Vendor Galaxy Roles and Collections

ansible_collections/debops/debops/roles/rsyslog/COPYRIGHT

@@ -0,0 +1,19 @@
+debops.rsyslog - Manage syslog daemon using Ansible
+
+Copyright (C) 2015-2020 Maciej Delmanowski <drybjed@gmail.com>
+Copyright (C) 2015-2020 DebOps <https://debops.org/>
+SPDX-License-Identifier: GPL-3.0-only
+
+This Ansible role is part of DebOps.
+
+DebOps is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License version 3, as
+published by the Free Software Foundation.
+
+DebOps is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with DebOps. If not, see https://www.gnu.org/licenses/.

ansible_collections/debops/debops/roles/rsyslog/meta/main.yml

@@ -0,0 +1,33 @@
+---
+# Copyright (C) 2015-2017 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2022 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# Ensure that custom Ansible plugins and modules included in the main DebOps
+# collection are available to roles in other collections.
+collections: [ 'debops.debops' ]
+
+dependencies: []
+
+galaxy_info:
+
+  author: 'Maciej Delmanowski'
+  description: 'Manage rsyslog configuration'
+  company: 'DebOps'
+  license: 'GPL-3.0-only'
+  min_ansible_version: '2.0.0'
+
+  platforms:
+
+    - name: 'Ubuntu'
+      versions: [ 'all' ]
+
+    - name: 'Debian'
+      versions: [ 'all' ]
+
+  galaxy_tags:
+    - system
+    - logging
+    - logs
+    - security
+    - audit

