loki: flesh out role

mtail: remove dead code
nftables: add more rules
2024-04-14 17:48:46 -05:00 · 2024-04-14 17:47:55 -05:00 · 2024-04-14 17:46:42 -05:00 · 2024-04-14 17:45:59 -05:00 · 2024-04-14 17:45:16 -05:00 · 2024-04-14 17:34:54 -05:00
51 changed files with 29081 additions and 747 deletions
--- a/group_vars/all/vault.yaml
+++ b/group_vars/all/vault.yaml
--- a/host_vars/nal-hutta.yaml
+++ b/host_vars/nal-hutta.yaml
@ -1,22 +0,0 @@
---
-#network_interfaces:
-#  - name: eth0
-#    address:
-#      - 45.56.123.101/24
-#      - 2600:3c00::f03c:91ff:fed5:eeec/64
-#    gateway:
-#      - 45.56.123.1
-#      - fe80::1
-
-firewall_allowed_tcp_ports:
-  v4:
-    - 443
-    - 80
-    - 8186
-  v6:
-    - 443
-    - 80
-    - 8186
-
-postfix_sasl_passwd_map:
-  "[smtp.fastmail.com]:465": "foo:bar"
--- a/host_vars/rmq1.yaml
+++ b/host_vars/rmq1.yaml
@ -1,17 +0,0 @@
---
-keepalived_vrrp_instances:
-  VI_1:
-    state: MASTER
-    interface: eth0
-    virtual_router_id: 51
-    priority: 254
-    authentication:
-      auth_type: PASS
-      auth_pass: asdf
-    unicast_peer: |
-      {{ groups['rabbitmq_servers'] | map('extract', hostvars, ['ansible_eth0', 'ipv4', 'address']) | difference([ansible_default_ipv4.address])| list }}
-    virtual_ipaddress:
-      - 10.100.100.20/24
-    track_script:
-      - chk_rabbitmq
-      - chk_amqp_port
--- a/host_vars/rmq2.yaml
+++ b/host_vars/rmq2.yaml
@ -1,17 +0,0 @@
---
-keepalived_vrrp_instances:
-  VI_1:
-    state: BACKUP
-    interface: eth0
-    virtual_router_id: 51
-    priority: 253
-    authentication:
-      auth_type: PASS
-      auth_pass: asdf
-    unicast_peer: |
-      {{ groups['rabbitmq_servers'] | map('extract', hostvars, ['ansible_eth0', 'ipv4', 'address']) | difference([ansible_default_ipv4.address])| list }}
-    virtual_ipaddress:
-      - 10.100.100.20/24
-    track_script:
-      - chk_rabbitmq
-      - chk_amqp_port
--- a/host_vars/rmq3.yaml
+++ b/host_vars/rmq3.yaml
@ -1,17 +0,0 @@
---
-keepalived_vrrp_instances:
-  VI_1:
-    state: BACKUP
-    interface: eth0
-    virtual_router_id: 51
-    priority: 252
-    authentication:
-      auth_type: PASS
-      auth_pass: asdf
-    unicast_peer: |
-      {{ groups['rabbitmq_servers'] | map('extract', hostvars, ['ansible_eth0', 'ipv4', 'address']) | difference([ansible_default_ipv4.address])| list }}
-    virtual_ipaddress:
-      - 10.100.100.20/24
-    track_script:
-      - chk_rabbitmq
-      - chk_amqp_port
--- a/host_vars/ubuntu.yaml
+++ b/host_vars/ubuntu.yaml
@ -1,7 +0,0 @@
---
-#network_interfaces:
-#  - name: enp1s0
-#    address:
-#      - 192.168.124.124/24
-#    gateway4: 192.168.124.1
-#
--- a/playbook.yaml
+++ b/playbook.yaml
@ -3,25 +3,59 @@
  become: true
  roles:
    - common
-    - network
+    - role: network
+      tags:
+        - network
+        - netplan
    - util
    - sudo
    - hostsfile
    - certs
-    - rsyslog
+    - role: rsyslog
+      tags:
+        - rsyslog
+        - syslog
+        - logging
    - users
    - dns
-    - firewall
+    - role: firewall
+      tags:
+        - firewall
+        - iptables
    - openssh
-    - wireguard
+    - role: wireguard
+      tags:
+        - wireguard
+        - vpn
    - chrony
    - unattended-upgrades
    - postfix
    - restic
-    - node_exporter
-    - blackbox_exporter
-    - mtail
+    - role: node_exporter
+      tags:
+        - prometheus
+        - monitoring
+    - role: blackbox_exporter
+      tags:
+        - prometheus
+        - monitoring
+    - role: mtail
+      tags:
+        - prometheus
+        - monitoring
    - supervisor
+    # - vector
+    - role: promtail
+      tags:
+        - promtail
+        - loki
+        - logging
+    - role: cloudflared
+      tags:
+        - cloudflared
+        - zerotrust
+        - access
+        - vpn
 - hosts: minecraft_servers
  become: true
  roles:
@ -34,35 +68,98 @@
 - hosts: git_servers
  become: true
  roles:
-    - nginx
-    - certbot
-    - gitea
+    - role: certbot
+      tags:
+        - tls
+    - role: nginx
+      tags:
+        - nginx
+    - role: gitea
+      tags:
+        - gitea
+        - git
 - hosts: stats_servers
  become: true
  roles:
-    - nginx
-    - certbot
-    - grafana
+    - role: certbot
+      tags:
+        - tls
+    - role: nginx
+      tags:
+        - nginx
+    - role: grafana
+      tags:
+        - grafana
+        - monitoring
+        - o11y
 - hosts: monitor_servers
  become: true
  roles:
-    - nginx
+    - certbot
+    - role: nginx
+      tags:
+        - nginx
    - role: prometheus
      tags:
        - prometheus
        - monitoring
-    - alertmanager
-    - blackbox_exporter
-    - pushgateway
+    - role: alertmanager
+      tags:
+        - prometheus
+        - monitoring
+    - role: blackbox_exporter
+      tags:
+        - prometheus
+        - monitoring
+    - role: pushgateway
+      tags:
+        - prometheus
+        - monitoring
    - role: karma
      tags:
+        - prometheus
        - monitoring
    - role: kthxbye
      tags:
+        - prometheus
        - monitoring
    - role: thanos
      tags:
+        - prometheus
        - thanos
        - monitoring
+    - role: loki
+      tags:
+        - loki
+        - logging
+    - role: logcli
+      tags:
+        - logcli
+        - loki
+        - logging
+    - role: smokeping_prober
+      tags:
+        - prometheus
+        - monitoring
+        - smokeping
+    - role: mimir
+      tags:
+        - prometheus
+        - mimir
+        - monitoring
+    - role: snmp_exporter
+      tags:
+        - prometheus
+        - snmp_exporter
+        - monitoring
+    - role: lego
+      tags:
+        - acme
+        - certificates
+        - lego
+        - letsencrypt
+        - pki
+        - tls
+

 # vim:ft=yaml.ansible:
--- a/roles/certbot/defaults/main.yaml
+++ b/roles/certbot/defaults/main.yaml
@ -1,22 +1,35 @@
 ---
 certbot_package_name: certbot
-certbot_package_state: present
+certbot_package_state: latest
+
+certbot_plugins:
+  - certbot-dns-cloudflare
+  - certbot-dns-digitalocean
+  - certbot-dns-dnsimple
+  - certbot-dns-dnsmadeeasy
+  - certbot-dns-gehirn
+  - certbot-dns-google
+  - certbot-dns-linode
+  - certbot-dns-luadns
+  - certbot-dns-nsone
+  - certbot-dns-ovh
+  - certbot-dns-rfc2136
+  - certbot-dns-route53
+  - certbot-dns-sakuracloud

 certbot_service_name: certbot.service

+certbot_bin_path: /usr/local/bin
+certbot_path: "{{ certbot_bin_path }}/certbot"
+
 certbot_timer_name: certbot.timer
 certbot_timer_state: started
-certbot_timer_enabled: yes
+certbot_timer_enabled: true

