| src: "{{ playbook_dir }}/certs/mimir_server.key" | ||
| dest: "{{ dir.ansible }}/mimir/config/server.key" | ||
| owner: '10001' | ||
| mode: 0500 | ||
| tags: mimir | ||
| notify: | ||
| - restart mimir | ||
| - name: Write CA | ||
| copy: | ||
| src: "{{ playbook_dir }}/certs/mimir_ca.pem" | ||
| dest: "{{ dir.ansible }}/mimir/config/ca.pem" | ||
| owner: '10001' | ||
| mode: 0500 | ||
| tags: mimir | ||
| notify: | ||
| - restart mimir | ||
|
|
||
| - name: Make sure handlers are flushed immediately | ||
| ansible.builtin.meta: flush_handlers | ||
| tags: mimir |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,54 @@ | ||
| multitenancy_enabled: false | ||
|
|
||
| blocks_storage: | ||
| backend: filesystem | ||
| bucket_store: | ||
| sync_dir: /var/lib/mimir/tsdb-sync | ||
| filesystem: | ||
| dir: /var/lib/mimir/data/tsdb | ||
| tsdb: | ||
| dir: /var/lib/mimir/tsdb | ||
|
|
||
| compactor: | ||
| data_dir: /var/lib/mimir/compactor | ||
| sharding_ring: | ||
| kvstore: | ||
| store: memberlist | ||
|
|
||
| distributor: | ||
| ring: | ||
| instance_addr: 127.0.0.1 | ||
| kvstore: | ||
| store: memberlist | ||
|
|
||
| ingester: | ||
| ring: | ||
| instance_addr: 127.0.0.1 | ||
| kvstore: | ||
| store: memberlist | ||
| replication_factor: 1 | ||
|
|
||
| ruler_storage: | ||
| backend: filesystem | ||
| filesystem: | ||
| dir: /var/lib/mimir/rules | ||
|
|
||
| server: | ||
| http_listen_port: 9009 | ||
| log_level: warn | ||
| log_format: {{ mimir.log_format }} | ||
| http_tls_config: | ||
| cert_file: /etc/mimir/server.cer | ||
| key_file: /etc/mimir/server.key | ||
| client_auth_type: RequireAndVerifyClientCert | ||
| client_ca_file: /etc/mimir/ca.pem | ||
|
|
||
| limits: | ||
| # Delete from storage metrics data older than 1 year. | ||
| compactor_blocks_retention_period: {{ mimir.compactor_blocks_retention_period }} | ||
|
|
||
| store_gateway: | ||
| sharding_ring: | ||
| replication_factor: 1 | ||
| usage_stats: | ||
| enabled: false |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| version: '3.9' | ||
| services: | ||
| mimir: | ||
| image: "{{ mimir.image }}:{{ mimir.version }}" | ||
| restart: always | ||
| command: -config.file=/etc/mimir/config.yaml -target=all | ||
| ports: | ||
| - "{{ mimir.host }}:9009:9009" | ||
| volumes: | ||
| - "{{ dir.data }}/mimir:/var/lib/mimir" | ||
| - "{{ dir.ansible }}/mimir/config:/etc/mimir" |