From 34a231ce96a1185a690238549c648b76e94961e8 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Sachse?= <joerg.sachse@slub-dresden.de>
Date: Wed, 19 Mar 2025 16:09:55 +0100
Subject: [PATCH] fix: move_logs functionality (write permissions,
 service/timer names

---
 .../{move_old_logs.timer => move_old_logs_@.timer}   |  2 +-
 tasks/install_move_logs.yml                          | 12 ++++++++----
 .../lib/systemd/system/move_old_logs_@.service.j2    |  3 ++-
 3 files changed, 11 insertions(+), 6 deletions(-)
 rename files/usr/local/lib/systemd/system/{move_old_logs.timer => move_old_logs_@.timer} (85%)

diff --git a/files/usr/local/lib/systemd/system/move_old_logs.timer b/files/usr/local/lib/systemd/system/move_old_logs_@.timer
similarity index 85%
rename from files/usr/local/lib/systemd/system/move_old_logs.timer
rename to files/usr/local/lib/systemd/system/move_old_logs_@.timer
index 7969f7e..a5a3071 100644
--- a/files/usr/local/lib/systemd/system/move_old_logs.timer
+++ b/files/usr/local/lib/systemd/system/move_old_logs_@.timer
@@ -4,7 +4,7 @@ Description=timer for move_old_logs_@.service
 [Timer]
 # run once a year, on the 1st of January at 05:00:00am.
 OnCalendar=*-1-1 05:00:00
-Unit=move_old_logs_@.service
+Unit=move_old_logs_@%i.service
 
 [Install]
 WantedBy=default.target
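Review bot: `WantedBy=default.target` is an unusual hook for a system-scope timer installed under /usr/local/lib/systemd/system; it works only because `default.target` aliases the boot target, whereas the conventional and self-documenting choice is `WantedBy=timers.target`. With a once-a-year schedule, a host that is down on 1 January at 05:00 silently skips the run for a whole year; adding `Persistent=true` to `[Timer]` makes systemd catch up the missed run at next boot. The `Description=` in the hunk header still names the bare template `move_old_logs_@.service`; `Description=timer for move_old_logs_@%i.service` would let journal output distinguish the instances.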
diff --git a/tasks/install_move_logs.yml b/tasks/install_move_logs.yml
index b0e7266..ad2912f 100644
--- a/tasks/install_move_logs.yml
+++ b/tasks/install_move_logs.yml
@@ -13,7 +13,7 @@
     owner: "{{ item.owner | default('root') }}"
     group: "{{ item.group | default('root') }}"
   loop:
-    - path: "usr/local/lib/systemd/system/move_old_logs.timer"
+    - path: "usr/local/lib/systemd/system/move_old_logs_@.timer"
       mode: "0644"
     - path: "usr/local/bin/move_old_logs.sh"
       mode: "0755"
@@ -29,7 +29,7 @@
   notify: daemon-reload
 
 - name: enable move_old_logs services
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: "move_old_logs_@{{ item }}.service"
     daemon_reload: true
     enabled: true
@@ -39,7 +39,11 @@
     - "subapp_webservice"
 
 - name: start timer for moving old logs to archive (the service is triggered by the timer and doesn't need to be started separately)
-  ansible.builtin.systemd:
-    name: "move_old_logs.timer"
+  ansible.builtin.systemd_service:
+    name: "move_old_logs_@{{ item }}.timer"
     enabled: true
     state: started
+  loop:
+    - "disapp"
+    - "subapp"
+    - "subapp_webservice"
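Review bot: The instance list `disapp`, `subapp`, `subapp_webservice` is now duplicated between the service-enable task and this timer task; if an instance is added to one loop and not the other, a timer will fire `move_old_logs_@<name>.service` that was never enabled, or an enabled service will never be triggered. Hoist the list into a single variable such as `move_old_logs_instances` and use `loop: "{{ move_old_logs_instances }}"` in both tasks so they cannot drift apart. The explanatory sentence in the task name would read better as a `#` comment above a short task name.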
diff --git a/templates/usr/local/lib/systemd/system/move_old_logs_@.service.j2 b/templates/usr/local/lib/systemd/system/move_old_logs_@.service.j2
index 8bf3786..5925528 100644
--- a/templates/usr/local/lib/systemd/system/move_old_logs_@.service.j2
+++ b/templates/usr/local/lib/systemd/system/move_old_logs_@.service.j2
@@ -10,7 +10,8 @@ Group=root
 
 ### Security features
 # documented at https://www.freedesktop.org/software/systemd/man/systemd.exec.html
-ProtectSystem=strict
+# Do NOT set "ProtectSystem=strict", or you won't be able to move logs, as the entire file system hierarchy will be mounted RO.
+ProtectSystem=true
 ProtectHome=read-only
 ProtectHostname=true
 ProtectClock=true
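Review bot: Downgrading to `ProtectSystem=true` gives up more than the fix needs: `true` only makes /usr and /boot read-only, so /etc, /var and the rest of the tree stay writable for a unit that runs as root (see `Group=root` in the hunk header). The intended way to keep the hardening and still move logs is to keep `ProtectSystem=strict` and allow-list exactly the directories the script writes, e.g. `ReadWritePaths=<log dir> <archive dir>`, with the paths taken from move_old_logs.sh (not visible in this patch). If the archive lives under a home directory, `ProtectHome=read-only` will block it the same way and needs the same allow-list entry. The comment should then document that allow-list rather than warning against `strict`.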
-- 
GitLab