-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
10 changed files
with
350 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,39 @@ | ||
| # loki | ||
| __Tags - `loki`__ | ||
|
|
||
| Deploys loki | ||
|
|
||
| ### Usage | ||
| ```yaml | ||
| - alesharik.baseinfra.loko | ||
| ``` | ||
| ```yaml | ||
| loki: | ||
| host: 0.0.0.0 # external IP | ||
| ``` | ||
| ### Vars | ||
| ```yaml | ||
| loki: | ||
| image: grafana/loki | ||
| version: 2.7.4 | ||
| tls_hostname: loki.infra.local # server hostname for DNS SAN in TLS cert | ||
| clients: # generate TLS creds for: | ||
| - grafana | ||
| ``` | ||
| ### Effects | ||
| - creates and manages `{{ dir.ansible }}/loki` | ||
| - creates `{{ dir.data }}/loki` | ||
| - creates `{{ playbook_dir }}/certs/loki_ca.key`, `{{ playbook_dir }}/certs/loki_server.key`, `{{ playbook_dir }}/certs/loki_grafana.key` to manage keys | ||
| - deploys docker compose project `loki` | ||
|
|
||
| ### Networking | ||
| - exposes 3100 port on `{{ loki.host }}` | ||
|
|
||
| ### Handlers | ||
| - `restart loki` - restarts loki | ||
|
|
||
| ### Dependencies | ||
| - `bootstrap` | ||
| - `docker` |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,7 @@ | ||
| --- | ||
| loki: | ||
| image: grafana/loki | ||
| version: 2.7.4 | ||
| tls_hostname: loki.infra.local | ||
| clients: | ||
| - grafana |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,6 @@ | ||
| --- | ||
| - name: restart loki | ||
| community.docker.docker_compose_v2: | ||
| project_src: "{{ dir.ansible }}/loki" | ||
| state: restarted | ||
| tags: loki |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,4 @@ | ||
| --- | ||
| dependencies: | ||
| - role: alesharik.baseinfra.bootstrap | ||
| - role: alesharik.baseinfra.docker |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,37 @@ | ||
| --- | ||
| - name: Create CA private key | ||
| community.crypto.openssl_privatekey: | ||
| path: "{{ playbook_dir }}/certs/loki_ca.key" | ||
| delegate_to: 127.0.0.1 | ||
| become: no | ||
| tags: loki | ||
| vars: | ||
| ansible_remote_tmp: "{{ playbook_dir }}/tmp" | ||
| - name: Create certificate signing request (CSR) for CA certificate | ||
| community.crypto.openssl_csr_pipe: | ||
| privatekey_path: "{{ playbook_dir }}/certs/loki_ca.key" | ||
| common_name: Loki CA | ||
| use_common_name_for_san: false # since we do not specify SANs, don't use CN as a SAN | ||
| basic_constraints: | ||
| - 'CA:TRUE' | ||
| basic_constraints_critical: true | ||
| key_usage: | ||
| - keyCertSign | ||
| key_usage_critical: true | ||
| delegate_to: 127.0.0.1 | ||
| tags: loki | ||
| become: no | ||
| register: ca_csr | ||
| vars: | ||
| ansible_remote_tmp: "{{ playbook_dir }}/tmp" | ||
| - name: Create self-signed CA certificate from CSR | ||
| community.crypto.x509_certificate: | ||
| path: "{{ playbook_dir }}/certs/loki_ca.pem" | ||
| csr_content: "{{ ca_csr.csr }}" | ||
| privatekey_path: "{{ playbook_dir }}/certs/loki_ca.key" | ||
| provider: selfsigned | ||
| delegate_to: 127.0.0.1 | ||
| tags: loki | ||
| become: no | ||
| vars: | ||
| ansible_remote_tmp: "{{ playbook_dir }}/tmp" |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,42 @@ | ||
| - name: 'Create {{ item }} private key' | ||
| delegate_to: 127.0.0.1 | ||
| tags: loki | ||
| become: no | ||
| vars: | ||
| ansible_remote_tmp: "{{ playbook_dir }}/tmp" | ||
| community.crypto.openssl_privatekey: | ||
| path: "{{ playbook_dir }}/certs/loki_{{ item }}.key" | ||
| - name: Create certificate signing request (CSR) for new certificate | ||
| delegate_to: 127.0.0.1 | ||
