diff --git a/plays/firewall.yml b/plays/firewall.yml
index 3506856da9e29c9a8a6275646533ad6ee3b91b53..80446c727053b8bf45fc65ae8a8a8dc3b46b540f 100755
--- a/plays/firewall.yml
+++ b/plays/firewall.yml
@@ -2,6 +2,9 @@
 ---
 # Deploy sysctl config files
 - hosts: crans_routeurs
+  vars:
+    logs:
+      ip: 172.16.10.1
   roles:
     - sysctl-forwarding
     - logall
diff --git a/roles/logall/tasks/main.yml b/roles/logall/tasks/main.yml
index d9f16005659992e7f076ec7077e93d44a45b396a..f63159b0cfaaac4639f51e33dd8a2725f39e5df6 100644
--- a/roles/logall/tasks/main.yml
+++ b/roles/logall/tasks/main.yml
@@ -7,6 +7,14 @@
     owner: root
     group: root
 
+- name: Create firewall log directory
+  file:
+    path: /var/log/firewall
+    mode: 0755
+    owner: root
+    group: root
+    state: directory
+
 - name: Deploy firewall logrotate
   template:
     src: logrotate.d/firewall.j2
@@ -14,3 +22,24 @@
     mode: 0644
     owner: root
     group: root
+
+- name: Create logs directory
+  file:
+    path: /logs
+    mode: 0755
+    owner: root
+    group: root
+    state: directory
+
+- name: Deploy nfs systemd mount
+  template:
+    src: systemd/system/logs.mount.j2
+    dest: /etc/systemd/system/logs.mount
+    mode: 0644
+
+- name: Load and activate nfs systemd mount
+  systemd:
+    name: logs.mount
+    daemon_reload: true
+    enabled: true
+    state: started
diff --git a/roles/logall/templates/logrotate.d/firewall.j2 b/roles/logall/templates/logrotate.d/firewall.j2
index 0867811813db31fdd3db43358e05d2b2ef53f7db..6d733471b41e2f6953c9e08927b6992d64adac90 100644
--- a/roles/logall/templates/logrotate.d/firewall.j2
+++ b/roles/logall/templates/logrotate.d/firewall.j2
@@ -24,6 +24,6 @@
 sharedscripts
 postrotate
     /usr/sbin/invoke-rc.d rsyslog rotate >/dev/null;
-    QUIET=y /usr/scripts/firewall/firewall-logrotate-script.sh;
+    QUIET=y /logs/firewall-logrotate-script.sh;
 endscript
 }
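Review bot: The `Deploy nfs systemd mount` task in the second main.yml hunk writes a unit into `/etc/systemd/system` with `mode: 0644` but no `owner`/`group`, unlike every other `file`/`template` task in this role, and the following `systemd` task only asserts `state: started`, so a later edit of the template (for example a new `logs.ip`) is reloaded but never applied to an already active mount. Adding `owner: root` and `group: root` to the template task keeps the role consistent, and a `notify` handler that restarts `logs.mount` when the template reports changed makes the unit actually converge. The `Create logs directory` task's `mode: 0755` only describes the mountpoint before the share is mounted; what ends up visible under `/logs` is whatever the NFS export carries, which is worth a one-line comment so nobody relies on that mode.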
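Review bot: The rewritten postrotate line runs `/logs/firewall-logrotate-script.sh` as root from the NFS share introduced by this change, so the integrity of a root-executed script now depends on the NFS server and on the network path to it, and log rotation fails outright whenever `/logs` is not mounted. Keeping the script in a root-owned local path that the role deploys (the previous `/usr/scripts/firewall/` location, or a copy shipped from the role's own files) and letting it write its results to `/logs` preserves the intent without executing remote content as root, and would also allow the share to be mounted `noexec`. The enclosing logrotate stanza opens before this hunk.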
diff --git a/roles/logall/templates/rsyslog.d/10-firewall.conf.j2 b/roles/logall/templates/rsyslog.d/10-firewall.conf.j2
index 6faa5180723c7f13c6671d332bb6fde87fdc12da..61281ea9c7b9ad33a349cc5c38bf39425e891aa2 100644
--- a/roles/logall/templates/rsyslog.d/10-firewall.conf.j2
+++ b/roles/logall/templates/rsyslog.d/10-firewall.conf.j2
@@ -15,7 +15,7 @@
 if $programname == 'firewall' then /var/log/firewall/iptables.log
 if $syslogfacility == '0' and $msg contains 'ff:ff:ff:ff:ff:ff' then ~
 # LOG_ALL pour … je sais plus à quoi ça sert …
-if $syslogfacility == '0' and $msg contains 'LOG_ALL' and ($msg contains 'SRC=10.' or $msg contains 'SRC=185.230.76.' or $msg contains 'SRC=185.230.77.' or $msg contains 'SRC=185.230.78.' or $msg contains 'SRC=185.230.79.' or $msg contains 'SRC=136.231.' or $msg contains 'SRC=2a0c:0700:') then /var/log/firewall/logall.log
+if $syslogfacility == '0' and $msg contains 'LOG_ALL' and ($msg contains 'SRC=10.' or $msg contains 'SRC=100.64.' or $msg contains 'SRC=172.16.' or $msg contains 'SRC=185.230.76.' or $msg contains 'SRC=185.230.77.' or $msg contains 'SRC=185.230.78.' or $msg contains 'SRC=185.230.79.' or $msg contains 'SRC=2a0c:0700:') then /var/log/firewall/logall.log
 & ~
 # LOG_MAC_IP pour l'association mac_ip en ipv6
diff --git a/roles/logall/templates/systemd/system/logs.mount.j2 b/roles/logall/templates/systemd/system/logs.mount.j2
new file mode 100644
index 0000000000000000000000000000000000000000..a70884492bf2a6542f605b7b00a21fd008e79ca2
--- /dev/null
+++ b/roles/logall/templates/systemd/system/logs.mount.j2
@@ -0,0 +1,14 @@
+{{ ansible_header | comment }}
+[Unit]
+Description=Mount home
+Wants=network-online.target
+After=network-online.target
+
+[Mount]
+What={{ logs.ip }}:/pool/logs
+Where=/logs
+Type=nfs
+Options=rw,nosuid
+
+[Install]
+WantedBy=multi-user.target
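Review bot: The new `$msg contains 'SRC=100.64.'` and `$msg contains 'SRC=172.16.'` terms on the added line match only 100.64.0.0/16 and 172.16.0.0/16, not the full 100.64.0.0/10 and 172.16.0.0/12 ranges those prefixes usually stand for, so a packet from 172.20.x.x or 100.100.x.x silently never reaches `logall.log`. If the whole ranges are intended, a regex term such as `re_match($msg, 'SRC=172\\.(1[6-9]|2[0-9]|3[01])\\.')` and `re_match($msg, 'SRC=100\\.(6[4-9]|[7-9][0-9]|1[01][0-9]|12[0-7])\\.')` covers them (assuming this rsyslog build has `re_match()`); if only those two /16s are meant, a comment on the line saying so would stop the next reader from "fixing" it. The existing `SRC=10.` term is fine as is, since the trailing dot pins it to 10.0.0.0/8.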
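Review bot: `Description=Mount home` in the new logs.mount.j2 does not describe this unit, which mounts `{{ logs.ip }}:/pool/logs` on `/logs`; `Description=Mount firewall log share from {{ logs.ip }}` (or similar) keeps `systemctl status` and journal output meaningful. The `Options=rw,nosuid` line omits `nodev`, and with no `sec=` option the mount presumably falls back to the default uid-based NFS authentication, so the client trusts whatever the server or anyone able to spoof it on the network returns; `Options=rw,nosuid,nodev` at minimum, plus `noexec` if nothing needs to execute from the share, narrows what a hostile export can deliver to a root process reading it. A short comment above `[Mount]` naming the export's purpose and who writes to it would help the next maintainer judge those options.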