Add workstation lab playbook

add dl role
add wireguard role
2022-08-30 07:52:01 -05:00 · 2022-08-30 07:51:55 -05:00 · 2022-08-30 07:51:47 -05:00 · 2022-08-30 07:51:35 -05:00 · 2022-08-30 07:51:26 -05:00 · 2022-08-30 07:51:17 -05:00
205 changed files with 5264 additions and 0 deletions
--- a/roles/alertmanager/defaults/main.yaml
+++ b/roles/alertmanager/defaults/main.yaml
@ -0,0 +1,52 @@
+---
+alertmanager_go_arch_map:
+  i386: '386'
+  x86_64: 'amd64'
+
+alertmanager_go_arch: "{{ alertmanager_go_arch_map[ansible_architecture] | default('amd64') }}"
+
+alertmanager_service_name: alertmanager.service
+alertmanager_service_enabled: true
+alertmanager_service_state: started
+
+alertmanager_version_regex: ^alertmanager, version ([\d.]+)
+
+alertmanager_github_project_url: https://github.com/prometheus/alertmanager
+alertmanager_release_file: "alertmanager-{{ alertmanager_version }}.{{ ansible_system | lower }}-{{ alertmanager_go_arch }}.tar.gz"
+alertmanager_release_url: "{{ alertmanager_github_project_url }}/releases/download/v{{ alertmanager_version }}/{{ alertmanager_release_file }}"
+alertmanager_checksum_url: "{{ alertmanager_github_project_url }}/releases/download/v{{ alertmanager_version }}/sha256sums.txt"
+alertmanager_download_path: "/tmp/{{ alertmanager_release_file }}"
+alertmanager_unarchive_dest_path: /tmp
+alertmanager_extracted_path: "{{ alertmanager_download_path | replace('.tar.gz', '') }}"
+
+alertmanager_user: alertmanager
+alertmanager_user_state: present
+alertmanager_user_shell: /usr/sbin/nologin
+
+alertmanager_group: alertmanager
+alertmanager_group_state: "{{ alertmanager_user_state | default('present') }}"
+
+alertmanager_etc_path: /etc/alertmanager
+alertmanager_etc_owner: root
+alertmanager_etc_group: root
+alertmanager_etc_mode: "0755"
+
+alertmanager_var_path: /var/lib/alertmanager
+alertmanager_var_owner: "{{ alertmanager_user }}"
+alertmanager_var_group: "{{ alertmanager_group }}"
+alertmanager_var_mode: "0755"
+
+alertmanager_bin_path: /usr/local/bin
+
+alertmanager_web_listen_address: 0.0.0.0:9093
+alertmanager_port: "{{ alertmanager_web_listen_address.split(':')[1] }}"
+alertmanager_web_external_url:
+alertmanager_web_route_prefix:
+alertmanager_cluster_advertise_address: 0.0.0.0:9093
+
+alertmanager_config:
+  route:
+    routes:
+      receiver: dummy
+  receivers:
+    - name: dummy
--- a/roles/alertmanager/handlers/main.yaml
+++ b/roles/alertmanager/handlers/main.yaml
@ -0,0 +1,6 @@
+---
+- name: restart alertmanager
+  systemd:
+    name: alertmanager.service
+    daemon_reload: true
+    state: restarted
--- a/roles/alertmanager/tasks/configure.yaml
+++ b/roles/alertmanager/tasks/configure.yaml
@ -0,0 +1,56 @@
+---
+- name: create group
+  group:
+    name: "{{ alertmanager_group }}"
+    system: true
+    state: "{{ alertmanager_group_state | default('present') }}"
+
+- name: create user
+  user:
+    name: "{{ alertmanager_user }}"
+    system: true
+    shell: "{{ alertmanager_user_shell }}"
+    group: "{{ alertmanager_group }}"
+    createhome: false
+    home: "{{ alertmanager_var_path }}"
+    state: "{{ alertmanager_user_state | default('present') }}"
+
+- name: create etc path
+  file:
+    path: "{{ alertmanager_etc_path }}"
+    state: directory
+    owner: "{{ alertmanager_etc_owner }}"
+    group: "{{ alertmanager_etc_group }}"
+    mode: "{{ alertmanager_etc_mode }}"
+
+- name: create var path
+  file:
+    path: "{{ alertmanager_var_path }}"
+    state: directory
+    owner: "{{ alertmanager_var_owner }}"
+    group: "{{ alertmanager_var_group }}"
+    mode: "{{ alertmanager_var_mode }}"
+
+- name: configure
+  copy:
+    dest: "{{ alertmanager_etc_path }}/alertmanager.yaml"
+    content: "{{ (alertmanager_config | default({})) | to_nice_yaml }}"
+    owner: root
+    group: root
+    mode: 0444
+  notify: restart alertmanager
+
+- name: configure systemd template
+  template:
+    src: alertmanager.service.j2
+    dest: /etc/systemd/system/alertmanager.service
+    owner: root
+    group: root
+    mode: 0444
+  notify: restart alertmanager
+
+- name: manage service
+  service:
+    name: "{{ alertmanager_service_name }}"
+    enabled: "{{ alertmanager_service_enabled }}"
+    state: "{{ alertmanager_service_state }}"
--- a/roles/alertmanager/tasks/default.yaml
+++ b/roles/alertmanager/tasks/default.yaml
--- a/roles/alertmanager/tasks/install.yaml
+++ b/roles/alertmanager/tasks/install.yaml
@ -0,0 +1,32 @@
+---
+- block:
+  - name: download tar
+    get_url:
+      url: "{{ alertmanager_release_url }}"
+      dest: "{{ alertmanager_download_path }}"
+      checksum: "{{ alertmanager_checksum }}"
+    register: dl
+    until: dl is success
+    retries: 5
+    delay: 10
+
+  - name: extract tar
+    unarchive:
+      src: "{{ alertmanager_download_path }}"
+      dest: "{{ alertmanager_unarchive_dest_path }}"
+      creates: "{{ alertmanager_extracted_path }}/alertmanager"
+      remote_src: true
+
+  - name: install binaries
+    copy:
+      src: "{{ alertmanager_extracted_path }}/{{ item }}"
+      dest: "{{ alertmanager_bin_path }}/{{ item }}"
+      owner: root
+      group: root
+      mode: 0755
+      remote_src: true
+    loop:
+      - alertmanager
+      - amtool
+    notify: restart alertmanager
+  when: alertmanager_version != alertmanager_local_version
--- a/roles/alertmanager/tasks/main.yaml
+++ b/roles/alertmanager/tasks/main.yaml
@ -0,0 +1,30 @@
+---
+- name: gather os specific variables
+  include_vars: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - vars
+
+- name: include os specific tasks
+  include_tasks: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - tasks
+
+- include: pre.yaml
+
+- include: install.yaml
+
+- include: configure.yaml
--- a/roles/alertmanager/tasks/pre.yaml
+++ b/roles/alertmanager/tasks/pre.yaml
@ -0,0 +1,50 @@
+---
+- name: determine if installed
+  stat:
+    path: "{{ alertmanager_bin_path }}/alertmanager"
+  register: st
+
+- name: set alertmanager_installed
+  set_fact:
+    alertmanager_installed: "{{ st.stat.exists | bool }}"
+
+- block:
+  - name: determine latest version
+    uri:
+      url: https://api.github.com/repos/prometheus/alertmanager/releases/latest
+      return_content: true
+      body_format: json
+    register: _latest_version
+    until: _latest_version.status == 200
+    retries: 3
+
+  - name: set alertmanager_version
+    set_fact:
+      alertmanager_version: "{{ _latest_version.json['tag_name'] | regex_replace('^v', '') }}"
+
+- block:
+  - name: determine installed version
+    command: "{{ alertmanager_bin_path }}/alertmanager --version"
+    register: _installed_version_string
+    changed_when: false
+
+  - name: set alertmanager_local_version
+    set_fact:
+      alertmanager_local_version: "{{ _installed_version_string.stdout | regex_search(alertmanager_version_regex, '\\1') | first }}"
+  when: alertmanager_installed
+
+- name: set alertmanager_local_version to 0
+  set_fact:
+    alertmanager_local_version: "0"
+  when: not alertmanager_installed
+
+- block:
+  - name: get checksums
+    set_fact:
+      _checksums: "{{ lookup('url', alertmanager_checksum_url, wantlist=True) }}"
+
+  - name: set alertmanager_checksum
+    set_fact:
+      alertmanager_checksum: "sha256:{{ item.split(' ') | first }}"
+    loop: "{{ _checksums }}"
+    when: "alertmanager_release_file in item"
--- a/roles/alertmanager/templates/alertmanager.service.j2
+++ b/roles/alertmanager/templates/alertmanager.service.j2
@ -0,0 +1,26 @@
+{{ ansible_managed | comment }}
+
+[Unit]
+Description=Alertmanager
+After=network-online.target
+
+[Service]
+Type=simple
+User={{ alertmanager_user }}
+Group={{ alertmanager_group }}
+ExecStart={{ alertmanager_bin_path }}/alertmanager \
+  --config.file={{ alertmanager_etc_path }}/alertmanager.yaml \
+  --storage.path={{ alertmanager_var_path }} \
+  --cluster.advertise-address={{ alertmanager_cluster_advertise_address }} \
+{% if alertmanager_web_external_url %}
+  --web.external-url={{ alertmanager_web_external_url }} \
+{% endif %}
+{% if alertmanager_web_route_prefix %}
+  --web.route-prefix={{ alertmanager_web_route_prefix }} \
+{% endif %}
+{% if alertmanager_web_listen_address %}
+  --web.listen-address={{ alertmanager_web_listen_address }} \
+{% endif %}
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/alertmanager/vars/default.yaml
+++ b/roles/alertmanager/vars/default.yaml
--- a/roles/blackbox_exporter/defaults/main.yaml
+++ b/roles/blackbox_exporter/defaults/main.yaml
@ -0,0 +1,39 @@
+blackbox_exporter_go_arch_map:
+  i386: '386'
+  x86_64: 'amd64'
+
+blackbox_exporter_go_arch: "{{ blackbox_exporter_go_arch_map[ansible_architecture] | default('amd64') }}"
+
+blackbox_exporter_service_name: blackbox_exporter.service
+blackbox_exporter_service_enabled: true
+blackbox_exporter_service_state: started
+
+blackbox_exporter_version_regex: ^blackbox_exporter, version ([\d.]+)
+
+blackbox_exporter_release_file: "blackbox_exporter-{{ blackbox_exporter_version }}.{{ ansible_system | lower }}-{{ blackbox_exporter_go_arch }}.tar.gz"
+blackbox_exporter_release_url: "https://github.com/prometheus/blackbox_exporter/releases/download/v{{ blackbox_exporter_version }}/{{ blackbox_exporter_release_file }}"
