unbound: smarter logging

- stop using journald, write to /var/log/unbound/
- set up frequent log rotation for the huge log files
we are producing

roles/unbound/handlers/main.yml

@@ -2,3 +2,6 @@
   systemd:
     state: restarted
     name: unbound
+
+- name: read unbound apparmor config
+  command: apparmor_parser -r /etc/apparmor.d/usr.sbin.unbound

roles/unbound/tasks/main.yml

@@ -33,6 +33,27 @@
     mode: 0644
   notify: restart unbound
 
+- name: ensure unbound log directory exists
+  file:
+    path: /var/log/unbound
+    state: directory
+    mode: '0755'
+    owner: unbound
+    group: unbound
+
+- name: ask apparmor to allow unbound to write to log file
+  template:
+    src: unbound-apparmor-config
+    dest: /etc/apparmor.d/local/usr.sbin.unbound
+    mode: '0644'
+  notify: read unbound apparmor config
+
+- name: setup unbound log rotation
+  template:
+    src: unbound-logrotate.j2
+    dest: /etc/logrotate.d/unbound
+    mode: 0644
+
 - name: setup recursive DNS server config
   template:
     src: recursive.conf.j2

roles/unbound/templates/recursive.conf.j2

@@ -8,8 +8,7 @@ server:
     verbosity: 3
 
     # "" sends logs to stderr, journalctl will pick things up.
-    logfile: ""
-
+    logfile: "/var/log/unbound/unbound.log"
 
     do-ip4: yes
     # FIXME: IPv6 deployment... someday...

roles/unbound/templates/unbound-apparmor-config

@@ -0,0 +1 @@
+/var/log/unbound/unbound.log rw,

roles/unbound/templates/unbound-logrotate.j2

@@ -0,0 +1,13 @@
+/var/log/unbound/*.log {
+	daily
+	rotate 30
+	missingok
+	notifempty
+	compress
+	delaycompress
+	sharedscripts
+	create 644
+	postrotate
+		/usr/local/sbin/unbound-control log_reopen
+	endscript
+}