-certbot_cron_state: present
-certbot_cron_user: root
-certbot_cron_file_path: /etc/cron.d/certbot
-certbot_cron_env:
-  path: /usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
-  shell: /bin/sh
-certbot_cron_command: test -x /usr/bin/certbot -a \! -d /run/systemd/system && perl -e 'sleep int(rand(43200))' && certbot -q renew
-certbot_cron_hour: "*/12"
-certbot_cron_minute: "0"
+certbot_etc_path: /etc/letsencrypt
+certbot_live_path: "{{ certbot_etc_path }}/live"

 certbot_system_timer_on_calender: "*-*-* 00,12:00:00"
 certbot_system_timer_randomized_delay_sec: 43200
+
+certbot_credential_path: /root/.secrets/certbot
--- a/roles/certbot/handlers/main.yaml
+++ b/roles/certbot/handlers/main.yaml
@ -1,6 +1,4 @@
 ---
 - name: systemd daemon-reload
-  systemd:
-    name: "{{ certbot_service_name }}"
-    daemon_reload: yes
-    state: restarted
+  ansible.builtin.systemd:
+    daemon_reload: true
--- a/roles/certbot/tasks/configure-linode.yaml
+++ b/roles/certbot/tasks/configure-linode.yaml
@ -0,0 +1,23 @@
+---
+- name: configure linode credentials
+  ansible.builtin.copy:
+    dest: "{{ certbot_credential_path }}/linode.ini"
+    owner: root
+    group: root
+    mode: 0600
+    content: "{{ certbot_dns_linode_credentials }}"
+  no_log: true
+
+- name: certbot (linode)
+  ansible.builtin.shell: >
+    certbot certonly \
+      --dns-linode \
+      --dns-linode-credentials "{{ certbot_credential_path }}/linode.ini" \
+      --quiet \
+      --agree-tos \
+      --noninteractive \
+      --email "{{ item.email }}" \
+      --domain "{{ item.domains | join(',') }}"
+  args:
+    creates: "{{ certbot_live_path }}/{{ item.domains | first }}/cert.pem"
+  loop: "{{ certbot_certificates | default([]) }}"
--- a/roles/certbot/tasks/default.yaml
+++ b/roles/certbot/tasks/default.yaml
--- a/roles/certbot/tasks/issue.yaml
+++ b/roles/certbot/tasks/issue.yaml
@ -1,9 +1 @@
 ---
- name: "determine if certificate for {{ item.domains | join(', ') }}" 
-  stat:
-    path: "/etc/letsencrypt/live/{{ item.domains | first }}/cert.pem"
-  register: st
-
- name: "request certificate for {{ item.domains | join(', ') }}"
-  command: "certbot certonly -q --webroot -w {{ certbot_challenge_webroot_path }} --agree-tos --noninteractive --email {{ item.email }} -d {{ item.domains | join(',') }}"
-  when: not st.stat.exists
--- a/roles/certbot/tasks/main.yaml
+++ b/roles/certbot/tasks/main.yaml
@ -23,65 +23,51 @@
      paths:
        - tasks

- name: install certbot modules
-  package:
+- name: install certbot
+  ansible.builtin.pip:
    name: "{{ certbot_package_name }}"
    state: "{{ certbot_package_state }}"

- name: configure challenge webroot
-  file:
-    path: "{{ certbot_challenge_webroot_path }}"
-    state: "directory"
+- name: install certbot plugins
+  ansible.builtin.pip:
+    name: "{{ certbot_plugins }}"
+    state: latest
+
+- name: create credential path
+  ansible.builtin.file:
+    path: "{{ certbot_credential_path }}"
    owner: root
    group: root
-    mode: 0755
+    mode: 0700
+    state: directory

 - name: request certificates
  ansible.builtin.include_tasks: "issue.yaml"
  loop: "{{ certbot_certificates }}"

- name: configure systemd timer
-  block:
-    - name: create systemd timer override directory
-      file:
-        path: "/etc/systemd/system/{{ certbot_timer_name }}.d"
-        owner: root
-        group: root
-        mode: 0755
-        state: directory
+- name: include linode tasks
+  ansible.builtin.include_tasks: configure-linode.yaml

-    - name: configure systemd timer options
-      template:
-        src: certbot.timer.j2
-        dest: "/etc/systemd/system/{{ certbot_timer_name }}.d/override.conf"
-        owner: root
-        group: root
-        mode: 0644
-      notify: systemd daemon-reload
-    - name: enable the timer
-      systemd:
-        name: "{{ certbot_timer_name }}"
-        state: "{{ certbot_timer_state }}"
-        enabled: "{{ certbot_timer_enabled }}"
-  when: ansible_service_mgr == "systemd"
+- name: configure renewal service
+  ansible.builtin.template:
+    src: certbot.service.j2
+    dest: "/etc/systemd/system/certbot.service"
+    owner: root
+    group: root
+    mode: 0644
+  notify: systemd daemon-reload

- name: configure cron job
-  block:
-    - name: configure env
-      cron:
-        name: "{{ item.key | upper }}"
-        env: yes
-        job: "{{ item.value }}"
-        user: "{{ certbot_cron_user }}"
-        cron_file: "{{ certbot_cron_file_path }}"
-        state: "{{ certbot_cron_state }}"
-      loop: "{{ certbot_cron_env | dict2items }}"
-    - name: create job
-      cron:
-        name: certbot
-        user: "{{ certbot_cron_user }}"
-        hour: "{{ certbot_cron_hour }}"
-        minute: "{{ certbot_cron_minute }}"
-        cron_file: "{{ certbot_cron_file_path }}"
-        job: "{{ certbot_cron_command }}"
-        state: "{{ certbot_cron_state }}"
+- name: configure renewal timer
+  ansible.builtin.template:
+    src: certbot.timer.j2
+    dest: "/etc/systemd/system/certbot.timer"
+    owner: root
+    group: root
+    mode: 0644
+  notify: systemd daemon-reload
+
+- name: manage timer
+  ansible.builtin.systemd:
+    name: "{{ certbot_timer_name }}"
+    enabled: "{{ certbot_timer_enabled }}"
+    state: "{{ certbot_timer_state }}"
--- a/roles/certbot/templates/certbot.service.j2
+++ b/roles/certbot/templates/certbot.service.j2
@ -0,0 +1,14 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=Certbot renewal
+After=network-online.target
+Wants=network-online.target
+Wants={{ certbot_timer_name }}
+
+[Service]
+Type=oneshot
+ExecStart={{ certbot_path }} --quiet renew
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/certbot/templates/certbot.timer.j2
+++ b/roles/certbot/templates/certbot.timer.j2
@ -1,5 +1,12 @@
 # {{ ansible_managed }}

+[Unit]
+Description=Certbot renewal
+Requires={{ certbot_service_name }}
+
 [Timer]
 OnCalendar={{ certbot_system_timer_on_calender }} 
 RandomizedDelaySec={{ certbot_system_timer_randomized_delay_sec }}
+
+[Install]
+WantedBy=timers.target
--- a/roles/dl/templates/nginx.conf.j2
+++ b/roles/dl/templates/nginx.conf.j2
@ -26,10 +26,13 @@ server {
 {% if dl_ssl_enabled is defined and
      dl_ssl_enabled %}
 server {
-    listen 443 ssl http2;
+    listen 443 ssl;
 {% if ansible_all_ipv6_addresses | length %}
-    listen [::]:443 ssl http2;
+    listen [::]:443 ssl;
 {% endif %}
+
+    http2 on;
+
    server_name {{ dl_server_name }};
    access_log {{ dl_access_log }} main;
    error_log {{ dl_error_log }} warn;
@ -46,6 +49,10 @@ server {
    ssl_dhparam {{ dl_ssl_dhparam }};
 {% endif %}

+    location / {
+        add_header Alt-Svc 'h3=":$server_port"; ma=86400';
+    }
+
    location ~ ^\/~(.+?)(\/.*)?$ {
        alias /home/$1/public_html$2;
        index index.html index.htm;
--- a/roles/firewall/templates/ip6tables.j2
+++ b/roles/firewall/templates/ip6tables.j2
@ -130,6 +130,9 @@
 {% endif %}
 {% if firewall_ipset_syslog is defined %}
 -A INPUT -p tcp -m tcp --dport 514 -m set --match-set syslog6 src -m comment --comment "accept syslog 514/tcp6" -j LOG_ACCEPT
+-A INPUT -p udp -m udp --dport 514 -m set --match-set syslog6 src -m comment --comment "accept syslog 514/udp6" -j LOG_ACCEPT
+-A INPUT -p tcp -m tcp --dport 1514 -m set --match-set syslog6 src -m comment --comment "accept syslog 1514/tcp6" -j LOG_ACCEPT
+-A INPUT -p udp -m udp --dport 1514 -m set --match-set syslog6 src -m comment --comment "accept syslog 1514/udp6" -j LOG_ACCEPT
 {% endif %}
 {% if firewall_ipset_influxdb is defined %}
 -A INPUT -p tcp -m tcp --dport 8086 -m set --match-set influxdb6 src -m comment --comment "accept influxdb 8086/tcp6" -j LOG_ACCEPT
--- a/roles/firewall/templates/iptables.j2
+++ b/roles/firewall/templates/iptables.j2
@ -117,6 +117,8 @@
 {% if firewall_ipset_syslog is defined %}
 -A INPUT -p tcp -m tcp --dport 514 -m set --match-set syslog4 src -m comment --comment "accept syslog 514/tcp" -j LOG_ACCEPT
 -A INPUT -p udp -m udp --dport 514 -m set --match-set syslog4 src -m comment --comment "accept syslog 514/udp" -j LOG_ACCEPT
+-A INPUT -p tcp -m tcp --dport 1514 -m set --match-set syslog4 src -m comment --comment "accept syslog 1514/tcp" -j LOG_ACCEPT
+-A INPUT -p udp -m udp --dport 1514 -m set --match-set syslog4 src -m comment --comment "accept syslog 1514/udp" -j LOG_ACCEPT
 {% endif %}
 {% if firewall_ipset_influxdb is defined %}
 -A INPUT -p tcp -m tcp --dport 8086 -m set --match-set influxdb4 src -m comment --comment "accept influxdb 8086/tcp" -j LOG_ACCEPT
--- a/roles/gitea/templates/nginx.conf.j2
+++ b/roles/gitea/templates/nginx.conf.j2
@ -37,10 +37,13 @@ server {
 {% if gitea_ssl_enabled is defined and
      gitea_ssl_enabled %}
 server {
-    listen 443 ssl http2;
+    listen 443 ssl;
 {% if ansible_all_ipv6_addresses | length %}
-    listen [::]:443 ssl http2;
+    listen [::]:443 ssl;
 {% endif %}
+
+    http2 on;
+
    server_name {{ gitea_domain }};

