Add logrotate for proxy systems
Added rsyslog logrotate config for proxy systems and a task to land the configs, as well as fixing some yamllint errors.
parent
3284cdb6e4
commit
f97666a75d
2 changed files with 86 additions and 32 deletions
20
files/common/rsyslog-logrotate
Normal file
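--- /dev/null
+++ b/files/common/rsyslog-logrotate
@@ -0,0 +1,20 @@
+/var/log/cron
+/var/log/maillog
+/var/log/messages
+/var/log/secure
+/var/log/spooler
+{
+missingok
+sharedscripts
+postrotate
+/usr/bin/systemctl reload rsyslog.service >/dev/null 2>&1 || true
+endscript
+daily
+rotate 7
+ifempty
+compress
+compresscmd /usr/bin/xz
+uncompresscmd /usr/bin/xz
+compressext .xz
+dateext
+}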
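Review bot: The stanza names the same five files that the rsyslog package's stock `/etc/logrotate.d/rsyslog` typically rotates on RHEL-family hosts; if that file is still present on the proxies, logrotate rejects this second stanza with `duplicate log entry for /var/log/cron` and the new config never takes effect, so the task set should remove or replace the package file at the same time. Because the reload in `postrotate` is silenced by `>/dev/null 2>&1 || true`, a reload that fails leaves rsyslog writing to the already-renamed inode and `compress` then unlinks it in the same run; adding `delaycompress` after `compress` keeps the rotated file intact until the next cycle so entries in `/var/log/secure` are not lost unnoticed. There is also no `create` directive, so the permissions of the recreated `/var/log/secure` depend entirely on rsyslog's file-creation mode, which is not visible here — consider `create 0600 root root` (or confirm rsyslog's mode) so authentication logs do not come back world-readable after rotation.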
@ -29,7 +29,7 @@
|
||||||
- name: global default packages to install (yum)
|
- name: global default packages to install (yum)
|
||||||
package: state=present name={{ item }}
|
package: state=present name={{ item }}
|
||||||
with_items:
|
with_items:
|
||||||
- "{{ global_pkgs_inst }}"
|
- "{{ global_pkgs_inst }}"
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
- base
|
- base
|
||||||
|
@ -40,14 +40,18 @@
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
- base
|
- base
|
||||||
when: ansible_distribution_major_version|int >= 8 and ansible_distribution == 'RedHat' and ansible_cmdline.ostree is not defined
|
when: >
|
||||||
|
ansible_distribution_major_version|int >= 8 and
|
||||||
|
ansible_distribution == 'RedHat' and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
- name: global default packages to install (dnf)
|
- name: global default packages to install (dnf)
|
||||||
dnf: state=present name="{{ global_pkgs_inst }}"
|
dnf: state=present name="{{ global_pkgs_inst }}"
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
- base
|
- base
|
||||||
when: ansible_distribution_major_version|int > 29 and ansible_distribution == 'Fedora' and ansible_cmdline.ostree is not defined
|
when: >
|
||||||
|
ansible_distribution_major_version|int > 29 and
|
||||||
|
ansible_distribution == 'Fedora' and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
- name: make sure hostname is set right on all hosts
|
- name: make sure hostname is set right on all hosts
|
||||||
hostname: name="{{inventory_hostname}}"
|
hostname: name="{{inventory_hostname}}"
|
||||||
|
@ -74,7 +78,7 @@
|
||||||
- name: dist pkgs to remove (yum)
|
- name: dist pkgs to remove (yum)
|
||||||
package: state=absent name={{ item }}
|
package: state=absent name={{ item }}
|
||||||
with_items:
|
with_items:
|
||||||
- "{{ base_pkgs_erase }}"
|
- "{{ base_pkgs_erase }}"
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
- base
|
- base
|
||||||
|
@ -83,7 +87,7 @@
|
||||||
- name: dist pkgs to install (yum)
|
- name: dist pkgs to install (yum)
|
||||||
package: state=present name={{ item }}
|
package: state=present name={{ item }}
|
||||||
with_items:
|
with_items:
|
||||||
- "{{ base_pkgs_inst }}"
|
- "{{ base_pkgs_inst }}"
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
- base
|
- base
|
||||||
|
@ -94,33 +98,44 @@
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
- base
|
- base
|
||||||
when: ansible_distribution_major_version|int > 29 and ansible_distribution == 'Fedora' and ansible_cmdline.ostree is not defined
|
when: >
|
||||||
|
ansible_distribution_major_version|int > 29 and
|
||||||
|
ansible_distribution == 'Fedora' and ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
- name: dist pkgs to remove (dnf)
|
- name: dist pkgs to remove (dnf)
|
||||||
dnf: state=absent name="{{ base_pkgs_erase }}"
|
dnf: state=absent name="{{ base_pkgs_erase }}"
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
- base
|
- base
|
||||||
when: ansible_distribution_major_version|int >= 8 and ansible_distribution == 'RedHat' and ansible_cmdline.ostree is not defined
|
when: >
|
||||||
|
ansible_distribution_major_version|int >= 8 and
|
||||||
|
ansible_distribution == 'RedHat' and
|
||||||
|
ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
- name: dist pkgs to install (dnf)
|
- name: dist pkgs to install (dnf)
|
||||||
dnf: state=present name="{{ base_pkgs_inst }}"
|
dnf: state=present name="{{ base_pkgs_inst }}"
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
- base
|
- base
|
||||||
when: ansible_distribution_major_version|int > 29 and ansible_distribution == 'Fedora' and ansible_cmdline.ostree is not defined
|
when: >
|
||||||
|
ansible_distribution_major_version|int > 29 and
|
||||||
|
ansible_distribution == 'Fedora' and
|
||||||
|
ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
- name: dist pkgs to install (dnf)
|
- name: dist pkgs to install (dnf)
|
||||||
dnf: state=present name="{{ base_pkgs_inst }}"
|
dnf: state=present name="{{ base_pkgs_inst }}"
|
||||||
tags:
|
tags:
|
||||||
- packages
|
- packages
|
||||||
- base
|
- base
|
||||||
when: ansible_distribution_major_version|int >= 8 and ansible_distribution == 'RedHat' and ansible_cmdline.ostree is not defined
|
when: >
|
||||||
|
ansible_distribution_major_version|int >= 8 and
|
||||||
|
ansible_distribution == 'RedHat' and
|
||||||
|
ansible_cmdline.ostree is not defined
|
||||||
|
|
||||||
- name: dist disabled services
|
- name: dist disabled services
|
||||||
service: state=stopped enabled=false name={{ item }}
|
service: state=stopped enabled=false name={{ item }}
|
||||||
with_items:
|
with_items:
|
||||||
- "{{ service_disabled }}"
|
- "{{ service_disabled }}"
|
||||||
tags:
|
tags:
|
||||||
- service
|
- service
|
||||||
- config
|
- config
|
||||||
|
@ -129,12 +144,15 @@
|
||||||
- name: dist enabled services
|
- name: dist enabled services
|
||||||
service: state=started enabled=true name={{ item }}
|
service: state=started enabled=true name={{ item }}
|
||||||
with_items:
|
with_items:
|
||||||
- "{{ service_enabled }}"
|
- "{{ service_enabled }}"
|
||||||
tags:
|
tags:
|
||||||
- service
|
- service
|
||||||
- config
|
- config
|
||||||
- base
|
- base
|
||||||
when: ansible_distribution_major_version|int > 31 and ansible_distribution == 'Fedora' or ansible_distribution == 'RedHat'
|
when: >
|
||||||
|
ansible_distribution_major_version|int > 31 and
|
||||||
|
ansible_distribution == 'Fedora' or
|
||||||
|
ansible_distribution == 'RedHat'
|
||||||
|
|
||||||
- name: Ensure iptables is installed
|
- name: Ensure iptables is installed
|
||||||
package: state=present name=iptables
|
package: state=present name=iptables
|
||||||
|
@ -151,7 +169,7 @@
|
||||||
- name: setup builder ipset if this is a new install
|
- name: setup builder ipset if this is a new install
|
||||||
shell: "/usr/sbin/ipset create osbuildapi hash:ip; touch /etc/sysconfig/ipset-osbuildapi"
|
shell: "/usr/sbin/ipset create osbuildapi hash:ip; touch /etc/sysconfig/ipset-osbuildapi"
|
||||||
args:
|
args:
|
||||||
creates: /etc/sysconfig/ipset-osbuildapi
|
creates: /etc/sysconfig/ipset-osbuildapi
|
||||||
when: "'osbuild' in group_names"
|
when: "'osbuild' in group_names"
|
||||||
tags:
|
tags:
|
||||||
- base
|
- base
|
||||||
|
@ -184,13 +202,17 @@
|
||||||
- blocklist
|
- blocklist
|
||||||
|
|
||||||
- name: iptables
|
- name: iptables
|
||||||
template: src={{ item }} dest=/etc/sysconfig/iptables mode=0600 validate="/sbin/iptables-restore --test %s"
|
template:
|
||||||
|
src: "{{ item }}"
|
||||||
|
dest: /etc/sysconfig/iptables
|
||||||
|
mode: '0600'
|
||||||
|
validate: "/sbin/iptables-restore --test %s"
|
||||||
with_first_found:
|
with_first_found:
|
||||||
- iptables/iptables.{{ datacenter }}
|
- iptables/iptables.{{ datacenter }}
|
||||||
- iptables/iptables.{{ inventory_hostname }}
|
- iptables/iptables.{{ inventory_hostname }}
|
||||||
- iptables/iptables.{{ host_group }}
|
- iptables/iptables.{{ host_group }}
|
||||||
- iptables/iptables.{{ env }}
|
- iptables/iptables.{{ env }}
|
||||||
- iptables/iptables
|
- iptables/iptables
|
||||||
when: baseiptables|bool
|
when: baseiptables|bool
|
||||||
notify:
|
notify:
|
||||||
- restart iptables
|
- restart iptables
|
||||||
|
@ -211,11 +233,11 @@
|
||||||
- name: ip6tables
|
- name: ip6tables
|
||||||
template: src={{ item }} dest=/etc/sysconfig/ip6tables mode=0600 backup=yes
|
template: src={{ item }} dest=/etc/sysconfig/ip6tables mode=0600 backup=yes
|
||||||
with_first_found:
|
with_first_found:
|
||||||
- iptables/ip6tables.{{ datacenter }}
|
- iptables/ip6tables.{{ datacenter }}
|
||||||
- iptables/ip6tables.{{ inventory_hostname }}
|
- iptables/ip6tables.{{ inventory_hostname }}
|
||||||
- iptables/ip6tables.{{ host_group }}
|
- iptables/ip6tables.{{ host_group }}
|
||||||
- iptables/ip6tables.{{ env }}
|
- iptables/ip6tables.{{ env }}
|
||||||
- iptables/ip6tables
|
- iptables/ip6tables
|
||||||
when: baseiptables|bool
|
when: baseiptables|bool
|
||||||
notify:
|
notify:
|
||||||
- restart ip6tables
|
- restart ip6tables
|
||||||
|
@ -256,7 +278,8 @@
|
||||||
- flush journald tmpfiles to persistent store
|
- flush journald tmpfiles to persistent store
|
||||||
|
|
||||||
- name: install rh ca for splunk
|
- name: install rh ca for splunk
|
||||||
copy: src={{private}}/files/splunk-certs/2022-IT-Root-CA.pem dest=/etc/pki/tls/certs/2022-IT-Root-CA.pem
|
copy: src={{ private }}/files/splunk-certs/2022-IT-Root-CA.pem
|
||||||
|
dest=/etc/pki/tls/certs/2022-IT-Root-CA.pem
|
||||||
tags:
|
tags:
|
||||||
- rsyslogd
|
- rsyslogd
|
||||||
- config
|
- config
|
||||||
|
@ -299,7 +322,7 @@
|
||||||
- name: add rsyslog config to /etc/rsyslog.d
|
- name: add rsyslog config to /etc/rsyslog.d
|
||||||
copy: src={{ item }} dest=/etc/rsyslog.d/ owner=root group=root mode=0644
|
copy: src={{ item }} dest=/etc/rsyslog.d/ owner=root group=root mode=0644
|
||||||
with_fileglob:
|
with_fileglob:
|
||||||
- rsyslog/*.conf
|
- rsyslog/*.conf
|
||||||
notify:
|
notify:
|
||||||
- restart rsyslog
|
- restart rsyslog
|
||||||
tags:
|
tags:
|
||||||
|
@ -343,7 +366,8 @@
|
||||||
- config
|
- config
|
||||||
|
|
||||||
- name: rsyslogd put systemd limits directory for file handles
|
- name: rsyslogd put systemd limits directory for file handles
|
||||||
copy: src=rsyslog/rsyslog-limits-systemd dest=/etc/systemd/system/rsyslog.service.d/limits.conf mode=0644
|
copy: src=rsyslog/rsyslog-limits-systemd
|
||||||
|
dest=/etc/systemd/system/rsyslog.service.d/limits.conf mode=0644
|
||||||
when: inventory_hostname.startswith('log') or inventory_hostname.startswith('people')
|
when: inventory_hostname.startswith('log') or inventory_hostname.startswith('people')
|
||||||
tags:
|
tags:
|
||||||
- rsyslogd
|
- rsyslogd
|
||||||
|
@ -409,7 +433,7 @@
|
||||||
- name: Install common scripts
|
- name: Install common scripts
|
||||||
copy: src={{ item }} dest=/usr/local/bin/ owner=root group=root mode=0755
|
copy: src={{ item }} dest=/usr/local/bin/ owner=root group=root mode=0755
|
||||||
with_fileglob:
|
with_fileglob:
|
||||||
- common-scripts/*
|
- common-scripts/*
|
||||||
tags:
|
tags:
|
||||||
- config
|
- config
|
||||||
- base
|
- base
|
||||||
|
@ -428,7 +452,7 @@
|
||||||
import_tasks: watchdog.yml
|
import_tasks: watchdog.yml
|
||||||
|
|
||||||
|
|
||||||
#Set PS1 to show stage environment at PS1
|
# Set PS1 to show stage environment at PS1
|
||||||
#
|
#
|
||||||
- name: set PS1 for stage in /etc/profile.d
|
- name: set PS1 for stage in /etc/profile.d
|
||||||
copy: >
|
copy: >
|
||||||
|
@ -443,7 +467,7 @@
|
||||||
- config
|
- config
|
||||||
- prompt
|
- prompt
|
||||||
|
|
||||||
#Set PS1 to show prod environment at PS1
|
# Set PS1 to show prod environment at PS1
|
||||||
#
|
#
|
||||||
- name: set PS1 for prod in /etc/profile.d
|
- name: set PS1 for prod in /etc/profile.d
|
||||||
copy: >
|
copy: >
|
||||||
|
@ -458,7 +482,7 @@
|
||||||
- config
|
- config
|
||||||
- prompt
|
- prompt
|
||||||
|
|
||||||
#Set PS1 to show prod-iad2 environment at PS1
|
# Set PS1 to show prod-iad2 environment at PS1
|
||||||
#
|
#
|
||||||
- name: set PS1 for prod in /etc/profile.d
|
- name: set PS1 for prod in /etc/profile.d
|
||||||
copy: >
|
copy: >
|
||||||
|
@ -537,3 +561,13 @@
|
||||||
|
|
||||||
- name: Set crypto-policy to LEGACY on fedora 33 hosts to get 2fa working
|
- name: Set crypto-policy to LEGACY on fedora 33 hosts to get 2fa working
|
||||||
import_tasks: crypto-policies.yml
|
import_tasks: crypto-policies.yml
|
||||||
|
|
||||||
|
- name: proxy log rotate for proxy servers
|
||||||
|
copy: src="{{ files }}"/common/rsyslog-logrotate dest=/etc/logrotate.d/rsyslog-logrotate mode=0644
|
||||||
|
when: inventory_hostname.startswith('proxy')
|
||||||
|
notify:
|
||||||
|
- restart rsyslog
|
||||||
|
tags:
|
||||||
|
- rsyslogd
|
||||||
|
- config
|
||||||
|
- base
|
||||||
|
|
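Review bot: The new task in hunk `@ -537,3 +561,13 @@` notifies `restart rsyslog`, but a file in `/etc/logrotate.d/` is read by logrotate rather than by rsyslog, so the handler buys nothing and restarts the log daemon on every proxy whenever this file changes, with a short gap in collection; drop the `notify:` block. The copy also omits `owner=root group=root`, which the `/etc/rsyslog.d` task in hunk `@ -299,7 +322,7 @@` sets, and recent logrotate versions ignore configuration files not owned by root; the unusual quoting `src="{{ files }}"/common/rsyslog-logrotate` is tolerated by the key=value parser but does not match the file's `src={{ item }}` style, so `copy: src={{ files }}/common/rsyslog-logrotate dest=/etc/logrotate.d/rsyslog-logrotate owner=root group=root mode=0644` would be the consistent form. Separately, the reflowed condition in hunk `@ -129,12 +144,15 @@` still parses as `(… > 31 and … == 'Fedora') or … == 'RedHat'`; if that precedence is intended, parenthesising it inside the folded scalar makes it explicit.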