diff --git a/cookbooks/consul/attributes.rb b/cookbooks/consul/attributes.rb
index 239adad..9520618 100644
--- a/cookbooks/consul/attributes.rb
+++ b/cookbooks/consul/attributes.rb
@@ -23,6 +23,6 @@ node.reverse_merge!({
 'ipaddr' => ipaddr,
 'dns' => dns,
 'encrypt' => 's2T3XUTb9MjHYOw8I820O5YkN2G6eJrjLjJRTnEAKoM=',
- 'token' => 'acb7096c-dcda-775a-b52c-b47c96b38d0e'
+ 'token' => '63de6edb-0cb0-de95-d5f1-7facf616c26d'
 }
 })
diff --git a/cookbooks/everun/files/etc/cron.d/everun b/cookbooks/everun/files/etc/cron.d/everun-blog
similarity index 100%
rename from cookbooks/everun/files/etc/cron.d/everun
rename to cookbooks/everun/files/etc/cron.d/everun-blog
diff --git a/cookbooks/everun/nginx.rb b/cookbooks/everun/nginx.rb
index 777d3c1..8e64d95 100644
--- a/cookbooks/everun/nginx.rb
+++ b/cookbooks/everun/nginx.rb
@@ -24,7 +24,7 @@ execute 'mount -a' do
 action :nothing
 end
-remote_file '/etc/cron.d/everun' do
+remote_file '/etc/cron.d/everun-blog' do
 owner 'root'
 group 'root'
 mode '644'
diff --git a/cookbooks/nginx/attributes.rb b/cookbooks/nginx/attributes.rb
index ade8d81..c12428c 100644
--- a/cookbooks/nginx/attributes.rb
+++ b/cookbooks/nginx/attributes.rb
@@ -3,7 +3,7 @@
 # -------------------------------------------
 node.reverse_merge!({
 'nginx' => {
- 'version' => '1.23.2',
+ 'version' => '1.25.0',
 'skip_lego' => 'true',
 'skip_webadm' => 'true'
 }
diff --git a/cookbooks/nginx/build.rb b/cookbooks/nginx/build.rb
index 1ea752a..d316ccb 100644
--- a/cookbooks/nginx/build.rb
+++ b/cookbooks/nginx/build.rb
@@ -78,7 +78,7 @@ directory MODULEDIR do
 end
 # Build starts here:
-execute "#{NGINXBUILD} -d working -v #{version} -c configure.sh -zlib -pcre -openssl" do
+execute "#{NGINXBUILD} -d working -v #{version} -c configure.sh -zlib -pcre -libressl -libresslversion 3.8.0" do
 cwd WORKDIR
 user USER
diff --git a/cookbooks/nginx/files/etc/cron.d/everun b/cookbooks/nginx/files/etc/cron.d/everun
new file mode 100644
index 0000000..56a9206
--- /dev/null
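Review bot: The rotated Consul ACL `token` on the `+` line, like the gossip `encrypt` key in the context line above it, lives in cleartext in a node attributes file, so both the retired and the new value stay recoverable from git history and anyone with read access to the repository holds a live ACL token. Rotating the value in place does not close that exposure; the cookbook already has a pattern for secrets in lego.rb (`encrypted_remote_file` with `password ENV['ITAMAE_PASSWORD']`), and the attribute could be sourced the same way, e.g. `'token' => ENV.fetch('CONSUL_TOKEN')` (the variable name is a placeholder), with the old token revoked on the Consul side once the new one is deployed. The same applies to `'encrypt'`. The `node.reverse_merge!` call starts outside the hunk.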
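Review bot: `-libresslversion 3.8.0` on the `+` line in build.rb pins the TLS library inline in the build command while the nginx version comes from the `#{version}` attribute, so a LibreSSL security release now needs a recipe edit instead of an attribute change. Pull it into the attributes file next to `'version'` and interpolate it, e.g. `-libressl -libresslversion #{node['nginx']['libressl_version']}`; `libressl_version` is a name I am proposing, not an existing attribute. Since the switch from `-openssl` to `-libressl` presumably means nginx-build compiles this library into the nginx binary, OS package updates for the system TLS library will no longer patch this nginx, so the pin needs an explicit owner; a comment above the `execute` saying exactly that would help the next maintainer. The `execute` block continues outside the hunk.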
+++ b/cookbooks/nginx/files/etc/cron.d/everun @@ -0,0 +1,10 @@ +md5:e2c4b92cac6937e5c2e14bcb166748cf:salt:35-2-158-147-217-138-24-188:aes-256-cfb:m5WUGUv4kMl3U4EpsDCZbTmqfDQEp3CGzBk84671Dhxt0rRtETnCY2ECGD7W ++O9MMKk0jCDCUxz7EZoggsHQL40dwvcCKs5qgcFFmZYOMygfxBVJ+cqBZ//0 +Zdav0tp1Qc3ejX2x3kmZBgAn4WCRVCmIZYtPYj0w4nrAohXSITJOo6MKNfsB +ASvoywRNHTYJAxT/UrYrJudR3Yq2a0gIcVgGZAYBKOUb2syMTixo245x128p +pX2QtcHjE87g9uGeUVWLkIM9m5uvBGULgdKknO03PXF0jWHxQvv/RRN+aG0H +To70zhqrlJWibKlO9PgPyVhoQSgxBG9i2f18hw2Kcnr0xSYvfC3yfkvem5C2 +Zgpj+xRIfbB6tw7k/ePdguBJ5e94Y5nDtavMr58Wxgtnleyc3/k/iRgK1wpD +BUrf83ZWMt3QPwDL4J5npo+4YDCObrsvO3BD14XMUHpSpCvVdKCnMnngQdRt +7TERfhMMRCPcHbUD9gFh6HcsT+GzU6a9iwyJ03nYweWB/nXGGfwnTfrklwfJ +CuTSFnA= \ No newline at end of file diff --git a/cookbooks/nginx/files/etc/cron.d/kazu634 b/cookbooks/nginx/files/etc/cron.d/kazu634 new file mode 100644 index 0000000..7cd897f --- /dev/null +++ b/cookbooks/nginx/files/etc/cron.d/kazu634 @@ -0,0 +1,10 @@ +md5:3429dd1d1b7fae6ff356c639afaeaa7c:salt:114-48-239-183-69-3-57-50:aes-256-cfb:/mKhySMGT7hiRIYO45LOqBxEmwI6wCQKvrwdK+sOJq5p5xbn7wDiYwUWnhGT +feCcW0iiVS0Qq5Wpnf01KTBaQWPditaR/CBYxCToV0EZ+7lA6HUTaX7qELGP +nPTkPn6CmTgW7I/kI9XfkeeSbT0Ti+2xo3XSpce1kftGp67aBcxM6XLSCKiS +IUMFoQIBHbUlJxJ5y6vj3uA/2v/r99y/dHymoKS695abnFPfq6rDqnJC7PKe +wEeLoObLSauqgnTF4CZUgZxaSSVUCNRjkV3WTHiu3UIEsHjiwJFBqJfWzVr9 +dvgzZAFt5YUwwGHEhZjtO66/Tp8Po4SZzRRDbftCBSS8nIZQ66qYwmKHGK98 +eYOFtpbQYnVMJKWd+orSDse61CcaT2tPgTZ4fjln/a4Ru4V5Kr4/HRyRmn6J +bIzBVuBVuh8T0oh36GSefSjfL7KyProS4waFlX53qwrMPHBmP873cJ2ZO1GN +HYk2QEUPP1BWEWiv9kfNu6mZPKVHIL7CEkvOAxlDWaKjgll5eNbbfzDw1hh3 +Hn3RPGs= \ No newline at end of file diff --git a/cookbooks/nginx/files/etc/cron.d/lego b/cookbooks/nginx/files/etc/cron.d/lego deleted file mode 100644 index 10c1a49..0000000 --- a/cookbooks/nginx/files/etc/cron.d/lego +++ /dev/null 
@@ -1,15 +0,0 @@ -md5:c79b07af6291083d791d1902a2637509:salt:199-29-148-147-93-118-94-214:aes-256-cfb:+1A39ytpBJ0l9yD+eCP5DmHnSILgFr9JLu0o+JoVbBEY2JoJiv6e0M23etSN -OHHH/AlnnrSarWA7UzO3aXZP8aNsi5N6VWXwGLw4XtqnwjWryUebGjIDwGrU -ioN1q0lVfw+Yqo5k27eVrVJNrL/Ki/Uu5NPqdGZScFcBq4FYjDUfFAuJqKCB -LAf24VqY3d9DhxibsVlM4kkEczOzjX0opRLPAyef50pSlu53SCnM/93v8ekN -03JUPGove1klD+gwYBWEx6PLJp/ECnPeRhIqRayEDTpGQ7kVoK7zruJGTPhj -Esk9yd6wabSHVv7TrsyFQxqzVn93zd/KnivKtCs1qf7kvg24zpvAygjn5RhW -MyXxIPDw7TE64xzwzhmu2/mVRZrUxsY2entJ9OJFqi9a7n54Io6iLKN70b3R -ecg2qXX8arlSKqb4QzqegRr1/w3t67EsuyTArU6Juj48gHKGiwbp9pdMTLdZ -L7lLUn8pbFNldWFCT4UjYtXPPpdNbm9Fp4RQXTYZdY8cYYGHzffLwCk7GlGX -uTpXtmGnfyQtZm+c7X2MP/dWCyyexBQXj+S5YSdE47XVYMnCKrVJjej6Q2je -qTd+Axrzn9K4p7Q9fOwOKLMUXOgfMMmHbfw2xmcpt+oWIWm+JyiGngylOu0b -zxWrff+iUIL0EedLSes0Opc4/gFKqa97r5qv5qwDKR7jgjeULDe6Rzn/Xv+M -lVGm3YGZnnNGG7Nf/qIn2SEyEi89DbPTLfOeeFx1ThVMVTjU7sLivyIrmz5e -8T0Cq/i9K2A8iijhyOugDWikNCRjQK8ZzL6WAtzL7nWLYp5jCTD9PFMfDgFo -7t4zAqat4iT1HtZdt7hiUO5MbA== \ No newline at end of file diff --git a/cookbooks/nginx/files/etc/lego/everun_run.sh b/cookbooks/nginx/files/etc/lego/everun_run.sh index 94e4b10..a957647 100644 --- a/cookbooks/nginx/files/etc/lego/everun_run.sh +++ b/cookbooks/nginx/files/etc/lego/everun_run.sh 
@@ -1,8 +1,8 @@ -md5:e7887186aea3bbd3d6b4951de375c79d:salt:136-75-189-47-2-186-228-12:aes-256-cfb:7pH09CBmCgVKJDl2WTrPt25WbDmnb6nxroKOpF/0/f1o98IelqLWvsFwSXzI -1e56t8SGpgDt9X+a13QDO5JaSyBAINMbzZMDXMqDuN49BMbo1nbEvWOG0DTC -7zrsNK/l3qIMo8ArpvnF36QZseXibP1rrRb1IslwmlfuvZz5Vg39IAcQH/Ny -3bSdxcE3ssbr9XuaG3HmPpTHmywn5Pc5lCSbKMW1mnCEMlPOiL4pJdHQzy24 -YAlrt7A+TNIBk056J4DrfnRYaB2FhrXtN8BFjAzkH5RJvRBRVbCHnZM30bxG -hJgzmPK2MBflKTM1tSQ6ZwUnZie84AETk0hZZBTjHSWHvI21zStTe974R/cC -0KMPAWSprEt0Vpa81GBhwrC7UVCyEeE0DhaFiM5vCgvqSuMDFzESGGTztJzW -baxx8T8CfNAcvpkcRyfQYk7S \ No newline at end of file +md5:c97addd9484611e9038f4d21490f95ef:salt:46-243-167-154-98-197-19-76:aes-256-cfb:MulsiIrRht0HvexrIXKc6q6pW9B4LnSaNB3FQyOghiAmaQKafmjvaPycv3nl +O/2FKcYHZ9g4sRysBo9t/Yttd7Q+ytGKz5MWG0w7vddvVsijaBjcqltS5Zvh +r6gTozBur13iBqsk7AYlU/wjyH62Zdgmo0rJBHp70Zqx4Bk81bDrqHbypzcK +XcM1Qg1jU1Y0bJgUyCLkpTYOjtNBug0sRYQ/Slv0/UbzgEA5WtTO7sRAEPuj +Y0qvUJVDz+0zYRinOwCOA+IGARqB5GsDtQ4YgGR9kKSmoUPPRSjIg7xSKB0S +rn1CUSjKEbmPIHeOMWSg7CXmOzzVPMTNqM6MLjGHmOyWGSDPvwRiPI5AacNu +AmOsFNY2EiWUJolrz5RpZZXjkGFmcwnxn+7ZtoWO7nD8JhaCrPpxC6C/rnav +ZGg= \ No newline at end of file diff --git a/cookbooks/nginx/files/etc/lego/kazu634_run.sh b/cookbooks/nginx/files/etc/lego/kazu634_run.sh index 0fd9a4a..ea6ddf5 100644 --- a/cookbooks/nginx/files/etc/lego/kazu634_run.sh +++ b/cookbooks/nginx/files/etc/lego/kazu634_run.sh 
@@ -1,8 +1,8 @@ -md5:96eae5dbfe873212499d1cda58215bc0:salt:45-243-88-46-67-155-255-124:aes-256-cfb:q3OckWaetMF6FqeKkB2j34jtTSs4xOtwz0ZBG0hP3NjCUxK13XH55/IIjTI3 -HDrqT+2FWXPxUOBEk0JNqJ1jJKIRLR7Td0yfa908RH2fRHsyXNs9So4fx3cM -SDkTQO6olnKBr9hGm/ua1ohvRFfoUSMu1eNfe+X0FkZZxES0CJBBb43vitDq -dsL1lgP1Co0HjvrGu3VKRPSDbUYhfI7raq4jZAy5Q9IJrMLrLdKjlJYjg5St -1Cso0QR938DG3UM0uLXrj9YZ5BdNCqUFvu/gJPjA+VfL4giAYy5cmslEuvV7 -EKkFuTmOOBY4fXSZIDfQinl966QgnCQgmYiPNctyVMtJPF7GA0K/FPMx/CHH -KZUuXkKo04jeSWuQ9ZQC81xEifZb1CXlh0p9AIn2i9aSMrRBMHGmzfEb4FKH -8d4onnK27xWC \ No newline at end of file +md5:032af53422a767d4edf60d5d2f8ec84e:salt:231-40-60-67-6-253-79-25:aes-256-cfb:PiAZ+U6IHA4GvL3gDsLzeV48MvnaAaEbAqWqYLq4TrsrbRj8J2QT6ANUjZoC +IxHgZ8yn/jNmpGrqj1ZPvF3V2qGG9RomI5txRf3oEWaiM1EGoHrcgj5GSEeF +7izz9sPV+DGA/aY0VTZOSIIdogZ7yY8KGRJ5w30KTmJtvZ6zzYUFzBtzqLup +Ax3I5OzDJUuIOWr0wcE+SPAuBq4VWzfY2gTUUeepy+VMDilN2dltRAlPL+6R +t8wy4JjIuQ8y/fYVYkSVACWgL9cXWWQWgyk8yr+KJFV3ejL0UxwCGtpy54cj +kVtt1b3i/VhntaSFKMzY6BtRKrSbtd1nvuMT8gSrY9Kq6MFUNorjlAkAznkK +R4Jw6aWF8aMor3JhCp0aqc109K9pvmvkCRvCkYKH/Fs9DLGD1AsEDPFrdndi +AWs= \ No newline at end of file diff --git a/cookbooks/nginx/files/etc/nginx/nginx.conf b/cookbooks/nginx/files/etc/nginx/nginx.conf index c9c5eae..62c9bd0 100644 --- a/cookbooks/nginx/files/etc/nginx/nginx.conf +++ b/cookbooks/nginx/files/etc/nginx/nginx.conf 
@@ -96,16 +96,27 @@ http {
 # Logging Settings
 ##
- log_format ltsv "time:$time_local\thost:$remote_addr"
- "\tforwardedfor:$http_x_forwarded_for\t"
- "method:$request_method\tpath:$request_uri\tprotocol:$server_protocol"
- "\tstatus:$status\tsize:$body_bytes_sent\treferer:$http_referer"
- "\tua:$http_user_agent\ttaken_sec:$request_time"
- "\tbackend:$upstream_addr\tbackend_status:$upstream_status"
- "\tcache:$upstream_http_x_cache\tbackend_runtime:$upstream_response_time"
- "\tvhost:$host";
+ log_format json escape=json
+ '{'
+ '"time":"$time_local",'
+ '"host":"$remote_addr",'
+ '"forwardedfor":"$http_x_forwarded_for",'
+ '"method":"$request_method",'
+ '"path":"$request_uri",'
+ '"protocol":"$server_protocol",'
+ '"status":"$status",'
+ '"size":"$body_bytes_sent",'
+ '"referer":"$http_referer",'
+ '"ua":"$http_user_agent",'
+ '"taken_sec":"$request_time",'
+ '"backend":"$upstream_addr",'
+ '"backend_status":"$upstream_status",'
+ '"cache":"$upstream_http_x_cache",'
+ '"backend_runtime":"$upstream_response_time",'
+ '"vhost":"$host"'
+ '}';
- access_log /var/log/nginx/access.log ltsv;
+ access_log /var/log/nginx/access.log json;
 error_log /var/log/nginx/error.log;
 ##
diff --git a/cookbooks/nginx/files/etc/systemd/system/vector-nginx-access.service b/cookbooks/nginx/files/etc/systemd/system/vector-nginx-access.service
new file mode 100644
index 0000000..6ec76bc
--- /dev/null
+++ b/cookbooks/nginx/files/etc/systemd/system/vector-nginx-access.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Vector
+Documentation=https://vector.dev
+After=network-online.target
+Requires=network-online.target
+
+[Service]
+ExecStart=/usr/bin/vector --config /etc/vector/nginx-access.toml
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=always
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=vector
+
+[Install]
+WantedBy=multi-user.target
+
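Review bot: The `[Service]` section of vector-nginx-access.service has no `User=`, so vector runs as root although its job here is to read `/var/log/nginx/*` and write under `/var/lib/vector` and `/tmp` (per nginx-access.toml); the same applies to vector-nginx-error.service in the next hunk. A dedicated account plus basic sandboxing, e.g. `User=vector`, `NoNewPrivileges=true` and `ProtectSystem=full`, bounds what a bug in the log parser can reach; I believe the upstream vector package creates a `vector` user, but confirm that on the target host and give it read access to the nginx log directory. Both units also share `Description=Vector` and `SyslogIdentifier=vector`, so journal entries from the two instances are indistinguishable; `SyslogIdentifier=vector-nginx-access` (and `vector-nginx-error`) keeps them apart.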
diff --git a/cookbooks/nginx/files/etc/systemd/system/vector-nginx-error.service b/cookbooks/nginx/files/etc/systemd/system/vector-nginx-error.service
new file mode 100644
index 0000000..2debe77
--- /dev/null
+++ b/cookbooks/nginx/files/etc/systemd/system/vector-nginx-error.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Vector
+Documentation=https://vector.dev
+After=network-online.target
+Requires=network-online.target
+
+[Service]
+ExecStart=/usr/bin/vector --config /etc/vector/nginx-error.toml
+ExecReload=/bin/kill -HUP $MAINPID
+Restart=always
+StandardOutput=journal
+StandardError=journal
+SyslogIdentifier=vector
+
+[Install]
+WantedBy=multi-user.target
+
diff --git a/cookbooks/nginx/files/etc/vector/nginx-access.toml b/cookbooks/nginx/files/etc/vector/nginx-access.toml
new file mode 100644
index 0000000..9326888
--- /dev/null
+++ b/cookbooks/nginx/files/etc/vector/nginx-access.toml
@@ -0,0 +1,65 @@
+data_dir = "/var/lib/vector/"
+
+[sources.nginx]
+ type = "file"
+ include = [ "/var/log/nginx/*access.log" ]
+ ignore_older_secs = 600
+ read_from = "beginning"
+
+[transforms.nginx_transform]
+ type = "remap"
+ inputs = ["nginx"]
+ source = '''
+ .hostname = .host
+
+ l = parse_json!(.message)
+ . = merge!(., l)
+
+ del(.message)
+ del(.host)
+
+ .status = string!(.status)
+ if match(.status, r'^[23]') {
+ .level = "info"
+ } else if match(.status, r'^[4]') {
+ .level = "warn"
+ } else {
+ .level = "error"
+ }
+
+ .timestamp = parse_timestamp!(.time, format: "%d/%b/%Y:%T %z")
+ del(.time)
+ '''
+
+[sinks.nginx_output]
+type = "file"
+inputs = [ "nginx_transform" ]
+compression = "none"
+path = "/tmp/nginx-access-%Y-%m-%d.log"
+
+ [sinks.nginx_output.encoding]
+ codec = "json"
+
+ [sinks.nginx_output.buffer]
+ max_size = 268435488
+ type = "disk"
+
+[sinks.nginx_loki]
+type = "loki"
+inputs = [ "nginx_transform" ]
+endpoint = "http://loki.service.consul:3100"
+compression = "snappy"
+
+ [sinks.nginx_loki.labels]
+ level = "{{ level }}"
+ hostname = "{{ hostname }}"
+ job = "nginx"
+ vhost = "{{ vhost }}"
+
+ [sinks.nginx_loki.encoding]
+ codec = "json"
+
+ [sinks.nginx_loki.buffer]
+ max_size = 268435488
+ type = "disk"
+
diff --git a/cookbooks/nginx/files/etc/vector/nginx-error.toml b/cookbooks/nginx/files/etc/vector/nginx-error.toml
new file mode 100644
index 0000000..d4b2f2b
--- /dev/null
+++ b/cookbooks/nginx/files/etc/vector/nginx-error.toml
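Review bot: The transform throws away the client address: the access-log JSON defined in nginx.conf maps `host` to `$remote_addr`, `merge!(., l)` copies that value onto `.host`, and `del(.host)` three lines later deletes it, so the events reaching Loki carry only the client-controlled `forwardedfor` and no source IP, which is the one field incident response needs most from an access log; keep it under an explicit name before deleting, e.g. `.remote_addr = del(.host)` in place of `del(.host)` (`.hostname` is captured before the merge, so that part stays correct). Separately, `vhost = "{{ vhost }}"` in `[sinks.nginx_loki.labels]` turns `$host` — the request's Host header, which any client can set to an arbitrary value — into a Loki stream label, so label cardinality is unbounded; map it in the transform onto a fixed allow-list of served names and fold everything else into a constant such as `"other"`. The `file` sink writing root-owned, predictably named files with no rotation into world-writable `/tmp` exposes full access logs to every local user and is the classic symlink-race surface; if it is more than a debugging aid, point it at a directory owned by the vector user. Finally, `read_from = "beginning"` with `parse_json!` will meet the pre-existing LTSV lines in the current access.log, since this same commit switches the format; I believe remap passes an event through unmodified on a runtime error by default, so set `drop_on_error = true` or use the non-aborting `parse_json` and branch on `err`.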
@@ -0,0 +1,56 @@
+data_dir = "/var/lib/vector/"
+
+[sources.nginx-error]
+ type = "file"
+ include = [ "/var/log/nginx/*error.log" ]
+ ignore_older_secs = 600
+ read_from = "beginning"
+
+[transforms.nginx-error_transform]
+ type = "remap"
+ inputs = ["nginx-error"]
+ source = '''
+ .hostname = .host
+ del(.host)
+
+ el, err = parse_regex(.message, r'^(?P[^ ]+ [^ ]+) (?P[^ ]+) (?P.*)$')
+ . = merge(., el)
+
+ tmp, err = replace(.level, "[", "")
+ .level = replace(tmp, "]", "")
+
+ .timestamp = parse_timestamp!(.timestamp, "%Y/%m/%d %T")
+ '''
+
+[sinks.nginx-error_output]
+type = "file"
+inputs = [ "nginx-error_transform" ]
+compression = "none"
+path = "/tmp/nginx-error-%Y-%m-%d.log"
+
+ [sinks.nginx-error_output.encoding]
+ codec = "json"
+
+ [sinks.nginx-error_output.buffer]
+ max_size = 268435488
+ type = "disk"
+
+[sinks.nginx-error_loki]
+type = "loki"
+inputs = [ "nginx-error_transform" ]
+endpoint = "http://loki.service.consul:3100"
+compression = "snappy"
+
+ [sinks.nginx-error_loki.labels]
+ level = "{{ level }}"
+ hostname = "{{ hostname }}"
+ vhost = "{{ vhost }}"
+ job = "nginx"
+
+ [sinks.nginx-error_loki.encoding]
+ codec = "json"
+
+ [sinks.nginx-error_loki.buffer]
+ max_size = 268435488
+ type = "disk"
+
diff --git a/cookbooks/nginx/files/home/webadm/nginx-build/configure.sh b/cookbooks/nginx/files/home/webadm/nginx-build/configure.sh
old mode 100644
new mode 100755
index 6930690..71fb9f3
--- a/cookbooks/nginx/files/home/webadm/nginx-build/configure.sh
+++ b/cookbooks/nginx/files/home/webadm/nginx-build/configure.sh
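Review bot: `vhost = "{{ vhost }}"` in `[sinks.nginx-error_loki.labels]` references a field the transform never produces — `nginx-error_transform` sets only `hostname`, `level`, `timestamp` and whatever the regex captures — so that label template cannot render for any event; I believe the Loki sink treats an unrenderable label as a per-event error and drops the event, so verify against a running instance and either remove the line or give it a constant. `el, err = parse_regex(...)` captures `err` and then never checks it, and `. = merge(., el)` runs on whatever `el` holds when the line did not match; use `parse_regex!` so a format mismatch shows up in vector's own log, or branch on `err != null` before the merge. As rendered here the capture groups read `(?P[^ ]+ ...)` with no group names, which the regex engine would reject; presumably the names (`timestamp`, `level`, `message`, judging by the later references) were stripped in display, but check the committed file.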
@@ -8,4 +8,4 @@
 --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module \
 --with-http_v2_module --with-http_stub_status_module --with-http_realip_module --with-http_auth_request_module \
 --with-http_addition_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module \
- --with-http_sub_module --with-stream --with-stream_ssl_module
+ --with-http_sub_module --with-stream --with-stream_ssl_module --with-http_v3_module
diff --git a/cookbooks/nginx/lego.rb b/cookbooks/nginx/lego.rb
index 7e903af..dbaf358 100644
--- a/cookbooks/nginx/lego.rb
+++ b/cookbooks/nginx/lego.rb
@@ -91,14 +91,14 @@ end
 user 'root'
 cwd LEGO_STORAGE
 end
-end
-encrypted_remote_file '/etc/cron.d/lego' do
- owner 'root'
- group 'root'
- mode '644'
- source 'files/etc/cron.d/lego'
- password ENV['ITAMAE_PASSWORD']
+ encrypted_remote_file "/etc/cron.d/#{domain}" do
+ owner 'root'
+ group 'root'
+ mode '644'
+ source "files/etc/cron.d/#{domain}"
+ password ENV['ITAMAE_PASSWORD']
+ end
 end
 remote_file "/etc/lego/dhparams_4096.pem" do
diff --git a/cookbooks/nginx/setup.rb b/cookbooks/nginx/setup.rb
index 0ef7337..1433459 100644
--- a/cookbooks/nginx/setup.rb
+++ b/cookbooks/nginx/setup.rb
@@ -13,7 +13,7 @@ remote_file '/lib/systemd/system/nginx.service' do
 end
 # Firewall Setting:
-%w( 80/tcp 443/tcp ).each do |port|
+%w( 80/tcp 443/tcp 443/udp ).each do |port|
 execute "ufw allow #{port}" do
 user 'root'
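Review bot: `password ENV['ITAMAE_PASSWORD']` in the moved `encrypted_remote_file` block of lego.rb yields `nil` when the variable is unset, so the resource proceeds without a password and only fails later at decryption time with a less obvious error; `password ENV.fetch('ITAMAE_PASSWORD')` makes a missing secret fail at recipe evaluation with a message naming the variable. The block now also interpolates `domain` into both the `/etc/cron.d/` target path and the cookbook source path; the committed files are named `everun` and `kazu634`, so `domain` is evidently a short label rather than an FQDN, and a comment saying so (on Debian-derived systems cron skips cron.d entries whose names contain a dot) would stop the next reader from passing a real domain here. The loop that binds `domain` starts outside the hunk.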
@@ -35,25 +35,36 @@ service 'nginx' do
 action [ :enable, :start ]
 end
-# Deploy `promtail` config file:
-HOSTNAME = run_command('uname -n').stdout.chomp
-
-template '/etc/promtail/nginx.yaml' do
- owner 'root'
- group 'root'
- mode '644'
-
- variables(HOSTNAME: HOSTNAME, LOKIENDPOINT: node['promtail']['lokiendpoint'])
-end
-
-# Deploy the `systemd` configuration:
-remote_file '/lib/systemd/system/promtail-nginx.service' do
+# Deploy `vector` config:
+remote_file '/etc/vector/nginx-access.toml' do
 owner 'root'
 group 'root'
 mode '644'
 end
-# Service setting:
-service 'promtail-nginx' do
- action [ :enable, :restart ]
+remote_file '/etc/systemd/system/vector-nginx-access.service' do
+ owner 'root'
+ group 'root'
+ mode '644'
 end
+
+service 'vector-nginx-access' do
+ action [ :enable, :start ]
+end
+
+remote_file '/etc/vector/nginx-error.toml' do
+ owner 'root'
+ group 'root'
+ mode '644'
+end
+
+remote_file '/etc/systemd/system/vector-nginx-error.service' do
+ owner 'root'
+ group 'root'
+ mode '644'
+end
+
+service 'vector-nginx-error' do
+ action [ :enable, :start ]
+end
+
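Review bot: The promtail-to-vector swap removes the `service 'promtail-nginx'` resource but never stops or disables it, and leaves `/lib/systemd/system/promtail-nginx.service` and `/etc/promtail/nginx.yaml` on disk, so hosts provisioned before this commit keep running promtail next to the two vector units and ship every access line to Loki twice (or choke on the new JSON format). The new `remote_file` resources for the vector configs and units also carry no `notifies`, and the services only `:enable, :start`, so a later edit to `nginx-access.toml` is copied but not applied until something restarts vector. Add a teardown for promtail and a restart notification on each config/unit file; the snippet shows the pattern for the access pair, and the error pair is identical. Whether `/etc/vector` exists before the first `remote_file` depends on the vector package, which is not shown here.
```ruby
# Retire the promtail shipper that vector replaces; guard so fresh hosts
# that never had the unit do not fail on `systemctl stop`.
service 'promtail-nginx' do
  action [ :stop, :disable ]
  only_if 'systemctl list-unit-files promtail-nginx.service | grep -q promtail-nginx'
end

file '/lib/systemd/system/promtail-nginx.service' do
  action :delete
end

# Deploy `vector` config:
remote_file '/etc/vector/nginx-access.toml' do
  owner 'root'
  group 'root'
  mode '644'
  notifies :restart, 'service[vector-nginx-access]'
end

remote_file '/etc/systemd/system/vector-nginx-access.service' do
  owner 'root'
  group 'root'
  mode '644'
  notifies :restart, 'service[vector-nginx-access]'
end

# … unchanged: service 'vector-nginx-access' …
# … unchanged: nginx-error.toml / vector-nginx-error.service / service 'vector-nginx-error', same notifies pattern …
```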