From f59d9ee6f054c5987a0912471c1e7cc3799fa3a1 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Tue, 30 Mar 2021 06:01:43 +0200 Subject: [PATCH 1/4] WIP: add logrotate config for rsyslog-managed files --- log.yml | 4 ++ roles/logrotate/handlers/main.yml | 7 ++-- roles/logrotate/tasks/main.yml | 29 ++++++++------ roles/logrotate/templates/logrotate.conf | 7 ++++ .../templates/logrotate.d/rsyslog.j2 | 39 ------------------- roles/rsyslog_common/meta/main.yml | 4 ++ roles/rsyslog_common/tasks/main.yml | 10 +++++ roles/rsyslog_common/templates/logrotate.j2 | 17 ++++++++ 8 files changed, 63 insertions(+), 54 deletions(-) create mode 100644 roles/logrotate/templates/logrotate.conf delete mode 100644 roles/logrotate/templates/logrotate.d/rsyslog.j2 create mode 100644 roles/rsyslog_common/meta/main.yml create mode 100644 roles/rsyslog_common/templates/logrotate.j2 diff --git a/log.yml b/log.yml index 8c8fc15..fb8db3d 100644 --- a/log.yml +++ b/log.yml @@ -2,4 +2,8 @@ - hosts: log.adm.auro.re roles: - rsyslog_collector + +- hosts: all + roles: + - rsyslog_common ... diff --git a/roles/logrotate/handlers/main.yml b/roles/logrotate/handlers/main.yml index a58c62e..bd56c18 100644 --- a/roles/logrotate/handlers/main.yml +++ b/roles/logrotate/handlers/main.yml @@ -1,5 +1,6 @@ --- -- name: reload logrotate - service: - name: logrotate +- name: Reload logrotate + systemd: + name: logrotate.service state: reloaded +... diff --git a/roles/logrotate/tasks/main.yml b/roles/logrotate/tasks/main.yml index e76b591..58cbab9 100644 --- a/roles/logrotate/tasks/main.yml +++ b/roles/logrotate/tasks/main.yml 
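Review bot: The `Reload logrotate` handler in roles/logrotate/handlers/main.yml asks systemd for `state: reloaded` on `logrotate.service`, but logrotate is not a long-running daemon and re-reads its configuration on every run, so there is nothing to reload. Where the package ships it as a oneshot unit driven by `logrotate.timer` (worth confirming on the target hosts), a reload of the inactive unit is likely to fail the play. The same applies to the `Enable logrotate service` task in roles/logrotate/tasks/main.yml, where `state: started` would trigger a rotation on each run rather than enable the schedule. I would drop the handler and its `notify:` lines, and point the enable task at the timer with `name: logrotate.timer`.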
@@ -1,29 +1,34 @@ --- -# Install and configure logrotate - # Install the apt package - name: Install logrotate apt: name: - logrotate + state: present -# Copy the configuration and reload the service if it has changed -- name: Configure logrotate - template: - src: logrotate.d/rsyslog.j2 - dest: /etc/logrotate.d/rsyslog +- name: Create rsyslog configuration directory + file: + path: /etc/rsyslog.d owner: root group: root - mode: "0644" - notify: reload logrotate + mode: u=rwx,g=rx,o=rx + +- name: Configure logrotate + template: + src: logrotate.conf + dest: /etc/logrotate.conf + owner: root + group: root + mode: u=rwx,g=r,o=r + notify: Reload logrotate -# Make sure the service is enabled and started - name: Enable logrotate service - service: - name: logrotate + systemd: + name: logrotate.service enabled: true state: started # Enforce new logrotate rules now - name: Run logrotate now command: /usr/sbin/logrotate -f /etc/logrotate.d/rsyslog +... diff --git a/roles/logrotate/templates/logrotate.conf b/roles/logrotate/templates/logrotate.conf new file mode 100644 index 0000000..7e65378 --- /dev/null +++ b/roles/logrotate/templates/logrotate.conf @@ -0,0 +1,7 @@ +{{ ansible_managed | comment }} + +weekly +rotate 4 +create + +include /etc/logrotate.d diff --git a/roles/logrotate/templates/logrotate.d/rsyslog.j2 b/roles/logrotate/templates/logrotate.d/rsyslog.j2 deleted file mode 100644 index f47e725..0000000 --- a/roles/logrotate/templates/logrotate.d/rsyslog.j2 +++ /dev/null 
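Review bot: The `Create rsyslog configuration directory` task in roles/logrotate/tasks/main.yml has no `state: directory`, so it can only adjust a path that already exists and never creates one. It also targets `/etc/rsyslog.d`, while the new logrotate.conf includes `/etc/logrotate.d`, so this looks like a copy-paste slip; `path: /etc/logrotate.d` with `state: directory` appears to be what was meant. In `Configure logrotate`, `mode: u=rwx,g=r,o=r` sets an execute bit on `/etc/logrotate.conf` that a configuration file does not need; `mode: u=rw,g=r,o=r` matches the other templates in this series.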
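Review bot: The new roles/logrotate/templates/logrotate.conf replaces the distribution's `/etc/logrotate.conf` wholesale, and nothing in the file says so. On releases where the packaged file still carries stanzas of its own (older Debian kept wtmp and btmp there, to be checked for these hosts), those files would silently stop being rotated. A header comment such as `# Global defaults only; per-file stanzas live in /etc/logrotate.d and override these` would make it clear that `weekly`, `rotate 4` and `create` are inherited by every included file. Naming the template `logrotate.conf.j2` would also match `logrotate.j2` and `forward-syslog.conf.j2` elsewhere in the series.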
@@ -1,39 +0,0 @@ -# {{ ansible_managed }} - -/var/log/syslog -{ - rotate 7 - daily - missingok - notifempty - delaycompress - compress - postrotate - /usr/lib/rsyslog/rsyslog-rotate - endscript -} - -/var/log/mail.info -/var/log/mail.warn -/var/log/mail.err -/var/log/mail.log -/var/log/daemon.log -/var/log/kern.log -/var/log/auth.log -/var/log/user.log -/var/log/lpr.log -/var/log/cron.log -/var/log/debug -/var/log/messages -{ - rotate 90 - daily - missingok - notifempty - compress - delaycompress - sharedscripts - postrotate - /usr/lib/rsyslog/rsyslog-rotate - endscript -} diff --git a/roles/rsyslog_common/meta/main.yml b/roles/rsyslog_common/meta/main.yml new file mode 100644 index 0000000..edb558f --- /dev/null +++ b/roles/rsyslog_common/meta/main.yml @@ -0,0 +1,4 @@ +--- +dependencies: + - role: logrotate +... diff --git a/roles/rsyslog_common/tasks/main.yml b/roles/rsyslog_common/tasks/main.yml index 030fd10..337fe3d 100644 --- a/roles/rsyslog_common/tasks/main.yml +++ b/roles/rsyslog_common/tasks/main.yml @@ -51,6 +51,16 @@ mode: u=rw,g=r,o=r notify: Restart systemd-journald +- name: Deploy logrotate configuration + become: true + template: + src: logrotate.j2 + dest: /etc/logrotate.d/rsyslog + owner: root + group: root + mode: u=rw,g=r,o=r + notify: Restart logrotate + - name: Enable rsyslog service become: true systemd: diff --git a/roles/rsyslog_common/templates/logrotate.j2 b/roles/rsyslog_common/templates/logrotate.j2 new file mode 100644 index 0000000..455b35f --- /dev/null +++ b/roles/rsyslog_common/templates/logrotate.j2 @@ -0,0 +1,17 @@ +{{ ansible_managed | comment }} + +/var/log/auth.log +/var/log/mail.log +/var/log/kern.log +/var/log/syslog.log +{ + rotate 7 + daily + missingok + notifempty + delaycompress + compress + postrotate + /usr/lib/rsyslog/rsyslog-rotate + endscript +} -- 2.45.2 From 3030d3bfab6e5008d46907ec9196297132c32943 Mon Sep 17 00:00:00 2001 
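Review bot: The `Deploy logrotate configuration` task in roles/rsyslog_common/tasks/main.yml installs `/etc/logrotate.d/rsyslog` without checking the rendered file, so a template mistake only shows up when a scheduled rotation stops handling these logs. Adding `validate: /usr/sbin/logrotate -d %s` to the `template:` arguments would let logrotate parse the candidate file in debug mode before it is moved into place. It would help to try this once on a target host, since logrotate also checks the ownership and mode of the file it is handed. The task list continues outside this hunk.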
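Review bot: The new roles/rsyslog_common/templates/logrotate.j2 keeps `auth.log`, `kern.log` and `mail.log` for `rotate 7` with `daily`, where the template deleted earlier in this patch kept them for `rotate 90`. That cuts local authentication and kernel history from about three months to one week on every host in `all`, which is short for incident investigation unless the collector is guaranteed to hold the longer copy. I would restore `rotate 90` or make the count a role variable, and record the intended retention in a comment. The block lists four files but has no `sharedscripts`, so `/usr/lib/rsyslog/rsyslog-rotate` runs once per rotated file rather than once per block. The path `/var/log/syslog.log` also differs from the previous `/var/log/syslog`, and `missingok` would hide a mismatch with what rsyslog actually writes.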
From: Jeltz Date: Tue, 30 Mar 2021 07:42:46 +0200 Subject: [PATCH 2/4] Fix typo: use 'Reload' instead of 'Restart' --- roles/rsyslog_common/tasks/main.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/roles/rsyslog_common/tasks/main.yml b/roles/rsyslog_common/tasks/main.yml index 337fe3d..6ca28d1 100644 --- a/roles/rsyslog_common/tasks/main.yml +++ b/roles/rsyslog_common/tasks/main.yml @@ -59,7 +59,7 @@ owner: root group: root mode: u=rw,g=r,o=r - notify: Restart logrotate + notify: Reload logrotate - name: Enable rsyslog service become: true -- 2.45.2 From 606df6553540087d45859d580ea78155cd7d2bd0 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Tue, 30 Mar 2021 07:45:52 +0200 Subject: [PATCH 3/4] Cleanup logrotate role --- roles/logrotate/tasks/main.yml | 8 +------- 1 file changed, 1 insertion(+), 7 deletions(-) diff --git a/roles/logrotate/tasks/main.yml b/roles/logrotate/tasks/main.yml index 58cbab9..2ccfaa8 100644 --- a/roles/logrotate/tasks/main.yml +++ b/roles/logrotate/tasks/main.yml @@ -1,9 +1,7 @@ --- -# Install the apt package - name: Install logrotate apt: - name: - - logrotate + name: logrotate state: present - name: Create rsyslog configuration directory @@ -27,8 +25,4 @@ name: logrotate.service enabled: true state: started - -# Enforce new logrotate rules now -- name: Run logrotate now - command: /usr/sbin/logrotate -f /etc/logrotate.d/rsyslog ... -- 2.45.2 From 85e691a0a2b65e909f16a64cb8536b591dd79504 Mon Sep 17 00:00:00 2001 From: Jeltz Date: Tue, 30 Mar 2021 07:46:06 +0200 Subject: [PATCH 4/4] Don't store journald logs to disk As they are already stored on disk by rsyslog. --- roles/rsyslog_common/templates/forward-syslog.conf.j2 | 1 + 1 file changed, 1 insertion(+) diff --git a/roles/rsyslog_common/templates/forward-syslog.conf.j2 b/roles/rsyslog_common/templates/forward-syslog.conf.j2 index c332de6..758aa85 100644 --- a/roles/rsyslog_common/templates/forward-syslog.conf.j2 +++ b/roles/rsyslog_common/templates/forward-syslog.conf.j2 
@@ -1,5 +1,6 @@ {{ ansible_managed | comment }} [Journal] +Storage=volatile ForwardToSyslog=yes MaxLevelSyslog=debug -- 2.45.2
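Review bot: `Storage=volatile` in roles/rsyslog_common/templates/forward-syslog.conf.j2 makes the rsyslog files the only on-disk log copy, which is not stated in the template itself. Their retention is the seven days set in the rsyslog logrotate template, and the journal's structured fields and anything logged while rsyslog is not running are gone after a reboot. A comment above the line would record the dependency, for example `# Journal lives in /run only; rsyslog output is the sole persistent copy, retention set in /etc/logrotate.d/rsyslog`. Because the runtime journal sits on tmpfs, an explicit `RuntimeMaxUse=` is worth setting rather than relying on the default cap. The file name `forward-syslog.conf.j2` no longer describes everything the drop-in controls.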