manage lewis with nix

move docker swarm ansible to this repo move thecloud ansible to this repo support data disks in terraform
2023-12-25 19:22:22 +01:00 · 2023-12-25 19:22:22 +01:00 · 111bf68a0a
commit 111bf68a0a
parent d7ef46b642
92 changed files with 2730 additions and 26 deletions
--- a/legacy/projects/docker_swarm/ansible/roles/monitoring/docker-stack.yml.j2
+++ b/legacy/projects/docker_swarm/ansible/roles/monitoring/docker-stack.yml.j2
@ -0,0 +1,132 @@
+# vi: ft=yaml
+version: "3.8"
+
+networks:
+  traefik:
+    external: true
+  grafana:
+
+configs:
+  esdatasource:
+    external: true
+    name: "{{ esdatasource.config_name }}"
+  fluentconf:
+    external: true
+    name: "{{ fluentconf.config_name }}"
+
+volumes:
+  escerts:
+    driver_opts:
+      type: "nfs"
+      o: "addr=192.168.30.10,nolock,soft,rw"
+      device: ":/mnt/data/elasticsearch/certs"
+  esdata:
+    driver_opts:
+      type: "nfs"
+      o: "addr=192.168.30.10,nolock,soft,rw"
+      device: ":/mnt/data/elasticsearch/data"
+  grafanadata:
+    driver_opts:
+      type: "nfs"
+      o: "addr=192.168.30.10,nolock,soft,rw"
+      device: ":/mnt/data/grafana/data"
+
+services:
+  elasticsearch:
+    image: docker.elastic.co/elasticsearch/elasticsearch:8.8.1
+    volumes:
+      - type: volume
+        source: escerts
+        target: /usr/share/elasticsearch/config/certs
+        volume:
+          nocopy: true
+      - type: volume
+        source: esdata
+        target: /usr/share/elasticsearch/data
+        volume:
+          nocopy: true
+    ports:
+      - {{ elasticsearch_port }}:9200
+    environment:
+      - node.name=es01
+      - cluster.name=shoarma
+      - discovery.type=single-node
+      - bootstrap.memory_lock=true
+      - xpack.security.enabled=false
+      - xpack.security.http.ssl.enabled=false
+      - xpack.security.http.ssl.key=certs/es01/es01.key
+      - xpack.security.http.ssl.certificate=certs/es01/es01.crt
+      - xpack.security.http.ssl.certificate_authorities=certs/ca/ca.crt
+      - xpack.security.transport.ssl.enabled=false
+      - xpack.security.transport.ssl.key=certs/es01/es01.key
+      - xpack.security.transport.ssl.certificate=certs/es01/es01.crt
+      - xpack.security.transport.ssl.certificate_authorities=certs/ca/ca.crt
+      - xpack.security.transport.ssl.verification_mode=certificate
+      - xpack.license.self_generated.type=basic
+    ulimits:
+      memlock:
+        soft: -1
+        hard: -1
+    healthcheck:
+      test:
+        [
+          "CMD-SHELL",
+          "curl http://localhost:9200 | grep -q 'You Know, for Search'",
+        ]
+      interval: 10s
+      timeout: 10s
+      retries: 120
+
+  grafana:
+    image: grafana/grafana-oss
+    depends_on:
+      - elasticsearch
+    networks:
+      - traefik
+      - grafana
+    deploy:
+      labels:
+        - traefik.enable=true
+        - traefik.http.routers.grafana.entrypoints=localsecure
+        - traefik.http.routers.grafana.rule=Host(`grafana.kun.is`)
+        - traefik.http.routers.grafana.tls=true
+        - traefik.http.routers.grafana.tls.certresolver=letsencrypt
+        - traefik.http.routers.grafana.service=grafana
+        - traefik.http.services.grafana.loadbalancer.server.port=3000
+        - traefik.docker.network=traefik
+    volumes:
+      - type: volume
+        source: grafanadata
+        target: /var/lib/grafana
+        volume:
+          nocopy: true
+    configs:
+      - source: esdatasource
+        target: /etc/grafana/provisioning/datasources/elasticsearch.yaml
+
+  grafana-ntfy:
+    image: kittyandrew/grafana-to-ntfy:master
+    depends_on:
+      - grafana
+    ports:
+      - 8080:8080
+    networks:
+      grafana:
+        aliases:
+          - grafana-ntfy
+    environment:
+      - NTFY_URL=https://ntfy.kun.is/alerts
