Merge branch 'logall' into 'newinfra'

[logall] Deploy rsyslogd config, logrotate and mount logs See merge request !157

Merge branch 'logall' into 'newinfra'
[logall] Deploy rsyslogd config, logrotate and mount logs See merge request !157
f3f8d683 · Benjamin Graillot · 834f8e34 · 4a20b96d · f3f8d683 · f3f8d683
Commit f3f8d683 authored 4 years ago by Benjamin Graillot
--- a/plays/firewall.yml
+++ b/plays/firewall.yml
@@ -2,6 +2,9 @@
 ---
 # Deploy sysctl config files
 - hosts: crans_routeurs
+  vars:
+    logs:
+      ip: 172.16.10.1
  roles:
    - sysctl-forwarding
    - logall

--- a/roles/logall/tasks/main.yml
+++ b/roles/logall/tasks/main.yml
@@ -7,6 +7,14 @@
    owner: root
    group: root

+- name: Create firewall log directory
+  file:
+    path: /var/log/firewall
+    mode: 0755
+    owner: root
+    group: root
+    state: directory
+
 - name: Deploy firewall logrotate
  template:
    src: logrotate.d/firewall.j2
@@ -14,3 +22,24 @@
    mode: 0644
    owner: root
    group: root
+
+- name: Create logs directory
+  file:
+    path: /logs
+    mode: 0755
+    owner: root
+    group: root
+    state: directory
+
+- name: Deploy nfs systemd mount
+  template:
+    src: systemd/system/logs.mount.j2
+    dest: /etc/systemd/system/logs.mount
+    mode: 0644
+
+- name: Load and activate nfs systemd mount
+  systemd:
+    name: logs.mount
+    daemon_reload: true
+    enabled: true
+    state: started
--- a/roles/logall/templates/logrotate.d/firewall.j2
+++ b/roles/logall/templates/logrotate.d/firewall.j2
@@ -24,6 +24,6 @@
        sharedscripts
        postrotate
        /usr/sbin/invoke-rc.d rsyslog rotate >/dev/null;
-    QUIET=y /usr/scripts/firewall/firewall-logrotate-script.sh;
+    QUIET=y /logs/firewall-logrotate-script.sh;
    endscript
 }
--- a/roles/logall/templates/rsyslog.d/10-firewall.conf.j2
+++ b/roles/logall/templates/rsyslog.d/10-firewall.conf.j2
@@ -15,7 +15,7 @@ if $programname == 'firewall' then /var/log/firewall/iptables.log
 if $syslogfacility == '0' and $msg contains 'ff:ff:ff:ff:ff:ff' then ~

 # LOG_ALL pour … je sais plus à quoi ça sert …
-if $syslogfacility == '0' and $msg contains 'LOG_ALL' and ($msg contains 'SRC=10.' or $msg contains 'SRC=185.230.76.' or $msg contains 'SRC=185.230.77.' or $msg contains 'SRC=185.230.78.' or $msg contains 'SRC=185.230.79.' or $msg contains 'SRC=136.231.' or $msg contains 'SRC=2a0c:0700:') then /var/log/firewall/logall.log
+if $syslogfacility == '0' and $msg contains 'LOG_ALL' and ($msg contains 'SRC=10.' or $msg contains 'SRC=100.64.' or $msg contains 'SRC=172.16.' or $msg contains 'SRC=185.230.76.' or $msg contains 'SRC=185.230.77.' or $msg contains 'SRC=185.230.78.' or $msg contains 'SRC=185.230.79.' or $msg contains 'SRC=2a0c:0700:') then /var/log/firewall/logall.log
 &   ~

 # LOG_MAC_IP pour l'association mac_ip en ipv6

--- a/roles/logall/templates/systemd/system/logs.mount.j2
+++ b/roles/logall/templates/systemd/system/logs.mount.j2
+{{ ansible_header | comment }}
+[Unit]
+Description=Mount home
+Wants=network-online.target
+After=network-online.target
+
+[Mount]
+What={{ logs.ip }}:/pool/logs
+Where=/logs
+Type=nfs
+Options=rw,nosuid
+
+[Install]
+WantedBy=multi-user.target