Feat/graylog assert (#197)

* feat(roles/graylog_datanode): add validation for graylog_datanode__password_secret length

* feat(roles/graylog_server): add validation for graylog_server__password_secret length

* feat(roles/graylog_datanode): allow users to specify path_node variable in datanode.conf

* fix assert logic

* update docs, add setting for graylog_datanode__node_search_cache_size

* add validation and readme entry for graylog_datanode__node_search_cache_size

* remove invalid assert

* fix(roles/graylog_server): update server configuration to disable telemetry

* fix(roles/graylog_datanode): restrict permissions for snapshot repo paths

* fix(roles/graylog_datanode): extend datanode configuration options to allow __raw configs

* incorporate feedback from pull request

* fix whitespace, headers in templates

* update changelog

* style(roles/graylog_*): fix whitespace

---------

Co-authored-by: Navid Sassan <navid.sassan@linuxfabrik.ch>

Author: ebuerki-lf

CHANGELOG.md

@@ -16,13 +16,17 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Added
 
+* **role:graylog_datanode**: Add optional variable `graylog_datanode__raw`.
+* **role:graylog_datanode**: Add optional variables `graylog_datanode__path_repos`, `graylog_datanode__node_search_cache_size` to configure searchable snapshot locations and size of disk-based searchable snapshot cache.
 * **role:infomaniak_vm**: Add `keep_port_on_absent` subkey on `infomaniak_vm__networks` entries to preserve the port (and its fixed IP) when the VM is set to `infomaniak_vm__state: 'absent'`, so the same IP can be re-used
 * **role:infomaniak_vm**: Add `port_name` subkey on `infomaniak_vm__networks` entries to override the name of the managed port. Defaults to the previous `{{ infomaniak_vm__name }}--{{ item["name"] }}--port` pattern, so existing setups are unaffected
 * **role:kibana**: Add `kibana__logging` variable to make the `logging:` block in `kibana.yml` fully user-configurable (appenders, loggers, root, rotation). The default preserves the previous hardcoded behavior: JSON logs at `/var/log/kibana/kibana.log`, rotated daily, 14 rotations kept
 * **ci**: Add bandit (security) and vulture (dead code) to pre-commit hooks
 
 ### Fixed
 
+* **role:graylog_datanode**: Validate that `graylog_datanode__password_secret | length >= 16`
+* **role:graylog_server**: Validate that `graylog_server__password_secret | length >= 16`
 * **role:nextcloud**: Ensure that the Nextcloud OCC is executable.
 * **execution-environment**: Add missing `sshpass` system package, required for SSH password-based connections (e.g. `--ask-pass`)
 * **role:keycloak**: Fix transaction timeout silently dropping from 3600s to 300s on Keycloak 26.6.0+ due to new `transaction-default-timeout` CLI option overriding the Quarkus property
@@ -31,6 +35,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ### Changed
 
+* **role:graylog_server**: Update `server.conf` templates to include `telemetry_enabled = false`.
 * **role:keepalived**: Document role scope in the README. The role intentionally covers only a minimal VRRP setup (single `vrrp_instance`, single `virtual_ipaddress`, PASS auth, `smtp_alert`). It does not set the `net.ipv4.ip_nonlocal_bind` sysctl and does not open the firewall for VRRP; pointers to the `kernel_settings` and `firewall` roles are included
 * **all roles**: Rewrite all role READMEs to use the new standard format: replace markdown tables with bullet lists for tags and variables, convert HTML/blockquote subkeys to expanded indented format, standardize terminology (`Bool` not `Boolean`, `Mandatory` not `Required`)
 * **role:opensearch**: Rewrite README with step-by-step cluster setup guide, single-node section, post-installation steps, and improved variable documentation

roles/graylog_datanode/README.md

@@ -78,6 +78,12 @@ graylog_datanode__password_secret: 'Linuxfabrik_GmbH'
 * Type: String.
 * Default: `'mongodb://127.0.0.1/graylog'`
 
+`graylog_datanode__node_search_cache_size`
+
+* Size of disk-based cache for searchable snaphots. This space will be automatically reserved if `graylog_datanode__path_repos` is configured. See [docs.opensearch.org - Supported Units](https://docs.opensearch.org/latest/api-reference/units/) for a list of possible options. This setting is only applied when `graylog_datanode__path_repos` contains at least one path.
+* Type: String.
+* Default: `10gb`
+
 `graylog_datanode__opensearch_data_location`
 