+blackbox_exporter_checksum_url: "https://github.com/prometheus/blackbox_exporter/releases/download/v{{ blackbox_exporter_version }}/sha256sums.txt"
+blackbox_exporter_download_path: "/tmp/{{ blackbox_exporter_release_file }}"
+blackbox_exporter_unarchive_dest_path: /tmp
+blackbox_exporter_extracted_path: "{{ blackbox_exporter_download_path | replace('.tar.gz', '') }}"
+
+blackbox_exporter_user: blackbox_exporter
+blackbox_exporter_user_state: present
+blackbox_exporter_user_shell: /usr/sbin/nologin
+
+blackbox_exporter_group: blackbox_exporter
+blackbox_exporter_group_state: "{{ blackbox_exporter_user_state | default('present') }}"
+
+blackbox_exporter_etc_path: /etc/blackbox_exporter
+blackbox_exporter_etc_owner: root
+blackbox_exporter_etc_group: root
+blackbox_exporter_etc_mode: "0755"
+
+blackbox_exporter_var_path: /var/lib/blackbox_exporter
+blackbox_exporter_var_owner: "{{ blackbox_exporter_user }}"
+blackbox_exporter_var_group: "{{ blackbox_exporter_group }}"
+blackbox_exporter_var_mode: "0755"
+
+blackbox_exporter_bin_path: /usr/local/bin
+
+blackbox_exporter_config: {}
--- a/roles/blackbox_exporter/handlers/main.yaml
+++ b/roles/blackbox_exporter/handlers/main.yaml
@ -0,0 +1,6 @@
+---
+- name: restart blackbox_exporter
+  systemd:
+    name: blackbox_exporter.service
+    daemon_reload: true
+    state: restarted
--- a/roles/blackbox_exporter/tasks/configure.yaml
+++ b/roles/blackbox_exporter/tasks/configure.yaml
@ -0,0 +1,48 @@
+---
+- name: create group
+  group:
+    name: "{{ blackbox_exporter_group }}"
+    system: true
+    state: "{{ blackbox_exporter_group_state | default('present') }}"
+
+- name: create user
+  user:
+    name: "{{ blackbox_exporter_user }}"
+    system: true
+    shell: "{{ blackbox_exporter_user_shell }}"
+    group: "{{ blackbox_exporter_group }}"
+    createhome: false
+    home: "{{ blackbox_exporter_var_path }}"
+    state: "{{ blackbox_exporter_user_state | default('present') }}"
+
+- name: create etc path
+  file:
+    path: "{{ blackbox_exporter_etc_path }}"
+    state: directory
+    owner: "{{ blackbox_exporter_etc_owner }}"
+    group: "{{ blackbox_exporter_etc_group }}"
+    mode: "{{ blackbox_exporter_etc_mode }}"
+
+- name: configure
+  copy:
+    dest: "{{ blackbox_exporter_etc_path }}/config.yaml"
+    content: "{{ (blackbox_exporter_config | default({})) | to_nice_yaml }}"
+    owner: root
+    group: root
+    mode: 0444
+  notify: restart blackbox_exporter
+
+- name: configure systemd template
+  template:
+    src: blackbox_exporter.service.j2
+    dest: /etc/systemd/system/blackbox_exporter.service
+    owner: root
+    group: root
+    mode: 0444
+  notify: restart blackbox_exporter
+
+- name: manage service
+  service:
+    name: "{{ blackbox_exporter_service_name }}"
+    enabled: "{{ blackbox_exporter_service_enabled }}"
+    state: "{{ blackbox_exporter_service_state }}"
--- a/roles/blackbox_exporter/tasks/default.yaml
+++ b/roles/blackbox_exporter/tasks/default.yaml
--- a/roles/blackbox_exporter/tasks/install.yaml
+++ b/roles/blackbox_exporter/tasks/install.yaml
@ -0,0 +1,31 @@
+---
+- block:
+  - name: download tar
+    get_url:
+      url: "{{ blackbox_exporter_release_url }}"
+      dest: "{{ blackbox_exporter_download_path }}"
+      checksum: "{{ blackbox_exporter_checksum }}"
+    register: dl
+    until: dl is success
+    retries: 5
+    delay: 10
+
+  - name: extract tar
+    unarchive:
+      src: "{{ blackbox_exporter_download_path }}"
+      dest: "{{ blackbox_exporter_unarchive_dest_path }}"
+      creates: "{{ blackbox_exporter_extracted_path }}/blackbox_exporter"
+      remote_src: true
+
+  - name: install binaries
+    copy:
+      src: "{{ blackbox_exporter_extracted_path }}/{{ item }}"
+      dest: "{{ blackbox_exporter_bin_path }}/{{ item }}"
+      owner: root
+      group: root
+      mode: 0755
+      remote_src: true
+    loop:
+      - blackbox_exporter
+    notify: restart blackbox_exporter
+  when: blackbox_exporter_version != blackbox_exporter_local_version
--- a/roles/blackbox_exporter/tasks/main.yaml
+++ b/roles/blackbox_exporter/tasks/main.yaml
@ -0,0 +1,30 @@
+---
+- name: gather os specific variables
+  include_vars: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - vars
+
+- name: include os specific tasks
+  include_tasks: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - tasks
+
+- include: pre.yaml
+
+- include: install.yaml
+
+- include: configure.yaml
--- a/roles/blackbox_exporter/tasks/pre.yaml
+++ b/roles/blackbox_exporter/tasks/pre.yaml
@ -0,0 +1,50 @@
+---
+- name: determine if installed
+  stat:
+    path: "{{ blackbox_exporter_bin_path }}/blackbox_exporter"
+  register: st
+
+- name: set blackbox_exporter_installed
+  set_fact:
+    blackbox_exporter_installed: "{{ st.stat.exists | bool }}"
+
+- block:
+  - name: determine latest version
+    uri:
+      url: https://api.github.com/repos/prometheus/blackbox_exporter/releases/latest
+      return_content: true
+      body_format: json
+    register: _latest_version
+    until: _latest_version.status == 200
+    retries: 3
+
+  - name: set blackbox_exporter_version
+    set_fact:
+      blackbox_exporter_version: "{{ _latest_version.json['tag_name'] | regex_replace('^v', '') }}"
+
+- block:
+  - name: determine installed version
+    command: "{{ blackbox_exporter_bin_path }}/blackbox_exporter --version"
+    register: _installed_version_string
+    changed_when: false
+
+  - name: set blackbox_exporter_local_version
+    set_fact:
+      blackbox_exporter_local_version: "{{ _installed_version_string.stdout | regex_search(blackbox_exporter_version_regex, '\\1') | first }}"
+  when: blackbox_exporter_installed
+
+- name: set blackbox_exporter_local_version to 0
+  set_fact:
+    blackbox_exporter_local_version: "0"
+  when: not blackbox_exporter_installed
+
+- block:
+  - name: get checksums
+    set_fact:
+      _checksums: "{{ lookup('url', blackbox_exporter_checksum_url, wantlist=True) }}"
+
+  - name: set blackbox_exporter_checksum
+    set_fact:
+      blackbox_exporter_checksum: "sha256:{{ item.split(' ') | first }}"
+    loop: "{{ _checksums }}"
+    when: "blackbox_exporter_release_file in item"
--- a/roles/blackbox_exporter/templates/blackbox_exporter.service.j2
+++ b/roles/blackbox_exporter/templates/blackbox_exporter.service.j2
@ -0,0 +1,11 @@
+[Unit]
+Description=Blackbox Exporter
+
+[Service]
+User=blackbox_exporter
+ExecStart={{ blackbox_exporter_bin_path }}/blackbox_exporter \
+  --config.file={{ blackbox_exporter_etc_path }}/config.yaml
+AmbientCapabilities=CAP_NET_RAW
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/blackbox_exporter/vars/default.yaml
+++ b/roles/blackbox_exporter/vars/default.yaml
--- a/roles/consul/defaults/main.yaml
+++ b/roles/consul/defaults/main.yaml
@ -0,0 +1,21 @@
+---
+consul_package_name: consul
+consul_package_state: present
+consul_service_name: consul
+consul_service_state: started
+consul_service_enabled: true
+consul_etc_path: /etc/consul.d
+consul_config_path: "{{ consul_etc_path }}/consul.hcl"
+consul_config_template: consul.hcl.j2
+consul_user: consul
+consul_group: consul
+consul_config_owner: "{{ consul_user }}"
+consul_config_group: "{{ consul_group }}"
+consul_config_mode: 0644
+consul_data_dir: /opt/consul
+consul_bind_addr: "{{ ansible_default_ipv4.address }}"
+consul_server: false
+consul_bootstrap_expect: 1
+consul_ui_config_enabled: true
+consul_client_addr: 0.0.0.0
+consul_unbound_enabled: false
--- a/roles/consul/files/unbound-consul.conf
+++ b/roles/consul/files/unbound-consul.conf
@ -0,0 +1,9 @@
+# Ansible managed
+
+server:
+  do-not-query-localhost: no
+  domain-insecure: "consul"
+
+stub-zone:
+  name: "consul"
+  stub-addr: 127.0.0.1@8600
--- a/roles/consul/handlers/main.yaml
+++ b/roles/consul/handlers/main.yaml
@ -0,0 +1,12 @@
+---
+- name: reload consul
+  service:
+    name: "{{ consul_service_name }}"
+    state: reloaded
+  when: consul_service_enabled
+
+- name: restart consul
+  service:
+    name: "{{ consul_service_name }}"
+    state: restarted
+  when: consul_service_enabled
--- a/roles/consul/tasks/RedHat.yaml
+++ b/roles/consul/tasks/RedHat.yaml
@ -0,0 +1,18 @@
+---
+- name: install Hashicorp yum repo
+  yum_repository:
+    name: hashicorp
+    description: Hashicorp Stable - $basearch
+    baseurl: https://rpm.releases.hashicorp.com/RHEL/$releasever/$basearch/stable
+    enabled: 1
+    gpgcheck: 1
+    gpgkey: https://rpm.releases.hashicorp.com/gpg
+
+- name: install Hashicorp (test) yum repo
+  yum_repository:
+    name: hashicorp-test
+    description: Hashicorp Test - $basearch
+    baseurl: https://rpm.releases.hashicorp.com/RHEL/$releasever/$basearch/test
+    enabled: 0
+    gpgcheck: 1
+    gpgkey: https://rpm.releases.hashicorp.com/gpg
--- a/roles/consul/tasks/forward-unbound.yaml
+++ b/roles/consul/tasks/forward-unbound.yaml
@ -0,0 +1,9 @@
+---
+- name: configure unbound forwarder
+  copy:
+    src: unbound-consul.conf
+    dest: "{{ unbound_conf_d_path }}/consul.conf"
+    owner: root
+    group: root
+    mode: "0644"
+  notify: reload unbound
--- a/roles/consul/tasks/main.yaml
+++ b/roles/consul/tasks/main.yaml
@ -0,0 +1,47 @@
+---
+- name: gather os specific variables
+  include_vars: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - vars
+
+- name: include os specific tasks
+  include_tasks: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - tasks
