gw1: Scrape BIND DNS server logs

The BIND server on the firewall is configured to write query logs and
RPZ rewrite logs to files under `/var/log/named`.  We can scrape these
logs with Promtail and use the messages for analytics on the DNS-based
firewall, etc.

host_vars/gw1.pyrocufflink.blue/main.yml

@@ -21,3 +21,19 @@ sudo_authorized_ssh_keys: |
 # Default flags include -n, which makes Ansible complain about a "missing
 # become password," even though it would never actually prompt for one.
 ansible_become_flags: -H
+
+promtail_scrape_configs:
+- '{{ promtail_default_scrape.journal }}'
+- job_name: named
+  static_configs:
+  - labels:
+      __path__: /var/log/named/*.log
+      job: named
+  pipeline_stages:
+  - regex:
+      expression: ^(?P<timestamp>\S+?) (?P<message>.*)
+  - timestamp:
+      source: timestamp
+      format: '2006-01-02T15:04:05.000'
+  - output:
+      source: message