Update to 2021-12-01 19:13

2025-11-03 20:31:26 +01:00 · 2021-12-01 19:13:34 +01:00
commit 4c4556c660
2153 changed files with 60999 additions and 0 deletions
--- a/roles/journal_remote/defaults/main.yml
+++ b/roles/journal_remote/defaults/main.yml
@@ -0,0 +1,8 @@
+---
+
+journal_remote_port: 19532
+journal_remote_src_ip: []
+journal_remote_seal: False
+# journal_remote_crt: /path/to/cert.pem
+# journal_remote_key: /path/to/key.pem
+# journal_remote_ca: /path/to/cacert.pem
--- a/roles/journal_remote/handlers/main.yml
+++ b/roles/journal_remote/handlers/main.yml
@@ -0,0 +1,4 @@
+---
+
+- name: restart journal-remote
+  service: name=systemd-journal-remote state=restarted
--- a/roles/journal_remote/tasks/main.yml
+++ b/roles/journal_remote/tasks/main.yml
@@ -0,0 +1,49 @@
+---
+
+- name: Install the Journal gateway
+  yum: name=systemd-journal-gateway
+  tags: logs
+
+- name: Create journal storage directory
+  file: path=/var/log/journal/remote state=directory owner=systemd-journal-remote group=systemd-journal-remote mode=700
+  tags: logs
+
+- name: Override systemd unit
+  template: src=systemd-journal-remote.service.j2 dest=/etc/systemd/system/systemd-journal-remote.service
+  notify: restart journal-remote
+  register: journal_remote_unit
+  tags: logs
+
+- name: Reload systemd
+  command: systemctl daemon-reload
+  when: journal_remote_unit.changed
+  tags: logs
+
+- name: Deploy journal-remote configuration
+  template: src=journal-remote.conf.j2 dest=/etc/systemd/journal-remote.conf
+  notify: restart journal-remote
+  tags: logs
+
+- name: Create dehydrated hook dir
+  file: path=/etc/dehydrated/hooks_deploy_cert.d/ state=directory
+  tags: logs
+
+- name: Deploy dehydrated hooks
+  template: src=dehydrated_hook.sh.j2 dest=/etc/dehydrated/hooks_deploy_cert.d/20journal-remote.sh mode=755
+  tags: logs
+
+- name: Handle journal-remote ports
+  iptables_raw:
+    name: journal_remote_ports
+    state: "{{ (journal_remote_src_ip | length > 0) | ternary('present','absent') }}"
+    rules: "-A INPUT -m state --state NEW -p tcp -m multiport --dports {{ journal_remote_port }} -s {{ journal_remote_src_ip | join(',') }} -j ACCEPT"
+  when: iptables_manage | default(True)
+  tags: [firewall,logs]
+
+- name: Disable journal-remote socket
+  service: name=systemd-journal-remote.socket state=stopped enabled=False
+  tags: logs
+
+- name: Start journal-remote
+  service: name=systemd-journal-remote state=started enabled=True
+  tags: logs
--- a/roles/journal_remote/templates/dehydrated_hook.sh.j2
+++ b/roles/journal_remote/templates/dehydrated_hook.sh.j2
@@ -0,0 +1,14 @@
+#!/bin/sh
+
+{% if journal_remote_letsencrypt_cert is defined %}
+mkdir -p /etc/systemd/journal-remote-tls
+chown systemd-journal-remote:systemd-journal-remote /etc/systemd/journal-remote-tls
+chmod 700 /etc/systemd/journal-remote-tls
+if [ -e /var/lib/dehydrated/certificates/certs/{{ journal_remote_letsencrypt_cert }}/privkey.pem ]; then
+  cp -f /var/lib/dehydrated/certificates/certs/{{ journal_remote_letsencrypt_cert }}/privkey.pem /etc/systemd/journal-remote-tls/
+  cp -f /var/lib/dehydrated/certificates/certs/{{ journal_remote_letsencrypt_cert }}/fullchain.pem /etc/systemd/journal-remote-tls/
+  chown systemd-journal-remote:systemd-journal-remote /etc/systemd/journal-remote-tls/*
+  chmod 600 /etc/systemd/journal-remote-tls/privkey.pem
+  /sbin/service systemd-journal-remote restart
+fi
+{% endif %}
--- a/roles/journal_remote/templates/journal-remote.conf.j2
+++ b/roles/journal_remote/templates/journal-remote.conf.j2
@@ -0,0 +1,14 @@
+[Remote]
+Seal={{ journal_remote_seal | ternary(True,False) }}
+SplitMode=host
+{% if (journal_remote_crt is defined and journal_remote_key is defined) or journal_remote_letsencrypt_cert is defined %}
+{% if journal_remote_crt is defined and journal_remote_key is defined %}
+ServerKeyFile={{ journal_remote_key }}
+ServerCertificateFile={{ journal_remote_cert }}
+TrustedCertificateFile={{ journal_remote_ca | default('/etc/pki/tls/cert.pem') }}
+{% else %}
+ServerKeyFile=/etc/systemd/journal-remote-tls/privkey.pem
+ServerCertificateFile=/etc/systemd/journal-remote-tls/fullchain.pem
+TrustedCertificateFile=/etc/systemd/journal-remote-tls/fullchain.pem
+{% endif %}
+{% endif %}
--- a/roles/journal_remote/templates/systemd-journal-remote.service.j2
+++ b/roles/journal_remote/templates/systemd-journal-remote.service.j2
@@ -0,0 +1,15 @@
+[Unit]
+Description=Journal Remote Sink Service
+Requires=systemd-journal-remote.socket
+
+[Service]
+ExecStart=/usr/lib/systemd/systemd-journal-remote \
+          --listen-{{ ((journal_remote_crt is defined and journal_remote_key is defined) or journal_remote_letsencrypt_cert is defined) | ternary('https','http') }}={{ journal_remote_port }} \
+          --output=/var/log/journal/remote/
+User=systemd-journal-remote
+Group=systemd-journal-remote
+PrivateTmp=yes
+PrivateDevices=yes
+
+[Install]
+WantedBy=multi-user.target