Closes #2: install + configure kibana.

.gitmodules

@@ -1,3 +1,6 @@
 [submodule "roles/ansible-letsencrypt"]
 	path = graylog-ec2/roles/ansible-letsencrypt
 	url = git@github.com:jaywink/ansible-letsencrypt.git
+[submodule "graylog-ec2/roles/ansible-role-kibana"]
+	path = graylog-ec2/roles/ansible-role-kibana
+	url = git@github.com:geerlingguy/ansible-role-kibana.git

graylog-ec2/kibana.yml

@@ -0,0 +1,52 @@
+---
+# Installs kibana (v4.6, since that is compatible with ES 2.4.2, which is the version graylog uses)
+# Thx! https://github.com/geerlingguy/ansible-role-kibana
+- name: Install and configure Kibana
+  hosts: metrics
+  vars:
+    nginx_conf_dir: /opt/graylog/conf/nginx
+    passwdfile: "{{ nginx_conf_dir }}/.htpasswd"    # location of the .htpasswd file used to 
+    password: ""                                    # basic auth password for the 'metrics' account to secure kibana instance. if empty, will skip setting/creating the file.
+    kibana_conf_file: /opt/kibana/config/kibana.yml # config location for kibana
+    kibana_subpath: "viz"                           # path uri for accessing kibana, i.e. https://myhost.com/{{ kibana_subpath }}
+  remote_user: ubuntu
+  become: yes
+
+  roles:
+  - role: ansible-role-kibana
+    kibana_elasticsearch_url: "http://{{ ansible_default_ipv4.address }}:9200"
+
+  post_tasks:
+  - name: Set kibana to only listen on loopback interface
+    replace:
+      dest: "{{ kibana_conf_file }}"
+      regexp: '^.*server.host.*$'
+      replace: "server.host: 127.0.0.1"
+  - name: Set kibana basepath to match set kibana uri path
+    replace:
+      dest: "{{ kibana_conf_file }}"
+      regexp: '^.*server.basePath.*$'
+      replace: 'server.basePath: "/{{ kibana_subpath }}"'
+    notify: restart kibana
+  - name: Create htpasswd file for basic auth (if does not exist)
+    htpasswd:
+      path: "{{ passwdfile }}"
+      name: metrics
+      password: "{{ password }}"
+      owner: root
+      group: root
+      mode: 0644
+      state: present
+      create: yes
+    when: password | trim != ''
+  - name: Copy over nginx config file
+    template:
+      src: templates/kibana-nginx-conf.j2
+      dest: "{{ nginx_conf_dir }}/nginx.conf"
+    notify: restart nginx
+
+  handlers:
+    - name: restart nginx
+      command: graylog-ctl restart nginx
+    - name: restart kibana
+      service: name=kibana state=restarted

graylog-ec2/templates/kibana-nginx-conf.j2

@@ -0,0 +1,73 @@
+worker_processes  1;
+daemon off;
+
+events {
+    worker_connections  1024;
+}
+
+http {
+    include       {{  nginx_conf_dir }}/mime.types;
+    default_type  application/octet-stream;
+    log_format    graylog_format  'nginx: $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" "$http_x_forwarded_for" <msec=$msec|connection=$connection|connection_requests=$connection_requests|millis=$request_time>';
+    access_log    /dev/stdout graylog_format;
+
+    server {
+      listen 80;
+      return 301 https://$host:443$request_uri;
+      error_page 502 /502.html;
+      location  /502.html {
+        internal;
+      }
+    }
+
+    server {
+      listen 443;
+
+      ssl on;
+      ssl_certificate {{ nginx_conf_dir }}/ca/graylog.crt;
+      ssl_certificate_key {{ nginx_conf_dir }}/ca/graylog.key;
+      ssl_session_timeout 5m;
+      ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
+      ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA;
+      ssl_prefer_server_ciphers on;
+
+      location / {
+        proxy_pass http://localhost:9000/;
+        proxy_http_version 1.1;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Graylog-Server-URL https://{{ inventory_hostname }}/api/;
+        proxy_pass_request_headers on;
+        proxy_connect_timeout 150;
+        proxy_send_timeout 100;
+        proxy_read_timeout 100;
+        proxy_buffers 4 32k;
+        client_max_body_size 8m;
+        client_body_buffer_size 128k;
+      }
+
+      location /api/ {
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header Host $http_host;
+        proxy_pass http://localhost:9000/api/;
+      }
+
+      location /viz/ {
+        proxy_set_header        Host $host;
+        proxy_set_header        X-Real-IP $remote_addr;
+        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header        X-Forwarded-Proto $scheme;
+        proxy_pass          http://localhost:5601/;
+        proxy_read_timeout  90;
+        proxy_redirect      http://localhost:5601/ https://{{ inventory_hostname }}/{{ kibana_subpath }}/;
+        auth_basic "Restricted Content";
+        auth_basic_user_file {{ passwdfile }};
+      }
+
+      error_page 502 /502.html;
+      location  /502.html {
+        internal;
+      }
+    }
+}