refs # refactor installer, adds etc where is configuration templates

2025-03-28 08:30:56 +01:00 · 2025-03-28 08:30:56 +01:00 · 0770cb1265
parent 40c0b91644
commit 0770cb1265
11 changed files with 298 additions and 393 deletions
--- a/etc/filebeat/filebeat.yml
+++ b/etc/filebeat/filebeat.yml
@ -0,0 +1,29 @@
 filebeat.inputs:
 - type: log
  enabled: true
  paths:
    - /var/log/opengnsys.log
    - /home/*/opengnsys.log
 setup.template.settings:
  index.number_of_shards: 1
 output.elasticsearch:
  hosts: ["https://oglog-os.mytld:9200"]
  username: "admin"
  password: "{{OPENSEARCH_INITIAL_ADMIN_PASSWORD}}"
  protocol: "https"
  ssl.enabled: true
  ssl.verification_mode: full
  ssl.certificate: "/etc/filebeat/ogagent-fb.mytld.crt.pem"
  ssl.key: "/etc/filebeat/ogagent-fb.mytld.key.pem"
 processors:
  - add_host_metadata:
      when.not.contains.tags: forwarded
  - add_cloud_metadata: ~
  - add_docker_metadata: ~
  - add_kubernetes_metadata: ~
 seccomp.enabled: false
--- a/etc/grafana/grafana.ini
+++ b/etc/grafana/grafana.ini
@ -0,0 +1,17 @@
 [server]
 protocol = https
 cert_file = /etc/grafana/oglog-graf.mytld.crt.pem
 cert_key = /etc/grafana/oglog-graf.mytld.key.pem
 [analytics]
 reporting_enabled = false
 check_for_updates = false
 check_for_plugin_updates = false
 [database]
 type = sqlite3
 path = /var/lib/grafana/grafana.db
 [auth]
 disable_login_form = false
--- a/etc/grafana/provisioning/dashboards/dashboard.yaml
+++ b/etc/grafana/provisioning/dashboards/dashboard.yaml
@ -0,0 +1,8 @@
 apiVersion: 1
 providers:
  - name: 'default'
    folder: ''
    type: file
    options:
      path: /etc/grafana/dashboards
--- a/etc/grafana/provisioning/datasources/prometheus.yaml
+++ b/etc/grafana/provisioning/datasources/prometheus.yaml
@ -0,0 +1,8 @@
 apiVersion: 1
 datasources:
  - name: Prometheus
    type: prometheus
    access: proxy
    url: https://oglog-prom.mytld:9090
    isDefault: true
--- a/etc/journalbeat/journalbeat.yml
+++ b/etc/journalbeat/journalbeat.yml
@ -0,0 +1,24 @@
 journalbeat.inputs:
 - paths:
  - "/var/log/journal"
  - "/var/log/journal/remote"
  seek: cursor
 setup.template.settings:
  index.number_of_shards: 1
 output.elasticsearch:
  hosts: ["https://oglog-os.mytld:9200"]
  username: "admin"
  password: "{{OPENSEARCH_INITIAL_ADMIN_PASSWORD}}"
  protocol: "https"
  ssl.enabled: true
  ssl.verification_mode: full
  ssl.certificate: "/etc/journalbeat/oglog-jb.mytld.crt.pem"
  ssl.key: "/etc/journalbeat/oglog-jb.mytld.key.pem"
 processors:
  - add_docker_metadata: ~
 seccomp.enabled: false
--- a/etc/opensearch-dashboards/opensearch_dashboards.yml
+++ b/etc/opensearch-dashboards/opensearch_dashboards.yml
@ -0,0 +1,13 @@
 server.host: 0.0.0.0
 opensearch.hosts: ["https://oglog-os.mytld:9200"]
 opensearch.username: "admin"
 opensearch.password: "{{OPENSEARCH_INITIAL_ADMIN_PASSWORD}}"
 server.ssl.enabled: true
 server.ssl.certificate: oglog-osdb.mytld.crt.pem
 server.ssl.key: oglog-osdb.mytld.key.pem
 opensearch.ssl.certificate: oglog-osdb.mytld.crt.pem
 opensearch.ssl.key: oglog-osdb.mytld.key.pem
 opensearch.ssl.verificationMode: full
 opensearch.ssl.certificateAuthorities: ["/etc/ssl/certs/ca.crt.pem"]
 opensearch.ssl.alwaysPresentCertificate: true
--- a/etc/opensearch/opensearch.yml
+++ b/etc/opensearch/opensearch.yml
@ -0,0 +1,10 @@
