playbooks/link.yml

@@ -27,14 +27,6 @@
         group: "{{ podman_prometheus_podman_rootless_user }}"
         mode: "0444"
       become: true
-    - name: Podman CDR Link | Update legacy instance list for Prometheus
-      ansible.builtin.template:
-        src: oldlink_sd.yml
-        dest: "/home/{{ podman_prometheus_podman_rootless_user }}/file-configs/oldlink.yml"
-        owner: "{{ podman_prometheus_podman_rootless_user }}"
-        group: "{{ podman_prometheus_podman_rootless_user }}"
-        mode: "0444"
-      become: true
 
 - name: Legacy Link | Set up ClouDNS monitoring of legacy (Docker Compose) Link instances
   hosts:

playbooks/templates/oldlink_sd.yml

@@ -1,9 +0,0 @@
----
-{% for host in groups['legacy_link'] %}
-- targets:
-    - "{{ hostvars[host].vpc_ip | default(host) }}:9100"
-  labels:
-    job: node
-    app: legacy_link
-    instance: "{{ host }}"
-{% endfor %}

roles/podman_link/defaults/main.yml

@@ -1,6 +1,6 @@
 # podman_link_podman_rootless_user:
 podman_link_web_hostname: "{{ inventory_hostname }}"
-podman_link_stack_version: 3.4.2-beta.3
+podman_link_stack_version: 3.3.2
 podman_link_postgres_zammad_user: postgres
 podman_link_postgres_zammad_database: zammad_production
 podman_link_postgres_link_user: link
@@ -13,6 +13,7 @@ podman_link_postgres_link_database: link
 podman_link_opensearch_memory_limit: 2048
 podman_link_setup_mode: false
 podman_link_leafcutter_enabled: false
+podman_link_dashboard_url: ""
 podman_link_zammad_api_token: ""
 # podman_link_nextauth_secret:
 # podman_link_google_client_id:
@@ -25,3 +26,5 @@ podman_link_zammad_api_token: ""
 podman_link_postgres_zammad_postgresql_host: zammad-postgresql
 podman_link_postgres_zammad_es_host: opensearch
 podman_link_postgres_zammad_memcached_server: zammad-memcached:11211
+# podman_link_opensearch_hub_ip:
+# podman_link_opensearch_spoke_ip:

roles/podman_link/tasks/main.yml

@@ -8,6 +8,23 @@
     mode: "0444"
   become: true
 
+- name: Allow access from hub to spoke to Opensearch using firewalld rich rule
+  ansible.posix.firewalld:
+    rich_rule: >-
+      rule family="ipv4"
+      source address="{{ podman_link_opensearch_hub_ip }}"
+      destination address="{{ podman_link_opensearch_spoke_ip }}"
+      port protocol="tcp" port="{{ item }}" accept
+    permanent: true
+    state: enabled
+  with_items:
+    - 9200
+    - 9300
+  when:
+    - podman_link_opensearch_hub_ip is defined
+    - podman_link_opensearch_spoke_ip is defined
+  become: true
+
 - name: Podman CDR Link | PATCH | Install podman and verify rootless podman user
   ansible.builtin.include_role:
     role: sr2c.core.podman_host
@@ -68,6 +85,18 @@
   notify:
     - Restart Link
 
+# Opensearch Dashboards runs with UID/GID 1000 inside the container
+- name: Podman CDR Link | PATCH | Install Opensearch Dashboards configuration
+  ansible.builtin.template:
+    src: home/opensearch-dashboards.yml
+    dest: "/home/{{ podman_link_podman_rootless_user }}/opensearch-dashboards.yml"
+    mode: "0400"
+    owner: "{{ _podman_link_user_subuid_start + 999 }}"
+    group: "{{ _podman_link_user_subgid_start + 999 }}"
+  become: true
+  notify:
+    - Restart Link
+
 # Zammad runs with UID/GID 1000 inside the container
 - name: Podman CDR Link | PATCH | Install Zammad database configuration file
   ansible.builtin.template:
@@ -224,6 +253,7 @@
   with_items:
     - link.container
     - zammad-opensearch.container
+    - opensearch-dashboards.container
     - bridge-worker.container
     - bridge-postgresql.container
     - bridge-whatsapp.container

roles/podman_link/templates/etc/motd.d/10-data-plate.txt

@@ -3,7 +3,7 @@
     Podman user: {{ podman_link_podman_rootless_user }}
     =========================================================
     # Become the podman user
-    sudo -iu {{ podman_link_podman_rootless_user }} bash
+    sudo -iu {{ podman_link_podman_rootless_user }}
     # Check the Link stack status
     systemctl --user status link.target
     # Restart the Link stack