+
+- name: install
+  package:
+    name: "{{ consul_package_name | default('consul') }}"
+    state: "{{ consul_package_state | default('present') }}"
+
+- name: configure
+  template:
+    src: "{{ consul_config_template }}"
+    dest: "{{ consul_config_path }}"
+    owner: "{{ consul_config_owner }}"
+    group: "{{ consul_config_group }}"
+    mode: "{{ consul_config_mode }}"
+  notify: restart consul
+
+- name: service
+  service:
+    name: "{{ consul_service_name | default('consul') }}"
+    state: "{{ consul_service_state | default('started') }}"
+    enabled: "{{ consul_service_enabled | default(true) }}"
+
+- include: forward-unbound.yaml
+  when: consul_unbound_enabled
--- a/roles/consul/templates/consul.hcl.j2
+++ b/roles/consul/templates/consul.hcl.j2
@ -0,0 +1,41 @@
+// {{ ansible_managed }}
+
+data_dir = "{{ consul_data_dir }}"
+
+{% if consul_server is defined %}
+server = {{ (consul_server | lower) | default(false) }}
+{% endif %}
+
+{% if consul_bind_addr is defined %}
+bind_addr = "{{ (consul_bind_addr | lower) | default("0.0.0.0") }}"
+{% endif %}
+
+{% if consul_server is true and consul_bootstrap_expect is defined %}
+bootstrap_expect = {{ consul_bootstrap_expect }}
+{% endif %}
+
+{% if consul_retry_join is defined %}
+retry_join = [
+{%- set comma = joiner(",") -%}
+{%- for x in consul_retry_join | default([]) -%}
+{{ comma() }}"{{ x }}"
+{%- endfor -%} ]
+{% endif %}
+
+{% if consul_server_addresses is defined %}
+server_addresses = [
+{%- set comma = joiner(",") -%}
+{%- for x in consul_server_addresses | default([]) -%}
+{{ comma() }}"{{ x }}"
+{%- endfor -%} ]
+{% endif %}
+
+ui_config {
+{% if consul_ui_config_enabled is defined %}
+    enabled = {{ (consul_ui_config_enabled | lower) | default(false) }}
+{% endif %}
+}
+
+{% if consul_client_addr is defined %}
+client_addr = "{{ (consul_client_addr | lower) | default("0.0.0.0") }}"
+{% endif %}
--- a/roles/consul/vars/default.yaml
+++ b/roles/consul/vars/default.yaml
--- a/roles/crio/defaults/main.yaml
+++ b/roles/crio/defaults/main.yaml
@ -0,0 +1,2 @@
+---
+crio_version: 1.23
--- a/roles/crio/tasks/default.yaml
+++ b/roles/crio/tasks/default.yaml
--- a/roles/crio/tasks/main.yaml
+++ b/roles/crio/tasks/main.yaml
@ -0,0 +1,53 @@
+---
+- name: gather os specific variables
+  include_vars: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - vars
+
+- name: include os specific tasks
+  include_tasks: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - tasks
+
+- name: yum repo (devel:kubic:libcontainers:stable)
+  yum_repository:
+    name: devel:kubic:libcontainers:stable
+    description: "Stable Releases of Upstream github.com/containers packages ({{ crio_os }}) type=rpm-md"
+    baseurl: "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/{{ crio_os }}/"
+    gpgcheck: yes
+    gpgkey: "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable/{{ crio_os }}/repodata/repomd.xml.key"
+    enabled: yes
+
+- name: "yum repo (devel:kubic:libcontainers:stable:cri-o:{{ crio_version }})"
+  yum_repository:
+    name: "devel_kubic_libcontainers_stable_cri-o_{{ crio_version }}"
+    description: "devel:kubic:libcontainers:stable:cri-o:{{ crio_version }} ({{ crio_os }})"
+    baseurl: "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/{{ crio_version }}/{{ crio_os }}/"
+    gpgcheck: yes
+    gpgkey: "https://download.opensuse.org/repositories/devel:/kubic:/libcontainers:/stable:/cri-o:/{{ crio_version }}/{{ crio_os }}/repodata/repomd.xml.key"
+    enabled: yes
+
+- name: install
+  package:
+    name: "{{ crio_package_name | default('cri-o') }}"
+    state: "{{ crio_package_state | default('present') }}"
+
+- name: manage service
+  service:
+    name: "{{ crio_service_name | default('crio') }}"
+    state: "{{ crio_service_state | default('started') }}"
+    enabled: "{{ crio_service_enabled | default(true) }}"
--- a/roles/crio/vars/Rocky.yaml
+++ b/roles/crio/vars/Rocky.yaml
@ -0,0 +1 @@
+crio_os: "CentOS_{{ ansible_distribution_major_version }}"
--- a/roles/dl/defaults/main.yaml
+++ b/roles/dl/defaults/main.yaml
@ -0,0 +1,8 @@
+---
+dl_server_name: dl.kill0.net
+dl_server_root: /var/www/dl
+dl_access_log: /var/log/nginx/dl.access.log
+dl_error_log: /var/log/nginx/dl.error.log
+dl_ssl_enabled: false
+dl_ssl_certificate: "/etc/letsencrypt/live/{{ dl_server_name }}/fullchain.pem"
+dl_ssl_certificate_key: "/etc/letsencrypt/live/{{ dl_server_name }}/privkey.pem"
--- a/roles/dl/handlers/main.yaml
+++ b/roles/dl/handlers/main.yaml
@ -0,0 +1,5 @@
+---
+- name: reload nginx
+  service:
+    name: nginx
+    state: reloaded
--- a/roles/dl/tasks/main.yaml
+++ b/roles/dl/tasks/main.yaml
@ -0,0 +1,31 @@
+---
+- name: check if SSL key exists
+  stat:
+    path: "{{ dl_ssl_certificate_key }}"
+  register: key_st
+
+- name: check if SSL certificate exists
+  stat:
+    path: "{{ dl_ssl_certificate }}"
+  register: crt_st
+
+- name: ssl enabled
+  set_fact:
+    dl_ssl_enabled: true
+  when:
+    - key_st.stat.exists
+    - crt_st.stat.exists
+
+- name: configure nginx
+  template:
+    src: nginx.conf.j2
+    dest: "/etc/nginx/conf.d/dl.conf"
+    owner: root
+    group: root
+    mode: 0644
+  notify: reload nginx
+
+- name: create web root
+  file:
+    path: "{{ dl_server_root }}"
+    state: directory
--- a/roles/dl/templates/nginx.conf.j2
+++ b/roles/dl/templates/nginx.conf.j2
@ -0,0 +1,63 @@
+# {{ ansible_managed }}
+
+server {
+    listen 80;
+{% if ansible_all_ipv6_addresses | length %}
+    listen [::]:80;
+{% endif %}
+    server_name {{ dl_server_name }};
+
+    access_log {{ dl_access_log }} main;
+    error_log {{ dl_error_log }} warn;
+
+    location /.well-known/acme-challenge/ {
+        root /var/www/html;
+        try_files $uri =404;
+    }
+
+{% if dl_ssl_enabled is defined and
+      dl_ssl_enabled %}
+    location / {
+        return 301 https://$server_name$request_uri;
+    }
+{% endif %}
+}
+
+{% if dl_ssl_enabled is defined and
+      dl_ssl_enabled %}
+server {
+    listen 443 ssl http2;
+{% if ansible_all_ipv6_addresses | length %}
+    listen [::]:443 ssl http2;
+{% endif %}
+    server_name {{ dl_server_name }};
+    access_log {{ dl_access_log }} main;
+    error_log {{ dl_error_log }} warn;
+
+    root {{ dl_server_root }};
+
+{% if dl_ssl_certificate is defined %}
+    ssl_certificate {{ dl_ssl_certificate }};
+{% endif %}
+{% if dl_ssl_certificate_key is defined %}
+    ssl_certificate_key {{ dl_ssl_certificate_key }};
+{% endif %}
+{% if dl_ssl_dhparam is defined %}
+    ssl_dhparam {{ dl_ssl_dhparam }};
+{% endif %}
+
+    location ~ ^\/~(.+?)(\/.*)?$ {
+        alias /home/$1/public_html$2;
+        index index.html index.htm;
+        autoindex on;
+        auth_basic "Files";
+        auth_basic_user_file /home/$1/.htpasswd;
+    }
+
+    location /repo/ {
+        root /var/www/html;
+        autoindex on;
+        try_files $uri $uri/ =404;
+    }
+}
+{% endif %}
--- a/roles/docker/defaults/main.yaml
+++ b/roles/docker/defaults/main.yaml
@ -0,0 +1,11 @@
+---
+docker_package_name:
+  - docker-ce
+  - docker-ce-cli
+  - containerd.io
+  - docker-compose-plugin
+docker_package_state: present
+
+docker_service_name: docker.service
+docker_service_state: started
+docker_service_enabled: true
--- a/roles/docker/tasks/Debian.yaml
+++ b/roles/docker/tasks/Debian.yaml
@ -0,0 +1,13 @@
+---
+- name: install apt key
+  apt_key:
+    url: "https://download.docker.com/linux/{{ ansible_lsb.id | lower }}/gpg"
+    state: present
+
+- name: install apt repo
+  apt_repository:
+    repo: >
+      deb [arch=amd64] https://download.docker.com/linux/{{ ansible_lsb.id | lower }}
+      {{ ansible_lsb.codename }}
+      stable
+    filename: docker
--- a/roles/docker/tasks/RedHat.yaml
+++ b/roles/docker/tasks/RedHat.yaml
@ -0,0 +1,9 @@
+---
+- name: install Docker CE yum repo
+  yum_repository:
+    name: docker-ce
+    description: Docker CE Stable - $basearch
+    baseurl: https://download.docker.com/linux/centos/$releasever/$basearch/stable
+    enabled: 1
+    gpgcheck: 1
+    gpgkey: https://download.docker.com/linux/centos/gpg
--- a/roles/docker/tasks/configure.yaml
+++ b/roles/docker/tasks/configure.yaml
@ -0,0 +1,6 @@
+---
+- name: manage service
+  service:
+    name: "{{ docker_service_name }}"
+    state: "{{ docker_service_state }}"
+    enabled: "{{ docker_service_enabled }}"
--- a/roles/docker/tasks/install.yaml
+++ b/roles/docker/tasks/install.yaml
@ -0,0 +1,6 @@
+---
+- name: install docker
+  package:
+    name: "{{ item }}"
+    state: "{{ docker_package_state }}"
+  loop: "{{ docker_package_name }}"
--- a/roles/docker/tasks/main.yaml
+++ b/roles/docker/tasks/main.yaml
@ -0,0 +1,28 @@
+---
+- name: gather os specific variables
+  include_vars: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - vars
+
+- name: include os specific tasks
+  include_tasks: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - tasks
+
+- include: install.yaml
+
+- include: configure.yaml
--- a/roles/docker/vars/RedHat.yaml
+++ b/roles/docker/vars/RedHat.yaml
--- a/roles/docker/vars/default.yaml
+++ b/roles/docker/vars/default.yaml
--- a/roles/karma/defaults/main.yaml
+++ b/roles/karma/defaults/main.yaml
@ -0,0 +1,45 @@
+---
+karma_go_arch_map:
+  i386: '386'
+  x86_64: 'amd64'
+