    access_log /var/log/nginx/gitea.access.log main;
@ -62,6 +65,7 @@ server {
    }

    location / {
+        add_header Alt-Svc 'h3=":$server_port"; ma=86400';
        limit_req zone=req_bad_actors burst=10 nodelay;
        proxy_pass http://gitea_backend;
    }
--- a/roles/grafana/templates/nginx.conf.j2
+++ b/roles/grafana/templates/nginx.conf.j2
@ -6,6 +6,11 @@ upstream grafana_backend {
    server 127.0.0.1:{{ grafana_port }};
 }

+map $http_upgrade $connection_upgrade {
+    default upgrade;
+    ''      close;
+}
+
 server {
    listen 80;
 {% if ansible_all_ipv6_addresses | length %}
@ -32,10 +37,13 @@ server {
 {% if grafana_ssl_enabled is defined and
      grafana_ssl_enabled %}
 server {
-    listen 443 ssl http2;
+    listen 443 ssl;
 {% if ansible_all_ipv6_addresses | length %}
-    listen [::]:443 ssl http2;
+    listen [::]:443 ssl;
 {% endif %}
+
+    http2 on;
+
    server_name {{ grafana_domain }};

    access_log /var/log/nginx/grafana.access.log main;
@ -59,7 +67,12 @@ server {
    }

    location / {
+        add_header Alt-Svc 'h3=":$server_port"; ma=86400';
        limit_req zone=req_bad_actors burst=10 nodelay;
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_set_header Host $http_host;
        proxy_pass http://grafana_backend;
    }
 }
--- a/roles/loki/defaults/main.yaml
+++ b/roles/loki/defaults/main.yaml
@ -26,12 +26,17 @@ loki_user_shell: /usr/sbin/nologin
 loki_group: loki
 loki_group_state: "{{ loki_user_state | default('present') }}"

-loki_config_path: /etc/loki.yaml
-
 loki_var_path: /var/lib/loki
 loki_var_owner: "{{ loki_user }}"
 loki_var_group: "{{ loki_group }}"
-loki_var_mode: "0755"
+loki_var_mode: "0700"
+
+loki_etc_path: /etc/loki
+loki_etc_owner: "{{ loki_user }}"
+loki_etc_group: "{{ loki_group }}"
+loki_etc_mode: "0755"
+
+loki_config_path: "{{ loki_etc_path }}/config.yaml"

 loki_bin_path: /usr/local/bin

@ -39,36 +44,51 @@ loki_auth_enabled: false

 loki_server:
  http_listen_port: 3100
+  grpc_listen_port: 9096

-loki_ingester:
-  lifecycler:
-    address: 127.0.0.1
-    ring:
-      kvstore:
-        store: inmemory
-      replication_factor: 1
-    final_sleep: 0s
-  chunk_idle_period: 5m
-  chunk_retain_period: 30s
+loki_common:
+  instance_addr: 127.0.0.1
+  path_prefix: "{{ loki_var_path }}"
+  storage:
+    filesystem:
+      chunks_directory: "{{ loki_var_path }}/chunks"
+      rules_directory: "{{ loki_var_path }}/rules"
+  replication_factor: 1
+  ring:
+    kvstore:
+      store: inmemory
+
+loki_query_range:
+  results_cache:
+    cache:
+      embedded_cache:
+        enabled: true
+        max_size_mb: 100
+
+# loki_storage_config:
+#   {}

 loki_schema_config:
  configs:
-  - from: 2020-05-15
-    store: boltdb
-    object_store: filesystem
+  - from: 2020-10-24
+    store: boltdb-shipper
+    object_store: gcs
    schema: v11
    index:
      prefix: index_
-      period: 168h
+      period: 24h

-loki_storage_config:
-  boltdb:
-    directory: "{{ loki_var_path }}/index"
-  filesystem:
-    directory: "{{ loki_var_path }}/chunks"
+loki_ruler:
+  alertmanager_url: http://localhost:9093
+
+# loki_query_scheduler:
+#   {}
+
+# loki_querier:
+#   {}
+
+# loki_compactor:
+#   {}

 loki_limits_config:
-  enforce_metric_name: false
-  reject_old_samples: true
-  reject_old_samples_max_age: 168h
-  ingestion_burst_size_mb: 16
+  retention_period: 744h
--- a/roles/loki/tasks/configure.yaml
+++ b/roles/loki/tasks/configure.yaml
@ -15,14 +15,13 @@
    home: "{{ loki_var_path }}"
    state: "{{ loki_user_state | default('present') }}"

- name: configure
-  template:
-    src: loki.yaml.j2
-    dest: "{{ loki_config_path }}"
-    owner: root
-    group: root
-    mode: 0444
-  notify: restart loki
+- name: create etc path
+  file:
+    path: "{{ loki_etc_path }}"
+    state: directory
+    owner: "{{ loki_etc_owner }}"
+    group: "{{ loki_etc_group }}"
+    mode: "{{ loki_etc_mode }}"

 - name: create var path
  file:
@ -32,6 +31,15 @@
    group: "{{ loki_var_group }}"
    mode: "{{ loki_var_mode }}"

+- name: configure
+  template:
+    src: config.yaml.j2
+    dest: "{{ loki_config_path }}"
+    owner: "{{ loki_user }}"
+    group: "{{ loki_group }}"
+    mode: 0400
+  notify: restart loki
+
 - name: configure systemd template
  template:
    src: "{{ loki_service_name }}.j2"
--- a/roles/loki/templates/config.yaml.j2
+++ b/roles/loki/templates/config.yaml.j2
@ -0,0 +1,55 @@
+{{ ansible_managed | comment }}
+---
+{% if loki_auth_enabled is defined %}
+auth_enabled: {{ loki_auth_enabled | bool | lower }}
+{% endif %}
+
+{% if loki_server is defined %}
+server:
+  {{ loki_server | to_nice_yaml(indent=2) | indent(2, False) }}
+{% endif -%}
+
+{% if loki_common is defined %}
+common:
+  {{ loki_common | to_nice_yaml(indent=2) | indent(2, False) }}
+{% endif -%}
+
+{% if loki_query_range is defined %}
+query_range:
+  {{ loki_query_range | to_nice_yaml(indent=2) | indent(2, False) }}
+{% endif -%}
+
+{% if loki_storage_config is defined %}
+storage_config:
+  {{ loki_storage_config | to_nice_yaml(indent=2) | indent(2, False) }}
+{% endif -%}
+
+{% if loki_schema_config is defined %}
+schema_config:
+  {{ loki_schema_config | to_nice_yaml(indent=2) | indent(2, False) }}
+{% endif -%}
+
+{% if loki_ruler is defined %}
+ruler:
+  {{ loki_ruler | to_nice_yaml(indent=2) | indent(2, False) }}
+{% endif -%}
+
+{% if loki_query_scheduler is defined %}
+query_scheduler:
+  {{ loki_query_scheduler | to_nice_yaml(indent=2) | indent(2, False) }}
+{% endif -%}
+
+{% if loki_querier is defined %}
+querier:
+  {{ loki_querier | to_nice_yaml(indent=2) | indent(2, False) }}
+{% endif -%}
+
+{% if loki_compactor is defined %}
+compactor:
+  {{ loki_compactor | to_nice_yaml(indent=2) | indent(2, False) }}
+{% endif -%}
+
+{% if loki_limits_config is defined %}
+limits_config:
+  {{ loki_limits_config | to_nice_yaml(indent=2) | indent(2, False) }}
+{% endif -%}
--- a/roles/loki/templates/loki.service.j2
+++ b/roles/loki/templates/loki.service.j2
@ -1,19 +1,19 @@
 {{ ansible_managed | comment }}