 network.host: "{{IP_MAQUINA}}"
 plugins.security.ssl.http.pemcert_filepath: oglog-os.mytld.crt.pem
 plugins.security.ssl.http.pemkey_filepath: oglog-os.mytld.key.pem
 plugins.security.ssl.http.pemtrustedcas_filepath: ca.crt.pem
 discovery.type: single-node
 compatibility.override_main_response_version: true
 plugins.security.ssl.http.clientauth_mode: REQUIRE
 plugins.security.ssl_cert_reload_enabled: true
--- a/etc/prometheus/prometheus.yml
+++ b/etc/prometheus/prometheus.yml
@ -0,0 +1,13 @@
 global:
  scrape_interval: 15s
  evaluation_interval: 15s
 scrape_configs:
  - job_name: ogserver
    static_configs:
      - targets: ['ogserver.mytld:9100']
  - job_name: ogagent
    static_configs:
      - targets: ['ogagent.mytld:9100']
--- a/etc/prometheus/web-config.yml
+++ b/etc/prometheus/web-config.yml
@ -0,0 +1,4 @@
 tls_server_config:
  cert_file: /etc/prometheus/oglog-prom.mytld.crt.pem
  key_file: /etc/prometheus/oglog-prom.mytld.key.pem
--- a/script/journal-upload.sh
+++ b/script/journal-upload.sh
@ -1,64 +1,77 @@
 #!/bin/bash
-set -e  # Detener el script si ocurre un error
+set -e
-# Verificar que la variable de entorno IP_SERVER esté configurada
+LOGFILE="/tmp/ogcore-installer.log"
-if [[ -z "$IP_SERVER" ]]; then
+exec > >(tee -a "$LOGFILE") 2>&1
-  echo "ERROR: La variable de entorno IP_SERVER no está configurada."
+
-  echo "Por favor, exporta IP_SERVER antes de ejecutar este script."
+log() {
-  exit 1
+  echo "$1" | tee -a "$LOGFILE"
 }
 log "Inicio instalación ogcore: $(date)"
 # Mediciones iniciales
 log "Tamaño inicial del disco:" && df -h /
 log "Carga inicial CPU:" && uptime
 # Variables
 IP_SERVER="${IP_SERVER:?La variable IP_SERVER es requerida}"
 NFS_SERVER="ognartefactos.evlt.uma.es"
 LOCAL_MOUNT="/mnt"
 # Montar NFS
 if ! mountpoint -q "$LOCAL_MOUNT"; then
  mkdir -p "$LOCAL_MOUNT"
  mount -t nfs "$NFS_SERVER:/" "$LOCAL_MOUNT"
 fi
-# Ejecutar el script mkcerts.sh
+# Actualizar hosts
-#bash ./mkcerts.sh
+echo "$IP_SERVER oglog-jrem.mytld" >> /etc/hosts
-# Actualizar /etc/hosts con los nombres de dominio
+# Instalar dependencias
 cat >>/etc/hosts <<EOF
 $IP_SERVER oglog-jrem.mytld
 EOF
 echo "Actualizando paquetes e instalando dependencias..."
 apt-get update
-apt-get -y install \
+apt-get install -y prometheus-node-exporter systemd-journal-remote
  prometheus-node-exporter \
  systemd-journal-remote
-echo "Configurando TLS y copiando certificados..."
+# Copiar certificados
-
+cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/certs/"{ca.crt.pem,ogserver.mytld.crt.pem} /etc/ssl/certs/
-# Copiar el certificado de la CA a /etc/ssl/certs/
+cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/private/ogserver.mytld.key.nopass.pem" /etc/ssl/private/ogserver.mytld.key.pem
 cp CA/certs/ca.crt.pem /etc/ssl/certs/
 # Crear un enlace simbólico para el certificado de la CA
 ln -sf /etc/ssl/certs/ca.crt.pem /etc/ssl/certs/$(openssl x509 -in /etc/ssl/certs/ca.crt.pem -hash -noout).0
 # Copiar los certificados del servidor
 cp CA/certs/ogserver.mytld.crt.pem /etc/ssl/certs/
 cp CA/private/ogserver.mytld.key.nopass.pem /etc/ssl/private/ogserver.mytld.key.pem
 # Asegurar permisos en los archivos de certificados
 chmod 600 /etc/ssl/private/ogserver.mytld.key.pem
 chown root:root /etc/ssl/private/ogserver.mytld.key.pem
-echo "Configurando systemd-journal-upload..."