roles/podman_link/templates/home/config/containers/systemd/common-bridge.env

@@ -3,10 +3,11 @@ POSTGRES_PASSWORD={{ podman_link_postgres_link_password }}
 POSTGRES_DB={{ podman_link_postgres_link_database }}
 NEXTAUTH_URL=https://{{ podman_link_web_hostname }}/link/api/auth
 NEXTAUTH_SECRET={{ podman_link_nextauth_secret }}
-KEYCLOAK_ISSUER={{ podman_link_keycloak_issuer }}
+{% if podman_link_google_client_id is defined %}
-KEYCLOAK_CLIENT_ID={{ podman_link_keycloak_id }}
+GOOGLE_CLIENT_ID={{ podman_link_google_client_id }}
-KEYCLOAK_CLIENT_SECRET={{ podman_link_keycloak_secret }}
+GOOGLE_CLIENT_SECRET={{ podman_link_google_client_secret }}
-BRIDGE_FRONTEND_URL=http://link:3000/link
+{% endif %}
+BRIDGE_FRONTEND_URL=http://link:3000
 BRIDGE_SIGNAL_URL=http://signal-cli-rest-api:8081
 BRIDGE_WHATSAPP_URL=http://bridge-whatsapp:5000
 DATABASE_NAME={{ podman_link_postgres_link_database }}

roles/podman_link/templates/home/config/containers/systemd/opensearch-dashboards.container

@@ -0,0 +1,17 @@
+[Unit]
+Requires=zammad-opensearch.service
+After=zammad-opensearch.service
+PartOf=link.target
+
+[Container]
+ContainerName=opensearch-dashboards
+Environment=OPENSEARCH_USERNAME=admin
+Environment=OPENSEARCH_PASSWORD={{ podman_link_opensearch_password  | replace("%", "%%") }}
+Image=registry.gitlab.com/digiresilience/link/link-stack/opensearch-dashboards:{{ podman_link_stack_version }}
+PublishPort=127.0.0.1:5601:5601
+Volume=/home/{{ podman_link_podman_rootless_user }}/opensearch-dashboards.yml:/usr/share/opensearch-dashboards/config/opensearch_dashboards.yml:ro,Z
+Network=zammad.network
+
+[Service]
+Restart=always
+Slice=link.slice

roles/podman_link/templates/home/config/containers/systemd/zammad-nginx.container

@@ -1,6 +1,5 @@
 [Unit]
-Requires=zammad-railsserver.service zammad-websocket.service
+Requires=zammad-railsserver.service zammad-websocket.service link.service
-Wants=link.service
 After=zammad-railsserver.service zammad-websocket.service link.service
 PartOf=link.target
 

roles/podman_link/templates/home/config/systemd/user/link.target

@@ -1,9 +1,9 @@
 [Unit]
 Description=Podman CDR Link Stack by SR2 Communications
-Wants=zammad-nginx.service
+Requires=opensearch-dashboards.service
+Requires=zammad-nginx.service
+After=opensearch-dashboards.service
 After=zammad-nginx.service
-Wants=nginx.service
-After=nginx.service
 
 [Install]
 WantedBy=default.target

roles/podman_link/templates/home/opensearch-dashboards.yml

@@ -0,0 +1,36 @@
+---
+opensearch.hosts: [https://zammad-opensearch:9200]
+opensearch.ssl.verificationMode: none
+opensearch.requestHeadersAllowlist:
+  - "securitytenant"
+  - "Authorization"
+  - "x-forwarded-for"
+  - "x-forwarded-user"
+  - "x-forwarded-roles"
+opensearch_security.auth.type: "proxy"
+opensearch_security.proxycache.user_header: "x-forwarded-user"
+opensearch_security.proxycache.roles_header: "x-forwarded-roles"
+opensearch_security.multitenancy.enabled: true
+opensearch_security.multitenancy.tenants.enable_global: true
+opensearch_security.multitenancy.tenants.enable_private: true
+opensearch_security.multitenancy.tenants.preferred: [Private, Global]
+opensearch_security.cookie.secure: false
+server.basePath: "/link/dashboards"
+server.rewriteBasePath: false
+
+opensearch.username: "admin"
+opensearch.password: "{{ podman_link_opensearch_password }}"
+
+server.host: "0.0.0.0"
+
+# New config that adds to or overrides existing one:
+#
+# server.port: 5601
+# server.name: "nextgen-dashboards"
+# opensearch.hosts: ["https://aberdeen-opensearch:9200"]
+# opensearch.ssl.verificationMode: certificate
+# opensearch.ssl.certificateAuthorities:
+# ["/usr/share/opensearch-dashboards/config/certs/ca.pem"]
+
+# opensearch.requestHeadersAllowlist: ["securitytenant", "Authorization"]
+# opensearch_security.readonly_mode.roles: ["kibana_read_only"]

roles/podman_seafile/tasks/main.yml

@@ -123,10 +123,10 @@
 
 - name: Podman Seafile | Set up ClouDNS monitoring
   sr2c.core.cloudns_monitor:
-    name: "Seafile - {{ podman_seafile_hostname[:22] }}"
+    name: "Seafile - {{ inventory_hostname[:22] }}"
-    host: "{{ podman_seafile_hostname }}"
+    host: "{{ inventory_hostname }}"
-    ip: "{{ podman_seafile_hostname }}"
+    ip: "{{ inventory_hostname }}"
-    http_status_code: "302"  # This is going to redirect for SSO
+    http_status_code: "200"
     emails: "{{ cloudns_monitoring_emails }}"
     auth_id: "{{ cloudns_auth_id }}"
     auth_password: "{{ cloudns_auth_password }}"