Add role to install and template configuration for Alloy

5 files changed, 85 insertions, 0 deletions

diff --git a/ansible/roles/alloy/README.md b/ansible/roles/alloy/README.md
new file mode 100644
index 0000000..3cb4004
--- /dev/null
+++ b/ansible/roles/alloy/README.md
@@ -0,0 +1,26 @@
+# Grafana Alloy
+
+This role deploys an instance of Grafana Alloy with configuration that by
+default:
+- Exports the system journal to the configured Loki instance
+- Exports other log files to the configured Loki instance, including:
+  - `/var/log/auth.log`
+
+It requires the addition of the Grafana package repository to allow Alloy to be
+installed with `apt`. This is handled by the role.
+
+## Configuration values
+
+Required user configuration options:
+
+- `alloy_loki_endpoint`: The Loki log push endpoint to stream logs into.
+
+Defaulted configuration options:
+
+- `alloy_grafana_signing_key`: Signing key URL to use for Grafana packages
+  (default: `https://apt.grafana.com/gpg.key`)
+- `alloy_grafana_signing_key_fingerprint`: Expected key fingerprint from above
+  configuration key, used to prevent malicious tampering (default: most recent
+  known fingerprint of above address)
+- `alloy_grafana_repository`: Repository to configure and add to aptitude
+  (default: `deb https://apt.grafana.com stable main`)
diff --git a/ansible/roles/alloy/defaults/main.yml b/ansible/roles/alloy/defaults/main.yml
new file mode 100644
index 0000000..fac8845
--- /dev/null
+++ b/ansible/roles/alloy/defaults/main.yml
@@ -0,0 +1,4 @@
+---
+alloy_grafana_signing_key: "https://apt.grafana.com/gpg.key"
+alloy_grafana_signing_key_fingerprint: "B53AE77BADB630A683046005963FA27710458545"
+alloy_grafana_repository: "deb https://apt.grafana.com stable main"
diff --git a/ansible/roles/alloy/handlers/main.yml b/ansible/roles/alloy/handlers/main.yml
new file mode 100644
index 0000000..e38b3c6
--- /dev/null
+++ b/ansible/roles/alloy/handlers/main.yml
@@ -0,0 +1,7 @@
+---
+- name: Reload the alloy service
+  service:
+    name: alloy
+    state: reloaded
+  tags:
+    - role::alloy
diff --git a/ansible/roles/alloy/tasks/main.yml b/ansible/roles/alloy/tasks/main.yml
new file mode 100644
index 0000000..f593e61
--- /dev/null
+++ b/ansible/roles/alloy/tasks/main.yml
@@ -0,0 +1,45 @@
+---
+
+- name: Add apt signing key for Grafana repo
+  ansible.builtin.apt_key:
+    url: "{{ alloy_grafana_signing_key }}"
+    state: present
+    id: "{{ alloy_grafana_signing_key_fingerprint }}"
+    keyring: "/etc/apt/trusted.gpg.d/grafana.gpg"
+  tags:
+    - role::alloy
+
+- name: Add Grafana apt repository to apt lists
+  ansible.builtin.apt_repository:
+    repo: "{{ alloy_grafana_repository }}"
+    filename: grafana
+    state: present
+  tags:
+    - role::alloy
+
+- name: Install Alloy package from Grafana repository
+  package:
+    name: alloy
+    state: present
+  tags:
+    - role::alloy
+
+- name: Template Alloy configuration file into Alloy configuration
+  template:
+    src: config.alloy.j2
+    dest: /etc/alloy/config.alloy
+    group: root
+    owner: root
+    mode: "0644"
+  tags:
+    - role::alloy
+  notify:
+    - Reload the alloy service
+
+- name: Start and enable the Alloy service
+  service:
+    name: alloy
+    state: started
+    enabled: true
+  tags:
+    - role::alloy
diff --git a/ansible/roles/alloy/templates/config.alloy.j2 b/ansible/roles/alloy/templates/config.alloy.j2
new file mode 100644
index 0000000..ac27875
--- /dev/null
+++ b/ansible/roles/alloy/templates/config.alloy.j2
@@ -0,0 +1,3 @@
+logging {
+  level = "info"
+}