+# Configuración journal-upload
 sed -i -e '/DynamicUser/s/.*/DynamicUser=no/' \
       -e '/User/s/.*/User=root/' \
       /usr/lib/systemd/system/systemd-journal-upload.service
 # Modificar el archivo de unidad para que el servicio se ejecute como root
 sed -i -e '/DynamicUser/s/.*/DynamicUser=no/' /usr/lib/systemd/system/systemd-journal-upload.service
 sed -i -e '/User/       s/.*/User=root/'      /usr/lib/systemd/system/systemd-journal-upload.service
 # Recargar los servicios de systemd para aplicar los cambios
 systemctl daemon-reload
-# Configurar el archivo de configuración de systemd-journal-upload
+cat >/etc/systemd/journal-upload.conf <<EOF
-sed -i -e '/URL/                   s%.*%URL=https://oglog-jrem.mytld:19532%'                          /etc/systemd/journal-upload.conf
+[Upload]
-sed -i -e '/ServerKeyFile/         s%.*%ServerKeyFile=/etc/ssl/private/ogserver.mytld.key.pem%'       /etc/systemd/journal-upload.conf
+URL=https://oglog-jrem.mytld:19532
-sed -i -e '/ServerCertificateFile/ s%.*%ServerCertificateFile=/etc/ssl/certs/ogserver.mytld.crt.pem%' /etc/systemd/journal-upload.conf
+ServerKeyFile=/etc/ssl/private/ogserver.mytld.key.pem
-sed -i -e '/TrustedCertificateFile/s%.*%TrustedCertificateFile=/etc/ssl/certs/ca.crt.pem%'            /etc/systemd/journal-upload.conf
+ServerCertificateFile=/etc/ssl/certs/ogserver.mytld.crt.pem
 TrustedCertificateFile=/etc/ssl/certs/ca.crt.pem
 EOF
-# Habilitar e iniciar el servicio
+# Activar servicio robustamente
-echo "Habilitando y arrancando systemd-journal-upload..."
+reiniciar_servicio() {
-systemctl enable --now systemd-journal-upload
+  systemctl restart "$1"
  log "Esperando que $1 esté activo..."
  for i in {1..10}; do
    if systemctl is-active --quiet "$1"; then
      log "$1 activo."
      return
    fi
    sleep 2
  done
  log "ERROR: $1 no arrancó correctamente."
  exit 1
 }
-# Verificar el estado del servicio
+reiniciar_servicio "systemd-journal-upload"
 systemctl status systemd-journal-upload --no-pager
-echo "Configuración completada con éxito. Los logs se están enviando al servidor remoto."
+# Mediciones finales
 log "Tamaño final del disco:" && df -h /
 log "Carga final CPU:" && uptime
 log "Instalación ogcore finalizada: $(date)"
--- a/script/script.sh
+++ b/script/script.sh
@ -1,358 +1,124 @@
 #!/bin/bash
-# Comprobar que las variables de entorno están definidas
+set -e
-if [[ -z "$IP_MAQUINA" || -z "$OPENSEARCH_INITIAL_ADMIN_PASSWORD" ]]; then
+
-  echo "ERROR: Las variables de entorno IP_MAQUINA y OPENSEARCH_INITIAL_ADMIN_PASSWORD deben estar definidas."