| tags: loki | ||
| become: no | ||
| vars: | ||
| ansible_remote_tmp: "{{ playbook_dir }}/tmp" | ||
| community.crypto.openssl_csr_pipe: | ||
| privatekey_path: "{{ playbook_dir }}/certs/loki_{{ item }}.key" | ||
| run_once: true | ||
| register: 'csr' | ||
| - name: Sign certificate with our CA | ||
| tags: loki | ||
| become: no | ||
| vars: | ||
| ansible_remote_tmp: "{{ playbook_dir }}/tmp" | ||
| community.crypto.x509_certificate_pipe: | ||
| csr_content: "{{ csr.csr }}" | ||
| provider: ownca | ||
| ownca_path: "{{ playbook_dir }}/certs/loki_ca.pem" | ||
| ownca_privatekey_path: "{{ playbook_dir }}/certs/loki_ca.key" | ||
| ownca_not_after: +365d # valid for one year | ||
| ownca_not_before: "-1d" # valid since yesterday | ||
| delegate_to: 127.0.0.1 | ||
| run_once: true | ||
| register: cert | ||
| - name: 'Write {{ item }} certificate' | ||
| become: no | ||
| vars: | ||
| ansible_remote_tmp: "{{ playbook_dir }}/tmp" | ||
| copy: | ||
| dest: "{{ playbook_dir }}/certs/loki_{{ item }}.cet" | ||
| content: "{{ cert.certificate }}" | ||
| tags: loki | ||
| delegate_to: 127.0.0.1 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,35 @@ | ||
| - name: Create server private key | ||
| delegate_to: 127.0.0.1 | ||
| tags: loki | ||
| become: no | ||
| vars: | ||
| ansible_remote_tmp: "{{ playbook_dir }}/tmp" | ||
| community.crypto.openssl_privatekey: | ||
| path: "{{ playbook_dir }}/certs/loki_server.key" | ||
| - name: Create certificate signing request (CSR) for new certificate | ||
| delegate_to: 127.0.0.1 | ||
| tags: loki | ||
| become: no | ||
| vars: | ||
| ansible_remote_tmp: "{{ playbook_dir }}/tmp" | ||
| community.crypto.openssl_csr_pipe: | ||
| privatekey_path: "{{ playbook_dir }}/certs/loki_server.key" | ||
| subject_alt_name: | ||
| - "DNS:{{ loki.tls_hostname }}" | ||
| run_once: true | ||
| register: csr | ||
| - name: Sign certificate with our CA | ||
| tags: loki | ||
| become: no | ||
| vars: | ||
| ansible_remote_tmp: "{{ playbook_dir }}/tmp" | ||
| community.crypto.x509_certificate_pipe: | ||
| csr_content: "{{ csr.csr }}" | ||
| provider: ownca | ||
| ownca_path: "{{ playbook_dir }}/certs/loki_ca.pem" | ||
| ownca_privatekey_path: "{{ playbook_dir }}/certs/loki_ca.key" | ||
| ownca_not_after: +365d # valid for one year | ||
| ownca_not_before: "-1d" # valid since yesterday | ||
| delegate_to: 127.0.0.1 | ||
| run_once: true | ||
| register: certificate |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,99 @@ | ||
| --- | ||
| - name: Create compose dir | ||
| ansible.builtin.file: | ||
| path: "{{ dir.ansible }}/loki" | ||
| state: directory | ||
| mode: 0755 | ||
| tags: loki | ||
| - name: Create data dir | ||
| ansible.builtin.file: | ||
| path: "{{ dir.data }}/loki" | ||
| state: directory | ||
| mode: 0755 | ||
| owner: '10001' | ||
| tags: loki | ||
| - name: Move compose files | ||
| ansible.builtin.template: | ||
| src: docker-compose.yml | ||
| dest: "{{ dir.ansible }}/loki/docker-compose.yml" | ||
| mode: 0755 | ||
| tags: loki | ||
| notify: | ||
| - restart loki | ||
| - name: Make config folder | ||
| ansible.builtin.file: | ||
| path: "{{ dir.ansible }}/loki/config" | ||
| state: directory | ||
| mode: 0755 | ||
| tags: loki | ||
| - name: Move config | ||
| ansible.builtin.template: | ||
| src: config.yaml | ||
| dest: "{{ dir.ansible }}/loki/config/config.yaml" | ||
| mode: 0755 | ||
| tags: loki | ||
| notify: | ||
| - restart loki | ||
|
|
||
| - name: Generate CA | ||
| ansible.builtin.include_tasks: | ||
| file: gen-ca.yaml | ||
| apply: | ||
| tags: | ||
| - loki | ||