 [Unit]
-Description=Loki
-After=network-online.target
+Description=Loki service
+After=network.target

 [Service]
 Type=simple
 User={{ loki_user }}
-Group={{ loki_group }}
 ExecStart={{ loki_bin_path }}/loki \
  -config.file {{ loki_config_path }}
-WorkingDirectory={{ loki_var_path }}

-Restart=always
-RestartSec=1
+WorkingDirectory={{ loki_var_path }}
+TimeoutSec = 120
+Restart = on-failure
+RestartSec = 2

 [Install]
 WantedBy=multi-user.target
--- a/roles/loki/templates/loki.yaml.j2
+++ b/roles/loki/templates/loki.yaml.j2
@ -1,30 +0,0 @@
-{{ ansible_managed | comment }}
---
-{% if loki_auth_enabled is defined %}
-auth_enabled: {{ loki_auth_enabled | bool | lower }}
-{% endif %}
-
-{% if loki_server is defined %}
-server:
-  {{ loki_server | to_nice_yaml(indent=2) | indent(2, False) }}
-{% endif -%}
-
-{% if loki_ingester is defined %}
-ingester:
-  {{ loki_ingester | to_nice_yaml(indent=2) | indent(2, False) }}
-{% endif -%}
-
-{% if loki_schema_config is defined %}
-schema_config:
-  {{ loki_schema_config | to_nice_yaml(indent=2) | indent(2, False) }}
-{% endif -%}
-
-{% if loki_storage_config is defined %}
-storage_config:
-  {{ loki_storage_config | to_nice_yaml(indent=2) | indent(2, False) }}
-{% endif -%}
-
-{% if loki_limits_config is defined %}
-limits_config:
-  {{ loki_limits_config | to_nice_yaml(indent=2) | indent(2, False) }}
-{% endif -%}
--- a/roles/mtail/defaults/main.yaml
+++ b/roles/mtail/defaults/main.yaml
@ -12,7 +12,7 @@ mtail_service_enabled: yes
 mtail_version_regex: ^mtail version (\S+)

 mtail_github_project_url: https://github.com/google/mtail
-mtail_release_file: "mtail_{{ mtail_version }}_{{ ansible_system | capitalize }}_{{ ansible_architecture }}.tar.gz"
+mtail_release_file: "mtail_{{ mtail_version }}_{{ ansible_system | lower }}_{{ mtail_go_arch }}.tar.gz"
 mtail_release_url: "{{ mtail_github_project_url }}/releases/download/v{{ mtail_version }}/{{ mtail_release_file }}"
 mtail_download_path: "/tmp/{{ mtail_release_file }}"
 mtail_checksum_url: "{{ mtail_github_project_url }}/releases/download/v{{ mtail_version }}/checksums.txt"
--- a/roles/mtail/tasks/pre.yaml
+++ b/roles/mtail/tasks/pre.yaml
@ -1,42 +1,4 @@
 ---
-#- name: determine if installed
-#  stat:
-#    path: "{{ mtail_bin_path }}/mtail"
-#  register: st
-#
-#- name: set mtail_installed
-#  set_fact:
-#    mtail_installed: "{{ st.stat.exists | bool }}"
-#
-#- block:
-#  - name: determine latest version
-#    uri:
-#      url: https://api.github.com/repos/google/mtail/releases/latest
-#      return_content: true
-#      body_format: json
-#    register: _latest_version
-#    until: _latest_version.status == 200
-#    retries: 3
-#
-#  - name: set mtail_version
-#    set_fact:
-#      mtail_version: "{{ _latest_version.json['tag_name'] | regex_replace('^v', '') }}"
-#
-#- block:
-#  - name: determine installed version
-#    command: "{{ mtail_bin_path }}/mtail --version"
-#    register: _installed_version_string
-#    changed_when: false
-#
-#  - name: set mtail_local_version
-#    set_fact:
-#      mtail_local_version: "{{ _installed_version_string.stdout | regex_search(mtail_version_regex, '\\1') | first }}"
-#  when: mtail_installed
-#
-#- name: set mtail_local_version to 0
-#  set_fact:
-#    mtail_local_version: "0"
-#  when: not mtail_installed
 - name: determine if installed
  stat:
    path: "{{ mtail_bin_path }}/mtail"
--- a/roles/network/defaults/main.yml
+++ b/roles/network/defaults/main.yml
@ -6,6 +6,23 @@ network_netplan_config_path: "{{ network_netplan_etc_path }}/ansible.yaml"
 network_netplan_default_config_path: "{{ network_netplan_etc_path }}/01-netcfg.yaml"
 # network_netplan_default_config_state: absent

+network_netplan:
+  network:
+    version: 2
+    ethernets:
+      eth0:
+        dhcp4: false
+        dhcp6: false
+        accept-ra: true
+        addresses:
+          - "{{ ansible_default_ipv4.address }}/{{ (ansible_default_ipv4.network + '/' + ansible_default_ipv4.netmask) | ansible.utils.ipaddr('prefix') }}"
+          - "{{ ansible_default_ipv6.address }}/{{ ansible_default_ipv6.prefix }}"
+        routes:
+          - to: default
+            via: "{{ ansible_default_ipv4.gateway }}"
+        nameservers:
+          addresses: "{{ network_dns_nameservers }}"
+
 network_interfaces:
  - name: eth0
    inet4:
@ -15,6 +32,7 @@ network_interfaces:
      gateway: "{{ ansible_default_ipv4.gateway }}"
    inet6:
      dhcp: false
+      accept_ra: true
      address:
        - "{{ ansible_default_ipv6.address }}/{{ ansible_default_ipv6.prefix }}"
      gateway: "{{ ansible_default_ipv6.gateway }}"
--- a/roles/network/tasks/netplan.yml
+++ b/roles/network/tasks/netplan.yml
@ -5,14 +5,14 @@
    state: "{{ network_netplan_default_config_state | default('absent') }}"
    owner: root
    group: root
-    mode: 0644
+    mode: '0400'
  notify: netplan apply

 - name: Configure netplan
-  ansible.builtin.template:
+  ansible.builtin.copy:
    dest: "{{ network_netplan_config_path }}"
-    src: netplan.yaml.j2
+    content: "{{ network_netplan | to_nice_yaml }}"
    owner: root
    group: root
-    mode: '0644'
+    mode: '0400'
  notify: netplan apply
--- a/roles/network/templates/netplan.yaml.j2
+++ b/roles/network/templates/netplan.yaml.j2
@ -1,16 +1,19 @@
 ---
 network:
-  version: "{{ network_netplan_version | default(2) }}"
-  renderer: "{{ network_netplan_renderer | default("networkd") }}"
+  version: {{ network_netplan_version | default(2) }}
+  renderer: {{ network_netplan_renderer | default('networkd') }}
 {% if network_interfaces is defined and network_interfaces | length %}
  ethernets:
 {%   for iface in network_interfaces %}
    {{ iface['name'] }}:
 {%     if iface['inet4']['dhcp'] is defined %}
-      dhcp4: "{{ iface['inet4']['dhcp'] | ternary('yes', 'no') }}"
+      dhcp4: {{ iface['inet4']['dhcp'] | ternary('true', 'false') }}
 {%     endif %}
 {%     if iface['inet4']['dhcp'] is defined %}
-      dhcp6: "{{ iface['inet6']['dhcp'] | ternary('yes', 'no') }}"
+      dhcp6: {{ iface['inet6']['dhcp'] | ternary('true', 'false') }}
+{%     endif %}
+{%     if iface['inet6']['accept_ra'] is defined %}
+      accept-ra: {{ iface['inet6']['accept_ra'] | ternary('true', 'false') }}
 {%     endif %}
 {%     if iface['inet4']['address'] is defined or iface['inet6']['address'] is defined %}
      addresses:
@ -22,10 +25,10 @@ network:
 {%       endfor %}
 {%     endif %}
 {%     if iface['inet4']['gateway'] is defined %}
-      gateway4: "{{ iface['inet4']['gateway'] }}"
+      gateway4: {{ iface['inet4']['gateway'] }}
 {%     endif %}
 {%     if iface['inet6']['gateway'] is defined %}
-      gateway6: "{{ iface['inet6']['gateway'] }}"
+      gateway6: {{ iface['inet6']['gateway'] }}
 {%     endif %}
 {%     if network_dns_nameservers is defined %}
      nameservers:
--- a/roles/nftables/defaults/main.yaml
+++ b/roles/nftables/defaults/main.yaml
@ -36,35 +36,54 @@ nftables_builtin_sets:
    - flags interval

