From 76f71d28f77327b5e74a3bda46aa60b35c2f1aea Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Sachse?= <Joerg.Sachse@slub-dresden.de>
Date: Tue, 22 Mar 2022 12:02:32 +0100
Subject: [PATCH] feat: deploy service to move old SubApp logfiles from
 previous to log archive

---
 files/etc/systemd/user/move_old_logs.timer    |  6 ++++
 files/move_old_logs.sh                        | 25 ++++++++++++++
 handlers/main.yml                             |  3 ++
 tasks/install_move_logs.yml                   | 29 ++++++++++++++++
 tasks/main.yml                                |  4 +++
 .../etc/systemd/user/move_old_logs.service.j2 | 33 +++++++++++++++++++
 6 files changed, 100 insertions(+)
 create mode 100644 files/etc/systemd/user/move_old_logs.timer
 create mode 100644 files/move_old_logs.sh
 create mode 100644 tasks/install_move_logs.yml
 create mode 100644 templates/etc/systemd/user/move_old_logs.service.j2

diff --git a/files/etc/systemd/user/move_old_logs.timer b/files/etc/systemd/user/move_old_logs.timer
new file mode 100644
index 0000000..f0b9b83
--- /dev/null
+++ b/files/etc/systemd/user/move_old_logs.timer
@@ -0,0 +1,6 @@
+[Unit]
+Description=timer for move_old_logs.service
+[Timer]
+# run once a year, on the 1st of January at 05:00:00am.
+OnCalendar=*-1-1 05:00:00
+Unit=move_old_logs.service
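Review bot: The timer has no `[Install]` section, so the `enabled: true` in tasks/install_move_logs.yml will fail with "unit files have no installation config"; add `[Install]` / `WantedBy=timers.target` at the end of the unit (and drop the `[Install]` from the service template, which is only ever started by this timer). For a once-a-year schedule, `Persistent=true` under `[Timer]` is also worth adding so a run missed because the host was down on 1 January is caught up at next boot rather than skipped for a year. Separately, this unit, the service template and the Ansible tasks disagree on scope: the files are installed under `/etc/systemd/user/` (user-session units), but the `ansible.builtin.systemd` task and the `daemon-reload` handler operate on the system instance and the service uses `User=`/`WantedBy=multi-user.target`, which are system-scope constructs — unless a per-user timer is intended, the destination should presumably be `/etc/systemd/system/`.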
diff --git a/files/move_old_logs.sh b/files/move_old_logs.sh
new file mode 100644
index 0000000..141043f
--- /dev/null
+++ b/files/move_old_logs.sh
@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+
+# This script is intended to be run regularly and move logfiles from previous
+# years to an archive directory. Logfiles from the current year are NOT moved,
+# so they can be easily found.
+
+START_YEAR="2015"
+CURRENT_YEAR="$( date +%Y )"
+PREVIOUS_YEAR="$(( CURRENT_YEAR - 1 ))"
+
+cd "/var/log/subapp/${HOSTNAME}/" || exit 1
+
+# create directories for old logfiles
+for YEAR in ${START_YEAR}..${PREVIOUS_YEAR}; do
+	mkdir -p "old/${YEAR}"
+done
+
+# move all old logfiles
+for YEAR in ${START_YEAR}..${PREVIOUS_YEAR}; do
+	mv "Protokoll_SLUBArchiv_Erfolgreich-${YEAR}*.log" "old/${YEAR}/"
+	mv "Protokoll_SLUBArchiv_FEHLER-${YEAR}*.log" "old/${YEAR}/"
+	mv "sips.log.${YEAR}-*.lz" "old/${YEAR}/"
+	mv "subapp.log.${YEAR}-*.lz" "old/${YEAR}/"
+	mv "webservice.log.${YEAR}-*.lz" "old/${YEAR}/"
+done
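Review bot: Both loops on `for YEAR in ${START_YEAR}..${PREVIOUS_YEAR}` iterate exactly once with `YEAR=2015..2021`, because brace expansion needs literal braces and runs before parameter expansion anyway, so the only directory created is `old/2015..2021`. The `mv` lines then pass the glob inside double quotes, so `*` is never expanded and `mv` looks for a file literally named `Protokoll_SLUBArchiv_Erfolgreich-2015..2021*.log`; nothing is ever moved, and each failed `mv` is silently ignored since the script has no `set -e`. Using an arithmetic `for (( ... ))` loop, unquoting the wildcard, and enabling `nullglob` so a pattern with no matches expands to nothing fixes both; moving per matched file also avoids `mv` being called with only a destination.
```shell
shopt -s nullglob

# create the per-year archive directory and move that year's logfiles into it
for (( YEAR = START_YEAR; YEAR <= PREVIOUS_YEAR; YEAR++ )); do
	mkdir -p "old/${YEAR}"
	for LOGFILE in \
		"Protokoll_SLUBArchiv_Erfolgreich-${YEAR}"*.log \
		"Protokoll_SLUBArchiv_FEHLER-${YEAR}"*.log \
		"sips.log.${YEAR}-"*.lz \
		"subapp.log.${YEAR}-"*.lz \
		"webservice.log.${YEAR}-"*.lz; do
		mv -- "${LOGFILE}" "old/${YEAR}/"
	done
done
```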
diff --git a/handlers/main.yml b/handlers/main.yml
index 18dca89..d6cd015 100644
--- a/handlers/main.yml
+++ b/handlers/main.yml
@@ -42,3 +42,6 @@
 - name: create PIDfiles
   command: systemd-tmpfiles --create
 
+- name: daemon-reload
+  systemd:
+    daemon_reload: true
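Review bot: The new handler uses the short module name `systemd:` while the tasks it is notified from (tasks/install_move_logs.yml) use the fully qualified `ansible.builtin.systemd`; for consistency and to avoid collection-resolution ambiguity, write `ansible.builtin.systemd:` here as well. Note also that handlers only fire at the end of the play, which matters for the task ordering in install_move_logs.yml.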
diff --git a/tasks/install_move_logs.yml b/tasks/install_move_logs.yml
new file mode 100644
index 0000000..2998513
--- /dev/null
+++ b/tasks/install_move_logs.yml
@@ -0,0 +1,29 @@
+---
+- name: install timer and script for moving old logs to archive
+  ansible.builtin.copy:
+    src: "{{ item.path }}"
+    dest: "/{{ item.path }}"
+    mode: "{{ item.mode }}"
+    owner: "{{ item.owner | default('root') }}"
+    group: "{{ item.group | default('root') }}"
+  loop:
+    - path: "etc/systemd/user/move_old_logs.timer"
+      mode: "0644"
+    - path: "usr/local/bin/move_old_logs.sh"
+      mode: "0755"
+  notify: daemon-reload
+
+- name: install service for moving old logs to archive
+  ansible.builtin.template:
+    src: "etc/systemd/user/move_old_logs.service.j2"
+    dest: "/etc/systemd/user/move_old_logs.service"
+    mode: 0755
+    owner: "root"
+    group: "root"
+  notify: daemon-reload
+
+- name: enable timer for moving old logs to archive
+  ansible.builtin.systemd:
+    name: "move_old_logs.timer"
+    state: started
+    enabled: true
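Review bot: The second loop item sets `src` (via `item.path`) to `usr/local/bin/move_old_logs.sh`, but the patch adds the script at `files/move_old_logs.sh`, so the copy task will fail with "could not find or access"; the loop needs a separate `src` for that item. The "enable timer" task also runs before the notified `daemon-reload` handler fires, so systemd may not yet know the freshly copied unit files when `state: started` is attempted — set `daemon_reload: true` on that task (or `meta: flush_handlers` before it). Finally, `mode: 0755` on the template task is unquoted, unlike the `"0644"`/`"0755"` above it, and `0755` is an odd mode for a unit file; `mode: "0644"` is the conventional value.
```yaml
- name: install timer and script for moving old logs to archive
  ansible.builtin.copy:
    src: "{{ item.src | default(item.path) }}"
    dest: "/{{ item.path }}"
    # … unchanged: mode / owner / group …
  loop:
    - path: "etc/systemd/user/move_old_logs.timer"
      mode: "0644"
    - path: "usr/local/bin/move_old_logs.sh"
      src: "move_old_logs.sh"
      mode: "0755"
  notify: daemon-reload

# … unchanged: template task, with mode: "0644" …

- name: enable timer for moving old logs to archive
  ansible.builtin.systemd:
    name: "move_old_logs.timer"
    daemon_reload: true
    state: started
    enabled: true
```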
diff --git a/tasks/main.yml b/tasks/main.yml
index fd82728..192bd59 100644
--- a/tasks/main.yml
+++ b/tasks/main.yml
@@ -65,6 +65,10 @@
   import_tasks: "install_ta_tools.yml"
   tags: [ta, apt]
 
+- name: install scripts and services for moving old logs to archive
+  import_tasks: "install_move_logs.yml"
+  tags: [log, cleanup]
+
 - name: cleanup remainders of METS-based SubApp
   import_tasks: cleanup_legacy.yml
   tags: [cleanup]
diff --git a/templates/etc/systemd/user/move_old_logs.service.j2 b/templates/etc/systemd/user/move_old_logs.service.j2
new file mode 100644
index 0000000..86f890d
--- /dev/null
+++ b/templates/etc/systemd/user/move_old_logs.service.j2
@@ -0,0 +1,33 @@
+[Unit]
+Description=move_old_logs.sh
+After=remote-fs.target
+
+[Service]
+Type=simple
+ExecStart=/usr/local/bin/move_old_logs.sh
+User={{ vault_subapp_user }}
+Group={{ vault_subapp_group }}
+
+### Security features
+# documented at https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+ProtectSystem=strict
+ProtectHome=read-only
+ProtectHostname=true
+ProtectClock=true
+ProtectKernelTunables=true
+ProtectKernelModules=true
+ProtectKernelLogs=true
+ProtectControlGroups=true
+LockPersonality=true
+MemoryDenyWriteExecute=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+## RemoveIPC=true
+## PrivateMounts=true
+## MountFlags=
+## SystemCallFilter is a Whitelist!!!
+#SystemCallFilter=@debug,@file-system
+#SystemCallErrorNumber=1337
+
+[Install]
+WantedBy=multi-user.target
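Review bot: `ProtectSystem=strict` mounts the entire file hierarchy read-only for this service (only /dev, /proc and /sys excepted), so the `mkdir -p` and `mv` the script performs under `/var/log/subapp/` will fail with a read-only-filesystem error; add `ReadWritePaths=/var/log/subapp` to the `[Service]` section to carve out the one directory the job must write. `Type=simple` is also the wrong type for a short script run from a timer — with `Type=oneshot` the timer's activation waits for the script to finish and a non-zero exit is reported as a failed unit instead of being lost. The `[Install]` section with `WantedBy=multi-user.target` would make the service run at every boot if anyone enables it; since the timer is the trigger, the install section belongs on the timer and can be dropped here. Hardening additions such as `NoNewPrivileges=true` and `PrivateTmp=true` would fit naturally alongside the existing settings.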
-- 
GitLab