+LOGFILE="/tmp/oglog-install.log"
-  exit 1
+exec > >(tee -a "$LOGFILE") 2>&1
 log() {
  echo "$1" | tee -a "$LOGFILE"
 }
 log "Inicio de instalación: $(date)"
 # Tamaño inicial del disco
 log "Tamaño inicial del disco:"
 df -h / | tee -a "$LOGFILE"
 # Carga inicial de CPU
 log "Carga inicial de CPU:"
 uptime | tee -a "$LOGFILE"
 # Inicio del cronómetro
 SECONDS=0
 # Montar servidor NFS
 NFS_SERVER="ognartefactos.evlt.uma.es"
 NFS_PATH="/"
 LOCAL_MOUNT="/mnt"
 if ! mountpoint -q "$LOCAL_MOUNT"; then
  mkdir -p "$LOCAL_MOUNT"
  mount -t nfs "$NFS_SERVER:$NFS_PATH" "$LOCAL_MOUNT"
 fi
-# Validar la contraseña cumple con los requisitos
+# Comprobar variables de entorno requeridas
-if [[ ${#OPENSEARCH_INITIAL_ADMIN_PASSWORD} -lt 12 ||       ! "$OPENSEARCH_INITIAL_ADMIN_PASSWORD" =~ [A-Z] ||       ! "$OPENSEARCH_INITIAL_ADMIN_PASSWORD" =~ [0-9] ||       ! "$OPENSEARCH_INITIAL_ADMIN_PASSWORD" =~ [^a-zA-Z0-9] ]]; then
+required_env_vars=("IP_MAQUINA" "OPENSEARCH_INITIAL_ADMIN_PASSWORD")
-  echo "ERROR: La contraseña OPENSEARCH_INITIAL_ADMIN_PASSWORD no cumple con los requisitos:"
+for var in "${required_env_vars[@]}"; do
-  echo "- Mínimo 12 caracteres."
+  if [[ -z "${!var}" ]]; then
-  echo "- Al menos una mayúscula, un número y un carácter especial."
+    log "ERROR: La variable de entorno $var debe estar definida."
-  exit 1
+    exit 1
-fi
+  fi
 # Actualizar /etc/hosts con los nombres de dominio
 cat >>/etc/hosts <<EOF
 $IP_MAQUINA oglog-os.mytld
 $IP_MAQUINA oglog-osdb.mytld
 $IP_MAQUINA oglog-jb.mytld
 $IP_MAQUINA oglog-jrem.mytld
 $IP_MAQUINA oglog-prom.mytld
 $IP_MAQUINA oglog-graf.mytld
 EOF
 # Instalar dependencias iniciales
 apt-get update
 apt-get -y install     ca-certificates     gnupg2     lsb-release     systemd-journal-remote
 # Ejecutar el script mkcerts.sh
 bash ./mkcerts.sh
 # Configuración de certificados SSL en el sistema
 cp CA/certs/ca.crt.pem /etc/ssl/certs/
 ln -s /etc/ssl/certs/ca.crt.pem /etc/ssl/certs/"$(openssl x509 -in /etc/ssl/certs/ca.crt.pem -hash -noout).0"
 # Configurar Journalbeat
 # Verificar si la URL es accesible
 curl -I --connect-timeout 10 --max-time 30 --retry 5 "https://artifacts.elastic.co/downloads/beats/journalbeat/journalbeat-oss-7.12.1-amd64.deb" -o /dev/null -s
 if [[ $? -ne 0 ]]; then
  echo "ERROR: No se puede resolver la URL. Verifica tu conexión a Internet o la disponibilidad del servidor."
  exit 1  # Detener el script
 fi
 echo "La URL es accesible. Continuando..."
 curl --connect-timeout 10 --max-time 60 -L -o /tmp/journalbeat-oss-7.12.1-amd64.deb https://artifacts.elastic.co/downloads/beats/journalbeat/journalbeat-oss-7.12.1-amd64.deb
 dpkg -i /tmp/journalbeat-oss-7.12.1-amd64.deb
 cp CA/certs/oglog-jb.mytld.crt.pem          /etc/journalbeat/
 cp CA/private/oglog-jb.mytld.key.nopass.pem /etc/journalbeat/oglog-jb.mytld.key.pem
 cat >/etc/journalbeat/journalbeat.yml <<EOF
 journalbeat.inputs:
 - paths:
  - "/var/log/journal"
  - "/var/log/journal/remote"
  seek: cursor
 setup.template.settings:
  index.number_of_shards: 1
 output.elasticsearch:
  hosts: ["oglog-os.mytld:9200"]
  username: "admin"
  pipeline: "simple_parse_pipeline"
  password: "$OPENSEARCH_INITIAL_ADMIN_PASSWORD"
  protocol: "https"
  ssl.enabled: true
  ssl.verification_mode: full
  ssl.certificate: "/etc/journalbeat/oglog-jb.mytld.crt.pem"
  ssl.key: "/etc/journalbeat/oglog-jb.mytld.key.pem"
 processors:
  - add_docker_metadata: ~
 seccomp.enabled: false
 EOF
 systemctl enable --now journalbeat