+karma_go_arch: "{{ karma_go_arch_map[ansible_architecture] | default('amd64') }}"
+
+karma_service_name: karma.service
+karma_service_enabled: true
+karma_service_state: started
+
+karma_version_regex: ^(.+)
+
+karma_github_project_url: https://github.com/prymitive/karma
+karma_release_file: "karma-{{ ansible_system | lower }}-{{ karma_go_arch }}.tar.gz"
+karma_release_url: "{{ karma_github_project_url }}/releases/download/v{{ karma_version }}/{{ karma_release_file }}"
+karma_checksum_url: "{{ karma_github_project_url }}/releases/download/v{{ karma_version }}/sha512sum.txt"
+karma_download_path: "/tmp/{{ karma_release_file }}"
+karma_unarchive_dest_path: /tmp
+karma_extracted_path: "{{ karma_download_path | replace('.tar.gz', '') }}"
+
+karma_user: karma
+karma_user_state: present
+karma_user_shell: /usr/sbin/nologin
+
+karma_group: karma
+karma_group_state: "{{ karma_user_state | default('present') }}"
+
+karma_etc_path: /etc/karma
+karma_etc_owner: root
+karma_etc_group: root
+karma_etc_mode: "0755"
+
+karma_config_path: "{{ karma_etc_path }}/karma.yml"
+
+karma_var_path: /var/lib/karma
+karma_var_owner: "{{ karma_user }}"
+karma_var_group: "{{ karma_group }}"
+karma_var_mode: "0755"
+
+karma_bin_path: /usr/local/bin
+
+karma_port: 8080
+
+karma_config: {}
--- a/roles/karma/handlers/main.yaml
+++ b/roles/karma/handlers/main.yaml
@ -0,0 +1,6 @@
+---
+- name: restart karma
+  systemd:
+    name: karma.service
+    daemon_reload: true
+    state: restarted
--- a/roles/karma/tasks/configure.yaml
+++ b/roles/karma/tasks/configure.yaml
@ -0,0 +1,56 @@
+---
+- name: create group
+  group:
+    name: "{{ karma_group }}"
+    system: true
+    state: "{{ karma_group_state | default('present') }}"
+
+- name: create user
+  user:
+    name: "{{ karma_user }}"
+    system: true
+    shell: "{{ karma_user_shell }}"
+    group: "{{ karma_group }}"
+    createhome: false
+    home: "{{ karma_var_path }}"
+    state: "{{ karma_user_state | default('present') }}"
+
+- name: create etc path
+  file:
+    path: "{{ karma_etc_path }}"
+    state: directory
+    owner: "{{ karma_etc_owner }}"
+    group: "{{ karma_etc_group }}"
+    mode: "{{ karma_etc_mode }}"
+
+- name: create var path
+  file:
+    path: "{{ karma_var_path }}"
+    state: directory
+    owner: "{{ karma_var_owner }}"
+    group: "{{ karma_var_group }}"
+    mode: "{{ karma_var_mode }}"
+
+- name: configure
+  copy:
+    dest: "{{ karma_config_path }}"
+    content: "{{ (karma_config | default({})) | to_nice_yaml }}"
+    owner: root
+    group: root
+    mode: 0444
+  notify: restart karma
+
+- name: configure systemd template
+  template:
+    src: karma.service.j2
+    dest: /etc/systemd/system/karma.service
+    owner: root
+    group: root
+    mode: 0444
+  notify: restart karma
+
+- name: manage service
+  service:
+    name: "{{ karma_service_name }}"
+    enabled: "{{ karma_service_enabled }}"
+    state: "{{ karma_service_state }}"
--- a/roles/karma/tasks/default.yaml
+++ b/roles/karma/tasks/default.yaml
--- a/roles/karma/tasks/install.yaml
+++ b/roles/karma/tasks/install.yaml
@ -0,0 +1,29 @@
+---
+- block:
+  - name: download tar
+    get_url:
+      url: "{{ karma_release_url }}"
+      dest: "{{ karma_download_path }}"
+      checksum: "{{ karma_checksum }}"
+    register: dl
+    until: dl is success
+    retries: 5
+    delay: 10
+
+  - name: extract tar
+    unarchive:
+      src: "{{ karma_download_path }}"
+      dest: "{{ karma_unarchive_dest_path }}"
+      creates: "{{ karma_extracted_path }}"
+      remote_src: true
+
+  - name: install binaries
+    copy:
+      src: "{{ karma_extracted_path }}"
+      dest: "{{ karma_bin_path }}/karma"
+      owner: root
+      group: root
+      mode: 0755
+      remote_src: true
+    notify: restart karma
+  when: karma_version != karma_local_version
--- a/roles/karma/tasks/main.yaml
+++ b/roles/karma/tasks/main.yaml
@ -0,0 +1,30 @@
+---
+- name: gather os specific variables
+  include_vars: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - vars
+
+- name: include os specific tasks
+  include_tasks: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - tasks
+
+- include: pre.yaml
+
+- include: install.yaml
+
+- include: configure.yaml
--- a/roles/karma/tasks/pre.yaml
+++ b/roles/karma/tasks/pre.yaml
@ -0,0 +1,50 @@
+---
+- name: determine if installed
+  stat:
+    path: "{{ karma_bin_path }}/karma"
+  register: st
+
+- name: set karma_installed
+  set_fact:
+    karma_installed: "{{ st.stat.exists | bool }}"
+
+- block:
+  - name: determine latest version
+    uri:
+      url: https://api.github.com/repos/prymitive/karma/releases/latest
+      return_content: true
+      body_format: json
+    register: _latest_version
+    until: _latest_version.status == 200
+    retries: 3
+
+  - name: set karma_version
+    set_fact:
+      karma_version: "{{ _latest_version.json['tag_name'] | regex_replace('^v', '') }}"
+
+- block:
+  - name: determine installed version
+    command: "{{ karma_bin_path }}/karma --version"
+    register: _installed_version_string
+    changed_when: false
+
+  - name: set karma_local_version
+    set_fact:
+      karma_local_version: "{{ _installed_version_string.stdout | regex_search(karma_version_regex, '\\1') | first }}"
+  when: karma_installed
+
+- name: set karma_local_version to 0
+  set_fact:
+    karma_local_version: "0"
+  when: not karma_installed
+
+- block:
+  - name: get checksums
+    set_fact:
+      _checksums: "{{ lookup('url', karma_checksum_url, wantlist=True) }}"
+
+  - name: set karma_checksum
+    set_fact:
+      karma_checksum: "sha512:{{ item.split(' ') | first }}"
+    loop: "{{ _checksums }}"
+    when: "karma_release_file in item"
--- a/roles/karma/templates/karma.service.j2
+++ b/roles/karma/templates/karma.service.j2
@ -0,0 +1,18 @@
+{{ ansible_managed | comment }}
+
+[Unit]
+Description=Karma Alertmanager dashboard
+Wants=network-online.target
+After=network-online.target
+After=alertmanager.service
+ 
+[Service]
+Type=simple
+User={{ karma_user }}
+Group={{ karma_group }}
+WorkingDirectory={{ karma_etc_path }}
+ExecStart={{ karma_bin_path }}/karma \
+    --config.file={{ karma_config_path }}
+ 
+[Install]
+WantedBy=multi-user.target
--- a/roles/karma/vars/default.yaml
+++ b/roles/karma/vars/default.yaml
--- a/roles/keepalived/defaults/main.yaml
+++ b/roles/keepalived/defaults/main.yaml
@ -0,0 +1,14 @@
+---
+keepalived_package_name: keepalived
+keepalived_package_state: present
+
+keepalived_service_name: keepalived
+keepalived_service_state: started
+keepalived_service_enabled: true
+
+keepalived_etc_path: /etc/keepalived
+
+keepalived_config_path: "{{ keepalived_etc_path }}/keepalived.conf"
+keepalived_config_owner: root
+keepalived_config_group: root
+keepalived_config_mode: "0600"
--- a/roles/keepalived/handlers/main.yaml
+++ b/roles/keepalived/handlers/main.yaml
@ -0,0 +1,12 @@
+---
+- name: reload keepalived
+  service:
+    name: "{{ keepalived_service_name }}"
+    state: reloaded
+  when: keepalived_service_enabled
+
+- name: restart keepalived
+  service:
+    name: "{{ keepalived_service_name }}"
+    state: restarted
+  when: keepalived_service_enabled
--- a/roles/keepalived/tasks/main.yaml
+++ b/roles/keepalived/tasks/main.yaml
@ -0,0 +1,20 @@
+---
+- name: install
+  package:
+    name: "{{ keepalived_package_name }}"
+    state: "{{ keepalived_package_state }}"
+
+- name: configure
+  template:
+    src: keepalived.conf.j2
+    dest: "{{ keepalived_config_path }}"
+    owner: "{{ keepalived_config_owner }}"
+    group: "{{ keepalived_config_group }}"
+    mode: "{{ keepalived_config_mode }}"
+  notify: reload keepalived
+
+- name: service
+  service:
+    name: "{{ keepalived_service_name }}"
+    state: "{{ keepalived_service_state }}"
+    enabled: "{{ keepalived_service_enabled }}"
--- a/roles/keepalived/templates/keepalived.conf.j2
+++ b/roles/keepalived/templates/keepalived.conf.j2
@ -0,0 +1,78 @@
+{{ ansible_managed | comment }}
+
+{% if keepalived_global_defs is defined %}
+global_defs {
+{% for k in keepalived_global_defs %}
+{{ k }} {{ v }}
+{% endfor %}
+}
+{% endif %}
+
+{% if keepalived_vrrp_scripts is defined %}
+{% for name, conf in keepalived_vrrp_scripts.items() %}
+vrrp_script {{ name }} {
+{% if conf.script is defined %}
+    script "{{ conf.script }}"
+{% endif %}
+{% if conf.interval is defined %}
+    interval {{ conf.interval | default(1) }}
+{% endif %}
+{% if conf.weight is defined %}
+    weight {{ conf.weight }}
+{% endif %}
+}
+{% endfor %}
+{% endif %}
+
+{% if keepalived_vrrp_instances is defined %}
+{% for name, conf in keepalived_vrrp_instances.items() %}
+vrrp_instance {{ name }} {
+{% if conf.state is defined %}
+    state {{ conf.state | default("MASTER") }}
+{% endif %}
+{% if conf.interface is defined %}
+    interface {{ conf.interface | default("eth0") }}
+{% endif %}
+{% if conf.virtual_router_id is defined %}
+    virtual_router_id {{ conf.virtual_router_id }}
+{% endif %}
+{% if conf.priority is defined %}
+    priority {{ conf.priority }}
+{% endif %}
+{% if conf.advert_int is defined %}
+    advert_int {{ conf.advert_int }}
+{% endif %}
+{% if conf.authentication is defined %}
+    authentication {
+{% if conf.authentication.auth_type is defined %}
+        auth_type {{ conf.authentication.auth_type }}
+{% endif %}
