Add logrotate for proxy systems

Added rsyslog logrotate cong for proxy systems and a task land the
configs as well as fix some yamllint errors.

files/common/rsyslog-logrotate

@@ -0,0 +1,20 @@
+/var/log/cron
+/var/log/maillog
+/var/log/messages
+/var/log/secure
+/var/log/spooler
+{
+    missingok
+    sharedscripts
+    postrotate
+        /usr/bin/systemctl reload rsyslog.service >/dev/null 2>&1 || true
+    endscript
+    daily
+    rotate 7
+    ifempty
+    compress
+    compresscmd /usr/bin/xz
+    uncompresscmd /usr/bin/xz
+    compressext .xz
+    dateext
+}

roles/base/tasks/main.yml

@@ -40,14 +40,18 @@
   tags:
   - packages
   - base
-  when: ansible_distribution_major_version|int >= 8 and ansible_distribution == 'RedHat' and ansible_cmdline.ostree is not defined
+  when: >
+    ansible_distribution_major_version|int >= 8 and
+    ansible_distribution == 'RedHat' and ansible_cmdline.ostree is not defined
 
 - name: global default packages to install (dnf)
   dnf: state=present name="{{ global_pkgs_inst }}"
   tags:
   - packages
   - base
-  when: ansible_distribution_major_version|int > 29 and ansible_distribution == 'Fedora' and ansible_cmdline.ostree is not defined
+  when: >
+    ansible_distribution_major_version|int > 29 and
+    ansible_distribution == 'Fedora' and ansible_cmdline.ostree is not defined
 
 - name: make sure hostname is set right on all hosts
   hostname: name="{{inventory_hostname}}"
@@ -94,28 +98,39 @@
   tags:
   - packages
   - base
-  when: ansible_distribution_major_version|int > 29 and ansible_distribution == 'Fedora' and ansible_cmdline.ostree is not defined
+  when: >
+    ansible_distribution_major_version|int > 29 and
+    ansible_distribution == 'Fedora' and ansible_cmdline.ostree is not defined
 
 - name: dist pkgs to remove (dnf)
   dnf: state=absent name="{{ base_pkgs_erase }}"
   tags:
   - packages
   - base
-  when: ansible_distribution_major_version|int >= 8 and ansible_distribution == 'RedHat' and ansible_cmdline.ostree is not defined
+  when: >
+    ansible_distribution_major_version|int >= 8 and
+    ansible_distribution == 'RedHat' and
+    ansible_cmdline.ostree is not defined
 
 - name: dist pkgs to install (dnf)
   dnf: state=present name="{{ base_pkgs_inst }}"
   tags:
   - packages
   - base
-  when: ansible_distribution_major_version|int > 29 and ansible_distribution == 'Fedora' and ansible_cmdline.ostree is not defined
+  when: >
+    ansible_distribution_major_version|int > 29 and
+    ansible_distribution == 'Fedora' and
+    ansible_cmdline.ostree is not defined
 
 - name: dist pkgs to install (dnf)
   dnf: state=present name="{{ base_pkgs_inst }}"
   tags:
   - packages
   - base
-  when: ansible_distribution_major_version|int >= 8 and ansible_distribution == 'RedHat' and ansible_cmdline.ostree is not defined
+  when: >
+    ansible_distribution_major_version|int >= 8 and
+    ansible_distribution == 'RedHat' and
+    ansible_cmdline.ostree is not defined
 
 - name: dist disabled services
   service: state=stopped enabled=false name={{ item }}
@@ -134,7 +149,10 @@
   - service
   - config
   - base
-  when: ansible_distribution_major_version|int > 31 and ansible_distribution == 'Fedora' or ansible_distribution == 'RedHat'
+  when: >
+    ansible_distribution_major_version|int > 31 and
+    ansible_distribution == 'Fedora' or
+    ansible_distribution == 'RedHat'
 
 - name: Ensure iptables is installed
   package: state=present name=iptables
@@ -184,7 +202,11 @@
     - blocklist
 
 - name: iptables
-  template: src={{ item }} dest=/etc/sysconfig/iptables mode=0600 validate="/sbin/iptables-restore --test %s"
+  template:
+    src: "{{ item }}"
+    dest: /etc/sysconfig/iptables
+    mode: '0600'
+    validate: "/sbin/iptables-restore --test %s"
   with_first_found:
     - iptables/iptables.{{ datacenter }}
     - iptables/iptables.{{ inventory_hostname }}
@@ -256,7 +278,8 @@
   - flush journald tmpfiles to persistent store
 
 - name: install rh ca for splunk
-  copy: src={{private}}/files/splunk-certs/2022-IT-Root-CA.pem dest=/etc/pki/tls/certs/2022-IT-Root-CA.pem
+  copy: src={{ private }}/files/splunk-certs/2022-IT-Root-CA.pem
+        dest=/etc/pki/tls/certs/2022-IT-Root-CA.pem
   tags:
   - rsyslogd
   - config
@@ -343,7 +366,8 @@
   - config
 
 - name: rsyslogd put systemd limits directory for file handles
-  copy: src=rsyslog/rsyslog-limits-systemd dest=/etc/systemd/system/rsyslog.service.d/limits.conf mode=0644
+  copy: src=rsyslog/rsyslog-limits-systemd
+        dest=/etc/systemd/system/rsyslog.service.d/limits.conf mode=0644
   when: inventory_hostname.startswith('log') or inventory_hostname.startswith('people')
   tags:
   - rsyslogd
@@ -428,7 +452,7 @@
   import_tasks: watchdog.yml
 
 
-#Set PS1 to show stage environment at PS1
+# Set PS1 to show stage environment at PS1
 #
 - name: set PS1 for stage in /etc/profile.d
   copy: >
@@ -443,7 +467,7 @@
   - config
   - prompt
 
-#Set PS1 to show prod environment at PS1
+# Set PS1 to show prod environment at PS1
 #
 - name: set PS1 for prod in /etc/profile.d
   copy: >
@@ -458,7 +482,7 @@
   - config
   - prompt
 
-#Set PS1 to show prod-iad2 environment at PS1
+# Set PS1 to show prod-iad2 environment at PS1
 #
 - name: set PS1 for prod in /etc/profile.d
   copy: >
@@ -537,3 +561,13 @@
 
 - name: Set crypto-policy to LEGACY on fedora 33 hosts to get 2fa working
   import_tasks: crypto-policies.yml
+
+- name: proxy log rotate for proxy servers
+  copy: src="{{ files }}"/common/rsyslog-logrotate dest=/etc/logrotate.d/rsyslog-logrotate mode=0644
+  when: inventory_hostname.startswith('proxy')
+  notify:
+  - restart rsyslog
+  tags:
+  - rsyslogd
+  - config
+  - base