 nftables_input_builtin_rules:
-  - type filter hook input priority filter; policy drop;
-  - ip saddr @blackhole4 drop
-  - ip6 saddr @blackhole6 drop
-  - ct state established,related accept
-  - ct state invalid drop
-  - iifname "lo" accept
-  - icmpv6 type $REQUIRED_ICMPV6_TYPES accept
-  - icmpv6 type echo-request accept
-  - icmp type echo-request accept
-  - tcp dport @tcp_input_accept accept
-  - udp dport @udp_input_accept accept
-  # this should be last because these ports could be allowed
-  - udp dport $TRACEROUTE_UDP_PORTS reject
+  '000 policy':
+    - type filter hook input priority filter; policy drop;
+  '010 blackhole':
+    - ip saddr @blackhole4 drop
+    - ip6 saddr @blackhole6 drop
+  '020 related established':
+    - ct state established,related accept
+    - ct state invalid drop
+  '030 loopback':
+    - iifname "lo" accept
+  '040 icmp':
+    - icmpv6 type $REQUIRED_ICMPV6_TYPES accept
+    - icmpv6 type echo-request accept
+    - icmp type echo-request accept
+  '050 tcp accept':
+    - tcp dport @tcp_input_accept accept
+  '060 udp accept':
+    - udp dport @udp_input_accept accept
+  '999 traceroute':
+    # this should be last because these ports could be allowed
+    - udp dport $TRACEROUTE_UDP_PORTS reject

 nftables_forward_builtin_rules:
-  - type filter hook forward priority filter; policy drop;
-  - ct state { established, related } accept
+  '000 policy':
+    - type filter hook forward priority filter; policy drop;
+  '010 related established':
+    - ct state { established, related } accept

 nftables_output_builtin_rules:
-  - type filter hook output priority filter; policy accept;
-  - ip daddr @blackhole4 drop
-  - ip6 daddr @blackhole6 drop
-  - ct state { established, related } accept
+  '000 policy':
+    - type filter hook output priority filter; policy accept;
+  '010 blackhole':
+    - ip daddr @blackhole4 drop
+    - ip6 daddr @blackhole6 drop
+  '020 related established':
+    - ct state { established, related } accept

-# nftables_sets:
-#   {}
-#
-# nftables_input_rules:
-#   []
-#
-# nftables_output_rules:
-#   []
+nftables_defines:
+  {} 
+
+nftables_sets:
+  {}
+
+nftables_input_rules:
+  {}
+
+nftables_forward_rules:
+  {}
+
+nftables_output_rules:
+  {}
--- a/roles/nftables/templates/nftables.conf.j2
+++ b/roles/nftables/templates/nftables.conf.j2
@ -1,82 +1,53 @@
+{% set combined_defines = [ nftables_builtin_defines, nftables_defines ] | combine %}
+{% set combined_sets = [ nftables_builtin_sets, nftables_sets ] | combine %}
+{% set combined_input_rules = [ nftables_input_builtin_rules, nftables_input_rules ] | combine %}
+{% set combined_forward_rules = [ nftables_forward_builtin_rules, nftables_forward_rules ] | combine %}
+{% set combined_output_rules = [ nftables_output_builtin_rules, nftables_output_rules ] | combine %}
 table inet filter {
-{% if nftables_builtin_defines is mapping %}
-{%   for name, cfg in nftables_builtin_defines.items() %}
-{%     if cfg is string %}
+{% for name, cfg in combined_defines.items() %}
+{%   if cfg is string or cfg is number %}
  define {{ name }} = {{ cfg }}
-{%     elif cfg is sequence %} 
+{%  elif cfg is sequence %} 
  define {{ name }} = {
-{%     for elem in cfg %}
+{%   for elem in cfg %}
    {{ elem }},
-{%     endfor %}
-  }
-{%     endif %}
 {%   endfor %}
-{% endif %}
-{% if nftables_defines is mapping %}
-{%   for name, cfg in nftables_defines.items() %}
-  define {{ name }} = {
-{%     for elem in cfg %}
-    {{ elem }},
-{%     endfor %}
  }
-{%   endfor %}
-{% endif %}
+{%   endif %}
+{% endfor %}

-{% if nftables_builtin_sets is mapping %}
-{%   for name, cfg in nftables_builtin_sets.items() %}
+{% for name, cfg in combined_sets.items() %}
  set {{ name }} { 
-{%     for elem in cfg %}
+{%   for elem in cfg %}
    {{ elem }}
-{%     endfor %}
-  }
 {%   endfor %}
-{% endif %}
-{% if nftables_sets is mapping %}
-{%   for name, cfg in nftables_sets.items() %}
-  set {{ name }} { 
-{%     for elem in cfg %}
-    {{ elem }}
-{%     endfor %}
  }
-{%   endfor %}
-{% endif %}
+{% endfor %}

  chain input {
-{% if nftables_input_builtin_rules is sequence %}
-{%   for rule in nftables_input_builtin_rules %}
+{% for comment, rules in combined_input_rules.items() %}
+    # {{ comment }}
+{%   for rule in rules %}
    {{ rule }}
 {%   endfor %}
-{% endif %}
-{% if nftables_input_rules is sequence %}
-{%   for rule in nftables_input_rules %}
-    {{ rule }}
-{%   endfor %}
-{% endif %}
+{% endfor %}
  }

  chain forward {
-{% if nftables_forward_builtin_rules is sequence %}
-{%   for rule in nftables_forward_builtin_rules %}
+{% for comment, rules in combined_forward_rules.items() %}
+    # {{ comment }}
+{%   for rule in rules %}
    {{ rule }}
 {%   endfor %}
-{% endif %}
-{% if nftables_forward_rules is sequence %}
-{%   for rule in nftables_forward_rules %}
-    {{ rule }}
-{%   endfor %}
-{% endif %}
+{% endfor %}
  }

  chain output {
-{% if nftables_output_builtin_rules is sequence %}
-{%   for rule in nftables_output_builtin_rules %}
+{% for comment, rules in combined_output_rules.items() %}
+    # {{ comment }}
+{%   for rule in rules %}
    {{ rule }}
 {%   endfor %}
-{% endif %}
-{% if nftables_output_rules is sequence %}
-{%   for rule in nftables_output_rules %}
-    {{ rule }}
-{%   endfor %}
-{% endif %}
+{% endfor %}
  }
 }
--- a/roles/prometheus/templates/nginx.conf.j2
+++ b/roles/prometheus/templates/nginx.conf.j2
@ -38,10 +38,13 @@ server {
 {% if prometheus_ssl_enabled is defined and
      prometheus_ssl_enabled %}
 server {
-    listen 443 ssl http2;
+    listen 443 ssl;
 {% if ansible_all_ipv6_addresses | length %}
-    listen [::]:443 ssl http2;
+    listen [::]:443 ssl;
 {% endif %}
+
+    http2 on;
+
    server_name {{ prometheus_hostname }};

    auth_basic           "Prometheus";
@ -73,6 +76,7 @@ server {
    }

    location / {
+        add_header Alt-Svc 'h3=":$server_port"; ma=86400';
        return 301 /prometheus/;
    }
 }
--- a/roles/promtail/templates/promtail.service.j2
+++ b/roles/promtail/templates/promtail.service.j2
@ -1,19 +1,19 @@
 {{ ansible_managed | comment }}

 [Unit]
-Description=Loki
-After=network-online.target
+Description=Promtail service
+After=network.target

 [Service]
 Type=simple
 User={{ promtail_user }}
-Group={{ promtail_group }}
 ExecStart={{ promtail_bin_path }}/promtail \
-  -config.file {{ promtail_config_path }}
+  -config.file {{ promtail_config_path }} \
+  -client.external-labels=host=%l
 WorkingDirectory={{ promtail_var_path }}
-
-Restart=always
-RestartSec=1
+TimeoutSec = 60
+Restart=on-failure
+RestartSec=2

 [Install]
 WantedBy=multi-user.target
--- a/roles/restic/defaults/main.yaml
+++ b/roles/restic/defaults/main.yaml
@ -1,12 +1,34 @@
 ---
-restic_service_name: restic.service
-restic_service_state: started
-restic_service_enabled: yes
+restic_go_arch_map:
+  i386: '386'
+  x86_64: 'amd64'
+
+
+restic_go_arch: "{{ restic_go_arch_map[ansible_architecture] | default('amd64') }}"
+
+restic_version_regex: ^restic ([\d.]+)
+
+restic_checksum_algo: sha256
+restic_github_rel_path: restic/restic
+restic_github_project_url: "https://github.com/{{ restic_github_rel_path }}"
+restic_release_file: "restic_{{ restic_version }}_{{ ansible_system | lower }}_{{ restic_go_arch }}.bz2"
+restic_release_url: "{{ restic_github_project_url }}/releases/download/v{{ restic_version }}/{{ restic_release_file }}"
+restic_checksum_url: "{{ restic_github_project_url }}/releases/download/v{{ restic_version }}/{{ restic_checksum_algo | upper }}SUMS"
+restic_download_path: "/tmp/{{ restic_release_file }}"
+restic_unarchive_dest_path: /tmp
+restic_extracted_path: "{{ restic_download_path | replace('.bz2', '') }}"
+restic_binaries:
+ - restic
+
+# restic_arch: amd64
+# restic_version: 0.15.2
+# restic_url: "https://github.com/restic/restic/releases/download/v{{ restic_version }}/restic_{{ restic_version }}_linux_{{ restic_arch }}.bz2"
+# restic_checksum: sha256:c8da7350dc334cd5eaf13b2c9d6e689d51e7377ba1784cc6d65977bd44ee1165
+# restic_bin_path: /usr/local/bin
+# restic_etc_path: /etc/restic
+# restic_path: "{{ restic_bin_path }}/restic"
+# restic_self_update: true