+{% if conf.authentication.auth_pass is defined %}
+        auth_pass {{ conf.authentication.auth_pass }}
+{% endif %}
+    }
+{% if conf.unicast_peer is defined %}
+    unicast_peer {
+{% for x in conf.unicast_peer %}
+        {{ x }}
+{% endfor %}
+    }
+{% endif %}
+{% if conf.virtual_ipaddress is defined %}
+    virtual_ipaddress {
+{% for x in conf.virtual_ipaddress %}
+        {{ x }}
+{% endfor %}
+    }
+{% endif %}
+{% if conf.track_script is defined %}
+    track_script {
+{% for x in conf.track_script %}
+        {{ x }}
+{% endfor %}
+    }
+{% endif %}
+{% endif %}
+}
+{% endfor %}
+{% endif %}
--- a/roles/kthxbye/defaults/main.yaml
+++ b/roles/kthxbye/defaults/main.yaml
@ -0,0 +1,47 @@
+---
+kthxbye_go_arch_map:
+  i386: '386'
+  x86_64: 'amd64'
+
+kthxbye_go_arch: "{{ kthxbye_go_arch_map[ansible_architecture] | default('amd64') }}"
+
+kthxbye_sidecar_service_name: kthxbye-sidecar.service
+kthxbye_sidecar_service_enabled: true
+kthxbye_sidecar_service_state: started
+
+kthxbye_service_name: kthxbye.service
+kthxbye_service_enabled: true
+kthxbye_service_state: started
+
+kthxbye_version_regex: (.+)
+
+kthxbye_checksum_algo: sha512
+kthxbye_github_rel_path: prymitive/kthxbye
+kthxbye_github_project_url: "https://github.com/{{ kthxbye_github_rel_path }}"
+kthxbye_release_file: "kthxbye-{{ ansible_system | lower }}-{{ kthxbye_go_arch }}.tar.gz"
+kthxbye_release_url: "{{ kthxbye_github_project_url }}/releases/download/v{{ kthxbye_version }}/{{ kthxbye_release_file }}"
+kthxbye_checksum_url: "{{ kthxbye_github_project_url }}/releases/download/v{{ kthxbye_version }}/{{ kthxbye_checksum_algo }}sum.txt"
+kthxbye_download_path: "/tmp/{{ kthxbye_release_file }}"
+kthxbye_unarchive_dest_path: /tmp
+kthxbye_extracted_path: "{{ kthxbye_download_path | replace('.tar.gz', '') }}"
+kthxbye_binaries:
+ - kthxbye
+
+kthxbye_user: kthxbye
+kthxbye_user_state: present
+kthxbye_user_shell: /usr/sbin/nologin
+
+kthxbye_group: kthxbye
+kthxbye_group_state: "{{ kthxbye_user_state | default('present') }}"
+
+kthxbye_etc_path: /etc/kthxbye
+kthxbye_etc_owner: root
+kthxbye_etc_group: root
+kthxbye_etc_mode: "0755"
+
+kthxbye_var_path: /var/lib/kthxbye
+kthxbye_var_owner: "{{ kthxbye_user }}"
+kthxbye_var_group: "{{ kthxbye_group }}"
+kthxbye_var_mode: "0755"
+
+kthxbye_bin_path: /usr/local/bin
--- a/roles/kthxbye/handlers/main.yaml
+++ b/roles/kthxbye/handlers/main.yaml
@ -0,0 +1,6 @@
+---
+- name: restart kthxbye
+  systemd:
+    name: kthxbye.service
+    daemon_reload: true
+    state: restarted
--- a/roles/kthxbye/tasks/configure.yaml
+++ b/roles/kthxbye/tasks/configure.yaml
@ -0,0 +1,47 @@
+---
+- name: create group
+  group:
+    name: "{{ kthxbye_group }}"
+    system: true
+    state: "{{ kthxbye_group_state | default('present') }}"
+
+- name: create user
+  user:
+    name: "{{ kthxbye_user }}"
+    system: true
+    shell: "{{ kthxbye_user_shell }}"
+    group: "{{ kthxbye_group }}"
+    createhome: false
+    home: "{{ kthxbye_var_path }}"
+    state: "{{ kthxbye_user_state | default('present') }}"
+
+- name: create etc path
+  file:
+    path: "{{ kthxbye_etc_path }}"
+    state: directory
+    owner: "{{ kthxbye_etc_owner }}"
+    group: "{{ kthxbye_etc_group }}"
+    mode: "{{ kthxbye_etc_mode }}"
+
+- name: create var path
+  file:
+    path: "{{ kthxbye_var_path }}"
+    state: directory
+    owner: "{{ kthxbye_var_owner }}"
+    group: "{{ kthxbye_var_group }}"
+    mode: "{{ kthxbye_var_mode }}"
+
+- name: configure systemd template
+  template:
+    src: kthxbye.service.j2
+    dest: /etc/systemd/system/kthxbye.service
+    owner: root
+    group: root
+    mode: 0444
+  notify: restart kthxbye
+
+- name: manage service
+  service:
+    name: "{{ kthxbye_service_name }}"
+    enabled: "{{ kthxbye_service_enabled }}"
+    state: "{{ kthxbye_service_state }}"
--- a/roles/kthxbye/tasks/default.yaml
+++ b/roles/kthxbye/tasks/default.yaml
--- a/roles/kthxbye/tasks/install.yaml
+++ b/roles/kthxbye/tasks/install.yaml
@ -0,0 +1,30 @@
+---
+- block:
+  - name: download tar
+    get_url:
+      url: "{{ kthxbye_release_url }}"
+      dest: "{{ kthxbye_download_path }}"
+      checksum: "{{ kthxbye_checksum }}"
+    register: dl
+    until: dl is success
+    retries: 5
+    delay: 10
+
+  - name: extract tar
+    unarchive:
+      src: "{{ kthxbye_download_path }}"
+      dest: "{{ kthxbye_unarchive_dest_path }}"
+      creates: "{{ kthxbye_extracted_path }}"
+      remote_src: true
+
+  - name: install binaries
+    copy:
+      src: "{{ kthxbye_extracted_path }}"
+      dest: "{{ kthxbye_bin_path }}/{{ item }}"
+      owner: root
+      group: root
+      mode: 0755
+      remote_src: true
+    loop: "{{ kthxbye_binaries }}"
+    notify: restart kthxbye
+  when: kthxbye_version != kthxbye_local_version
--- a/roles/kthxbye/tasks/main.yaml
+++ b/roles/kthxbye/tasks/main.yaml
@ -0,0 +1,30 @@
+---
+- name: gather os specific variables
+  include_vars: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - vars
+
+- name: include os specific tasks
+  include_tasks: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - tasks
+
+- include: pre.yaml
+
+- include: install.yaml
+
+- include: configure.yaml
--- a/roles/kthxbye/tasks/pre.yaml
+++ b/roles/kthxbye/tasks/pre.yaml
@ -0,0 +1,54 @@
+---
+- name: determine if installed
+  stat:
+    path: "{{ kthxbye_bin_path }}/kthxbye"
+  register: st
+
+- name: set kthxbye_installed
+  set_fact:
+    kthxbye_installed: "{{ st.stat.exists | bool }}"
+
+- block:
+  - name: determine latest version
+    uri:
+      url: "https://api.github.com/repos/{{ kthxbye_github_rel_path }}/releases/latest"
+      return_content: true
+      body_format: json
+    register: _latest_version
+    until: _latest_version.status == 200
+    retries: 3
+
+  - name: set kthxbye_version
+    set_fact:
+      kthxbye_version: "{{ _latest_version.json['tag_name'] | regex_replace('^v', '') }}"
+
+- block:
+  - name: determine installed version
+    command: "{{ kthxbye_bin_path }}/kthxbye --version"
+    register: _installed_version_string
+    changed_when: false
+
+  - name: set kthxbye_local_version
+    set_fact:
+      kthxbye_local_version: "{{ _installed_version_string.stdout | regex_search(kthxbye_version_regex, '\\1') | first }}"
+  rescue:
+  - name: set kthxbye_local_version
+    set_fact:
+      kthxbye_local_version: "{{ _installed_version_string.stderr | regex_search(kthxbye_version_regex, '\\1') | first }}"
+  when: kthxbye_installed
+
+- name: set kthxbye_local_version to 0
+  set_fact:
+    kthxbye_local_version: "0"
+  when: not kthxbye_installed
+
+- block:
+  - name: get checksums
+    set_fact:
+      _checksums: "{{ lookup('url', kthxbye_checksum_url, wantlist=True) }}"
+
+  - name: set kthxbye_checksum
+    set_fact:
+      kthxbye_checksum: "sha512:{{ item.split(' ') | first }}"
+    loop: "{{ _checksums }}"
+    when: "kthxbye_release_file in item"
--- a/roles/kthxbye/templates/kthxbye.service.j2
+++ b/roles/kthxbye/templates/kthxbye.service.j2
@ -0,0 +1,20 @@
+{{ ansible_managed | comment }}
+
+[Unit]
+Description=Kthxbye
+Wants=network-online.target
+After=network-online.target
+After=alertmanager.service
+ 
+[Service]
+Type=simple
+User={{ kthxbye_user }}
+Group={{ kthxbye_group }}
+WorkingDirectory={{ kthxbye_etc_path }}
+ExecStart={{ kthxbye_bin_path }}/kthxbye \
+{% if kthxbye_listen %}
+  -listen={{ kthxbye_listen }}
+{% endif %}
+ 
+[Install]
+WantedBy=multi-user.target
--- a/roles/kthxbye/vars/default.yaml
+++ b/roles/kthxbye/vars/default.yaml
--- a/roles/loki/defaults/main.yaml
+++ b/roles/loki/defaults/main.yaml
@ -0,0 +1,74 @@
+---
+loki_go_arch_map:
+  i386: '386'
+  x86_64: 'amd64'
+
+loki_go_arch: "{{ loki_go_arch_map[ansible_architecture] | default('amd64') }}"
+
+loki_service_name: loki.service
+loki_service_enabled: true
+loki_service_state: started
+
+loki_version_regex: ^loki, version ([\d.]+)
+
+loki_github_project_url: https://github.com/grafana/loki
+loki_release_file: "loki-{{ ansible_system | lower }}-{{ loki_go_arch }}.zip"
+loki_release_url: "{{ loki_github_project_url }}/releases/download/v{{ loki_version }}/{{ loki_release_file }}"
+loki_checksum_url: "{{ loki_github_project_url }}/releases/download/v{{ loki_version }}/SHA256SUMS"
+loki_download_path: "/tmp/{{ loki_release_file }}"
+loki_unarchive_dest_path: /tmp
+loki_extracted_path: "{{ loki_download_path | replace('.zip', '') }}"
+
+loki_user: loki
+loki_user_state: present
+loki_user_shell: /usr/sbin/nologin
+
+loki_group: loki
+loki_group_state: "{{ loki_user_state | default('present') }}"
+
+loki_config_path: /etc/loki.yaml
+
+loki_var_path: /var/lib/loki
+loki_var_owner: "{{ loki_user }}"
+loki_var_group: "{{ loki_group }}"
+loki_var_mode: "0755"
+
+loki_bin_path: /usr/local/bin
+
+loki_auth_enabled: false
+
+loki_server:
+  http_listen_port: 3100
+
+loki_ingester:
+  lifecycler:
+    address: 127.0.0.1
+    ring:
+      kvstore:
+        store: inmemory
+      replication_factor: 1
+    final_sleep: 0s
+  chunk_idle_period: 5m
+  chunk_retain_period: 30s
+
+loki_schema_config:
+  configs:
+  - from: 2020-05-15
+    store: boltdb
+    object_store: filesystem
+    schema: v11
+    index:
+      prefix: index_
+      period: 168h
+
+loki_storage_config:
+  boltdb:
+    directory: "{{ loki_var_path }}/index"
