ansible/roles/syslogd/tasks/server.yml


---
# Log storage tree. Mode 0750 with owner root and the wheel group means
# accounts outside that group cannot list or read the collected logs.
- name: Create data directories
  ansible.builtin.file:
    path: "{{ item }}"
    state: directory
    owner: root
    group: "{{ ansible_wheel }}"
    mode: "0750"
  loop:
    - /export/log
    - /export/log/archive
# /srv/log is the path the later tasks in this file write to; it is a
# symlink onto the real storage under /export/log.
- name: Link data directory
  ansible.builtin.file:
    state: link
    src: /export/log
    path: /srv/log
    owner: root
    group: "{{ ansible_wheel }}"
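# TLS private key for the syslog listener, installed readable by root only.
# remote_src is not set, so src is read on the Ansible control node: that
# host needs read access to the Let's Encrypt private key, and the key
# crosses the Ansible connection on every change.
# The file name matches the first -S listen address in the syslogd service
# arguments (presumably how syslogd locates its key; confirm in syslogd(8)).
- name: Copy server key
  ansible.builtin.copy:
    dest: "{{ tls_private }}/0.0.0.0:6514.key"
    src: /srv/letsencrypt/live/loghost.foo.sh/privkey.pem
    mode: "0600"
    owner: root
    group: "{{ ansible_wheel }}"
  # Without this, running the play with --diff prints the before/after file
  # content, i.e. the private key, into the terminal and any job log.
  diff: false
  notify: Restart syslogd
  tags: certificates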
# Certificate chain served to connecting clients. It is public material,
# hence world-readable (0644), unlike the matching private key.
# remote_src is not set, so src is read on the Ansible control node.
- name: Copy server crt
  ansible.builtin.copy:
    src: /srv/letsencrypt/live/loghost.foo.sh/fullchain.pem
    dest: "{{ tls_certs }}/0.0.0.0:6514.crt"
    owner: root
    group: "{{ ansible_wheel }}"
    mode: "0644"
  tags: certificates
  notify: Restart syslogd
# Prepend a managed block to /etc/syslog.conf (insertbefore: BOF puts it
# ahead of the existing rules). "*.*" selects every facility and level, so
# /srv/log/all.log receives everything syslogd processes; the "+hostname"
# line that follows is, per the block's own comments, what limits the
# remaining stock rules to locally generated messages.
# all.log therefore aggregates messages from every sending host and should
# stay as tightly permissioned as the directory that holds it.
- name: Add archiving to syslog.conf
  ansible.builtin.blockinfile:
    path: /etc/syslog.conf
    marker: "# {mark} ANSIBLE MANAGED BLOCK (syslogd)"
    insertbefore: BOF
    block: |
      # everything goes to archive
      *.* /srv/log/all.log
      # only local goes to the standard logs
      +{{ ansible_hostname }}
  notify: Restart syslogd
# Pre-create the archive log file. The umask of 027 means touch creates it
# without any "other" permissions and without group write (0640).
# `creates` makes the task a no-op once the file exists, so an existing
# file's mode and ownership are never corrected by this task.
- name: Create dummy all.log
  ansible.builtin.shell:
    creates: /srv/log/all.log
    cmd: umask 027 ; touch /srv/log/all.log
# Install the archiving script. The relative src is looked up in the role's
# files. The script is run by root's crontab (see the cron task in this
# file), so it is owned by root and writable by root only (0755).
- name: Install log archiver
  ansible.builtin.copy:
    src: syslog-archive.sh
    dest: /usr/local/sbin/syslog-archive
    owner: root
    group: "{{ ansible_wheel }}"
    mode: "0755"
# Run the archiver from root's crontab every day at 00:00.
# hour and minute are quoted so they are passed to the module as strings.
- name: Install log archiver cron
  ansible.builtin.cron:
    name: syslog-archive
    user: root
    job: /usr/local/sbin/syslog-archive
    minute: "0"
    hour: "0"
# Enable and start syslogd with TLS listeners on port 6514.
#   -n        log source addresses numerically
#   -K <file> CA file used to validate client certificates on incoming TLS
#             connections; this file does not deploy ca.crt, so it must
#             come from elsewhere (TODO confirm)
#   -S <addr> TLS listen address, given once for IPv4 and once for IPv6
# NOTE(review): the IPv6 listener is written with four colons ("::::6514");
# confirm syslogd parses this as the unspecified address on port 6514.
# NOTE(review): 0.0.0.0 exposes the listener on every interface; access
# then rests on the -K client-certificate check and any packet filter.
- name: Enable syslogd remote logging
  ansible.builtin.service:
    name: syslogd
    enabled: true
    state: started
    arguments: "-n -K {{ tls_certs }}/ca.crt -S 0.0.0.0:6514 -S ::::6514"