fix: move_logs functionality (write permissions, service/timer names

files/usr/local/lib/systemd/system/move_old_logs.timer → files/usr/local/lib/systemd/system/move_old_logs_@.timer

@@ -4,7 +4,7 @@ Description=timer for move_old_logs_@.service
 [Timer]
 # run once a year, on the 1st of January at 05:00:00am.
 OnCalendar=*-1-1 05:00:00
-Unit=move_old_logs_@.service
+Unit=move_old_logs_@%i.service
 
 [Install]
 WantedBy=default.target

tasks/install_move_logs.yml

@@ -13,7 +13,7 @@
     owner: "{{ item.owner | default('root') }}"
     group: "{{ item.group | default('root') }}"
   loop:
-    - path: "usr/local/lib/systemd/system/move_old_logs.timer"
+    - path: "usr/local/lib/systemd/system/move_old_logs_@.timer"
       mode: "0644"
     - path: "usr/local/bin/move_old_logs.sh"
       mode: "0755"
@@ -29,7 +29,7 @@
   notify: daemon-reload
 
 - name: enable move_old_logs services
-  ansible.builtin.systemd:
+  ansible.builtin.systemd_service:
     name: "move_old_logs_@{{ item }}.service"
     daemon_reload: true
     enabled: true
@@ -39,7 +39,11 @@
     - "subapp_webservice"
 
 - name: start timer for moving old logs to archive (the service is triggered by the timer and doesn't need to be started separately)
-  ansible.builtin.systemd:
-    name: "move_old_logs.timer"
+  ansible.builtin.systemd_service:
+    name: "move_old_logs_@{{ item }}.timer"
     enabled: true
     state: started
+  loop:
+    - "disapp"
+    - "subapp"
+    - "subapp_webservice"

templates/usr/local/lib/systemd/system/move_old_logs_@.service.j2

@@ -10,7 +10,8 @@ Group=root
 
 ### Security features
 # documented at https://www.freedesktop.org/software/systemd/man/systemd.exec.html
-ProtectSystem=strict
+# Do NOT set "ProtectSystem=strict", or you won't be able to move logs, as the entire file system hierarchy will be mounted RO.
+ProtectSystem=true
 ProtectHome=read-only
 ProtectHostname=true
 ProtectClock=true