 # Configurar repositorios y llaves para OpenSearch
 curl -o- https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --dearmor --batch --yes -o /usr/share/keyrings/opensearch-keyring
 echo "deb [signed-by=/usr/share/keyrings/opensearch-keyring] https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable main" > /etc/apt/sources.list.d/opensearch-2.x.list
 echo "deb [signed-by=/usr/share/keyrings/opensearch-keyring] https://artifacts.opensearch.org/releases/bundle/opensearch-dashboards/2.x/apt stable main" > /etc/apt/sources.list.d/opensearch-dashboards-2.x.list
 apt-get update
 apt-get install -y opensearch opensearch-dashboards
 # Configurar OpenSearch con los certificados y la IP
 cp CA/certs/ca.crt.pem /etc/opensearch/
 cp CA/certs/oglog-os.mytld.crt.pem /etc/opensearch/
 cp CA/private/oglog-os.mytld.key.nopass.pem /etc/opensearch/oglog-os.mytld.key.pem
 chown opensearch:opensearch /etc/opensearch/{ca.crt.pem,oglog-os.mytld.crt.pem,oglog-os.mytld.key.pem}
 cp CA/certs/oglog-osdb.mytld.crt.pem /etc/opensearch-dashboards/
 cp CA/private/oglog-osdb.mytld.key.nopass.pem /etc/opensearch-dashboards/oglog-osdb.mytld.key.pem
 chown opensearch-dashboards:opensearch-dashboards /etc/opensearch-dashboards/oglog-osdb.mytld.crt.pem /etc/opensearch-dashboards/oglog-osdb.mytld.key.pem
 sed -i -e '/^plugins.security.ssl.http.pemcert_filepath:/      s/: .*/: oglog-os.mytld.crt.pem/'  /etc/opensearch/opensearch.yml
 sed -i -e '/^plugins.security.ssl.http.pemkey_filepath:/       s/: .*/: oglog-os.mytld.key.pem/'  /etc/opensearch/opensearch.yml
 sed -i -e '/^plugins.security.ssl.http.pemtrustedcas_filepath:/s/: .*/: ca.crt.pem/'              /etc/opensearch/opensearch.yml
 sed -i -e '/^#network.host/                                    s/.*/network.host: '"$IP_MAQUINA"'/' /etc/opensearch/opensearch.yml
 cat >>/etc/opensearch/opensearch.yml <<EOF
 discovery.type: single-node
 compatibility.override_main_response_version: true
 plugins.security.ssl.http.clientauth_mode: REQUIRE
 plugins.security.ssl_cert_reload_enabled: true
 EOF
 # Configurar OpenSearch Dashboards
 cp -a /etc/opensearch-dashboards/opensearch_dashboards.yml /etc/opensearch-dashboards/opensearch_dashboards.yml.dist
 cat >/etc/opensearch-dashboards/opensearch_dashboards.yml <<EOF
 server.host: 0.0.0.0
 opensearch.hosts: ["https://oglog-os.mytld:9200"]
 opensearch.username: "admin"
 opensearch.password: "$OPENSEARCH_INITIAL_ADMIN_PASSWORD"
 server.ssl.enabled: true
 server.ssl.certificate: /etc/opensearch-dashboards/oglog-osdb.mytld.crt.pem
 server.ssl.key: /etc/opensearch-dashboards/oglog-osdb.mytld.key.pem
 opensearch.ssl.certificate: /etc/opensearch-dashboards/oglog-osdb.mytld.crt.pem
 opensearch.ssl.key: /etc/opensearch-dashboards/oglog-osdb.mytld.key.pem
 opensearch.ssl.verificationMode: full
 opensearch.ssl.certificateAuthorities: [ "/etc/ssl/certs/ca.crt.pem" ]
 opensearch.ssl.alwaysPresentCertificate: true
 EOF
 # Habilitar servicios de OpenSearch
 systemctl enable --now opensearch.service opensearch-dashboards.service
 # Esperar a que OpenSearch esté disponible
 echo "Esperando a que OpenSearch esté disponible..."
 until curl -s --fail \
    --cert /etc/opensearch/oglog-os.mytld.crt.pem \
    --key /etc/opensearch/oglog-os.mytld.key.pem \
    --cacert /etc/opensearch/ca.crt.pem \
    -u "admin:$OPENSEARCH_INITIAL_ADMIN_PASSWORD" \
    "https://oglog-os.mytld:9200/_cluster/health"; do
    sleep 5
 done
 echo "OpenSearch está disponible."