| tags: loki | ||
|
|
||
| - name: Generate server keys | ||
| ansible.builtin.include_tasks: | ||
| file: gen-server.yaml | ||
| apply: | ||
| tags: | ||
| - loki | ||
| tags: loki | ||
|
|
||
| - name: Generate client keys | ||
| tags: loki | ||
| loop: "{{ loki.clients }}" | ||
| ansible.builtin.include_tasks: | ||
| file: gen-client.yaml | ||
| apply: | ||
| tags: | ||
| - loki | ||
|
|
||
| - name: Write certificate | ||
| copy: | ||
| dest: "{{ dir.ansible }}/loki/config/server.cer" | ||
| content: "{{ certificate.certificate }}" | ||
| owner: '10001' | ||
| mode: 0500 | ||
| tags: loki | ||
| notify: | ||
| - restart loki | ||
| - name: Write key | ||
| copy: | ||
| src: "{{ playbook_dir }}/certs/loki_server.key" | ||
| dest: "{{ dir.ansible }}/loki/config/server.key" | ||
| owner: '10001' | ||
| mode: 0500 | ||
| tags: loki | ||
| notify: | ||
| - restart loki | ||
| - name: Write CA | ||
| copy: | ||
| src: "{{ playbook_dir }}/certs/loki_ca.pem" | ||
| dest: "{{ dir.ansible }}/loki/config/ca.pem" | ||
| owner: '10001' | ||
| mode: 0500 | ||
| tags: loki | ||
| notify: | ||
| - restart loki | ||
|
|
||
| - name: Start loki | ||
| community.docker.docker_compose_v2: | ||
| project_src: "{{ dir.ansible }}/loki" | ||
| state: present | ||
| tags: loki | ||
|
|
||
| - name: Make sure handlers are flushed immediately | ||
| ansible.builtin.meta: flush_handlers | ||
| tags: loki |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,70 @@ | ||
| auth_enabled: false | ||
|
|
||
| server: | ||
| http_listen_port: 3100 | ||
| grpc_listen_port: 0 | ||
| http_tls_config: | ||
| cert_file: "/etc/loki/server.cer" | ||
| key_file: "/etc/loki/server.key" | ||
| client_auth_type: "RequireAndVerifyClientCert" | ||
| client_ca_file: "/etc/loki/ca.pem" | ||
|
|
||
| common: | ||
| path_prefix: /var/lib/loki | ||
| storage: | ||
| filesystem: | ||
| chunks_directory: /var/lib/loki/chunks | ||
| rules_directory: /var/lib/loki/rules | ||
| replication_factor: 1 | ||
| ring: | ||
| instance_addr: 127.0.0.1 | ||
| kvstore: | ||
| store: inmemory | ||
|
|
||
| query_range: | ||
| results_cache: | ||
| cache: | ||
| embedded_cache: | ||
| enabled: true | ||
| max_size_mb: 100 | ||
|
|
||
| compactor: | ||
| working_directory: /var/lib/loki/compaction | ||
| shared_store: filesystem | ||
| compaction_interval: 10m | ||
| retention_enabled: true | ||
| retention_delete_delay: 2h | ||
| retention_delete_worker_count: 150 | ||
|
|
||
| limits_config: | ||
| retention_period: 30d | ||
| retention_stream: | ||
| - selector: '{container_name="nginx-proxy"}' | ||
| priority: 1 | ||
| period: 24h | ||
|
|
||
| chunk_store_config: | ||
| max_look_back_period: 30d | ||
|
|
||
| table_manager: | ||
| retention_deletes_enabled: true | ||
| retention_period: 30d | ||
|
|
||
| schema_config: | ||
| configs: | ||
| - from: 2020-10-24 | ||
| store: boltdb-shipper | ||
| object_store: filesystem | ||
| schema: v11 | ||
| index: | ||
| prefix: index_ | ||
| period: 24h | ||
|
|
||
| #ruler: | ||
| # alertmanager_url: http://localhost:9093 | ||
|
|
||
| analytics: | ||
| reporting_enabled: false | ||
|
|
||
| ingester: | ||
| chunk_encoding: snappy |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,11 @@ | ||
| version: '3.9' | ||
| services: | ||
| loki: | ||
| image: "{{ loki.image }}:{{ loki.version }}" | ||
| restart: always | ||
| command: -config.file=/etc/loki/config.yaml | ||
| ports: | ||
| - "{{ loki.host }}:3100:3100" | ||
| volumes: | ||
| - "{{ dir.data }}/loki:/var/lib/loki" | ||
| - "{{ dir.ansible }}/loki/config:/etc/loki" |