From bf5e0de49c0db6c2abc0c7b2cc75a26aa1679b1f Mon Sep 17 00:00:00 2001
From: Daniel Poelzleithner
Date: Thu, 4 Jul 2019 04:23:39 +0200
Subject: [PATCH] activate central logging

---
 README.md | 2 +-
 hosts/containers/elastic/configuration.nix | 8 +++++
 hosts/containers/logging/configuration.nix | 39 ++++++++++++++++++++--
 hosts/containers/mongo/configuration.nix | 7 ++++
 lib/common/common.nix | 21 ++++++++++++
 lib/lxc-container.nix | 28 +++++++++++++++-
 6 files changed, 100 insertions(+), 5 deletions(-)

diff --git a/README.md b/README.md
index 7c3ac7c2..5a58a217 100644
--- a/README.md
+++ b/README.md
@@ -29,7 +29,7 @@ This does not work yet, as the nixos-system-x86_64-linux.tar.xz image is broken.
 4. Adjust hq.nixops, add [hostname]
 5. Run
 ```shell
- ssh k-ot@172.20.73.9
+ ssh k-ot@172.20.73.16
 cd nix-config/
 nixops deploy -d hq --check --include=[hostname]
 ```
diff --git a/hosts/containers/elastic/configuration.nix b/hosts/containers/elastic/configuration.nix
index 25b7c44d..d14e2ccf 100644
--- a/hosts/containers/elastic/configuration.nix
+++ b/hosts/containers/elastic/configuration.nix
@@ -17,6 +17,14 @@
 networking = {
 hostName = "elastic1";
+ firewall = {
+ allowedTCPPorts = [
+ 22
+ 9200
+ 9300
+ ];
+ enable = true;
+ };
 };
 nixpkgs.config.allowUnfree = true;
diff --git a/hosts/containers/logging/configuration.nix b/hosts/containers/logging/configuration.nix
index f434079c..df01eaf6 100644
--- a/hosts/containers/logging/configuration.nix
+++ b/hosts/containers/logging/configuration.nix
@@ -17,6 +17,21 @@
 networking = {
 hostName = "logging";
+ firewall = {
+ allowedTCPPorts = [
+ 22
+ 9000
+ 80
+ 443
+ 5044
+ 12201
+ 514
+ ];
+ allowedUDPPorts = [
+ 514
+ ];
+ enable = false;
+ };
 };
 services.openssh = {
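Review bot: The new firewall block in elastic/configuration.nix opens 9200 and 9300 to every source address, and as far as this hunk shows nothing else restricts who can reach them, so the Elasticsearch HTTP API (unauthenticated in a default setup) is reachable from any host on the network rather than only from the Graylog host; the mongo hunk does the same with 27017. Keeping 22 in `allowedTCPPorts` and moving the service ports to a source-restricted rule would close that, for example `extraCommands = "iptables -A nixos-fw -p tcp -s <logging-host-ip> --dport 9200 -j nixos-fw-accept";` (placeholder address; repeat for 9300 and, in mongo, 27017), or alternatively enable authentication on the service itself. A one-line comment above the block naming the intended peer would also help the next reader, since the list alone reads as "open to all".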
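Review bot: `enable = false;` at the end of the logging host's firewall block leaves every port on that host reachable, so the TCP and UDP allow-lists above it are dead configuration and the hunk adds no protection at all. If the rules were meant to go live the line should read `enable = true;`; if the firewall is deliberately off while the log inputs are being brought up, the block should carry a comment saying so and what still has to be verified before enabling it. Once it is enabled, 9000 is presumably only needed if Graylog is meant to be reached directly rather than through the nginx proxy the next hunk adds on 80 — worth confirming before it stays in the list.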
@@ -24,14 +39,32 @@
 permitRootLogin = "yes";
 };
+ services.nginx = {
+ enable = true;
+ virtualHosts = {
+ default = {
+ locations = {
+ "/".proxyPass = "http://127.0.0.1:9000/";
+ };
+ };
+ };
+ };
+
 services.graylog = {
 enable = true;
 passwordSecret = "SDwK3ug9U4gYSVtj3h22i0l57QO6p5RE58sNehAgU3vXgqGa2HuNyhL19vhoUKFqy28rqGfDQkRD5834NqPi5wLsy8H1hz5V";
 # mongo.serv.zentralwerk. ?
- elasticsearchHosts = [ "http://172.20.73.10:9200" ];
- rootPasswordSha2 = "0319baba53abe8b33e1da12fd906c27cbe61fad6a129b9d5ecf196b6661e959d";
+ elasticsearchHosts = [ "http://172.20.73.15:9200" ];
+ rootPasswordSha2 = "3e784172684dcd89d66175b8719cd7894cc96b454ef1d5aa74bd92b3c57da7cd";
 # mongo.serv.zentralwerk. ?
- mongodbUri = "mongodb://172.20.73.12/graylog";
+ mongodbUri = "mongodb://172.20.73.14/graylog";
+ extraConfig = ''
+ http_bind_address = 0.0.0.0:9000
+ elasticsearch_shards = 1
+ allow_highlighting = true
+ allow_leading_wildcard_searches = true
+ '';
+ user = "root";
 };
 system.stateVersion = "19.03"; # Did you read the comment?
diff --git a/hosts/containers/mongo/configuration.nix b/hosts/containers/mongo/configuration.nix
index f9790c33..6e470480 100644
--- a/hosts/containers/mongo/configuration.nix
+++ b/hosts/containers/mongo/configuration.nix
@@ -17,6 +17,13 @@
 networking = {
 hostName = "mongo";
+ firewall = {
+ allowedTCPPorts = [
+ 22
+ 27017
+ ];
+ enable = true;
+ };
 };
 services.openssh = {
diff --git a/lib/common/common.nix b/lib/common/common.nix
index 088f4d1f..5354e987 100644
--- a/lib/common/common.nix
+++ b/lib/common/common.nix
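Review bot: `passwordSecret` and `rootPasswordSha2` are literal values committed with the configuration; `passwordSecret` is the key Graylog uses to protect stored credentials, so now that it is in repository history it should be rotated and both values should be supplied from a deployment secret (a NixOps key or a file read at activation) rather than from this file. The new `http_bind_address = 0.0.0.0:9000` binds the Graylog web/API on every interface even though the nginx proxy added above talks to `127.0.0.1:9000`; `http_bind_address = 127.0.0.1:9000` keeps only the proxy in front of it and makes the 9000 entry in the firewall list unnecessary. `user = "root";` runs the Graylog JVM as root where the module's own service user would presumably do; if it is a workaround, a comment such as `# runs as root because <what fails otherwise> — TODO drop once fixed` should say what breaks without it. The two `# mongo.serv.zentralwerk. ?` comments are still attached to addresses that this commit changes, so they should either be resolved or explain why IPs are used instead of names.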
@@ -5,4 +5,25 @@
 nameservers = [ "172.20.72.6" "9.9.9.9" "74.82.42.42" ];
 };
+ # add central logging
+ services.journalbeat = {
+ enable = true;
+ extraConfig = ''
+ journalbeat:
+ seek_position: cursor
+ cursor_seek_fallback: tail
+ write_cursor_state: true
+ cursor_flush_period: 5s
+ clean_field_names: true
+ convert_to_numbers: false
+ move_metadata_to_field: journal
+ default_type: journal
+ kernel: true
+ output.logstash:
+ # Boolean flag to enable or disable the output module.
+ enabled: true
+ hosts: ["logging.serv.zentralwerk.org:5044", "172.20.73.13:5044"]
+ '';
+ };
+
 }
diff --git a/lib/lxc-container.nix b/lib/lxc-container.nix
index 0f8440c8..4947982a 100644
--- a/lib/lxc-container.nix
+++ b/lib/lxc-container.nix
@@ -8,9 +8,12 @@
 nix.useSandbox = false;
 nix.maxJobs = lib.mkDefault 1;
 nix.buildCores = lib.mkDefault 4;
- networking.useNetworkd = true;
+ #networking.useNetworkd = true;
+
+ networking.interfaces.eth0.useDHCP = true;
 boot.isContainer = true;
+ # /sbin/init
 boot.loader.initScript.enable = true;
 boot.loader.grub.enable = false;
@@ -27,6 +30,29 @@
 fileSystems."/" = { fsType = "rootfs"; device = "rootfs"; };
+ # add central logging
+ services.journalbeat = {
+ enable = true;
+ tags = [ "container" ];
+ extraConfig = ''
+ journalbeat:
+ seek_position: cursor
+ cursor_seek_fallback: tail
+ write_cursor_state: true
+ cursor_flush_period: 5s
+ clean_field_names: true
+ convert_to_numbers: false
+ move_metadata_to_field: journal
+ default_type: journal
+ kernel: true
+ output.logstash:
+ # Boolean flag to enable or disable the output module.
+ enabled: true
+ hosts: ["logging.serv.zentralwerk.org:5044", "172.20.73.13:5044"]
+ '';
+ };
+
 # Required for remote deployment
 services.openssh.enable = true;
+
 }
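Review bot: The `output.logstash` section in common.nix ships every host's full journal to `logging.serv.zentralwerk.org:5044` and `172.20.73.13:5044` with no `ssl` settings, so the journal contents (which routinely include usernames, addresses and service errors) travel in clear text and the collector cannot tell a legitimate sender from anything else on the network that connects to 5044. Adding an `ssl.certificate_authorities`, `ssl.certificate` and `ssl.key` block under `output.logstash`, with TLS and client verification configured on the Beats input on the Graylog side, addresses both; the config's own comment `# Boolean flag to enable or disable the output module.` should also be replaced by one saying where the logs go and why both a name and a bare IP are listed. The same block is then added again verbatim in the second lxc-container.nix hunk; if lxc-container.nix imports lib/common (not visible here, TODO confirm) the two `extraConfig` definitions will either conflict or be concatenated depending on the option's type, so the container file should only add `tags = [ "container" ];` and inherit the rest.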
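Review bot: The first lxc-container.nix hunk keeps `#networking.useNetworkd = true;` as commented-out code instead of deleting it, and nothing records why the containers move from networkd to `networking.interfaces.eth0.useDHCP = true;`, so the next reader cannot tell whether networkd is still meant to come back. Either drop the commented line or replace it with a why-comment naming the problem networkd caused inside the LXC container (the reason is not visible in this diff, so the wording has to come from whoever hit it). `# /sbin/init` above `boot.loader.initScript.enable = true;` is likewise too terse to carry its meaning; `# LXC starts the container through /sbin/init, which initScript generates` would say what the option is for, if that is indeed the reason.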