authorStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:23:43 -0500
committerStonewall Jackson <stonewall@sacredheartsc.com>2023-02-04 01:52:13 -0500
commit0261e875679f1bf63c8d689da7fc7e014597885d (patch)
tree3f19cd74a0c1070944f75437f30b098d6ef2ffcb /roles/rsyslog_server
initial commit
Diffstat (limited to 'roles/rsyslog_server')
-rw-r--r--roles/rsyslog_server/defaults/main.yml14
-rw-r--r--roles/rsyslog_server/handlers/main.yml10
-rw-r--r--roles/rsyslog_server/tasks/main.yml74
-rw-r--r--roles/rsyslog_server/templates/etc/rsyslog.conf.j297
-rw-r--r--roles/rsyslog_server/vars/main.yml20
5 files changed, 215 insertions, 0 deletions
diff --git a/roles/rsyslog_server/defaults/main.yml b/roles/rsyslog_server/defaults/main.yml
new file mode 100644
index 0000000..7931580
--- /dev/null
+++ b/roles/rsyslog_server/defaults/main.yml
@@ -0,0 +1,14 @@
+rsyslog_owner: root
+rsyslog_group: root
+rsyslog_file_mode: '0640'
+rsyslog_dir_mode: '0750'
+
+rsyslog_port: 514
+rsyslog_relp_port: 20514
+rsyslog_relp_tls_port: 10514
+
+rsyslog_gzip_on_calendar: daily
+rsyslog_gzip_days_ago: 7
+
+rsyslog_permitted_peers:
+ - '*.{{ ansible_domain }}'
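Review bot: None of the fourteen defaults carry a comment, and `rsyslog_permitted_peers` in particular is the only value that decides which certificate subjects the TLS RELP listener accepts, so a reader has to open the template to learn what the wildcard means. A short comment above it, `# Certificate names accepted on the TLS RELP input (tls.permittedPeer, authMode=name); any host in the domain by default`, and one above the port block, `# 514 tcp/udp and rsyslog_relp_port are plaintext; only rsyslog_relp_tls_port is authenticated`, would document the trust boundary where operators override it. The quoting of `'0640'`/`'0750'` is correct and should stay as-is.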
diff --git a/roles/rsyslog_server/handlers/main.yml b/roles/rsyslog_server/handlers/main.yml
new file mode 100644
index 0000000..fdad349
--- /dev/null
+++ b/roles/rsyslog_server/handlers/main.yml
@@ -0,0 +1,10 @@
+- name: restart rsyslog
+ systemd:
+ name: rsyslog
+ state: restarted
+
+- name: reload syslog-gzip timer
+ systemd:
+ name: syslog-gzip.timer
+ daemon-reload: yes
+ state: restarted
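Review bot: The handler uses the hyphenated alias `daemon-reload: yes` where the module's documented option is `daemon_reload`, and `yes` is a YAML 1.1 truthy that ansible-lint's truthy rule normally flags; `daemon_reload: true` is the canonical spelling. The same `yes`/`no` style recurs in tasks/main.yml (`timer_shell: yes`, `changed_when: no`, `enabled: yes`, `permanent: yes`, `immediate: yes`), so it is worth normalising to `true`/`false` across the role in one pass rather than per file.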
diff --git a/roles/rsyslog_server/tasks/main.yml b/roles/rsyslog_server/tasks/main.yml
new file mode 100644
index 0000000..2a77388
--- /dev/null
+++ b/roles/rsyslog_server/tasks/main.yml
@@ -0,0 +1,74 @@
+- name: install rsyslog
+ dnf:
+ name: '{{ rsyslog_packages }}'
+ state: present
+
+- name: request TLS certificate
+ include_role:
+ name: getcert_request
+ vars:
+ certificate_service: syslog
+ certificate_path: '{{ rsyslog_certificate_path }}'
+ certificate_key_path: '{{ rsyslog_certificate_key_path }}'
+ certificate_hook: systemctl restart rsyslog
+
+- name: generate config file
+ template:
+ src: etc/rsyslog.conf.j2
+ dest: /etc/rsyslog.conf
+ notify: restart rsyslog
+
+- name: create syslog-gzip systemd timer
+ include_role:
+ name: systemd_timer
+ vars:
+ timer_name: syslog-gzip
+ timer_description: Compress old syslog files
+ timer_after: nss-user-lookup.target
+ timer_on_calendar: '{{ rsyslog_gzip_on_calendar }}'
+ timer_user: '{{ rsyslog_owner }}'
+ timer_group: '{{ rsyslog_group }}'
+ timer_exec: find {{ rsyslog_storage_dir }} -type f -mtime +{{ rsyslog_gzip_days_ago }} -not -name '*.gz' -exec gzip {} ;
+
+- name: create syslog-update-today-symlink timer
+ include_role:
+ name: systemd_timer
+ vars:
+ timer_name: syslog-update-today-symlink
+ timer_description: Update today symlink in syslog dir
+ timer_after: nss-user-lookup.target
+ timer_on_calendar: daily
+ timer_user: '{{ rsyslog_owner }}'
+ timer_group: '{{ rsyslog_group }}'
+ timer_shell: yes
+ timer_exec: ln -sfT "$(date +%Y/%m/%d)" {{ rsyslog_storage_dir }}/today
+
+- name: create remote log directory
+ file:
+ path: '{{ rsyslog_storage_dir }}'
+ state: directory
+
+- name: create today symlink
+ systemd:
+ name: syslog-update-today-symlink.service
+ state: started
+ changed_when: no
+
+- name: enable rsyslog
+ systemd:
+ name: rsyslog
+ enabled: yes
+ state: started
+
+- name: open firewall ports
+ firewalld:
+ port: '{{ item }}'
+ permanent: yes
+ immediate: yes
+ state: enabled
+ loop:
+ - '{{ rsyslog_port }}/tcp'
+ - '{{ rsyslog_port }}/udp'
+ - '{{ rsyslog_relp_port }}/tcp'
+ - '{{ rsyslog_relp_tls_port }}/tcp'
+ tags: firewalld
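Review bot: The "create remote log directory" task creates `rsyslog_storage_dir` with no `owner`, `group` or `mode`, so the top of the remote-log tree gets whatever the umask yields (typically root-owned and world-traversable) while every subdirectory rsyslog creates beneath it follows `dirCreateMode`/`dirOwner` from the template; the role's own variables should apply here too: `owner: '{{ rsyslog_owner }}'`, `group: '{{ rsyslog_group }}'`, `mode: '{{ rsyslog_dir_mode }}'`. The "generate config file" task likewise writes /etc/rsyslog.conf without an explicit `mode`; since the rendered file embeds certificate and key paths and peer lists, pinning it (for example `mode: '0644'` or the role's file mode) makes the result independent of the controller's umask. The `firewalld` loop opens the plaintext 514/tcp, 514/udp and RELP ports with no `zone`, so they land in the default zone; if that is intended, a comment saying so would save the next reader a check.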
diff --git a/roles/rsyslog_server/templates/etc/rsyslog.conf.j2 b/roles/rsyslog_server/templates/etc/rsyslog.conf.j2
new file mode 100644
index 0000000..174e966
--- /dev/null
+++ b/roles/rsyslog_server/templates/etc/rsyslog.conf.j2
@@ -0,0 +1,97 @@
+module(load="imklog")
+module(load="imuxsock" SysSock.name="/run/systemd/journal/syslog")
+module(load="imudp")
+module(load="imtcp")
+module(load="imfile")
+module(load="imrelp" tls.tlslib="openssl")
+
+global(
+ workDirectory="/var/lib/rsyslog"
+ parser.escapecontrolcharactertab="off"
+)
+
+module(load="builtin:omfile"
+ template="RSYSLOG_TraditionalFileFormat"
+ dirCreateMode="{{ rsyslog_dir_mode }}"
+ dirOwner="{{ rsyslog_owner }}"
+ dirGroup="{{ rsyslog_group }}"
+ fileCreateMode="{{ rsyslog_file_mode }}"
+ fileOwner="{{ rsyslog_owner }}"
+ fileGroup="{{ rsyslog_group }}")
+
+include(file="/etc/rsyslog.d/*.conf" mode="optional")
+
+template(name="RemoteLogSavePath" type="list") {
+ constant(value="{{ rsyslog_storage_dir }}/")
+ property(name="timegenerated" dateFormat="year") constant(value="/")
+ property(name="timegenerated" dateFormat="month") constant(value="/")
+ property(name="timegenerated" dateFormat="day") constant(value="/")
+ property(name="fromhost" caseConversion="lower") constant(value="/")
+ property(name="$.filename" caseConversion="lower")
+}
+
+template(name="HttpdAccessLog_FileFormat" type="string"
+ string="%HOSTNAME% %syslogtag%%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
+)
+
+ruleset(name="RemoteLog") {
+ # default filename
+ set $.filename = "messages.log";
+
+ # drop any debug messages
+ if not prifilt("*.info") then {
+ stop
+ }
+
+ # program-specific overrides
+ if $syslogtag == {{ (rsyslog_log_by_tag + rsyslog_access_log_by_tag) | to_json }} then {
+ if $syslogtag == {{ rsyslog_log_by_tag | to_json }} then {
+ set $.filename = $syslogtag & ".log";
+ } else if prifilt("*.=info") then {
+ set $.filename = $syslogtag & "-access.log";
+ } else {
+ set $.filename = $syslogtag & "-error.log";
+ }
+
+ action(type="omfile"
+ template="HttpdAccessLog_FileFormat"
+ dynaFile="RemoteLogSavePath"
+ dynaFileCacheSize="1024"
+ asyncWriting="on"
+ flushOnTXEnd="off"
+ flushInterval="1"
+ ioBufferSize="64k")
+ } else {
+ action(type="omfile"
+ template="RSYSLOG_FileFormat"
+ dynaFile="RemoteLogSavePath"
+ dynaFileCacheSize="1024"
+ asyncWriting="on"
+ flushOnTXEnd="off"
+ flushInterval="1"
+ ioBufferSize="64k")
+ }
+}
+
+input(type="imtcp" port="{{ rsyslog_port }}" ruleset="RemoteLog")
+input(type="imudp" port="{{ rsyslog_port }}" ruleset="RemoteLog")
+input(type="imrelp" port="{{ rsyslog_relp_port }}" ruleset="RemoteLog")
+input(type="imrelp"
+ port="{{ rsyslog_relp_tls_port }}"
+ tls="on"
+ tls.caCert="{{ rsyslog_certificate_ca_path }}"
+ tls.myCert="{{ rsyslog_certificate_path }}"
+ tls.myPrivKey="{{ rsyslog_certificate_key_path }}"
+ tls.authMode="name"
+ tls.permittedPeer=["{{ rsyslog_permitted_peers | join('", "') }}"]
+ ruleset="RemoteLog")
+
+
+# EL defaults
+*.info;mail.none;authpriv.none;cron.none /var/log/messages
+authpriv.* /var/log/secure
+mail.* -/var/log/maillog
+cron.* /var/log/cron
+*.emerg :omusrmsg:*
+uucp,news.crit /var/log/spooler
+local7.* /var/log/boot.log
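Review bot: The three plaintext inputs (`imtcp`, `imudp` and the first `imrelp` line) feed the same `RemoteLog` ruleset as the TLS input, so a sender on the plain ports is written into a `fromhost`-named directory without `tls.permittedPeer` ever applying, and nothing in the template records that this is intended. A comment above the input block, e.g. `# 514 and rsyslog_relp_port are unauthenticated; only the TLS RELP input below enforces permittedPeer`, would make the trust boundary visible. Separately, the `$syslogtag == [...]` comparisons appear to expect a bare tag such as `httpd`; if senders emit the usual `httpd[123]:` form those branches never match and `$programname` may be the property intended — worth confirming against the actual senders. The two `action(type="omfile" ...)` blocks differ only in `template=`, which is fine in RainerScript but deserves a one-line comment so the duplication is not "fixed" by a later edit.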
diff --git a/roles/rsyslog_server/vars/main.yml b/roles/rsyslog_server/vars/main.yml
new file mode 100644
index 0000000..3cd223c
--- /dev/null
+++ b/roles/rsyslog_server/vars/main.yml
@@ -0,0 +1,20 @@
+rsyslog_packages:
+ - rsyslog
+ - rsyslog-doc
+ - rsyslog-relp
+ - rsyslog-openssl
+
+rsyslog_log_by_tag:
+ - unifi
+ - airsonic
+
+rsyslog_access_log_by_tag:
+ - httpd
+ - nginx
+ - slapd
+
+rsyslog_certificate_path: /etc/pki/rsyslog/syslog.pem
+rsyslog_certificate_key_path: /etc/pki/rsyslog/syslog.key
+rsyslog_certificate_ca_path: /etc/ipa/ca.crt
+
+rsyslog_storage_dir: /var/log/remote
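Review bot: `rsyslog_log_by_tag` and `rsyslog_access_log_by_tag` are site-specific lists (unifi, airsonic, httpd, nginx, slapd) placed in vars/main.yml, which in Ansible takes precedence over inventory and play vars, so a consumer of the role cannot extend them without editing the role; if that is not deliberate they belong in defaults/main.yml next to `rsyslog_permitted_peers`. The certificate and storage paths are reasonable as role vars, though a comment noting that `rsyslog_certificate_ca_path` points at the FreeIPA CA (`/etc/ipa/ca.crt`) would explain the coupling to the getcert_request role.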