From 7088bc9b1483392fec00db6c0e9157889d427eb5 Mon Sep 17 00:00:00 2001
From: Timo Makinen
Date: Fri, 19 Jul 2019 17:16:59 +0300
Subject: [PATCH] add server support for syslogd
---
 roles/syslogd/files/syslog-archive.sh | 79 +++++++++++++++++++++++++++
 roles/syslogd/tasks/main.yml | 4 ++
 roles/syslogd/tasks/server.yml | 76 ++++++++++++++++++++++++++
 3 files changed, 159 insertions(+)
 create mode 100755 roles/syslogd/files/syslog-archive.sh
 create mode 100644 roles/syslogd/tasks/server.yml
diff --git a/roles/syslogd/files/syslog-archive.sh b/roles/syslogd/files/syslog-archive.sh
new file mode 100755
index 0000000..c73123a
--- /dev/null
+++ b/roles/syslogd/files/syslog-archive.sh
@@ -0,0 +1,79 @@
+#!/bin/sh
+
+LOGDIR="/srv/log"
+ARCHIVE="${LOGDIR}/archive"
+
+DATE="`date +%Y-%m-%d`"
+YEAR="`date +%Y`"
+
+umask 027
+
+myerror()
+{
+ echo "Error: $*" 1>&2
+ exit 1
+}
+
+archive_log()
+{
+ FILE="${1}"
+ DEST="${2}"
+
+ if [ -f "${DEST}" -o -f "${DEST}.gz" ]; then
+ echo "Skipping ${FILE}: Archive already exists" 1>&2
+ else
+ echo "Archiving file ${FILE} to ${DEST}"
+ mv "${FILE}" "${DEST}"
+ touch "${FILE}"
+ LOGS="${LOGS} ${DEST}"
+ fi
+}
+
+restart_syslog()
+{
+ for i in syslog.pid rsyslogd.pid syslogd.pid ; do
+ if [ -f "/var/run/$i" ]; then
+ PIDFILE="/var/run/$i"
+ break
+ fi
+ done
+ if [ "blah${PIDFILE}" = "blah" ]; then
+ myerror "Cannot find syslog pid file"
+ fi
+ kill -HUP `cat ${PIDFILE}`
+}
+
+[ $# -gt 0 ] || myerror "Usage: `basename $0` [file|dir] ..."
+
+[ -d ${LOGDIR} ] || myerror "Not a directory: ${LOGDIR}"
+
+while [ "$*" ]; do
+ if [ -f "${LOGDIR}/${1}" ]; then
+ dstdir=${ARCHIVE}/${YEAR}
+ dstfile=${dstdir}/`basename ${1}`.${DATE}
+ [ -d "${dstdir}" ] || mkdir -p ${dstdir}
+ archive_log ${LOGDIR}/${1} ${dstfile}
+ elif [ -d "${LOGDIR}/${1}" ]; then
+ for f in ${LOGDIR}/${1}/*.log; do
+ if [ -f "${f}" ]; then
+ dstdir=${ARCHIVE}/${1}/${YEAR}
+ dstfile=${dstdir}/`basename ${f}`.${DATE}
+ [ -d "${dstdir}" ] || mkdir -p ${dstdir}
+ archive_log ${f} ${dstfile}
+ else
+ echo "Skipping ${f}: not a file" 1>&2
+ fi
+ done
+ else
+ echo "Skipping ${1}: not a file or directory" 1>&2
+ fi
+ shift
+done
+
+restart_syslog
+
+for log in ${LOGS}; do
+ gzip -f ${log} || myerror "Error while gzipping ${log}"
+ loggz="`basename ${log}`.gz"
+ ( cd `dirname ${log}` && openssl sha1 -out ${loggz}.sha1 ${loggz} )
+done
diff --git a/roles/syslogd/tasks/main.yml b/roles/syslogd/tasks/main.yml
index bb58cfc..f23ed22 100644
--- a/roles/syslogd/tasks/main.yml
+++ b/roles/syslogd/tasks/main.yml
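Review bot: archive_log ignores the exit status of `mv`, so when the move fails the function still runs `touch` and appends DEST to LOGS, and the later gzip loop then aborts the whole run through myerror before the digests of the files that were archived successfully are written; `mv "${FILE}" "${DEST}" || myerror "Cannot move ${FILE} to ${DEST}"` keeps the failure local and explicit. Most other expansions in the script are unquoted (`[ -d ${LOGDIR} ]`, `archive_log ${f} ${dstfile}`, `gzip -f ${log}`, `cat ${PIDFILE}`), so a path containing whitespace or glob characters is split or expanded before it reaches the command, and quoting them is a mechanical change. In restart_syslog the `"blah${PIDFILE}"` test can be written `[ -z "${PIDFILE}" ]`, and the pid file content goes to kill unchecked, so an empty pid file produces a kill usage error instead of a clear message. The sha1 written next to each archive is produced on the same host with the same privileges, so it detects corruption but not modification by anyone who can write the archive directory; that limit deserves a comment at the `openssl sha1` line, whose exit status is also not checked.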
@@ -25,3 +25,7 @@
 path: /etc/newsyslog.conf
 regexp: "^/var/log/all.log.*"
 line: "/var/log/all.log root:{{ ansible_wheel }} 640 7 * $D0 Z"
+
+- name: include server config
+ include_tasks: server.yml
+ when: inventory_hostname == "log01.home.foo.sh"
diff --git a/roles/syslogd/tasks/server.yml b/roles/syslogd/tasks/server.yml
new file mode 100644
index 0000000..3de2491
--- /dev/null
+++ b/roles/syslogd/tasks/server.yml
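Review bot: The include is gated on a literal hostname, `when: inventory_hostname == "log01.home.foo.sh"`, while the server tasks it pulls in take the certificate from a `loghost.foo.sh` path, so the server role is tied to one inventory name and the two names must be kept in step by hand. Gating on group membership, `when: "'syslogd_servers' in group_names"`, or on a role variable such as `when: syslogd_server | default(false)`, keeps the host-specific data in inventory and lets the role be reused for a second log host. Either form preserves the current default of no server config on every other host.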
@@ -0,0 +1,76 @@
+---
+
+- name: create data directories
+ file:
+ dest: "{{ item }}"
+ state: directory
+ mode: 0750
+ owner: root
+ group: "{{ ansible_wheel }}"
+ with_items:
+ - /export/log
+ - /export/log/archive
+
+- name: link data directory
+ file:
+ dest: /srv/log
+ src: /export/log
+ state: link
+ owner: root
+ group: "{{ ansible_wheel }}"
+
+- name: copy server key
+ copy:
+ dest: "{{ tls_private }}/0.0.0.0:6514.key"
+ src: /srv/letsencrypt/live/loghost.foo.sh/privkey.pem
+ mode: 0600
+ owner: root
+ group: "{{ ansible_wheel }}"
+
+- name: copy server crt
+ copy:
+ dest: "{{ tls_certs }}/0.0.0.0:6514.crt"
+ src: /srv/letsencrypt/live/loghost.foo.sh/fullchain.pem
+ mode: 0644
+ owner: root
+ group: "{{ ansible_wheel }}"
+
+- name: add archiving to syslog.conf
+ blockinfile:
+ path: /etc/syslog.conf
+ insertbefore: BOF
+ block: |
+ # everything goes to archive
+ *.* /srv/log/all.log
+ # only local goes to the standard logs
+ +{{ inventory_hostname }}
+ marker: "# {mark} ANSIBLE MANAGED BLOCK (syslogd)"
+ notify: restart syslogd
+
+- name: create dummy all.log
+ shell: umask 027 ; touch /srv/log/all.log
+ args:
+ creates: /srv/log/all.log
+
+- name: install log archiver
+ copy:
+ dest: /usr/local/sbin/syslog-archive
+ src: syslog-archive.sh
+ mode: 0755
+ owner: root
+ group: "{{ ansible_wheel }}"
+
+- name: install log archiver cron
+ cron:
+ name: syslog-archive
+ user: root
+ hour: 0
+ minute: 0
+ job: /usr/local/sbin/syslog-archive /srv/log all.log
+
+- name: enable syslogd remote logging
+ service:
+ name: syslogd
+ state: started
+ enabled: true
+ arguments: -n -K {{ tls_certs }}/ca.crt -S 0.0.0.0:6514 -S ::::6514
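Review bot: The cron job passes `/srv/log all.log` to the archiver, but the script resolves every argument relative to its fixed LOGDIR of /srv/log, so the first argument becomes `/srv/log//srv/log`, is reported as "not a file or directory" on stderr every night, and only `all.log` is actually archived; the line should read `job: /usr/local/sbin/syslog-archive all.log`. The two `copy` tasks for the server key and certificate read `src` from the controller unless `remote_src: true` is set; if the Let's Encrypt live directory is on the log host itself, as the path suggests, both tasks need `remote_src: true`. The `::::6514` listen address is an unusual spelling for the IPv6 wildcard; confirm the installed syslogd parses it as intended, since this task is what opens port 6514 to the network. The dummy all.log is created with `umask 027 ; touch`, which yields root:root 640 while the rest of the role assigns `{{ ansible_wheel }}` as group; if wheel members are meant to read it, a `file` task with explicit owner, group and mode would make that intent visible.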