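---
# Fluent-bit rollout for log and metric shipping.
#
# Flow, in order:
#   1. detect whether systemd is usable on the host (needed by the restart handler)
#   2. render flb/*.conf.j2 and copy flb/*.conf into /etc/fluent-bit/
#   3. on non-systemd hosts, ship the RESTART-FLUENTBIT wrapper the handler falls back to
#   4. for every entry of `addons`, render flb_<addon>.conf.j2 and copy custom_parsers_<addon>.conf
#   5. for the nbpeers / wgpeers addons, install the audit scripts, their cron jobs and a cron MAILFROM
#
# Expected from inventory / extra-vars (not defined here): `become`, `addons`.
#
# warning diff:true should not be enabled on CI/CD because it would show clear-text passwords
# (diff: true prints the rendered file contents in the task output; no_log would hide them again)
# TODO maybe try show diff with debug and regex filter
- name: setup fluent-bit for logs and metrics
  gather_facts: true
  hosts: servers
  become: "{{ become }}"
  vars:
    # TODO avoid gathering facts
    # only os_family is needed: Debian-like hosts log auth events to auth.log, others to secure
    auth_log_file: "{{ 'auth.log' if ansible_facts['os_family'] == 'Debian' else 'secure' }}"

  tasks:
    #
    # host-specific checks - run BEFORE base config template
    #
    - name: check whether systemd is available
      ansible.builtin.shell:
        executable: /bin/bash
        cmd: "[[ -x `which systemctl` && -x /lib/systemd/systemd ]]"
      register: systemd_there
      # a non-zero exit is the expected "no systemd" answer, not a play failure
      ignore_errors: true
      changed_when: false

    #
    # deploy base configs
    #
    # https://docs.ansible.com/ansible/latest/collections/ansible/builtin/template_module.html
    - name: base config templates
      ansible.builtin.template:
        src: "{{ item }}"
        # strip the .j2 suffix so foo.conf.j2 lands as foo.conf
        dest: /etc/fluent-bit/{{ item | basename | regex_replace('\.j2$', '') }}
        # modes are quoted so the YAML parser never reinterprets the leading zero
        mode: "0600"
      #with_items: "{{ 'flb/*.conf.j2' | fileglob }}"
      with_fileglob: "flb/*.conf.j2"
      notify: restart fluent-bit
      diff: true
      #no_log: true

    # https://docs.ansible.com/ansible/latest/collections/ansible/builtin/copy_module.html
    - name: base config files
      ansible.builtin.copy:
        src: "{{ item }}"
        dest: /etc/fluent-bit/
        mode: "0600"
      #with_items: "{{ 'flb/*.conf' | fileglob }}"
      with_fileglob: "flb/*.conf"
      notify: restart fluent-bit
      diff: true

    #
    # eventually deploy non-systemd scripts
    #
    - name: non-systemd init script
      ansible.builtin.copy:
        src: flb/RESTART-FLUENTBIT
        dest: /etc/fluent-bit/
        mode: "0755"
      # `is failed` works here because the check task uses ignore_errors
      when: systemd_there is failed
      notify: restart fluent-bit
      diff: true

    #
    # setup fluent-bit addon configs for metrics and logs
    #
    # https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_loops.html#iterating-over-a-simple-list
    - name: addon config template
      ansible.builtin.template:
        src: "flb-addons/flb_{{ item }}.conf.j2"
        dest: "/etc/fluent-bit/flb_{{ item }}.conf"
        mode: "0600"
      loop: "{{ addons }}"
      notify: restart fluent-bit
      diff: true
      #no_log: true

    - name: addon config file
      ansible.builtin.copy:
        src: "flb-addons/custom_parsers_{{ item }}.conf"
        dest: /etc/fluent-bit/
        mode: "0600"
      loop: "{{ addons }}"
      notify: restart fluent-bit
      diff: true
      # best-effort: presumably not every addon ships a custom_parsers file - confirm before tightening
      failed_when: false

    # TODO try to use fileglob + loop without include_tasks - don't want yet another yaml file
    - name: netbird audit-peers script
      ansible.builtin.copy:
        src: flb-addons/netbird-peers.bash
        dest: /root/
        mode: "0700"
      when: "'nbpeers' in addons"
      diff: true

    - name: wireguard audit-peers script
      ansible.builtin.copy:
        src: flb-addons/wireguard-peers.bash
        dest: /root/
        mode: "0700"
      when: "'wgpeers' in addons"
      diff: true

    - name: netbird audit-peers cron job
      ansible.builtin.cron:
        name: "audit netbird peers"
        # assuming two connected gateways in the mesh hence double the delay
        minute: "*/10"
        job: "/root/netbird-peers.bash > /var/log/netbird-peers.json"
      when: "'nbpeers' in addons"

    - name: wireguard audit-peers cron job
      ansible.builtin.cron:
        name: "audit wireguard peers"
        minute: "*/5"
        job: "/root/wireguard-peers.bash > /var/log/wireguard-peers.json"
      when: "'wgpeers' in addons"

    - name: define MAILFROM in cron
      ansible.builtin.cron:
        name: MAILFROM
        env: true
        job: "root@{{ inventory_hostname }}"
      # one Jinja expression: a folded `"'a' in x" or "'b' in x"` would OR two
      # non-empty string literals and therefore always be true
      when: "'nbpeers' in addons or 'wgpeers' in addons"

  handlers:
    # reload possible but full restart doesn't hurt much
    # and surely works even on heavy config changes
    - name: restart fluent-bit
      ansible.builtin.shell:
        executable: /bin/bash
        # use custom wrapper in case of non-systemd init
        cmd: "[[ -x /lib/systemd/systemd ]] && systemctl restart fluent-bit.service || /etc/fluent-bit/RESTART-FLUENTBIT"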