-restic_arch: amd64
-restic_version: 0.14.0
-restic_url: "https://github.com/restic/restic/releases/download/v{{ restic_version }}/restic_{{ restic_version }}_linux_{{ restic_arch }}.bz2"
-restic_checksum: sha256:c8da7350dc334cd5eaf13b2c9d6e689d51e7377ba1784cc6d65977bd44ee1165
 restic_bin_path: /usr/local/bin
 restic_etc_path: /etc/restic
 restic_path: "{{ restic_bin_path }}/restic"
--- a/roles/restic/files/hooks/gitea.sh
+++ b/roles/restic/files/hooks/gitea.sh
@ -9,7 +9,7 @@ GITEA_CONFIG=${GITEA_CONFIG:-/etc/gitea/app.ini}
 GITEA_WORK_PATH=${GITEA_WORK_PATH:-/var/lib/gitea}
 GITEA_CUSTOM_PATH=${GITEA_CUSTOM_PATH:-$GITEA_WORK_PATH/custom}
 GITEA_BACKUP_PATH=${GITEA_BACKUP_PATH:-$GITEA_WORK_PATH/backup}
-GITEA_KEEP_DAYS=${GITEA_KEEP_DAYS:-2}
+GITEA_KEEP_HOURS=${GITEA_KEEP_HOURS:-12}

 prereq() {
    if ! systemctl list-units --full --all | grep -Fq "gitea.service"; then
@ -41,7 +41,7 @@ main() {
        find "$GITEA_BACKUP_PATH" \
            -type f \
            -name '*.zip' \
-            -mtime "+$GITEA_KEEP_DAYS" \
+            -mmin +$((GITEA_KEEP_HOURS * 60)) \
            -delete
    fi
 }
--- a/roles/restic/files/restic-job.sh
+++ b/roles/restic/files/restic-job.sh
@ -73,6 +73,10 @@ fi

 START="$(date +%s)"

+if [[ -n "$($RESTIC_PATH list locks -q)" ]]; then
+    error_exit "repo is locked"
+fi
+
 if [ -f "$LOCK" ]; then
    pid=$(cat "$LOCK")
    if ! kill -0 "$pid" 2> /dev/null; then
--- a/roles/restic/tasks/install.yaml
+++ b/roles/restic/tasks/install.yaml
@ -0,0 +1,25 @@
+---
+- block:
+  - name: download
+    get_url:
+      url: "{{ restic_release_url }}"
+      dest: "{{ restic_download_path }}"
+      checksum: "{{ restic_checksum }}"
+    register: dl
+    until: dl is success
+    retries: 5
+    delay: 10
+
+  - name: extract
+    command:
+      cmd: "bunzip2 -f -k {{ restic_download_path }}"
+
+  - name: install binaries
+    copy:
+      src: "{{ restic_extracted_path }}"
+      dest: "{{ restic_path }}"
+      owner: root
+      group: root
+      mode: 0755
+      remote_src: true
+  when: restic_version != restic_local_version
--- a/roles/restic/tasks/main.yaml
+++ b/roles/restic/tasks/main.yaml
@ -23,35 +23,10 @@
      paths:
        - tasks

- name: "download restic {{ restic_version }}"
-  get_url:
-    url: "{{ restic_url }}"
-    checksum: "{{ restic_checksum }}"
-    dest: "{{ restic_path }}.bz2"
-    owner: root
-    group: root
-    mode: 0400
-  register: dl
+- ansible.builtin.include_tasks: pre.yaml

- name: determine if restic exists
-  stat:
-    path: "{{ restic_path }}"
-  register: st
+- ansible.builtin.include_tasks: install.yaml

- name: decompress restic
-  command:
-    cmd: "bunzip2 -k {{ restic_path }}.bz2"
-    creates: "{{ restic_path }}"
-  when: dl.changed or not st.stat.exists
-  #notify:
-  #  - restart restic
-
- name: manage restic attributes
-  file:
-    path: "{{ restic_path }}"
-    owner: root
-    group: root
-    mode:  0755