 * Set this OpenSearch folder if you need OpenSearch to be located in a special place.
@@ -90,6 +96,18 @@ graylog_datanode__password_secret: 'Linuxfabrik_GmbH'
 * Type: String.
 * Default: 50% of system memory, e.g. `'8g'`
 
+`graylog_datanode__path_repos`
+
+* Filesystem paths where searchable snapshots should be stored.
+* Type: List of Strings.
+* Default: `[]`
+
+`graylog_datanode__raw`
+
+* Multiline string. Raw content which will be appended to the `datanode.conf` config file. Note that the config file uses the Java properties format and not YAML.
+* Type: String.
+* Default: unset
+
 `graylog_datanode__service_enabled`
 
 * Enables or disables the graylog-datanode service, analogous to `systemctl enable/disable --now`.
@@ -102,8 +120,13 @@ Example:
 graylog_datanode__bind_address: '127.0.0.1'
 graylog_datanode__datanode_http_port: 8999
 graylog_datanode__mongodb_uri: 'mongodb://127.0.0.1/graylog'
+graylog_datanode__node_search_cache_size: '5gb'
 graylog_datanode__opensearch_data_location: '/data/opensearch'
 graylog_datanode__opensearch_heap: '8g'
+graylog_datanode__path_repos:
+  - '/mnt/backups/graylog-datanode/backup'
+graylog_datanode__raw: |-
+  insecure_startup = false
 graylog_datanode__service_enabled: true
 ```
 

roles/graylog_datanode/defaults/main.yml

@@ -1,8 +1,10 @@
 graylog_datanode__bind_address: '127.0.0.1'
 graylog_datanode__datanode_http_port: 8999
+graylog_datanode__mongodb_uri: 'mongodb://127.0.0.1/graylog'
+graylog_datanode__node_search_cache_size: '10gb'
 graylog_datanode__opensearch_data_location: '/var/lib/graylog-datanode/opensearch/data'
 graylog_datanode__opensearch_heap: '{{ [((ansible_facts["memtotal_mb"] * 0.5) | int), 31744] | min }}m'
-graylog_datanode__mongodb_uri: 'mongodb://127.0.0.1/graylog'
+graylog_datanode__path_repos: []
 graylog_datanode__service_enabled: true
 
 # ------

roles/graylog_datanode/tasks/main.yml

@@ -1,3 +1,23 @@
+- block:
+
+  - name: 'Validate that graylog_datanode__password_secret length >= 16 characters'
+    ansible.builtin.assert:
+      that:
+        - 'graylog_datanode__password_secret | length >= 16'
+      fail_msg: 'graylog_datanode__password_secret must be at least 16 characters'
+      quiet: true
+
+  - name: 'Validate that graylog_datanode__node_search_cache_size follows OpenSearch Bytes format'
+    ansible.builtin.assert:
+      that:
+        - 'graylog_datanode__node_search_cache_size | ansible.builtin.regex_search("^[0-9]+(b|kb|mb|gb|tb|pb)$")'
+      fail_msg: '`graylog_datanode__node_search_cache_size: {{ graylog_datanode__node_search_cache_size }}` does not follow OpenSearch Bytes format'
+      quiet: true
+
+  tags:
+    - 'always'
+
+
 - block:
 
   - name: 'Install graylog-datanode'
@@ -62,6 +82,15 @@
       group: 'graylog-datanode'
       mode: 0o755
 
+  - name: 'mkdir -p {{ item }}; chown graylog-datanode:graylog-datanode {{ item }}'
+    ansible.builtin.file:
+      path: '{{ item }}'
+      state: 'directory'
+      owner: 'graylog-datanode'
+      group: 'graylog-datanode'
+      mode: 0o740
+    loop: '{{ graylog_datanode__path_repos }}'
+
   tags:
     - 'graylog_datanode'
     - 'graylog_datanode:configure'

roles/graylog_datanode/templates/etc/graylog/datanode/6.1-datanode.conf.j2

@@ -1,5 +1,5 @@
 # {{ ansible_managed }}
-# 2025082001
+# 2026042401
 # 6.1
 # see https://go2docs.graylog.org/6-1/setting_up_graylog/data_node_configuration_file.htm
 #####################################
@@ -163,3 +163,13 @@ opensearch_logs_location = /var/log/graylog-datanode/opensearch
 # indexer_jwt_auth_token_expiration_duration = 180s
 
 opensearch_heap = {{ graylog_datanode__opensearch_heap }}
+
+{% if graylog_datanode__path_repos | length %}
+#### Data Tiering Properties