+  filesystem:
+    directory: "{{ loki_var_path }}/chunks"
+
+loki_limits_config:
+  enforce_metric_name: false
+  reject_old_samples: true
+  reject_old_samples_max_age: 168h
+  ingestion_burst_size_mb: 16
--- a/roles/loki/handlers/main.yaml
+++ b/roles/loki/handlers/main.yaml
@ -0,0 +1,6 @@
+---
+- name: restart loki
+  systemd:
+    name: loki.service
+    daemon_reload: true
+    state: restarted
--- a/roles/loki/tasks/configure.yaml
+++ b/roles/loki/tasks/configure.yaml
@ -0,0 +1,48 @@
+---
+- name: create group
+  group:
+    name: "{{ loki_group }}"
+    system: true
+    state: "{{ loki_group_state | default('present') }}"
+
+- name: create user
+  user:
+    name: "{{ loki_user }}"
+    system: true
+    shell: "{{ loki_user_shell }}"
+    group: "{{ loki_group }}"
+    createhome: false
+    home: "{{ loki_var_path }}"
+    state: "{{ loki_user_state | default('present') }}"
+
+- name: configure
+  template:
+    src: loki.yaml.j2
+    dest: "{{ loki_config_path }}"
+    owner: root
+    group: root
+    mode: 0444
+  notify: restart loki
+
+- name: create var path
+  file:
+    path: "{{ loki_var_path }}"
+    state: directory
+    owner: "{{ loki_var_owner }}"
+    group: "{{ loki_var_group }}"
+    mode: "{{ loki_var_mode }}"
+
+- name: configure systemd template
+  template:
+    src: "{{ loki_service_name }}.j2"
+    dest: "/etc/systemd/system/{{ loki_service_name }}"
+    owner: root
+    group: root
+    mode: 0444
+  notify: restart loki
+
+- name: manage service
+  service:
+    name: "{{ loki_service_name }}"
+    enabled: "{{ loki_service_enabled }}"
+    state: "{{ loki_service_state }}"
--- a/roles/loki/tasks/default.yaml
+++ b/roles/loki/tasks/default.yaml
--- a/roles/loki/tasks/install.yaml
+++ b/roles/loki/tasks/install.yaml
@ -0,0 +1,29 @@
+---
+- block:
+  - name: download archive
+    get_url:
+      url: "{{ loki_release_url }}"
+      dest: "{{ loki_download_path }}"
+      checksum: "{{ loki_checksum }}"
+    register: dl
+    until: dl is success
+    retries: 5
+    delay: 10
+
+  - name: extract archive
+    unarchive:
+      src: "{{ loki_download_path }}"
+      dest: "{{ loki_unarchive_dest_path }}"
+      creates: "{{ loki_extracted_path }}/loki"
+      remote_src: true
+
+  - name: install binaries
+    copy:
+      src: "{{ loki_extracted_path }}"
+      dest: "{{ loki_bin_path }}/loki"
+      owner: root
+      group: root
+      mode: 0755
+      remote_src: true
+    notify: restart loki
+  when: loki_version != loki_local_version
--- a/roles/loki/tasks/main.yaml
+++ b/roles/loki/tasks/main.yaml
@ -0,0 +1,30 @@
+---
+- name: gather os specific variables
+  include_vars: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - vars
+
+- name: include os specific tasks
+  include_tasks: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - tasks
+
+- include: pre.yaml
+
+- include: install.yaml
+
+- include: configure.yaml
--- a/roles/loki/tasks/pre.yaml
+++ b/roles/loki/tasks/pre.yaml
@ -0,0 +1,50 @@
+---
+- name: determine if installed
+  stat:
+    path: "{{ loki_bin_path }}/loki"
+  register: st
+
+- name: set loki_installed
+  set_fact:
+    loki_installed: "{{ st.stat.exists | bool }}"
+
+- block:
+  - name: determine latest version
+    uri:
+      url: https://api.github.com/repos/grafana/loki/releases/latest
+      return_content: true
+      body_format: json
+    register: _latest_version
+    until: _latest_version.status == 200
+    retries: 3
+
+  - name: set loki_version
+    set_fact:
+      loki_version: "{{ _latest_version.json['tag_name'] | regex_replace('^v', '') }}"
+
+- block:
+  - name: determine installed version
+    command: "{{ loki_bin_path }}/loki --version"
+    register: _installed_version_string
+    changed_when: false
+
+  - name: set loki_local_version
+    set_fact:
+      loki_local_version: "{{ _installed_version_string.stdout | regex_search(loki_version_regex, '\\1') | first }}"
+  when: loki_installed
+
+- name: set loki_local_version to 0
+  set_fact:
+    loki_local_version: "0"
+  when: not loki_installed
+
+- block:
+  - name: get checksums
+    set_fact:
+      _checksums: "{{ lookup('url', loki_checksum_url, wantlist=True) }}"
+
+  - name: set loki_checksum
+    set_fact:
+      loki_checksum: "sha256:{{ item.split(' ') | first }}"
+    loop: "{{ _checksums }}"
+    when: "loki_release_file in item"
--- a/roles/loki/templates/loki.service.j2
+++ b/roles/loki/templates/loki.service.j2
@ -0,0 +1,19 @@
+{{ ansible_managed | comment }}
+
+[Unit]
+Description=Loki
+After=network-online.target
+
+[Service]
+Type=simple
+User={{ loki_user }}
+Group={{ loki_group }}
+ExecStart={{ loki_bin_path }}/loki \
+  -config.file {{ loki_config_path }}
+WorkingDirectory={{ loki_var_path }}
+
+Restart=always
+RestartSec=1
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/loki/templates/loki.yaml.j2
+++ b/roles/loki/templates/loki.yaml.j2
@ -0,0 +1,30 @@
+{{ ansible_managed | comment }}
+---
+{% if loki_auth_enabled is defined %}
+auth_enabled: {{ loki_auth_enabled | bool | lower }}
+{% endif %}
+
+{% if loki_server is defined %}
+server:
+  {{ loki_server | to_nice_yaml(indent=2) | indent(2, False) }}
+{% endif -%}
+
+{% if loki_ingester is defined %}
+ingester:
+  {{ loki_ingester | to_nice_yaml(indent=2) | indent(2, False) }}
+{% endif -%}
+
+{% if loki_schema_config is defined %}
+schema_config:
+  {{ loki_schema_config | to_nice_yaml(indent=2) | indent(2, False) }}
+{% endif -%}
+
+{% if loki_storage_config is defined %}
+storage_config:
+  {{ loki_storage_config | to_nice_yaml(indent=2) | indent(2, False) }}
+{% endif -%}
+
+{% if loki_limits_config is defined %}
+limits_config:
+  {{ loki_limits_config | to_nice_yaml(indent=2) | indent(2, False) }}
+{% endif -%}
--- a/roles/loki/vars/default.yaml
+++ b/roles/loki/vars/default.yaml
--- a/roles/mtail/defaults/main.yaml
+++ b/roles/mtail/defaults/main.yaml
@ -0,0 +1,50 @@
+---
+mtail_go_arch_map:
+  i386: '386'
+  x86_64: 'amd64'
+
+mtail_go_arch: "{{ mtail_go_arch_map[ansible_architecture] | default('amd64') }}"
+
+mtail_service_name: mtail.service
+mtail_service_state: started
+mtail_service_enabled: yes
+
+mtail_version_regex: ^mtail version (\S+)
+
+mtail_github_project_url: https://github.com/google/mtail
+mtail_release_file: "mtail_{{ mtail_version }}_{{ ansible_system | capitalize }}_{{ ansible_architecture }}.tar.gz"
+mtail_release_url: "{{ mtail_github_project_url }}/releases/download/v{{ mtail_version }}/{{ mtail_release_file }}"
+mtail_download_path: "/tmp/{{ mtail_release_file }}"
+mtail_checksum_url: "{{ mtail_github_project_url }}/releases/download/v{{ mtail_version }}/checksums.txt"
+mtail_extracted_path: "/tmp"
+mtail_unarchive_dest_path: "/tmp"
+
+mtail_user: mtail
+mtail_user_state: present
+mtail_user_shell: /usr/sbin/nologin
+mtail_append_groups:
+  - adm
+
+mtail_group: mtail
+mtail_group_state: "{{ mtail_user_state | default('present') }}"
+
+mtail_etc_path: /etc/mtail
+mtail_etc_owner: root
+mtail_etc_group: root
+mtail_etc_mode: "0755"
+
+mtail_var_path: /var/lib/mtail
+mtail_var_owner: "{{ mtail_user }}"
+mtail_var_group: "{{ mtail_group }}"
+mtail_var_mode: "0755"
+
+mtail_var_log_path: /var/log/mtail
+mtail_var_log_owner: "{{ mtail_user }}"
+mtail_var_log_group: "{{ mtail_group }}"
+mtail_var_log_mode: "0755"
+
+mtail_bin_path: /usr/local/bin
+
+mtail_arg_logs:
+  - "/var/log/syslog/{{ inventory_hostname_short }}/*/*/*.log"   
+  - /var/log/nginx/*.access.log
--- a/roles/mtail/files/rules/nginx.mtail
+++ b/roles/mtail/files/rules/nginx.mtail
@ -0,0 +1,29 @@
+getfilename() !~ /nginx\/.*\.log$/ {
+    stop
+}
+
+counter nginx_http_requests_total by vhost, method, code
+counter nginx_http_response_size_bytes_total by vhost, method, code
+
+histogram nginx_http_response_time_seconds buckets 0.0, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1.0, 2.5, 5.0, 10.0, 25.0, 50.0 by vhost, method, code
+
+/^/ +
+/(?P<vhost>[0-9A-Za-z\.\-:]+) / +
+/(?P<remote_addr>\S+) / +
+/- / + 
+/(?P<remote_user>\S+) / +
+/\[(?P<time_local>\d{2}\/\w{3}\/\d{4}:\d{2}:\d{2}:\d{2} (\+|-)\d{4})\] / +
+/"(?P<request_method>[A-Z]+) (?P<request_uri>\S+) (?P<http_version>HTTP\/[0-9\.]+)" / +
+/(?P<status>\d{3}) / +
+/(?P<bytes_sent>\d+) / +
+/(?P<request_time>\d+\.\d+) / +
+/"(?P<http_referer>\S+)" / +
+/"(?P<http_user_agent>[[:print:]]+)" / +
+/"(?P<http_x_forwarded_for>\S+)"/ +
+/$/ {
+    nginx_http_requests_total[$vhost][$request_method][$status]++
+
+    nginx_http_response_size_bytes_total[$vhost][$request_method][$status] += $bytes_sent
+
+    nginx_http_response_time_seconds[$vhost][$request_method][$status] = $request_time
+}
--- a/roles/mtail/files/rules/syslog.mtail
+++ b/roles/mtail/files/rules/syslog.mtail
@ -0,0 +1,32 @@
+getfilename() !~ /^\/var\/log\/syslog\// {
+    stop
+}
+
+def syslog {
+    /(?P<date>(?P<legacy_date>\w+\s+\d+\s+\d+:\d+:\d+)|(?P<rfc3339_date>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}.\d+[+-]\d{2}:\d{2}))/ +
+        /\s+(?:\w+@)?(?P<hostname>[\w\.-]+)\s+(?P<application>[\w\.-]+)(?:\[(?P<pid>\d+)\])?:\s+(?P<message>.*)/ {
+        # If the legacy_date regexp matched, try this format.
+        len($legacy_date) > 0 {
+            strptime($legacy_date, "Jan _2 15:04:05")
+        }
+        # If the RFC3339 style matched, parse it this way.