+      - NTFY_BAUTH_USER=pim
+      - NTFY_BAUTH_PASS={{ ntfy_password }}
+      - BAUTH_USER=admin
+      - BAUTH_PASS=test
+
+  fluentd:
+    image: git.kun.is/pim/fluentd:1.0.3
+    depends_on:
+      - elasticsearch
+    ports:
+      - {{ fluent_forward_port }}:24224
+    configs:
+      - source: fluentconf
+        target: /fluentd/etc/fluent.conf
--- a/legacy/projects/docker_swarm/ansible/roles/monitoring/elasticsearch.yml.j2
+++ b/legacy/projects/docker_swarm/ansible/roles/monitoring/elasticsearch.yml.j2
@ -0,0 +1,35 @@
+# vi: ft=yaml
+apiVersion: 1
+
+datasources:
+  - name: cpu
+    type: elasticsearch
+    access: proxy
+    url: http://maestro.dmz:{{ elasticsearch_port }}
+    jsonData:
+      index: 'fluentd.cpu-*'
+      timeField: '@timestamp'
+
+  - name: memory
+    type: elasticsearch
+    access: proxy
+    url: http://maestro.dmz:{{ elasticsearch_port }}
+    jsonData:
+      index: 'fluentd.memory-*'
+      timeField: '@timestamp'
+
+  - name: diskfree
+    type: elasticsearch
+    access: proxy
+    url: http://maestro.dmz:{{ elasticsearch_port }}
+    jsonData:
+      index: 'fluentd.diskfree-*'
+      timeField: '@timestamp'
+
+  - name: traefik_access
+    type: elasticsearch
+    access: proxy
+    url: http://maestro.dmz:{{ elasticsearch_port }}
+    jsonData:
+      index: 'fluentd.access.traefik-*'
+      timeField: '@timestamp'
--- a/legacy/projects/docker_swarm/ansible/roles/monitoring/fluent.conf.j2
+++ b/legacy/projects/docker_swarm/ansible/roles/monitoring/fluent.conf.j2
@ -0,0 +1,35 @@
+# vi: ft=yaml
+# Receive events from 24224/tcp
+# This is used by log forwarding and the fluent-cat command
+<source>
+  @type forward
+  port {{ fluent_forward_port }}
+</source>
+
+<filter access.**>
+  @type geoip
+  geoip_lookup_keys  host
+  backend_library geoip2_c
+  <record>
+    latitude        ${location.latitude["host"]}
+    longitude       ${location.longitude["host"]}
+  </record>
+  skip_adding_null_record  true
+</filter>
+
+<match cpu memory diskfree access.**>
+  @type elasticsearch
+  host maestro.dmz
+  port {{ elasticsearch_port }}
+  include_timestamp true
+  logstash_format true
+  logstash_prefix fluentd.${tag}
+</match>
+
+<match **>
+  @type null
+</match>
+
+<system>
+  log_level info
+</system>
--- a/legacy/projects/docker_swarm/ansible/roles/monitoring/tasks/main.yml
+++ b/legacy/projects/docker_swarm/ansible/roles/monitoring/tasks/main.yml
@ -0,0 +1,21 @@
+- name: Create fluentd config
+  docker_config:
+    name: fluentconf
+    data: "{{ lookup('template', '{{ role_path }}/fluent.conf.j2') }}"
+    use_ssh_client: true
+    rolling_versions: true
+  register: fluentconf
+
+- name: Create elasticsearch data source config
+  docker_config:
+    name: esdatasource
+    data: "{{ lookup('template', '{{ role_path }}/elasticsearch.yml.j2') }}"
+    use_ssh_client: true
+    rolling_versions: true
+  register: esdatasource
+
+- name: Deploy Docker stack
+  docker_stack:
+    name: monitoring
+    compose:
+      - "{{ lookup('template', '{{ role_path }}/docker-stack.yml.j2') | from_yaml }}"
--- a/legacy/projects/docker_swarm/ansible/roles/monitoring/vars/main.yml
+++ b/legacy/projects/docker_swarm/ansible/roles/monitoring/vars/main.yml
@ -0,0 +1,8 @@
+ntfy_password: !vault |
+  $ANSIBLE_VAULT;1.1;AES256
+  36333232393635383732336630626463633038353862333430396437333733376239343531663339
+  6364643930636566326463393963316263323061613032350a383930376537373437633333623639
+  66613439636531393761366534333134383231303637643063633537393535356536636530666665
+  6537653731666130610a346135373562333931646237396233613065353165623336373935386137
+  36313830623931313238333430346238626562353661616465333736346230396162386137363435
+  3362636565336639643832626165613236643466633537633236