-# Configurar pipeline por defecto
+# Validar la contraseña
-curl -XPUT "https://oglog-os.mytld:9200/_ingest/pipeline/simple_parse_pipeline" \
+if [[ ${#OPENSEARCH_INITIAL_ADMIN_PASSWORD} -lt 12 || \
-    --cert /etc/opensearch/oglog-os.mytld.crt.pem \
+  ! "$OPENSEARCH_INITIAL_ADMIN_PASSWORD" =~ [A-Z] || \
-    --key /etc/opensearch/oglog-os.mytld.key.pem \
+  ! "$OPENSEARCH_INITIAL_ADMIN_PASSWORD" =~ [0-9] || \
-    --cacert /etc/opensearch/ca.crt.pem \
+  ! "$OPENSEARCH_INITIAL_ADMIN_PASSWORD" =~ [^a-zA-Z0-9] ]]; then
-    -u "admin:$OPENSEARCH_INITIAL_ADMIN_PASSWORD" \
+  log "ERROR: La contraseña OPENSEARCH_INITIAL_ADMIN_PASSWORD no cumple los requisitos."
-    -H 'Content-Type: application/json' \
+  exit 1
-    -d'
+fi
 {
  "description": "Parse logs to extract http_code and desc, supporting various severity levels",
  "processors": [
    {
      "script": {
        "if": "ctx.syslog?.identifier != '\''ogboot'\''",
        "source": "ctx.debug = '\''Skipped: identifier is '\'' + (ctx.syslog?.identifier ?: '\''undefined'\''); ctx.pipeline_stop = true;"
      }
    },
    {
      "set": {
        "field": "debug",
        "value": "Processed: identifier is ogboot"
      }
    },
    {
      "gsub": {
        "field": "message",
        "pattern": "^app\\.[A-Z]+: ",
        "replacement": "",
        "ignore_failure": true
      }
    },
    {
      "json": {
        "field": "message",
        "target_field": "parsed_message",
        "ignore_failure": true
      }
    },
    {
      "set": {
        "field": "http_code",
        "value": "{{parsed_message.http_code}}",
        "ignore_empty_value": true
      }
    },
    {
      "set": {
        "field": "description",
        "value": "{{parsed_message.desc}}",
        "ignore_empty_value": true
      }
    }
  ]
 }'
 echo "Pipeline simple_parse_pipeline configurado."
 # Actualizar /etc/hosts
 cat >> /etc/hosts <<EOF
 $IP_MAQUINA oglog-os.mytld oglog-osdb.mytld oglog-jb.mytld oglog-jrem.mytld oglog-prom.mytld oglog-graf.mytld
 EOF
-# Configurar systemd-journal-remote
+# Añadir repositorios y claves GPG
-cp CA/certs/ca.crt.pem /etc/systemd/
+apt-get update
-cp CA/certs/oglog-jrem.mytld.crt.pem /etc/systemd/
+apt-get install -y apt-transport-https software-properties-common wget curl
-cp CA/private/oglog-jrem.mytld.key.nopass.pem /etc/systemd/oglog-jrem.mytld.key.pem
+
-chown systemd-journal-remote:systemd-journal-remote /etc/systemd/oglog-jrem.mytld.crt.pem /etc/systemd/oglog-jrem.mytld.key.pem
+# Grafana
-install --owner systemd-journal-remote --group systemd-journal-remote --mode 0750 --directory /var/log/journal/remote/
+wget -q -O - https://apt.grafana.com/gpg.key | gpg --dearmor | tee /usr/share/keyrings/grafana.gpg > /dev/null
 echo "deb [signed-by=/usr/share/keyrings/grafana.gpg] https://apt.grafana.com stable main" | tee /etc/apt/sources.list.d/grafana.list
 # OpenSearch y OpenSearch Dashboards
 curl -fsSL https://artifacts.opensearch.org/publickeys/opensearch.pgp | gpg --dearmor | tee /usr/share/keyrings/opensearch-keyring > /dev/null
 echo "deb [signed-by=/usr/share/keyrings/opensearch-keyring] https://artifacts.opensearch.org/releases/bundle/opensearch/2.x/apt stable main" | tee /etc/apt/sources.list.d/opensearch.list
