diff --git a/disks/layout_vm_log.nix b/disks/layout_vm_log.nix
new file mode 100644
index 0000000..815944f
--- /dev/null
+++ b/disks/layout_vm_log.nix
@@ -0,0 +1,24 @@
+{ ... }:
+
+{
+ disko.devices = {
+ disk = {
+ logs = {
+ type = "disk";
+ content = {
+ type = "gpt";
+ partitions = {
+ data = {
+ size = "100%";
+ content = {
+ type = "filesystem";
+ format = "ext4";
+ mountpoint = "/var/log";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/flake.nix b/flake.nix
index 2036630..7c68637 100644
--- a/flake.nix
+++ b/flake.nix
@@ -60,6 +60,14 @@
 ]
 ++ defaultVM;
 };
+ log-2 = nixosSystem {
+ specialArgs = inputs;
+ modules = [
+ ./hosts/vm/log-2
+ ./disks/layout_vm_log.nix
+ ]
+ ++ defaultVM;
+ };
 # VL: Peut-être avoir de l'auto-discovery: On a beaucoup trop de machines
 jitsi = nixosSystem {
 specialArgs = inputs;
diff --git a/hosts/vm/log-2/default.nix b/hosts/vm/log-2/default.nix
new file mode 100644
index 0000000..114891d
--- /dev/null
+++ b/hosts/vm/log-2/default.nix
@@ -0,0 +1,56 @@
+{ ... }:
+
+{
+ imports = [
+ ./log.nix
+ ];
+
+ disko.devices.disk.logs.device = "/dev/disk/by-id/scsi-0QEMU_QEMU_HARDDISK_drive-scsi1";
+
+ networking = {
+ hostName = "log-2";
+ domain = "int.infra.auro.re";
+ };
+
+ boot.loader.systemd-boot.enable = true;
+
+ systemd.network = {
+ enable = true;
+
+ links = {
+ "10-int" = {
+ matchConfig.MACAddress = "04:00:00:37:f2:a1";
+ linkConfig.Name = "int";
+ };
+ };
+
+ networks = {
+ "10-int" = {
+ domains = [
+ "int.infra.auro.re"
+ "auro.re"
+ ];
+ matchConfig.Name = "int";
+ linkConfig.RequiredForOnline = "routable";
+ address = [
+ "10.206.1.10/16"
+ "2a09:6840:206::1:10/64"
+ ];
+ routes = [
+ { Gateway = "10.206.0.1"; }
+ { Gateway = "2a09:6840:206::1"; }
+ ];
+ dns = [
+ "10.206.1.1"
+ "10.206.1.2"
+ "2a09:6840:206::1:1"
+ "2a09:6840:206::1:2"
+ ];
+ };
+ };
+ };
+
+ # TODO: script de rotation des logs
+
+ system.stateVersion = "25.05";
+}
diff --git a/hosts/vm/log-2/log.nix b/hosts/vm/log-2/log.nix
new file mode 100644
index 0000000..3da85c8
--- /dev/null
+++ b/hosts/vm/log-2/log.nix
@@ -0,0 +1,43 @@
+{ ... }:
+
+{
+ services.rsyslogd = {
+ extraConfig = ''
+ module(load="mmrm1stspace")
+ module(load="imrelp")
+
+ template(name="incomingFilename" type="list") {
+ constant(value="/var/log/remote/")
+ property(name="fromhost-ip")
+ constant(value="/")
+ property(name="timegenerated" dateFormat="year")
+ constant(value="-")
+ property(name="timegenerated" dateFormat="month")
+ constant(value="-")
+ property(name="timegenerated" dateFormat="day")
+ constant(value=".log")
+ }
+
+ ruleset(name="handleIncomingLogs") {
+ action(type="mmrm1stspace")
+ action(
+ type="omfile"
+ dynaFile="incomingFilename"
+ template="RSYSLOG_FileFormat"
+ )
+ }
+
+ input(
+ type="imrelp"
+ port="20514"
+ ruleset="handleIncomingLogs"
+ )
+ '';
+ };
+
+ networking.firewall.allowedTCPPorts = [ 20514 ];
+
+ systemd.tmpfiles.rules = [
+ "d /var/log/remote 0750 root root -"
+ ];
+}
diff --git a/profiles/common/default.nix b/profiles/common/default.nix
index 44c6e44..44d97c2 100644
--- a/profiles/common/default.nix
+++ b/profiles/common/default.nix
@@ -8,6 +8,7 @@
 ./ntp.nix
 ./programs.nix
 ./prometheus-node-exporter.nix
+ ./rsyslog.nix
 ./ssh.nix
 ./tmp.nix
 ];
diff --git a/profiles/common/rsyslog.nix b/profiles/common/rsyslog.nix
new file mode 100644
index 0000000..b6084f7
--- /dev/null
+++ b/profiles/common/rsyslog.nix
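Review bot: The imrelp input at `port="20514"` accepts unauthenticated plaintext RELP from any peer, and `networking.firewall.allowedTCPPorts = [ 20514 ];` opens it on every interface, so any host that can reach the collector can append arbitrary lines under /var/log/remote/&lt;its-ip&gt;/ and every forwarded log crosses the network readable in transit. Scoping the rule to the management link, `networking.firewall.interfaces.int.allowedTCPPorts = [ 20514 ];` (the link is named `int` in hosts/vm/log-2/default.nix), limits exposure; sender authentication needs RELP over TLS on this input, with the matching `tls="on"` and certificate parameters on the omrelp action in profiles/common/rsyslog.nix, as sketched below with placeholder paths. Keying the directory on `fromhost-ip` rather than the message hostname is the right choice, since a sender cannot forge it. Nothing here bounds growth: the dynaFile creates one file per sender and day and the tmpfiles rule only creates the directory, so an age field such as `"d /var/log/remote 0750 root root 90d"` (constructed value) or a logrotate entry would give the retention that the TODO in default.nix asks for.
```nix
# … unchanged: module loads, template and ruleset …
input(
  type="imrelp"
  port="20514"
  tls="on"
  tls.caCert="<PATH_TO_CA_CERT>"
  tls.myCert="<PATH_TO_HOST_CERT>"
  tls.myPrivKey="<PATH_TO_HOST_KEY>"
  tls.authMode="name"
  tls.permittedPeer=["<PERMITTED_SENDER_NAME>"]
  ruleset="handleIncomingLogs"
)
```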
@@ -0,0 +1,59 @@
+{ lib, ... }:
+
+{
+ services.rsyslogd = {
+ enable = true;
+ defaultConfig = ''
+ # TODO: Vérifier s'il existe des services qui ne savent pas envoyer
+ # leurs logs sur journald (peut-être freeradius)
+ global(
+ workDirectory="/var/spool/rsyslog" # TODO: read the doc
+ preserveFQDN="on"
+ )
+
+ module(load="imjournal")
+ module(load="mmjsonparse")
+ module(load="omrelp")
+
+ module(
+ load="builtin:omfile"
+ template="RSYSLOG_FileFormat"
+ fileOwner="root"
+ fileGroup="root"
+ fileCreateMode="0640"
+ dirCreateMode="0755"
+ )
+
+ ruleset(name="sendLogsToRemote") {
+ action(
+ type="omrelp"
+
+ target="10.206.1.10"
+ port="20514"
+
+ queue.type="LinkedList"
+ queue.spoolDirectory="/var/spool/rsyslog"
+ queue.fileName="queue_1"
+ queue.saveOnShutdown="on"
+
+ queue.highWatermark="500"
+ queue.lowWatermark="100"
+ queue.checkpointInterval="200"
+ queue.syncqueuefiles="on"
+ queue.maxDiskSpace="500m"
+
+ action.resumeRetryCount="-1"
+ action.reportSuspension="on"
+ action.reportSuspensionContinuation="on"
+ )
+ }
+
+ # Send local logs to the remote collector
+ call sendLogsToRemote
+ '';
+ };
+
+ # Pas de risque de boucle dès lors qu'on n'injecte pas les logs
+ # dans journald.
+ systemd.services.syslog.serviceConfig.StandardOutput = lib.mkForce "journal";
+}
diff --git a/profiles/vm/nginx.nix b/profiles/vm/nginx.nix
index 8b22c19..226f80f 100644
--- a/profiles/vm/nginx.nix
+++ b/profiles/vm/nginx.nix
@@ -5,6 +5,11 @@
 recommendedTlsSettings = true;
 recommendedOptimisation = true;
 recommendedGzipSettings = true;
- recommendedProxySettings = true;
+ recommendedProxySettings = true;
+
+ appendHttpConfig = ''
+ access_log syslog:server=unix:/dev/log combined;
+ error_log syslog:server=unix:/dev/log;
+ '';
 };
 }
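Review bot: `workDirectory="/var/spool/rsyslog"` still carries `# TODO: read the doc`; what that setting decides for this config is where the `queue.spoolDirectory` disk-assisted queue lives and where imjournal resolves a relative state file, so the directory has to exist and be writable by the syslog service before the first message — I would confirm the NixOS rsyslogd module creates it rather than assume so, since `queue.saveOnShutdown="on"` is only useful if it does. I would replace the TODO with a comment stating that, e.g. `# omrelp disk queue and imjournal state file (if one is set) live here`. `module(load="mmjsonparse")` is loaded but no action in this config invokes it; drop the load or add the action. `target="10.206.1.10"` duplicates the address assigned in hosts/vm/log-2/default.nix, so a single shared value or a name under int.infra.auro.re would keep the two from drifting. The unauthenticated plaintext transport is raised on the hosts/vm/log-2/log.nix hunk; the omrelp action here needs the client half of that change.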
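Review bot: Sending nginx's access log through `syslog:server=unix:/dev/log` puts it behind journald's per-service rate limit, so on a busy vhost bursts of requests can be dropped before imjournal ever forwards them; if complete access logs matter, setting `services.journald.rateLimitBurst` and `services.journald.rateLimitInterval` for these hosts, or keeping a local file `access_log` alongside, is a decision worth making explicitly. The `combined` format carries client addresses and full request URIs, which now leave the host as part of the forwarded stream — see the transport note on hosts/vm/log-2/log.nix. The `- recommendedProxySettings = true;` / `+ recommendedProxySettings = true;` pair reads as a whitespace-only change; if so it could be left out of this commit.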