Update to 2021-12-01 19:13

roles/graylog/tasks/archive_post.yml

@@ -0,0 +1,7 @@
+---
+
+- import_tasks: ../includes/webapps_compress_archive.yml
+  vars:
+    - root_dir: "{{ graylog_root_dir }}"
+    - version: "{{ graylog_current_version }}"
+  tags: graylog

roles/graylog/tasks/archive_pre.yml

@@ -0,0 +1,27 @@
+---
+
+- name: Create archive dir
+  file: path={{ graylog_root_dir }}/archives/{{ graylog_current_version }}/mongo state=directory
+  tags: graylog
+
+- name: Archive current version
+  synchronize:
+    src: "{{ graylog_root_dir }}/app"
+    dest: "{{ graylog_root_dir }}/archives/{{ graylog_current_version }}/"
+    recursive: True
+    delete: True
+  delegate_to: "{{ inventory_hostname }}"
+  tags: graylog
+
+- name: Archive mongo database
+  shell: |
+    mongodump --quiet \
+      --out {{ graylog_root_dir }}/archives/{{ graylog_current_version }}/mongo \
+      --uri \
+      {% if  graylog_mongo_pass is defined and graylog_mongo_pass != False and graylog_mongo_url | length == 1 %}
+      {% set url = graylog_mongo_url[0] %}
+      {{ url | urlsplit('scheme') }}://{{ graylog_mongo_user }}:{{ graylog_mongo_pass | urlencode | regex_replace('/','%2F') }}@{{ url | urlsplit('hostname') }}{% if url | urlsplit('port') %}:{{ url | urlsplit('port') }}{% endif %}{{ url | urlsplit('path') }}?{{ url | urlsplit('query') }}
+      {% else %}
+      {{ graylog_mongo_url[0] }}
+      {% endif %}
+  tags: graylog

roles/graylog/tasks/cleanup.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Remove temp files
+  file: path={{ item }} state=absent
+  loop:
+    - "{{ graylog_root_dir }}/tmp/graylog-{{ graylog_version }}.tgz"
+    - "{{ graylog_root_dir }}/tmp/graylog-{{ graylog_version }}"
+  tags: graylog

roles/graylog/tasks/conf.yml

@@ -0,0 +1,33 @@
+---
+
+- name: Deploy configuration
+  template: src={{ item }}.j2 dest={{ graylog_root_dir }}/etc/{{ item }} group=graylog mode=640
+  loop:
+    - server.conf
+    - log4j2.xml
+  notify: restart graylog-server
+  tags: graylog
+
+- name: Create the mongodb user
+  mongodb_user:
+    database: "{{ item | urlsplit('path') | regex_replace('^\\/', '') }}"
+    name: "{{ graylog_mongo_user }}"
+    password: "{{ graylog_mongo_pass }}"
+    login_database: admin
+    login_host: "{{ item | urlsplit('hostname') }}"
+    login_port: "{{ item | urlsplit('port') | ternary(item | urlsplit('port'),omit) }}"
+    login_user: mongoadmin
+    login_password: "{{ mongo_admin_pass }}"
+    roles:
+      - readWrite
+  loop: "{{ graylog_mongo_url }}"
+  changed_when: False # the module is buggy and indicates a change even if there were none
+  when:
+    - graylog_mongo_url | length == 1
+    - graylog_mongo_pass is defined
+    - graylog_mongo_pass != False
+  tags: graylog
+
+- name: Deploy logrotate configuration
+  template: src=logrotate.conf.j2 dest=/etc/logrotate.d/graylog
+  tags: graylog

roles/graylog/tasks/directories.yml

@@ -0,0 +1,39 @@
+---
+
+- name: Create dir
+  file:
+    path: "{{ graylog_root_dir }}/{{ item.dir }}"
+    state: directory
+    owner: "{{ item.owner | default(omit) }}"
+    group: "{{ item.group | default(omit) }}"
+    mode: "{{ item.mode | default(omit) }}"
+  loop:
+    - dir: /
+    - dir: etc
+      owner: root
+      group: graylog
+      mode: 750
+    - dir: app
+    - dir: state
+      owner: graylog
+      group: graylog
+    - dir: data/journal
+      owner: graylog
+      group: graylog
+      mode: 700
+    - dir: meta
+      mode: 700
+    - dir: ssl
+      owner: root
+      group: graylog
+      mode: 750
+    - dir: archives
+      mode: 700
+    - dir: tmp
+    - dir: logs
+      owner: graylog
+      group: graylog
+      mode: 700
+    - dir: backup
+      mode: 700
+  tags: graylog