 - name: create etc tree
  file:
--- a/roles/restic/tasks/pre.yaml
+++ b/roles/restic/tasks/pre.yaml
@ -0,0 +1,59 @@
+---
+- name: determine if installed
+  stat:
+    path: "{{ restic_bin_path }}/restic"
+  register: st
+
+- name: set restic_installed
+  set_fact:
+    restic_installed: "{{ st.stat.exists | bool }}"
+
+- block:
+  - name: determine latest version
+    uri:
+      url: "https://api.github.com/repos/{{ restic_github_rel_path }}/releases/latest"
+      return_content: true
+      body_format: json
+    register: _latest_version
+    until: _latest_version.status == 200
+    retries: 3
+
+  - name: set restic_version
+    set_fact:
+      restic_version: "{{ _latest_version.json['tag_name'] | regex_replace('^v', '') }}"
+
+- block:
+  - name: determine installed version
+    command: "{{ restic_bin_path }}/restic version"
+    register: _installed_version_string
+    changed_when: false
+
+  - name: set restic_local_version
+    set_fact:
+      restic_local_version: "{{ _installed_version_string.stdout | regex_search(restic_version_regex, '\\1') | first }}"
+  rescue:
+  - name: set restic_local_version
+    set_fact:
+      restic_local_version: "{{ _installed_version_string.stderr | regex_search(restic_version_regex, '\\1') | first }}"
+  when: restic_installed
+
+- name: set restic_local_version to 0
+  set_fact:
+    restic_local_version: "0"
+  when: not restic_installed
+
+- block:
+  - name: get checksums
+    set_fact:
+      _checksums: "{{ lookup('url', restic_checksum_url, wantlist=True) }}"
+
+  - name: debug
+    debug:
+      msg: "{{ restic_checksum_algo }}:{{ item.split(' ') | first }}"
+    loop: "{{ _checksums }}"
+
+  - name: set restic_checksum
+    set_fact:
+      restic_checksum: "{{ restic_checksum_algo }}:{{ item.split(' ') | first }}"
+    loop: "{{ _checksums }}"
+    when: "restic_release_file in item"
--- a/roles/snmp_exporter/defaults/main.yaml
+++ b/roles/snmp_exporter/defaults/main.yaml
@ -0,0 +1,102 @@
+---
+snmp_exporter_go_arch_map:
+  i386: '386'
+  x86_64: 'amd64'
+
+snmp_exporter_go_arch: "{{ snmp_exporter_go_arch_map[ansible_architecture] | default('amd64') }}"
+
+snmp_exporter_version: 0.25.0
+snmp_exporter_checksums:
+  snmp_exporter-0.25.0.aix-ppc64.tar.gz: sha256:457524708e136a1c559567eb5170352b25591d33646ad85940f4692b13de8208
+  snmp_exporter-0.25.0.darwin-amd64.tar.gz: sha256:83f820691ec4013614c5e8771c37741ba7732a41f01ac4675428a95cf50785db
+  snmp_exporter-0.25.0.darwin-arm64.tar.gz: sha256:2de16c8ab56c96721ba71ce7b16cdcfaced50f0f7e78fc7ded1747017717a953
+  snmp_exporter-0.25.0.dragonfly-amd64.tar.gz: sha256:a17a8277a134d0f3f5913fdb89b3218e308c01c0749e4b1fe6eff860216c3f06
+  snmp_exporter-0.25.0.freebsd-386.tar.gz: sha256:dc5bb9943ce5abfc4610eb51b98d21754333828acd17e1058f4979dec83ec4bd
+  snmp_exporter-0.25.0.freebsd-amd64.tar.gz: sha256:65c527a32426b781968ee2b1ed9b13542f3333b2f60941ed7261c578d3a19515
+  snmp_exporter-0.25.0.freebsd-arm64.tar.gz: sha256:3ce5dd7c205e148eceef20d4a7f6042b49874d37b2f84cea1ad2b41a7adf27cc
+  snmp_exporter-0.25.0.freebsd-armv6.tar.gz: sha256:fecd7b648de5818f445ee3543b3a0e16090419b83481cb9268f1b070515f4719
+  snmp_exporter-0.25.0.freebsd-armv7.tar.gz: sha256:2750f4d469145a4e9bcf3ae2cf47c3a379581359c224fa3860d88a7671208fe0
+  snmp_exporter-0.25.0.illumos-amd64.tar.gz: sha256:71fbd5973d2b9e06e63728490e820fe5e33f27333a54dcb6b42d152d3cf36d2f
+  snmp_exporter-0.25.0.linux-386.tar.gz: sha256:a78577d5651557a67973363a87db3755170e61a79c8d698f14bc72cde3205e1a
+  snmp_exporter-0.25.0.linux-amd64.tar.gz: sha256:de206a27466656e8b4948ef66dd57cc80c5511ccd285b231fde4e044534db625
+  snmp_exporter-0.25.0.linux-arm64.tar.gz: sha256:d61a38544598921067b546cbdca2cce0165fede0414b2dd769e11b09037164ca
+  snmp_exporter-0.25.0.linux-armv5.tar.gz: sha256:a86cae97116524fc2479bbef211931ca375d78479a276f1c99e4a2ee033d54aa
+  snmp_exporter-0.25.0.linux-armv6.tar.gz: sha256:fed73deb4b2864b9793f07679308117e2b9568e08cf993c640b9fd9a534f2508
+  snmp_exporter-0.25.0.linux-armv7.tar.gz: sha256:ff4ce9ac6f8f489d40d2319ea07428cb58bc6b49ad5cc0054d7475a71b1a68bb
+  snmp_exporter-0.25.0.linux-mips.tar.gz: sha256:616f7d9a798425864852bf8acef1d1fde38e6c85cbc2b6fd176f5bad5aa2ce79
+  snmp_exporter-0.25.0.linux-mips64.tar.gz: sha256:4d7cf894079593e4ae4eba9c10f740514d3defe0ebc362953ffa6ba2ccb93127
+  snmp_exporter-0.25.0.linux-mips64le.tar.gz: sha256:ea3e346a702729daa2a4acb9389cc2fe95549afd6aa5806c173ae0b21340ea0c
+  snmp_exporter-0.25.0.linux-mipsle.tar.gz: sha256:b6fedb56c0ac64b87ec808448ef113bb3a44049d41a70c35004e0e05204a9ba7
+  snmp_exporter-0.25.0.linux-ppc64.tar.gz: sha256:6b6c67ba8e49e1e3e247799f151b74bf1cb6cb65d9e4efcf8c6d0eefa6467dbe
+  snmp_exporter-0.25.0.linux-ppc64le.tar.gz: sha256:b345a5b6808627ca119267f53b4d4835fc831cdbe25922359637b8068b6d2722
+  snmp_exporter-0.25.0.linux-riscv64.tar.gz: sha256:6f3659115b78f05349ce1cc61d17c03e7dbb5830d6a4f13433028efe198e4a66
+  snmp_exporter-0.25.0.linux-s390x.tar.gz: sha256:8a428c63081efee2d15df508c7da5588cc6582a3254561c2ddbd9898520d247e
+  snmp_exporter-0.25.0.netbsd-386.tar.gz: sha256:3b56b8feba1119737fe167db47afb2d53179f03fd1ed2c97a02745486cf78e9d
+  snmp_exporter-0.25.0.netbsd-amd64.tar.gz: sha256:e1e2f82047ec726be64434d45e4d18cff45bf739c8ac7ffcd39d2680148be4f6
+  snmp_exporter-0.25.0.netbsd-arm64.tar.gz: sha256:f1be651984a8aa9fb2793358545da1351cb66c0f94abfa67d97003276aeb64cb
+  snmp_exporter-0.25.0.netbsd-armv6.tar.gz: sha256:d250a3cdd4d6fb572ed740c7f800f2aaa11350294d9275e4054c39bcfed86710
+  snmp_exporter-0.25.0.netbsd-armv7.tar.gz: sha256:0ecc87cc94c6e4f9444e5a508bb3f848753eae551f38715d90531626a09eb21b
+  snmp_exporter-0.25.0.openbsd-386.tar.gz: sha256:93f600e3c8e51c9e4fe2888a6fcac28b6bf4128ff90cf833938c25fcd607d731
+  snmp_exporter-0.25.0.openbsd-amd64.tar.gz: sha256:68b5b7bf8903e02636ea1145a313bad6316950116c7dbcb8e62214acafb76a64
+  snmp_exporter-0.25.0.openbsd-arm64.tar.gz: sha256:ca0ff15972207d7efb0ec08ca3c74ab1940dd780430ebe409214ca6261b4a521
+  snmp_exporter-0.25.0.openbsd-armv7.tar.gz: sha256:094072fcc645e170fbcf617f86f41f35781f6eff83c2a5f3a4327b55c3aae6ba
+  snmp_exporter-0.25.0.windows-386.tar.gz: sha256:feb0eae7fdbff7d96eb489a61e7d4cb6f9065d84e80c5e0f6331893dd3c5e37a
+  snmp_exporter-0.25.0.windows-386.zip: sha256:10cb099383f990303ba293343a98377aabb0575f5d87b8702cd366bd787293b9
+  snmp_exporter-0.25.0.windows-amd64.tar.gz: sha256:78398d2553548f21eaf8920daf86df15865e7c4a93351be01abb10cc2508cc8c
+  snmp_exporter-0.25.0.windows-amd64.zip: sha256:b0872fc2d2cebc60244220c3412185a45b72ac56f2cb36f1e4f35d42e830de2d
+  snmp_exporter-0.25.0.windows-arm64.tar.gz: sha256:e3122f902b714b908884fb10fff61e93960c1ce1a1491d21d7be736ac6c9f833
+  snmp_exporter-0.25.0.windows-arm64.zip: sha256:f3465c09e7a28ced47b15da368074b7df6d610e4c82ea6ae647d916abb541dc8
+
+snmp_exporter_github_rel_path: prometheus/snmp_exporter
+snmp_exporter_github_project_url: "https://github.com/{{ snmp_exporter_github_rel_path }}"
+snmp_exporter_release_file: "snmp_exporter-{{ snmp_exporter_version }}.{{ ansible_system | lower }}-{{ snmp_exporter_go_arch }}.tar.gz"
+snmp_exporter_release_url: "{{ snmp_exporter_github_project_url }}/releases/download/v{{ snmp_exporter_version }}/{{ snmp_exporter_release_file }}"
+snmp_exporter_download_path: "/tmp/{{ snmp_exporter_release_file }}"
+
+snmp_exporter_opt_dir_path: "/opt/snmp_exporter-{{ snmp_exporter_version }}"
+
+snmp_exporter_unarchive_dest_path: /tmp/
+snmp_exporter_extracted_path: "/tmp/{{ snmp_exporter_release_file | replace('.tar.gz', '') }}"
+snmp_exporter_binaries:
+ - snmp_exporter
+
+snmp_exporter_user_name: snmp_exporter
+snmp_exporter_user_shell: /usr/sbin/nologin
+snmp_exporter_user_home: "{{ snmp_exporter_var_dir_path }}"
+snmp_exporter_group_name: snmp_exporter
+
+snmp_exporter_bin_dir_path: /usr/local/bin
+snmp_exporter_bin_path: "{{ snmp_exporter_bin_dir_path }}/snmp_exporter"
+
+snmp_exporter_etc_dir_path: /etc/snmp_exporter
+snmp_exporter_etc_dir_path_owner: "{{ snmp_exporter_user_name }}"
+snmp_exporter_etc_dir_path_group: "{{ snmp_exporter_group_name }}"