+        len($rfc3339_date) > 0 {
+            strptime($rfc3339_date, "2006-01-02T15:04:05-07:00")
+        }
+        # Call into the decorated block
+        next
+    }
+}
+
+counter syslog_loglines_total by application
+counter ssh_invalid_user
+
+@syslog {
+    syslog_loglines_total[$application]++
+    $application == "sshd" {
+        $message =~ /^Invalid user/ {
+            ssh_invalid_user++
+        }
+    }
+}
+
--- a/roles/mtail/handlers/main.yaml
+++ b/roles/mtail/handlers/main.yaml
@ -0,0 +1,6 @@
+---
+- name: restart mtail
+  systemd:
+    name: mtail.service
+    daemon_reload: true
+    state: restarted
--- a/roles/mtail/tasks/configure.yaml
+++ b/roles/mtail/tasks/configure.yaml
@ -0,0 +1,67 @@
+---
+- name: create group
+  group:
+    name: "{{ mtail_group }}"
+    system: true
+    state: "{{ mtail_group_state | default('present') }}"
+
+- name: create user
+  user:
+    name: "{{ mtail_user }}"
+    system: true
+    shell: "{{ mtail_user_shell }}"
+    group: "{{ mtail_group }}"
+    groups: "{{ [mtail_group] + (mtail_append_groups | default([])) }}"
+    append: true
+    createhome: false
+    home: "{{ mtail_var_path }}"
+    state: "{{ mtail_user_state | default('present') }}"
+
+- name: create etc path
+  file:
+    path: "{{ mtail_etc_path }}"
+    state: directory
+    owner: "{{ mtail_etc_owner }}"
+    group: "{{ mtail_etc_group }}"
+    mode: "{{ mtail_etc_mode }}"
+
+- name: create var path
+  file:
+    path: "{{ mtail_var_path }}"
+    state: directory
+    owner: "{{ mtail_var_owner }}"
+    group: "{{ mtail_var_group }}"
+    mode: "{{ mtail_var_mode }}"
+
+- name: create var_log path
+  file:
+    path: "{{ mtail_var_log_path }}"
+    state: directory
+    owner: "{{ mtail_var_log_owner }}"
+    group: "{{ mtail_var_log_group }}"
+    mode: "{{ mtail_var_log_mode }}"
+
+- name: configure rules
+  copy:
+    src: "{{ item }}"
+    dest: "{{ mtail_etc_path }}/{{ item | basename }}"
+    owner: root
+    group: root
+    mode: "0755"
+  loop: "{{ lookup('fileglob', 'rules/*.mtail', wantlist=True) }}"
+  notify: restart mtail
+
+- name: configure systemd template
+  template:
+    src: mtail.service.j2
+    dest: /etc/systemd/system/mtail.service
+    owner: root
+    group: root
+    mode: 0444
+  notify: restart mtail
+
+- name: manage service
+  service:
+    name: "{{ mtail_service_name }}"
+    enabled: "{{ mtail_service_enabled }}"
+    state: "{{ mtail_service_state }}"
--- a/roles/mtail/tasks/default.yaml
+++ b/roles/mtail/tasks/default.yaml
--- a/roles/mtail/tasks/install.yaml
+++ b/roles/mtail/tasks/install.yaml
@ -0,0 +1,52 @@
+---
+#- block:
+#  - name: download tar
+#    get_url:
+#      url: "{{ mtail_release_url }}"
+#      dest: "{{ mtail_download_path }}"
+#    register: dl
+#    until: dl is success
+#    retries: 5
+#    delay: 10
+#
+#  - name: install binaries
+#    copy:
+#      src: "{{ mtail_download_path }}"
+#      dest: "{{ mtail_bin_path }}/mtail"
+#      owner: root
+#      group: root
+#      mode: 0755
+#      remote_src: true
+#    notify: restart mtail
+#  when: mtail_version != mtail_local_version
+#
+- block:
+  - name: download tar
+    get_url:
+      url: "{{ mtail_release_url }}"
+      dest: "{{ mtail_download_path }}"
+      checksum: "{{ mtail_checksum }}"
+    register: dl
+    until: dl is success
+    retries: 5
+    delay: 10
+
+  - name: extract tar
+    unarchive:
+      src: "{{ mtail_download_path }}"
+      dest: "{{ mtail_unarchive_dest_path }}"
+      creates: "{{ mtail_extracted_path }}/mtail"
+      remote_src: true
+
+  - name: install binaries
+    copy:
+      src: "{{ mtail_extracted_path }}/{{ item }}"
+      dest: "{{ mtail_bin_path }}/{{ item }}"
+      owner: root
+      group: root
+      mode: 0755
+      remote_src: true
+    loop:
+      - mtail
+    notify: restart mtail
+  when: mtail_version != mtail_local_version
--- a/roles/mtail/tasks/main.yaml
+++ b/roles/mtail/tasks/main.yaml
@ -0,0 +1,30 @@
+---
+- name: gather os specific variables
+  include_vars: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - vars
+
+- name: include os specific tasks
+  include_tasks: "{{ lookup('first_found', possible_files) }}"
+  vars:
+    possible_files:
+      files:
+        - "{{ ansible_distribution }}-{{ ansible_distribution_version }}.yaml"
+        - "{{ ansible_distribution }}.yaml"
+        - "{{ ansible_os_family }}.yaml"
+        - "default.yaml"
+      paths:
+        - tasks
+
+- include: pre.yaml
+
+- include: install.yaml
+
+- include: configure.yaml
--- a/roles/mtail/tasks/pre.yaml
+++ b/roles/mtail/tasks/pre.yaml
@ -0,0 +1,88 @@
+---
+#- name: determine if installed
+#  stat:
+#    path: "{{ mtail_bin_path }}/mtail"
+#  register: st
+#
+#- name: set mtail_installed
+#  set_fact:
+#    mtail_installed: "{{ st.stat.exists | bool }}"
+#
+#- block:
+#  - name: determine latest version
+#    uri:
+#      url: https://api.github.com/repos/google/mtail/releases/latest
+#      return_content: true
+#      body_format: json
+#    register: _latest_version
+#    until: _latest_version.status == 200
+#    retries: 3
+#
+#  - name: set mtail_version
+#    set_fact:
+#      mtail_version: "{{ _latest_version.json['tag_name'] | regex_replace('^v', '') }}"
+#
+#- block:
+#  - name: determine installed version
+#    command: "{{ mtail_bin_path }}/mtail --version"
+#    register: _installed_version_string
+#    changed_when: false
+#
+#  - name: set mtail_local_version
+#    set_fact:
+#      mtail_local_version: "{{ _installed_version_string.stdout | regex_search(mtail_version_regex, '\\1') | first }}"
+#  when: mtail_installed
+#
+#- name: set mtail_local_version to 0
+#  set_fact:
+#    mtail_local_version: "0"
+#  when: not mtail_installed
+- name: determine if installed
+  stat:
+    path: "{{ mtail_bin_path }}/mtail"
+  register: st
+
+- name: set mtail_installed
+  set_fact:
+    mtail_installed: "{{ st.stat.exists | bool }}"
+
+- block:
+  - name: determine latest version
+    uri:
+      url: https://api.github.com/repos/google/mtail/releases/latest
+      return_content: true
+      body_format: json
+    register: _latest_version
+    until: _latest_version.status == 200
+    retries: 3
+
+  - name: set mtail_version
+    set_fact:
+      mtail_version: "{{ _latest_version.json['tag_name'] | regex_replace('^v', '') }}"
+
+- block:
+  - name: determine installed version
+    command: "{{ mtail_bin_path }}/mtail --version"
+    register: _installed_version_string
+    changed_when: false
+
+  - name: set mtail_local_version
+    set_fact:
+      mtail_local_version: "{{ _installed_version_string.stdout | regex_search(mtail_version_regex, '\\1') | first }}"
+  when: mtail_installed
+
+- name: set mtail_local_version to 0
+  set_fact:
+    mtail_local_version: "0"
+  when: not mtail_installed
+
+- block:
+  - name: get checksums
+    set_fact:
+      _checksums: "{{ lookup('url', mtail_checksum_url, wantlist=True) }}"
+
+  - name: set mtail_checksum
+    set_fact:
+      mtail_checksum: "sha256:{{ item.split(' ') | first }}"
+    loop: "{{ _checksums }}"
+    when: "mtail_release_file in item"
--- a/roles/mtail/templates/mtail.service.j2
+++ b/roles/mtail/templates/mtail.service.j2
@ -0,0 +1,16 @@
+[Unit]
+Description=mtail
+
+[Service]
+User={{ mtail_user }}
+ExecStart={{ mtail_bin_path }}/mtail \
+  --progs {{ mtail_etc_path }} \
+  --log_dir={{ mtail_var_log_path }} \
+{% if mtail_arg_logs %}
+{% for path in  mtail_arg_logs %}
+  --logs {{ path }} \
+{% endfor %}
+{% endif %}
+
+[Install]
+WantedBy=multi-user.target
--- a/roles/mtail/vars/default.yaml
+++ b/roles/mtail/vars/default.yaml
--- a/roles/mysql/README.md
+++ b/roles/mysql/README.md
@ -0,0 +1,38 @@
+Role Name
+=========
+
+A brief description of the role goes here.
+
+Requirements
+------------
+
+Any pre-requisites that may not be covered by Ansible itself or the role should be mentioned here. For instance, if the role uses the EC2 module, it may be a good idea to mention in this section that the boto package is required.
+
+Role Variables
+--------------
+
+A description of the settable variables for this role should go here, including any variables that are in defaults/main.yml, vars/main.yml, and any variables that can/should be set via parameters to the role. Any variables that are read from other roles and/or the global scope (ie. hostvars, group vars, etc.) should be mentioned here as well.
+
+Dependencies
+------------
+
+A list of other roles hosted on Galaxy should go here, plus any details in regards to parameters that may need to be set for other roles, or variables that are used from other roles.
+
+Example Playbook
+----------------
+
+Including an example of how to use your role (for instance, with variables passed in as parameters) is always nice for users too:
+
+    - hosts: servers
+      roles:
+         - { role: username.rolename, x: 42 }
+
+License
+-------
+
+BSD
+
+Author Information
+------------------
+
+An optional section for the role authors to include contact information, or a website (HTML is not allowed).
--- a/roles/mysql/defaults/main.yaml
+++ b/roles/mysql/defaults/main.yaml
@ -0,0 +1,57 @@
+---
+mysql_package_state: 'present'
+
+mysql_service_name: 'mysql'
+mysql_service_state: 'started'
+mysql_service_enabled: yes
+
+mysql_initialize_log_error: /var/tmp/mysqld_initialize.log
+
+mysql_cfg_path: /etc/my.cnf
+
+mysql_datadir_owner: mysql
+mysql_datadir_group: mysql
+mysql_datadir_mode: 0700
+
+mysql_config:
+  mysql:
+    port: 3306
+    socket: /var/run/mysqld/mysqld.sock
+  mysqld:
+    basedir: /usr
+    bind_address: 127.0.0.1
+    datadir: /var/lib/mysql
+    default_storage_engine: InnoDB
+    innodb_buffer_pool_size: "{{ (ansible_memtotal_mb * 0.25) | int }}M"
+    innodb_file_per_table: 1
+    innodb_flush_log_at_trx_commit: 1
+    innodb_flush_method: O_DIRECT
+    innodb_log_file_size: 128M
+    innodb_log_files_in_group: 2
+    key_buffer_size: 16M
+    log_error: /var/log/mysql/mysql-error.log
+    log_queries_not_using_indexes: 1
+    max_allowed_packet: 16M
+    max_connect_errors: 1000000
+    max_connections: 100
+    max_heap_table_size: 32M
+    myisam_recover_options: FORCE,BACKUP
+    open_files_limit: 65535
+    pid_file: /var/run/mysqld/mysqld.pid
+    query_cache_size: 0
+    query_cache_type: 0
+    slow_query_log: 1
+    slow_query_log_file: /var/log/mysql/mysql-slow.log
+    socket: /var/run/mysqld/mysqld.sock
+    table_definition_cache: 4096
+    table_open_cache: 300
+    thread_cache_size: 16
+    tmp_table_size: 32M
+    tmpdir: /tmp
+    user: mysql
+  mysqld_safe:
+    nice: 0
+    socket: /var/run/mysqld/mysqld.sock
+    syslog: ~
+
+# vim:ft=yaml.ansible:
--- a/roles/mysql/handlers/main.yml
+++ b/roles/mysql/handlers/main.yml
@ -0,0 +1,5 @@
+---
+- name: restart mysql
+  service:
+    name: "{{ mysql_service_name }}"
+    state: restarted
--- a/roles/mysql/meta/main.yml
+++ b/roles/mysql/meta/main.yml
@ -0,0 +1,60 @@
+galaxy_info:
+  author: your name
+  description: your description
+  company: your company (optional)
+
+  # If the issue tracker for your role is not on github, uncomment the
+  # next line and provide a value
+  # issue_tracker_url: http://example.com/issue/tracker
+
+  # Some suggested licenses:
+  # - BSD (default)
+  # - MIT
+  # - GPLv2
+  # - GPLv3
+  # - Apache
+  # - CC-BY
+  license: license (GPLv2, CC-BY, etc)
+
+  min_ansible_version: 2.4
+
+  # If this a Container Enabled role, provide the minimum Ansible Container version.
+  # min_ansible_container_version:
+
+  # Optionally specify the branch Galaxy will use when accessing the GitHub
+  # repo for this role. During role install, if no tags are available,
+  # Galaxy will use this branch. During import Galaxy will access files on
+  # this branch. If Travis integration is configured, only notifications for this
+  # branch will be accepted. Otherwise, in all cases, the repo's default branch
+  # (usually master) will be used.
+  #github_branch:
+
+  #
+  # Provide a list of supported platforms, and for each platform a list of versions.
+  # If you don't wish to enumerate all versions for a particular platform, use 'all'.
+  # To view available platforms and versions (or releases), visit:
+  # https://galaxy.ansible.com/api/v1/platforms/
+  #
+  # platforms:
+  # - name: Fedora
+  #   versions:
+  #   - all
+  #   - 25
+  # - name: SomePlatform
+  #   versions:
+  #   - all
+  #   - 1.0
+  #   - 7
+  #   - 99.99
+
+  galaxy_tags: []
+    # List tags for your role here, one per line. A tag is a keyword that describes
+    # and categorizes the role. Users find roles by searching for tags. Be sure to
+    # remove the '[]' above, if you add tags to this list.