 echo "deb [signed-by=/usr/share/keyrings/opensearch-keyring] https://artifacts.opensearch.org/releases/bundle/opensearch-dashboards/2.x/apt stable main" | tee /etc/apt/sources.list.d/opensearch-dashboards.list
 apt-get update
 # Consolidar instalación de paquetes
 apt-get install -y ca-certificates gnupg2 lsb-release systemd-journal-remote \
  prometheus grafana opensearch opensearch-dashboards
 # Instalación explícita de Journalbeat
 download_file() {
  curl --retry 5 --connect-timeout 10 --max-time 60 -fL "$1" -o "$2" || {
    log "Error descargando $1"
    exit 1
  }
 }
 JOURNALBEAT_URL="https://artifacts.elastic.co/downloads/beats/journalbeat/journalbeat-oss-7.12.1-amd64.deb"
 download_file "$JOURNALBEAT_URL" "/tmp/journalbeat.deb"
 dpkg -i /tmp/journalbeat.deb
 rm -f /tmp/journalbeat.deb
 # Gestión de certificados SSL
 declare -A CERT_SERVICES=(
  [journalbeat]="oglog-jb.mytld"
  [opensearch]="oglog-os.mytld"
  [opensearch-dashboards]="oglog-osdb.mytld"
  [prometheus]="oglog-prom.mytld"
  [grafana]="oglog-graf.mytld"
  [systemd]="oglog-jrem.mytld"
 )
 for service in "${!CERT_SERVICES[@]}"; do
  domain="${CERT_SERVICES[$service]}"
  cert_dir="/etc/$service"
  mkdir -p "$cert_dir"
  cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/certs/${domain}.crt.pem" "$cert_dir/"
  cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/private/${domain}.key.nopass.pem" "$cert_dir/${domain}.key.pem"
  case "$service" in
    opensearch) chown opensearch: "$cert_dir/"* ;;
    opensearch-dashboards) chown opensearch-dashboards: "$cert_dir/"* ;;
    prometheus) chown prometheus: "$cert_dir/"* ;;
    grafana) chown grafana: "$cert_dir/"* ;;
    systemd) chown systemd-journal-remote: "$cert_dir/"* ;;
  esac
 done
 cp "$LOCAL_MOUNT/srv/artefactos/oglog/CA/certs/ca.crt.pem" /etc/ssl/certs/
 # Configuración de systemd-journal-remote
 sed -i -e '/ServerKeyFile/        s%.*%ServerKeyFile=/etc/systemd/oglog-jrem.mytld.key.pem%'         /etc/systemd/journal-remote.conf
 sed -i -e '/ServerCertificateFile/s%.*%ServerCertificateFile=/etc/systemd/oglog-jrem.mytld.crt.pem%' /etc/systemd/journal-remote.conf
 sed -i -e '/TrustedCertificateFile/s%.*%TrustedCertificateFile=/etc/systemd/ca.crt.pem%'             /etc/systemd/journal-remote.conf
 systemctl enable --now systemd-journal-remote.service
-
+log "Instalación finalizada: $(date)"
 # Configurar Prometheus
 apt-get install -y prometheus
 cp CA/certs/oglog-prom.mytld.crt.pem          /etc/prometheus/
 cp CA/private/oglog-prom.mytld.key.nopass.pem /etc/prometheus/oglog-prom.mytld.key.pem
 chown prometheus:prometheus /etc/prometheus/oglog-prom.mytld.crt.pem /etc/prometheus/oglog-prom.mytld.key.pem
 cat >>/etc/prometheus/prometheus.yml <<EOF
  - job_name: ogserver
    static_configs:
      - targets: ['ogserver.mytld:9100']
  - job_name: ogagent
    static_configs:
      - targets: ['ogagent.mytld:9100']
 EOF
 cat >/etc/prometheus/web-config.yml <<EOF
 tls_server_config:
  cert_file: /etc/prometheus/oglog-prom.mytld.crt.pem
  key_file: /etc/prometheus/oglog-prom.mytld.key.pem
 EOF
 sed -i -e '/^ARGS/s%"$%--web.config.file=/etc/prometheus/web-config.yml"%' /etc/default/prometheus
 systemctl restart prometheus
 # Configurar Grafana
 # Prueba de conexión a la URL de la clave GPG
 echo "Verificando conectividad con https://apt.grafana.com/gpg.key..."