roles/graylog/tasks/facts.yml

@@ -0,0 +1,82 @@
+---
+
+# Detect if already installed, and if an upgrade is needed
+- import_tasks: ../includes/webapps_set_install_mode.yml
+  vars:
+    - root_dir: "{{ graylog_root_dir }}"
+    - version: "{{ graylog_version }}"
+  tags: graylog
+- set_fact: graylog_install_mode={{ (install_mode == 'upgrade' and not graylog_manage_upgrade) | ternary('none',install_mode) }}
+  tags: graylog
+- set_fact: graylog_current_version={{ current_version | default('') }}
+  tags: graylog
+
+# Try to read mongo admin pass
+- name: Check if mongo pass file exists
+  stat: path=/root/.mongo.pw
+  register: graylog_mongo_pw
+  tags: graylog
+- when: graylog_mongo_pw.stat.exists and mongo_admin_pass is not defined
+  block:
+    - slurp: src=/root/.mongo.pw
+      register: graylog_mongo_admin_pass
+    - set_fact: mongo_admin_pass={{ graylog_mongo_admin_pass.content | b64decode | trim }}
+  tags: graylog
+- fail: msg='mongo_admin_pass must be provided'
+  when: not graylog_mongo_pw.stat.exists and mongo_admin_pass is not defined
+  tags: graylog
+
+- name: Remove randomly generated admin password
+  file: path={{ graylog_root_dir }}/meta/admin_pass state=absent
+  when: graylog_admin_pass is defined
+  tags: graylog
+
+- name: Remove randomly generated password secret
+  file: path={{ graylog_root_dir }}/meta/pass_secret state=absent
+  when: graylog_pass_secret is defined
+  tags: graylog
+
+- import_tasks: ../includes/get_rand_pass.yml
+  vars:
+    - pass_file: "{{ graylog_root_dir }}/meta/pass_secret"
+  when: graylog_pass_secret is not defined
+  tags: graylog
+- set_fact: graylog_pass_secret={{ rand_pass }}
+  when: graylog_pass_secret is not defined
+  tags: graylog
+
+- import_tasks: ../includes/get_rand_pass.yml
+  vars:
+    - pass_file: "{{ graylog_root_dir }}/meta/admin_pass"
+  when: graylog_admin_pass is not defined
+  tags: graylog
+- set_fact: graylog_admin_pass={{ rand_pass }}
+  when: graylog_admin_pass is not defined
+  tags: graylog
+
+# If only one mongo url is given and graylog_mongo_pass is not defined,
+# parse the password from the url, or generate one
+- debug:
+    msg: |
+      graylog_mongo_url is '{{ graylog_mongo_url }}'
+      parsed pass is "{{ graylog_mongo_url[0] | urlsplit('password') }}"
+  tags: graylog
+
+- name: Parse password from the first mongo URL
+  set_fact: graylog_mongo_pass={{ graylog_mongo_url[0] | urlsplit('password') | urldecode }}
+  when:
+    - graylog_mongo_url | length == 1
+    - graylog_mongo_pass is not defined
+    - graylog_mongo_url[0] | urlsplit('password') is string
+  tags: mongo
+
+# Create a random password for mongo
+- block:
+    - import_tasks: ../includes/get_rand_pass.yml
+      vars:
+        - pass_file: "{{ graylog_root_dir }}/meta/mongo_pass"
+    - set_fact: graylog_mongo_pass={{ rand_pass }}
+  when:
+    - graylog_mongo_url | length == 1
+    - graylog_mongo_pass is not defined
+  tags: graylog

roles/graylog/tasks/filebeat.yml

@@ -0,0 +1,5 @@
+---
+
+- name: Deploy filebeat configuration
+  template: src=filebeat.yml.j2 dest=/etc/filebeat/ansible_inputs.d/graylog.yml
+  tags: graylog,log