+    #
+    # NOTE: A tag is limited to a single word comprised of alphanumeric characters.
+    #       Maximum 20 tags per role.
+
+dependencies: []
+  # List your role dependencies here, one per line. Be sure to remove the '[]' above,
+  # if you add dependencies to this list.
--- a/roles/mysql/tasks/main.yml
+++ b/roles/mysql/tasks/main.yml
@ -0,0 +1,39 @@
+---
+- name: gather OS distribution version specific variables
+  include_vars: "{{ ansible_distribution }}-{{ ansible_distribution_major_version }}.yaml"
+
+- name: gather OS distribution specific variables
+  include_vars: "{{ ansible_distribution }}.yaml"
+
+- name: gather OS family specific variables
+  include_vars: "{{ ansible_os_family }}.yaml"
+
+- name: manage mysql package
+  package:
+    name: "{{ mysql_package_name }}"
+    state: "{{ mysql_package_state }}"
+
+- name: create datadir
+  file:
+    path: "{{ mysql_config.mysqld.datadir }}"
+    owner: "{{ mysql_datadir_owner }}"
+    group: "{{ mysql_datadir_group }}"
+    mode: "{{ mysql_datadir_mode }}"
+    state: directory
+
+- name: initialize mysql
+  command: "mysqld --initialize --log-error={{ mysql_initialize_log_error }}"
+  args:
+    creates: "{{ mysql_config.mysqld.datadir }}/mysql"
+
+- name: configure mysql
+  template:
+    src: my.cnf.j2
+    dest: "{{ mysql_cfg_path }}"
+  notify: restart mysql
+
+- name: manage mysql service
+  service:
+    name: "{{ mysql_service_name }}"
+    state: "{{ mysql_service_state }}"
+    enabled: "{{ mysql_service_enabled }}"
--- a/roles/mysql/templates/my.cnf.j2
+++ b/roles/mysql/templates/my.cnf.j2
@ -0,0 +1,12 @@
+# {{ ansible_managed }}
+{% for section, cfg in mysql_config.iteritems() | sort %}
+
+[{{section}}]
+{% for k, v in cfg.iteritems() | sort %}
+{% if k is defined and v is not none %}
+{{ k }} = {{ v }}
+{% elif k and v is none %}
+{{ k }}
+{% endif %}
+{% endfor %}
+{% endfor %}
--- a/roles/mysql/tests/inventory
+++ b/roles/mysql/tests/inventory
@ -0,0 +1,2 @@
+localhost
+
--- a/roles/mysql/tests/test.yml
+++ b/roles/mysql/tests/test.yml
@ -0,0 +1,5 @@
+---
+- hosts: localhost
+  remote_user: root
+  roles:
+    - roles/mysql
--- a/roles/mysql/vars/Debian.yaml
+++ b/roles/mysql/vars/Debian.yaml
@ -0,0 +1,2 @@
+---
+mysql_cfg_path: /etc/my.cnf
--- a/roles/mysql/vars/Ubuntu-18.yaml
+++ b/roles/mysql/vars/Ubuntu-18.yaml
@ -0,0 +1,5 @@
+---
+mysql_service_name: 'mysql.service'
+mysql_cfg_path: /etc/mysql/my.cnf
+
+# vim:ft=yaml.ansible:
--- a/roles/mysql/vars/Ubuntu.yaml
+++ b/roles/mysql/vars/Ubuntu.yaml
@ -0,0 +1,4 @@
+---
+mysql_package_name: 'mysql-server'
+
+# vim:ft=yaml.ansible:
--- a/roles/mysql/vars/main.yml
+++ b/roles/mysql/vars/main.yml
@ -0,0 +1,2 @@
+---
+# vars file for roles/mysql
--- a/roles/node_exporter/defaults/main.yaml
+++ b/roles/node_exporter/defaults/main.yaml
@ -0,0 +1,51 @@
+---
+node_exporter_go_arch_map:
+  i386: '386'
+  x86_64: 'amd64'
+
+node_exporter_go_arch: "{{ node_exporter_go_arch_map[ansible_architecture] | default('amd64') }}"
+
+node_exporter_service_name: node_exporter.service
+node_exporter_service_enabled: true
+node_exporter_service_state: started
+
+node_exporter_version_regex: ^node_exporter, version ([\d.]+)
+
+node_exporter_release_file: "node_exporter-{{ node_exporter_version }}.{{ ansible_system | lower }}-{{ node_exporter_go_arch }}.tar.gz"
+node_exporter_release_url: "https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/{{ node_exporter_release_file }}"
+node_exporter_checksum_url: "https://github.com/prometheus/node_exporter/releases/download/v{{ node_exporter_version }}/sha256sums.txt"
+node_exporter_download_path: "/tmp/{{ node_exporter_release_file }}"
+node_exporter_unarchive_dest_path: /tmp
+node_exporter_extracted_path: "{{ node_exporter_download_path | replace('.tar.gz', '') }}"
+
+node_exporter_user: node_exporter
+node_exporter_user_state: present
+node_exporter_user_shell: /usr/sbin/nologin
+
+node_exporter_group: node_exporter
+node_exporter_group_state: "{{ node_exporter_user_state | default('present') }}"
+
+node_exporter_var_path: /var/lib/node_exporter
+node_exporter_var_owner: "{{ node_exporter_user }}"
+node_exporter_var_group: "{{ node_exporter_group }}"
+node_exporter_var_mode: "0755"
+
+node_exporter_spool_path: /var/spool/node_exporter
+node_exporter_spool_owner: "{{ node_exporter_user }}"
+node_exporter_spool_group: "{{ node_exporter_group }}"
+node_exporter_spool_mode: "0755"
+
+node_exporter_bin_path: /usr/local/bin
+
+node_exporter_collectors_enabled:
+  - textfile:
+      directory: "{{ node_exporter_spool_path }}/textfile_collector"
+  - processes
+  - tcpstat
+  - ntp
+  - supervisord:
+      url: unix:///var/run/supervisor.sock
+  - systemd:
+      enable-task-metrics:
+      enable-restarts-metrics:
+      enable-start-time-metrics:
--- a/roles/node_exporter/files/apt-exporter.pl
+++ b/roles/node_exporter/files/apt-exporter.pl
@ -0,0 +1,36 @@
+#!/usr/bin/env perl
+use strict;
+use warnings;
+
+my $cmd = "apt-get --just-print dist-upgrade";
+my %metrics;
+
+open(my $fh, '-|', $cmd) or die $!;
+while(my $line = <$fh>) {
+    if ($line =~ /Inst \S+ \S+ \(\S+ (.+) \[(\S+)\]\)/) {
+        my $k = sprintf("apt_upgrades_pending{origin=\"%s\", arch=\"%s\"}", $1, $2); 
+        if (!exists $metrics{$k}) {
+            $metrics{$k} = 1;
+        } else {
+            $metrics{$k}++;
+        }
+    }
+}
+
+if (%metrics) {
+    # print apt metrics
+    while(my($k, $v) = each %metrics) {
+        printf("%s %d\n", $k, $v)
+    }
+}
+else {
+    print("apt_upgrades_pending{origin=\"\",arch=\"\"} 0\n");
+}
+
+# print reboot required metric
+if (-e "/var/run/reboot-required") {
+    print("node_reboot_required 1\n")
+}
+else {
+    print("node_reboot_required 0\n")
+}
--- a/roles/node_exporter/files/promcat.sh
+++ b/roles/node_exporter/files/promcat.sh
@ -0,0 +1,42 @@
+#!/bin/bash
+
+function usage { printf "Usage: %s FILE\n" "$(basename "$0")" >&2; exit 1; }
+
+while getopts "h" opt; do
+    case "${opt}" in
+        *)
+            usage
+            ;;
+    esac
+done
+shift $((OPTIND-1))
+
+FILE="$1"
+
+if [ -z "${FILE}" ]; then
+    usage
+    exit 1
+fi
+
+if command -v sponge > /dev/null; then
+    ( echo "# promcat (sponge)" ; cat /dev/stdin ) | sponge "${FILE}"
+else
+    TEMP=$(mktemp --suffix .prom)
+
+    function finish {
+        if [ -f "${TEMP}" ]; then
+            rm -f "${TEMP}"
+        fi
+    }
+    trap finish EXIT
+
+    echo "# promcat (mktemp, mv)" > "${TEMP}"
+    cat /dev/stdin >> "${TEMP}"
+
+    if [ ! -s "${TEMP}" ] || grep -q '^[[:space:]]*$' "${TEMP}" ; then
+        printf "%s is empty\n" "${TEMP}" >&2
+        exit 1
+    else
+        mv "${TEMP}" "${FILE}"
+    fi
+fi
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Ryan Cavicchioni	6705256abc	Add workstation lab playbook	2022-08-30 07:52:01 -05:00
Ryan Cavicchioni	0e6490bbd2	add dl role	2022-08-30 07:51:55 -05:00
Ryan Cavicchioni	0760ae4c2c	add wireguard role	2022-08-30 07:51:47 -05:00
Ryan Cavicchioni	2b6b7aca79	add vault role	2022-08-30 07:51:35 -05:00
Ryan Cavicchioni	4c64613a90	add thanos role	2022-08-30 07:51:26 -05:00
Ryan Cavicchioni	04dfdbd399	add swap role	2022-08-30 07:51:17 -05:00
Ryan Cavicchioni	49be68b4db	add supervisor role	2022-08-30 07:51:10 -05:00
Ryan Cavicchioni	3a14992832	add rabbitmq role	2022-08-30 07:50:44 -05:00
Ryan Cavicchioni	a948debbf8	add promtail role	2022-08-30 07:50:35 -05:00
Ryan Cavicchioni	eae4e0120c	add pushgateway role	2022-08-30 07:50:07 -05:00
Ryan Cavicchioni	749934f9e1	add prometheus role	2022-08-30 07:49:57 -05:00
Ryan Cavicchioni	ec17840809	add podman role	2022-08-30 07:49:41 -05:00
Ryan Cavicchioni	d55f62893d	add openvpn role	2022-08-30 07:49:30 -05:00
Ryan Cavicchioni	5b55cc1a16	add nomad role	2022-08-30 07:49:09 -05:00
Ryan Cavicchioni	d5fd90a9e9	add node_exporter role	2022-08-30 07:49:00 -05:00
Ryan Cavicchioni	3e982b9729	add mysql role	2022-08-30 07:48:38 -05:00
Ryan Cavicchioni	523d6f3b32	add mtail role	2022-08-30 07:48:26 -05:00
Ryan Cavicchioni	341583bbe1	add loki role	2022-08-30 07:48:13 -05:00
Ryan Cavicchioni	4a497c211a	add kthxbye role	2022-08-30 07:48:06 -05:00
Ryan Cavicchioni	72254bd72e	add keepalived role	2022-08-30 07:47:54 -05:00
Ryan Cavicchioni	4541bab1bc	add karma role	2022-08-30 07:46:29 -05:00
Ryan Cavicchioni	8122bd25d7	add docker role	2022-08-30 07:46:19 -05:00
Ryan Cavicchioni	149fff70a3	add crio role	2022-08-30 07:46:03 -05:00
Ryan Cavicchioni	789541a90f	add consul role	2022-08-30 07:45:41 -05:00
Ryan Cavicchioni	4d07232525	add blackbox_exporter role	2022-08-30 07:45:26 -05:00
Ryan Cavicchioni	8e899da042	add alertmanager role	2022-08-30 07:45:14 -05:00
				`@ -0,0 +1 @@`
				`crio_os: "CentOS_{{ ansible_distribution_major_version }}"`