From 972957487234adead2374b8957d2104562788158 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?J=C3=B6rg=20Sachse?= <joerg.sachse@slub-dresden.de>
Date: Thu, 17 Nov 2022 13:16:00 +0100
Subject: [PATCH] feat: add cleanup service for old (15 days) validation logs

---
 tasks/install_validation_tools.yml            | 18 ++++++++++
 .../systemd/system/cleanup_daemon.timer.j2    | 10 ++++++
 .../system/cleanup_daemon_@.service.j2        | 36 +++++++++++++++++++
 3 files changed, 64 insertions(+)
 create mode 100644 templates/usr/local/lib/systemd/system/cleanup_daemon.timer.j2
 create mode 100644 templates/usr/local/lib/systemd/system/cleanup_daemon_@.service.j2

diff --git a/tasks/install_validation_tools.yml b/tasks/install_validation_tools.yml
index 7043aec..40b3442 100644
--- a/tasks/install_validation_tools.yml
+++ b/tasks/install_validation_tools.yml
@@ -121,6 +121,8 @@
     owner: "root"
     group: "root"
   loop:
+    - "cleanup_daemon_@.service"
+    - "cleanup_daemon.timer"
     - "validation_daemon_any@.service"
     - "validation_daemon_any.socket"
     - "validation_daemon_@.service"    # Daemon service
@@ -139,6 +141,22 @@
     - "save"
   changed_when: false
 
+- name: enable & start cleanup daemon
+  ansible.builtin.systemd:
+    unit: "{{ item.u }}"
+    daemon_reload: true
+    enabled: true
+    state: "{{ item.s | default(omit) }}"    # this can never be idempotent
+  loop:
+    - u: "cleanup_daemon.timer"
+      s: "restarted"
+    - u: "cleanup_daemon_@ddz.service"
+    - u: "cleanup_daemon_@digas.service"
+    - u: "cleanup_daemon_@fotothek.service"
+    - u: "cleanup_daemon_@mediathek.service"
+    - u: "cleanup_daemon_@save.service"
+  changed_when: false
+
 - name: enable & start validation Webservice
   ansible.builtin.systemd:
     name: "validation_daemon_any.{{ item }}"
diff --git a/templates/usr/local/lib/systemd/system/cleanup_daemon.timer.j2 b/templates/usr/local/lib/systemd/system/cleanup_daemon.timer.j2
new file mode 100644
index 0000000..c8e5e77
--- /dev/null
+++ b/templates/usr/local/lib/systemd/system/cleanup_daemon.timer.j2
@@ -0,0 +1,10 @@
+[Unit]
+Description=Cleanup Daemon for Validation Tool (%i)
+
+[Timer]
+Unit=cleanup_daemon_@.service
+Persistent=true
+OnCalendar=daily
+
+[Install]
+WantedBy=default.target
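Review bot: `Unit=cleanup_daemon_@.service` names a template unit without an instance, which systemd cannot activate, and since `cleanup_daemon.timer` is itself not a template there is no instance to substitute — so the per-repository services enabled in tasks/install_validation_tools.yml (`cleanup_daemon_@ddz.service` etc.) are never triggered by this timer, and the `%i` in `Description` stays empty. The timer should be a template too: name the file `cleanup_daemon_@.timer.j2`, set `Unit=cleanup_daemon_@%i.service` (or drop `Unit=` and rely on the same-name default), and have the Ansible task enable and start `cleanup_daemon_@<repo>.timer` per repository instead of the services. `WantedBy=default.target` is also inconsistent with the service's `multi-user.target` and is the user-manager default; for a system timer `WantedBy=timers.target` is the conventional target.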
diff --git a/templates/usr/local/lib/systemd/system/cleanup_daemon_@.service.j2 b/templates/usr/local/lib/systemd/system/cleanup_daemon_@.service.j2
new file mode 100644
index 0000000..49bb34e
--- /dev/null
+++ b/templates/usr/local/lib/systemd/system/cleanup_daemon_@.service.j2
@@ -0,0 +1,36 @@
+[Unit]
+Description=Cleanup Daemon for Validation Tool (%i)
+After=network.target
+
+[Service]
+ExecStart=/bin/bash -c 'find "/mnt/lza_repair_%i/validate/results/" -type f -mtime +15 -exec rm {} \\;'
+ExecReload=/bin/kill -HUP $MAINPID
+KillMode=process
+Restart=on-failure
+User={{ vault_service_user }}
+Group={{ vault_service_group }}
+Type=simple
+
+### Security features
+# documented at https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+#ProtectSystem=strict
+#ProtectHome=read-only
+#ProtectHostname=true
+#ProtectClock=true
+#ProtectKernelTunables=true
+#ProtectKernelModules=true
+#ProtectKernelLogs=true
+#ProtectControlGroups=true
+#LockPersonality=true
+#MemoryDenyWriteExecute=true
+#RestrictRealtime=true
+#RestrictSUIDSGID=true
+## RemoveIPC=true
+## PrivateMounts=true
+## MountFlags=
+## SystemCallFilter is a Whitelist!!!
+#SystemCallFilter=@aio,@basic-io,@debug,@file-system,@network-io
+#SystemCallErrorNumber=1337
+
+[Install]
+WantedBy=multi-user.target
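Review bot: `Type=simple` with `Restart=on-failure` is the wrong shape for a one-shot find/rm job: the unit counts as started the moment bash is spawned, and if find exits non-zero (e.g. `/mnt/lza_repair_%i` is not mounted and the results directory does not exist) systemd restarts the command repeatedly until the start rate limit trips, while `ExecReload` and `KillMode` have no effect on such a command. `Type=oneshot` without `Restart=`, plus `RequiresMountsFor=/mnt/lza_repair_%i` instead of `After=network.target`, turns a missing mount into a clean failure rather than a restart loop. The commented-out hardening block could be reduced to the few directives this unit actually tolerates — it only needs write access to one results tree, so `ProtectSystem=strict` with `ReadWritePaths=` on that tree, `ProtectHome=true`, `PrivateTmp=true` and `NoNewPrivileges=true` — rather than shipping the whole list disabled. Two smaller points: `-mtime +15` removes files older than 15 full days (16 days and up by find's day rounding), which may or may not be what the commit title's "15 days" intends, and `-delete` would replace the per-file `-exec rm {} \\;` and remove the dependence on systemd's unquoting turning `\\` into the `\;` that bash needs.
```ini
[Unit]
Description=Cleanup Daemon for Validation Tool (%i)
RequiresMountsFor=/mnt/lza_repair_%i

[Service]
Type=oneshot
ExecStart=/usr/bin/find "/mnt/lza_repair_%i/validate/results/" -type f -mtime +15 -delete
User={{ vault_service_user }}
Group={{ vault_service_group }}
# Hardening: the job only needs to write under the results tree
ProtectSystem=strict
ReadWritePaths=/mnt/lza_repair_%i/validate/results/
ProtectHome=true
PrivateTmp=true
NoNewPrivileges=true

# … unchanged: [Install] section …
```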
-- 
GitLab