roles/graylog/tasks/install.yml

@@ -0,0 +1,100 @@
+---
+
+- name: Uninstall RPM
+  yum:
+    name:
+      - graylog-server
+    state: absent
+  tags: graylog
+
+- name: Install packages
+  yum:
+    name:
+      - java-1.8.0-openjdk
+      - mongodb-org-tools
+  tags: graylog
+
+- name: Download graylog archive
+  get_url:
+    url: "{{ graylog_archive_url }}"
+    dest: "{{ graylog_root_dir }}/tmp/"
+    checksum: sha1:{{ graylog_archive_sha1 }}
+  when: graylog_install_mode != 'none'
+  tags: graylog
+
+- name: Extract graylog archive
+  unarchive:
+    src: "{{ graylog_root_dir }}/tmp/graylog-{{ graylog_version }}.tgz"
+    dest: "{{ graylog_root_dir }}/tmp"
+    remote_src: True
+  when: graylog_install_mode != 'none'
+  tags: graylog
+
+- name: Deploy graylog app
+  synchronize:
+    src: "{{ graylog_root_dir }}/tmp/graylog-{{ graylog_version }}/"
+    dest: "{{ graylog_root_dir }}/app/"
+    recursive: True
+    delete: True
+  delegate_to: "{{ inventory_hostname }}"
+  when: graylog_install_mode != 'none'
+  notify: restart graylog-server
+  tags: graylog
+
+- name: Install plugins
+  get_url:
+    url: "{{ graylog_plugins[item].url }}"
+    dest: "{{ graylog_root_dir }}/app/plugin"
+    checksum: sha1:{{ graylog_plugins[item].sha1 }}
+  when: item in graylog_plugins_to_install
+  loop: "{{ graylog_plugins.keys() | list }}"
+  notify: restart graylog-server
+  tags: graylog
+
+- name: Remove old plugins
+  shell: find {{ graylog_root_dir }}/app/plugin -name graylog-plugin-{{ item }}\* -a \! -name \*{{ graylog_plugins[item].version }}.jar -exec rm -f "{}" \;
+  when: graylog_plugins[item] is defined
+  changed_when: False
+  loop: "{{ graylog_plugins_to_install }}"
+  tags: graylog
+
+- name: List installed plugins
+  shell: find {{ graylog_root_dir }}/app/plugin/ -type f -name graylog-plugin-\*.jar
+  register: graylog_plugins_installed
+  changed_when: False
+  tags: graylog
+
+- name: Remove unwanted plugins
+  file: path={{ item }} state=absent
+  when: item | basename | regex_replace('graylog\-plugin\-(.+)\-\d(\.\d+)+\.jar','\\1') not in graylog_plugins_core + graylog_plugins_to_install
+  notify: restart graylog-server
+  loop: "{{ graylog_plugins_installed.stdout_lines }}"
+  tags: graylog
+
+- name: Deploy systemd service unit
+  template: src=graylog-server.service.j2 dest=/etc/systemd/system/graylog-server.service
+  register: graylog_unit
+  notify: restart graylog-server
+  tags: graylog
+
+- name: Reload systemd
+  systemd: daemon_reload=True
+  when: graylog_unit.changed
+  tags: graylog
+
+- name: Deploy pre/post backup scripts
+  template: src={{ item }}-backup.j2 dest=/etc/backup/{{ item }}.d/graylog mode=750
+  loop:
+    - pre
+    - post
+  tags: graylog
+
+- name: Deploy dehydrated hook
+  template: src=dehydrated_deploy_hook.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/graylog mode=755
+  when: graylog_letsencrypt_cert is defined
+  tags: graylog
+
+- name: Remove dehydrated hook
+  file: path=/etc/dehydrated/hooks_deploy_cert.d/graylog state=absent
+  when: graylog_letsencrypt_cert is not defined
+  tags: graylog

roles/graylog/tasks/iptables.yml

@@ -0,0 +1,20 @@
+---
+
+- name: Handle graylog ports
+  iptables_raw:
+    name: "{{ item.name }}"
+    state: "{{ (item.src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p {{ item.proto | default('tcp') }} -m multiport --dports {{ item.port }} -s {{ item.src_ip | join(',') }} -j ACCEPT"
+  when: iptables_manage | default(True)
+  loop:
+    - port: "{{ graylog_http_ports | join(',') }}"
+      name: graylog_http_ports
+      src_ip: "{{ graylog_http_src_ip }}"
+    - port: "{{ graylog_listeners_tcp_ports | join(',') }}"
+      name: graylog_listeners_tcp_ports
+      src_ip: "{{ graylog_listeners_src_ip }}"
+    - port: "{{ graylog_listeners_udp_ports | join(',') }}"
+      proto: udp
+      name: graylog_listeners_udp_ports
+      src_ip: "{{ graylog_listeners_src_ip }}"
+  tags: firewall,graylog

roles/graylog/tasks/main.yml

@@ -0,0 +1,16 @@
+---
+
+- include: facts.yml
+- include: user.yml
+- include: directories.yml
+- include: archive_pre.yml
+  when: graylog_install_mode == 'upgrade'
+- include: install.yml
+- include: conf.yml
+- include: iptables.yml
+- include: service.yml
+- include: write_version.yml
+- include: cleanup.yml
+- include: archive_post.yml
+  when: graylog_install_mode == 'upgrade'
+- include: filebeat.yml

roles/graylog/tasks/service.yml

@@ -0,0 +1,6 @@
+---
+
+- name: Start and enable the service
+  service: name=graylog-server state=started enabled=True
+  register: graylog_started
+  tags: graylog

roles/graylog/tasks/user.yml

@@ -0,0 +1,9 @@
+---
+
+- name: Create a system account to run graylog
+  user:
+    name: graylog
+    comment: "Graylog system account"
+    system: True
+    shell: /sbin/nologin
+  tags: graylog

roles/graylog/tasks/write_version.yml

@@ -0,0 +1,5 @@
+---
+
+- name: Write version
+  copy: content={{ graylog_version }} dest={{ graylog_root_dir }}/meta/ansible_version
+  tags: graylog