feat: deploy service to move old SubApp logfiles from previous to log archive

76f71d28 · Jörg Sachse · 54bbae6b · 76f71d28 · 76f71d28 · 76f71d28
Commit 76f71d28 authored 3 years ago by Jörg Sachse
--- a/files/etc/systemd/user/move_old_logs.timer
+++ b/files/etc/systemd/user/move_old_logs.timer
+[Unit]
+Description=timer for move_old_logs.service
+[Timer]
+# run once a year, on the 1st of January at 05:00:00am.
+OnCalendar=*-1-1 05:00:00
+Unit=move_old_logs.service
--- a/files/move_old_logs.sh
+++ b/files/move_old_logs.sh
+#!/usr/bin/env bash
+# This script is intended to be run regularly and move logfiles from previous
+# years to an archive directory. Logfiles from the current year are NOT moved,
+# so they can be easily found.
+START_YEAR="2015"
+CURRENT_YEAR="$( date +%Y )"
+PREVIOUS_YEAR="$(( CURRENT_YEAR - 1 ))"
+cd "/var/log/subapp/${HOSTNAME}/" || exit 1
+# create directories for old logfiles
+for YEAR in ${START_YEAR}..${PREVIOUS_YEAR}; do
+	mkdir -p "old/${YEAR}"
+done
+# move all old logfiles
+for YEAR in ${START_YEAR}..${PREVIOUS_YEAR}; do
+	mv "Protokoll_SLUBArchiv_Erfolgreich-${YEAR}*.log" "old/${YEAR}/"
+	mv "Protokoll_SLUBArchiv_FEHLER-${YEAR}*.log" "old/${YEAR}/"
+	mv "sips.log.${YEAR}-*.lz" "old/${YEAR}/"
+	mv "subapp.log.${YEAR}-*.lz" "old/${YEAR}/"
+	mv "webservice.log.${YEAR}-*.lz" "old/${YEAR}/"
+done
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -42,3 +42,6 @@
 - name: create PIDfiles
  command: systemd-tmpfiles --create
+- name: daemon-reload
+  systemd:
+    daemon_reload: true
--- a/tasks/install_move_logs.yml
+++ b/tasks/install_move_logs.yml
+---
+- name: install timer and script for moving old logs to archive
+  ansible.builtin.copy:
+    src: "{{ item.path }}"
+    dest: "/{{ item.path }}"
+    mode: "{{ item.mode }}"
+    owner: "{{ item.owner | default('root') }}"
+    group: "{{ item.group | default('root') }}"
+  loop:
+    - path: "etc/systemd/user/move_old_logs.timer"
+      mode: "0644"
+    - path: "usr/local/bin/move_old_logs.sh"
+      mode: "0755"
+  notify: daemon-reload
+- name: install service for moving old logs to archive
+  ansible.builtin.template:
+    src: "etc/systemd/user/move_old_logs.service.j2"
+    dest: "/etc/systemd/user/move_old_logs.service"
+    mode: 0755
+    owner: "root"
+    group: "root"
+  notify: daemon-reload
+- name: enable timer for moving old logs to archive
+  ansible.builtin.systemd:
+    name: "move_old_logs.timer"
+    state: started
+    enabled: true
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -65,6 +65,10 @@
  import_tasks: "install_ta_tools.yml"
  tags: [ta, apt]
+- name: install scripts and services for moving old logs to archive
+  import_tasks: "install_move_logs.yml"
+  tags: [log, cleanup]
 - name: cleanup remainders of METS-based SubApp
  import_tasks: cleanup_legacy.yml
  tags: [cleanup]

--- a/templates/etc/systemd/user/move_old_logs.service.j2
+++ b/templates/etc/systemd/user/move_old_logs.service.j2
+[Unit]
+Description=move_old_logs.sh
+After=remote-fs.target
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/move_old_logs.sh
+User={{ vault_subapp_user }}
+Group={{ vault_subapp_group }}
+### Security features
+# documented at https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+ProtectSystem=strict
+ProtectHome=read-only
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+## RemoveIPC=true
+## PrivateMounts=true
+## MountFlags=
+## SystemCallFilter is a Whitelist!!!
+#SystemCallFilter=@debug,@file-system
+#SystemCallErrorNumber=1337
+[Install]
+WantedBy=multi-user.target