+snmp_exporter_etc_dir_path_mode: 0500
+snmp_exporter_etc_dir_path_state: directory
+
+snmp_exporter_var_dir_path: /var/lib/snmp_exporter
+snmp_exporter_var_dir_path_owner: "{{ snmp_exporter_user_name }}"
+snmp_exporter_var_dir_path_group: "{{ snmp_exporter_group_name }}"
+snmp_exporter_var_dir_path_mode: 0500
+snmp_exporter_var_dir_path_state: directory
+
+snmp_exporter_config_file_path: "{{ snmp_exporter_etc_dir_path }}/snmp.yml"
+snmp_exporter_config_file_template_src: snmp.yml.j2
+snmp_exporter_config_file_template_dest: "{{ snmp_exporter_config_file_path }}"
+snmp_exporter_config_file_template_owner: "{{ snmp_exporter_user_name }}"
+snmp_exporter_config_file_template_group: "{{ snmp_exporter_group_name }}"
+snmp_exporter_config_file_template_mode: 0400
+
+snmp_exporter_bin_args:
+  - "--config.file={{ snmp_exporter_config_file_path }}"
+  - "--snmp.module-concurrency={{ ansible_processor_vcpus }}"
+
+snmp_exporter_service_name: snmp_exporter.service
+snmp_exporter_service_enabled: true
+snmp_exporter_service_state: started
+
+snmp_exporter_service_template_src: "{{ snmp_exporter_service_name }}.j2"
+snmp_exporter_service_template_dest: "/etc/systemd/system/{{ snmp_exporter_service_name }}"
+snmp_exporter_service_template_owner: root
+snmp_exporter_service_template_group: root
+snmp_exporter_service_template_mode: 0444
--- a/roles/snmp_exporter/handlers/main.yaml
+++ b/roles/snmp_exporter/handlers/main.yaml
@ -0,0 +1,6 @@
+---
+- name: restart snmp_exporter
+  systemd:
+    name: "{{ snmp_exporter_service_name }}"
+    daemon_reload: true
+    state: restarted
--- a/roles/snmp_exporter/tasks/configure.yaml
+++ b/roles/snmp_exporter/tasks/configure.yaml
@ -0,0 +1,55 @@
+---
+- name: create group
+  ansible.builtin.group:
+    name: "{{ snmp_exporter_group_name }}"
+    system: true
+
+- name: create user
+  ansible.builtin.user:
+    name: "{{ snmp_exporter_user_name }}"
+    shell: "{{ snmp_exporter_user_shell }}"
+    home: "{{ snmp_exporter_user_home }}"
+    system: true
+    group: "{{ snmp_exporter_group_name }}"
+
+- name: create var path
+  ansible.builtin.file:
+    path: "{{ snmp_exporter_var_dir_path }}"
+    owner: "{{ snmp_exporter_var_dir_path_owner }}"
+    group: "{{ snmp_exporter_var_dir_path_group }}"
+    mode: "{{ snmp_exporter_var_dir_path_mode }}"
+    state: "{{ snmp_exporter_var_dir_path_state }}"
+
+- name: create etc path
+  ansible.builtin.file:
+    path: "{{ snmp_exporter_etc_dir_path }}"
+    owner: "{{ snmp_exporter_etc_dir_path_owner }}"
+    group: "{{ snmp_exporter_etc_dir_path_group }}"
+    mode: "{{ snmp_exporter_etc_dir_path_mode }}"
+    state: "{{ snmp_exporter_etc_dir_path_state }}"
+
+- name: configure
+  ansible.builtin.template:
+    src: "{{ snmp_exporter_config_file_template_src }}"
+    dest: "{{ snmp_exporter_config_file_template_dest }}"
+    owner: "{{ snmp_exporter_config_file_template_owner }}"
+    group: "{{ snmp_exporter_config_file_template_group }}"
+    mode: "{{ snmp_exporter_config_file_template_mode }}"
+  notify:
+    - restart snmp_exporter
+
+- name: configure systemd unit
+  ansible.builtin.template:
+    src: "{{ snmp_exporter_service_template_src }}"
+    dest: "{{ snmp_exporter_service_template_dest }}"
+    owner: "{{ snmp_exporter_service_template_owner }}"
+    group: "{{ snmp_exporter_service_template_group }}"
+    mode: "{{ snmp_exporter_service_template_mode }}"
+  notify:
+    - restart snmp_exporter
+
+- name: manage service
+  ansible.builtin.service:
+    name: "{{ snmp_exporter_service_name }}"
+    enabled: "{{ snmp_exporter_service_enabled | default(true) }}"
+    state: "{{ snmp_exporter_service_state | default('started') }}"
--- a/roles/snmp_exporter/tasks/default.yaml
+++ b/roles/snmp_exporter/tasks/default.yaml
--- a/roles/snmp_exporter/tasks/install.yaml
+++ b/roles/snmp_exporter/tasks/install.yaml
@ -0,0 +1,56 @@
+---
+- name: determine install status
+  ansible.builtin.stat:
+    path: "{{ snmp_exporter_opt_dir_path }}/snmp_exporter"
+  register: st
+
+- name: create opt path
+  ansible.builtin.file:
+    path: "{{ snmp_exporter_opt_dir_path }}"
+    owner: root
+    group: root
+    mode: 0755
+    state: directory
+    
+- block:
+  - name: download
+    ansible.builtin.get_url:
+      url: "{{ snmp_exporter_release_url }}"
+      dest: "{{ snmp_exporter_download_path }}"
+      checksum: "{{ snmp_exporter_checksums[snmp_exporter_release_file] }}"
+    register: dl
+    until: dl is success
+    retries: 5
+    delay: 10
+
+  - name: extract
+    ansible.builtin.unarchive:
+      src: "{{ snmp_exporter_download_path }}"
+      dest: "{{ snmp_exporter_unarchive_dest_path }}"
+      remote_src: true
+
+  - name: install
+    ansible.builtin.copy:
+      src: "{{ snmp_exporter_extracted_path }}/{{ item }}"
+      dest: "{{ snmp_exporter_opt_dir_path }}/{{ item }}"
+      remote_src: true
+    loop: "{{ snmp_exporter_binaries }}"
+  when: not st.stat.exists
+
+- name: permissions
+  ansible.builtin.file:
+    path: "{{ snmp_exporter_opt_dir_path }}/{{ item }}"
+    owner: root
+    group: root
+    mode: 0755
+  loop: "{{ snmp_exporter_binaries }}"
+
+- name: symlink
+  ansible.builtin.file:
+    src: "{{ snmp_exporter_opt_dir_path }}/{{ item }}"
+    dest: "/usr/local/bin/{{ item }}"
+    owner: root
+    group: root
+    mode: 0755
+    state: link
+  loop: "{{ snmp_exporter_binaries }}"
--- a/roles/snmp_exporter/tasks/main.yaml
+++ b/roles/snmp_exporter/tasks/main.yaml
@ -0,0 +1,28 @@
+---
+- name: gather os specific variables
+  ansible.builtin.include_vars: "{{ lookup('first_found', params) }}"
+  vars:
+    params:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - vars
+
+- name: include os specific tasks
+  ansible.builtin.include_tasks: "{{ lookup('first_found', params) }}"
+  vars:
+    params:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - tasks
+
+- ansible.builtin.include_tasks: install.yaml
+
+- ansible.builtin.include_tasks: configure.yaml
--- a/roles/snmp_exporter/templates/snmp.yml.j2
+++ b/roles/snmp_exporter/templates/snmp.yml.j2
--- a/roles/snmp_exporter/templates/snmp_exporter.service.j2
+++ b/roles/snmp_exporter/templates/snmp_exporter.service.j2
@ -0,0 +1,21 @@
+# {{ ansible_managed }}
+
+[Unit]
+Description=SNMP Exporter
+After=network-online.target
+
+[Service]
+User={{ snmp_exporter_user_name }}
+Restart=on-failure
+ExecStart={{ snmp_exporter_bin_path }} \
+{% for arg in snmp_exporter_bin_args %}
+  {{ arg }} {% if not loop.last %}\{{ "\n"}}{% endif %}
+{% if loop.last %}
+
+{% endif %}
+{% endfor %}
+
+WorkingDirectory={{ snmp_exporter_var_dir_path }}
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/snmp_exporter/vars/default.yaml
+++ b/roles/snmp_exporter/vars/default.yaml
--- a/roles/util/defaults/main.yaml
+++ b/roles/util/defaults/main.yaml
@ -42,7 +42,7 @@ util_packages:
    - p7zip
    - p7zip-full
    - pigz
-    - pxz
+    - pixz
    - zstd
    - pbzip2
    - pv
Author	SHA1	Message	Date
Ryan Cavicchioni	05b1e8da07	loki: flesh out role	2024-04-14 17:48:46 -05:00
Ryan Cavicchioni	45ddb507ef	mtail: remove dead code	2024-04-14 17:47:55 -05:00
Ryan Cavicchioni	1cce3fc642	nftables: add more rules	2024-04-14 17:46:42 -05:00
Ryan Cavicchioni	7168a89e53	Fix typos in Promtail systemd unit	2024-04-14 17:45:59 -05:00
Ryan Cavicchioni	4e338917dc	iptables: open ports for promtail syslog	2024-04-14 17:45:16 -05:00
Ryan Cavicchioni	f79cdc1e59	Update http2 syntax	2024-04-14 17:34:54 -05:00
Ryan Cavicchioni	4a7f888994	Refactor certbot role	2024-04-14 17:29:18 -05:00
Ryan Cavicchioni	8b24c9fad9	Fix pixz package name	2024-04-14 17:28:36 -05:00
Ryan Cavicchioni	77ecf4ccbe	Use tags	2024-04-14 17:26:32 -05:00
Ryan Cavicchioni	de53d99b5e	Manager restic updates	2024-04-14 17:25:38 -05:00
Ryan Cavicchioni	907d7a9c63	Add role for snmp_exporter	2024-04-14 17:23:51 -05:00
Ryan Cavicchioni	6108475fbd	Refactor netplan	2024-04-14 17:23:27 -05:00
Ryan Cavicchioni	db8c7f4f63	Secrets	2024-04-14 17:19:01 -05:00
Ryan Cavicchioni	02c1899ee0	Remove unused host_vars	2024-04-14 17:16:43 -05:00