+node_search_cache_size = {{ graylog_datanode__node_search_cache_size }}
+path_repo = {{ graylog_datanode__path_repos | join(',') }}
+{% endif %}
+{% if graylog_datanode__raw is defined and graylog_datanode__raw | length %}
+#### Raw
+{{ graylog_datanode__raw }}
+{% endif %}

roles/graylog_datanode/templates/etc/graylog/datanode/6.2-datanode.conf.j2

@@ -1,5 +1,5 @@
 # {{ ansible_managed }}
-# 2025082001
+# 2026042401
 # 6.2
 # see https://go2docs.graylog.org/6-2/setting_up_graylog/data_node_configuration_file.htm
 #####################################
@@ -163,3 +163,13 @@ opensearch_logs_location = /var/log/graylog-datanode/opensearch
 # indexer_jwt_auth_token_expiration_duration = 180s
 
 opensearch_heap = {{ graylog_datanode__opensearch_heap }}
+
+{% if graylog_datanode__path_repos | length %}
+#### Data Tiering Properties
+node_search_cache_size = {{ graylog_datanode__node_search_cache_size }}
+path_repo = {{ graylog_datanode__path_repos | join(',') }}
+{% endif %}
+{% if graylog_datanode__raw is defined and graylog_datanode__raw | length %}
+#### Raw
+{{ graylog_datanode__raw }}
+{% endif %}

roles/graylog_datanode/templates/etc/graylog/datanode/6.3-datanode.conf.j2

@@ -1,5 +1,5 @@
 # {{ ansible_managed }}
-# 2025082001
+# 2026042401
 # 6.3
 # see https://go2docs.graylog.org/6-3/setting_up_graylog/data_node_configuration_file.htm
 #####################################
@@ -163,3 +163,13 @@ opensearch_logs_location = /var/log/graylog-datanode/opensearch
 # indexer_jwt_auth_token_expiration_duration = 180s
 
 opensearch_heap = {{ graylog_datanode__opensearch_heap }}
+
+{% if graylog_datanode__path_repos | length %}
+#### Data Tiering Properties
+node_search_cache_size = {{ graylog_datanode__node_search_cache_size }}
+path_repo = {{ graylog_datanode__path_repos | join(',') }}
+{% endif %}
+{% if graylog_datanode__raw is defined and graylog_datanode__raw | length %}
+#### Raw
+{{ graylog_datanode__raw }}
+{% endif %}

roles/graylog_datanode/templates/etc/graylog/datanode/7.0-datanode.conf.j2

@@ -1,5 +1,5 @@
 # {{ ansible_managed }}
-# 2026011601
+# 2026042401
 # 7.0
 # see https://go2docs.graylog.org/7-0/setting_up_graylog/data_node_configuration_file.htm
 #####################################
@@ -163,3 +163,13 @@ opensearch_logs_location = /var/log/graylog-datanode/opensearch
 # indexer_jwt_auth_token_expiration_duration = 180s
 
 opensearch_heap = {{ graylog_datanode__opensearch_heap }}
+
+{% if graylog_datanode__path_repos | length %}
+#### Data Tiering Properties
+node_search_cache_size = {{ graylog_datanode__node_search_cache_size }}
+path_repo = {{ graylog_datanode__path_repos | join(',') }}
+{% endif %}
+{% if graylog_datanode__raw is defined and graylog_datanode__raw | length %}
+#### Raw
+{{ graylog_datanode__raw }}
+{% endif %}

roles/graylog_server/tasks/main.yml

@@ -1,3 +1,16 @@
+- block:
+
+  - name: 'Validate that graylog_server__password_secret length >= 16 characters'
+    ansible.builtin.assert:
+      that:
+        - 'graylog_server__password_secret | length >= 16'
+      fail_msg: 'graylog_server__password_secret must be at least 16 characters'
+      quiet: true
+
+  tags:
+    - 'always'
+
+
 - block:
 
   - name: 'Install graylog-server'

roles/graylog_server/templates/etc/graylog/server/6.1-server.conf.j2

@@ -1,5 +1,5 @@
 # {{ ansible_managed }}
-# 2026012102
+# 2026032701
 # 6.1
 ############################
 # GRAYLOG CONFIGURATION FILE
@@ -781,3 +781,9 @@ integrations_scripts_dir = /usr/share/graylog-server/scripts
 #   event-processor-execution-v1
 #   notification-execution-v1
 #job_scheduler_concurrency_limits = event-processor-execution-v1:2,notification-execution-v1:2
+
+##################
+# Privacy settings
+##################
+
+telemetry_enabled = false