 curl -I --connect-timeout 10 --max-time 30 -s -o /dev/null --retry 5 https://apt.grafana.com/gpg.key
 if [[ $? -ne 0 ]]; then
  echo "ERROR: No se puede conectar a https://apt.grafana.com/gpg.key. Verifica tu conexión a Internet o la disponibilidad del servidor."
  exit 1
 fi
 curl --connect-timeout 10 --max-time 30 -s https://apt.grafana.com/gpg.key | gpg --dearmor > /etc/apt/keyrings/grafana.gpg
 echo "deb [signed-by=/etc/apt/keyrings/grafana.gpg] https://apt.grafana.com stable main" >/etc/apt/sources.list.d/grafana.list
 apt-get update
 apt-get install --yes grafana
 cp CA/certs/oglog-graf.mytld.crt.pem               /etc/grafana/
 cp CA/private/oglog-graf.mytld.key.nopass.pem      /etc/grafana/oglog-graf.mytld.key.pem
 chown grafana:grafana /etc/grafana/oglog-graf.mytld.crt.pem /etc/grafana/oglog-graf.mytld.key.pem
 # Descargar el dashboard
 echo "Descargando el dashboard"
 mkdir -p /etc/grafana/dashboards
 if curl -o /etc/grafana/dashboards/1860.json --connect-timeout 10 --max-time 30 --retry 5 https://grafana.com/api/dashboards/1860/revisions/37/download; then
  echo "Dashboard descargado correctamente en /etc/grafana/dashboards/1860.json."
 else
  echo "Error: No se pudo descargar el dashboard desde https://grafana.com/api/dashboards/1860/revisions/37/download."
  exit 1
 fi
 # Configurar Grafana
 echo "Haciendo copia de seguridad del archivo de configuración original..."
 cp -a /etc/grafana/grafana.ini /etc/grafana/grafana.ini.dist
 echo "Configurando Grafana..."
 cat >/etc/grafana/grafana.ini <<EOF
 [server]
 protocol = https
 cert_file = /etc/grafana/oglog-graf.mytld.crt.pem
 cert_key = /etc/grafana/oglog-graf.mytld.key.pem
 [analytics]
 reporting_enabled = false
 check_for_updates = false
 check_for_plugin_updates = false
 [database]
 type = sqlite3
 path = /var/lib/grafana/grafana.db
 [auth]
 disable_login_form = false
 EOF
 # Configuración de datasource para Prometheus
 echo "Creando configuración de datasource para Prometheus..."
 mkdir -p /etc/grafana/provisioning/datasources
 cat >/etc/grafana/provisioning/datasources/prometheus.yaml <<EOF
 apiVersion: 1
 datasources:
  - name: Prometheus
    type: prometheus
    access: proxy
    url: https://oglog-prom.mytld:9090
    isDefault: true
 EOF
 # Configuración de dashboards
 echo "Configurando dashboards..."
 mkdir -p /etc/grafana/provisioning/dashboards
 cat >/etc/grafana/provisioning/dashboards/dashboard.yaml <<EOF
 apiVersion: 1
 providers:
  - name: 'default'
    folder: ''
    type: file
    options:
      path: /etc/grafana/dashboards
 EOF
 # Habilitar e iniciar el servicio de Grafana
 echo "Habilitando e iniciando Grafana..."
 systemctl enable --now grafana-server
 # Reiniciar los servicios
 systemctl restart journalbeat
 sleep 5
 sudo systemctl restart filebeat
 sleep 5
 systemctl restart opensearch
 sleep 5
 systemctl restart opensearch-dashboards
 sleep 5
 systemctl restart systemd-journal-remote
 sleep 5
 systemctl restart prometheus
 sleep 5
 systemctl restart grafana-server
 sleep 5
 # Verificar el estado de los servicios
 echo "Estado de journalbeat:"
 systemctl status journalbeat --no-pager
 echo "Estado de filebeat:"
 systemctl status filebeat --no-pager
 echo "Estado de opensearch:"
 systemctl status opensearch --no-pager
 echo "Estado de opensearch-dashboards:"
 systemctl status opensearch-dashboards --no-pager
 echo "Estado de systemd-journal-remote:"
 systemctl status systemd-journal-remote --no-pager
 echo "Estado de prometheus:"
 systemctl status prometheus --no-pager
 echo "Estado de grafana-server:"
 systemctl status grafana-server --no-pager