ansible_collections/debops/debops/roles/rsyslog/tasks/main.yml

@@ -0,0 +1,169 @@
+---
+# Copyright (C) 2015-2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2015-2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+- name: Import custom Ansible plugins
+  ansible.builtin.import_role:
+    name: 'ansible_plugins'
+
+- name: Import DebOps global handlers
+  ansible.builtin.import_role:
+    name: 'global_handlers'
+
+- name: Manage rsyslog APT packages
+  ansible.builtin.apt:
+    name: '{{ (rsyslog__base_packages
+               + (rsyslog__tls_packages if (rsyslog__pki | bool) else [])
+               + rsyslog__packages) | flatten }}'
+    state: '{{ rsyslog__deploy_state }}'
+    purge: True
+  register: rsyslog__register_packages
+  until: rsyslog__register_packages is succeeded
+  when: rsyslog__enabled | bool and ansible_pkg_mgr == 'apt'
+
+- name: Make sure that Ansible local facts directory exists
+  ansible.builtin.file:
+    path: '/etc/ansible/facts.d'
+    state: 'directory'
+    mode: '0755'
+  when: rsyslog__enabled | bool and rsyslog__deploy_state != 'absent'
+
+- name: Save rsyslog local facts
+  ansible.builtin.template:
+    src: 'etc/ansible/facts.d/rsyslog.fact.j2'
+    dest: '/etc/ansible/facts.d/rsyslog.fact'
+    mode: '0755'
+  notify: [ 'Refresh host facts' ]
+  when: rsyslog__enabled | bool and rsyslog__deploy_state != 'absent'
+  tags: [ 'meta::facts' ]
+
+- name: Update Ansible facts if they were modified
+  ansible.builtin.meta: 'flush_handlers'
+
+- name: Create required system group
+  ansible.builtin.group:
+    name: '{{ rsyslog__group }}'
+    state: 'present'
+    system: True
+  when: rsyslog__enabled | bool and rsyslog__deploy_state != 'absent' and
+        rsyslog__unprivileged | bool and rsyslog__group != 'root'
+
+- name: Create required system user
+  ansible.builtin.user:
+    name: '{{ rsyslog__user }}'
+    group: '{{ rsyslog__group }}'
+    groups: '{{ rsyslog__append_groups | join(",") | default(omit) }}'
+    append: True
+    home: '{{ rsyslog__home }}'
+    shell: '/bin/false'
+    state: 'present'
+    createhome: False
+    system: True
+  when: rsyslog__enabled | bool and rsyslog__deploy_state != 'absent' and
+        rsyslog__unprivileged | bool and rsyslog__user != 'root'
+
+- name: Fix directory permissions if needed
+  ansible.builtin.file:
+    path: '/var/spool/rsyslog'
+    owner: '{{ rsyslog__user }}'
+    group: '{{ rsyslog__file_group }}'
+    mode: '0700'
+  register: rsyslog__register_unprivileged_files
+  when: rsyslog__enabled | bool and rsyslog__deploy_state != 'absent' and
+        rsyslog__unprivileged | bool and rsyslog__user != 'root'
+
+- name: Update directory and file permissions
+  ansible.builtin.shell: |
+    [ ! -d {{ rsyslog__home }} ] \
+      || ( [ "$(stat -c '%G' {{ rsyslog__home }})" = "{{ rsyslog__group }}" ] \
+             || chown -v root:{{ rsyslog__group }} {{ rsyslog__home }} ; \
+           [ "$(stat -c '%a' {{ rsyslog__home }})" = "775" ] \
+             || chmod -v 775 {{ rsyslog__home }} )
+    for i in {{ rsyslog__default_logfiles | join(" ") }} ; do
+      [ ! -f ${i} ] || \
+        ( [ "$(stat -c '%U' ${i})" = "{{ rsyslog__file_owner }}" ] \
+        || chown -v {{ rsyslog__file_owner }}:{{ rsyslog__file_group }} ${i} )
+    done
+  register: rsyslog__register_file_permissions
+  when: rsyslog__enabled | bool and rsyslog__deploy_state != 'absent' and
+        rsyslog__unprivileged | bool
+  changed_when: rsyslog__register_file_permissions.stdout | d()
+  notify: [ 'Check and restart rsyslogd' ]
+
+- name: Create systemd-tmpfiles override
+  ansible.builtin.copy:
+    dest: '/etc/tmpfiles.d/rsyslog-var-log.conf'
+    mode: '0755'
+    content: 'z {{ rsyslog__home }} 0775 root {{ rsyslog__group }} -'
+  notify: [ 'Create temporary files' ]
+  when: rsyslog__enabled | bool and rsyslog__deploy_state != 'absent' and
+        ansible_service_mgr == "systemd" and rsyslog__unprivileged | bool and
+        ansible_distribution == "Debian"
+
+- name: Divert main rsyslog configuration file
+  debops.debops.dpkg_divert:
+    path: '/etc/rsyslog.conf'
+    state: 'present'
+  notify: [ 'Check and restart rsyslogd' ]
+  when: rsyslog__enabled | bool and rsyslog__deploy_state != 'absent' and
+        ansible_pkg_mgr == 'apt'
+
+- name: Generate main rsyslog configuration
+  ansible.builtin.template:
+    src: 'etc/rsyslog.conf.j2'
+    dest: '/etc/rsyslog.conf'
+    mode: '0644'
+  notify: [ 'Check and restart rsyslogd' ]
+  when: rsyslog__enabled | bool and rsyslog__deploy_state != 'absent'
+
+- name: Manage configuration file diversions
+  debops.debops.dpkg_divert:
+    path: '{{ "/etc/rsyslog.d/" + (item.divert_to | d(item.name)) }}'
+    state: '{{ "present"
+               if (item.state | d("present") not in ["absent", "ignore", "init"])
+               else "absent" }}'
+  loop: '{{ rsyslog__combined_rules | flatten | debops.debops.parse_kv_items
+            | selectattr("divert", "defined") | list
+            | selectattr("divert", "equalto", True) | list }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": (item.state | d("present"))} }}'
+  notify: [ 'Check and restart rsyslogd' ]
+  when: rsyslog__enabled | bool and rsyslog__deploy_state != 'absent'
+
+- name: Generate rsyslog configuration rules
+  ansible.builtin.template:
+    src: 'etc/rsyslog.d/template.conf.j2'
+    dest: '{{ "/etc/rsyslog.d/" + item.name }}'
+    owner: '{{ item.owner | d("root") }}'
+    group: '{{ item.group | d("root") }}'
+    mode:  '{{ item.mode | d("0644") }}'
+  loop: '{{ rsyslog__combined_rules | flatten | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": (item.state | d("present"))} }}'
+  when: (rsyslog__enabled | bool and rsyslog__deploy_state != 'absent' and
+         item.state | d('present') not in ['absent', 'ignore', 'init'] and
+         (item.options | d() or item.raw | d()))
+  notify: [ 'Check and restart rsyslogd' ]
+
+- name: Remove custom config files when requested
+  ansible.builtin.file:
+    path: '{{ "/etc/rsyslog.d/" + item.name }}'
+    state: 'absent'
+  loop: '{{ rsyslog__combined_rules | flatten | debops.debops.parse_kv_items }}'
+  loop_control:
+    label: '{{ {"name": item.name, "state": (item.state | d("present"))} }}'
+  when: (rsyslog__enabled | bool and rsyslog__deploy_state != 'absent' and
+         (item.divert is undefined or not item.divert | bool) and
+         item.state | d('present') == 'absent')
+  notify: [ 'Check and restart rsyslogd' ]
+
+- name: Prepare cleanup during package removal
+  ansible.builtin.import_role:
+    name: 'dpkg_cleanup'
+  vars:
+    dpkg_cleanup__dependent_packages:
+      - '{{ rsyslog__dpkg_cleanup__dependent_packages }}'
+  when: rsyslog__enabled | bool and rsyslog__deploy_state != 'absent'
+  tags: [ 'role::dpkg_cleanup', 'skip::dpkg_cleanup',
+          'role::rsyslog:dpkg_cleanup' ]

ansible_collections/debops/debops/roles/rsyslog/templates/etc/ansible/facts.d/rsyslog.fact.j2

@@ -0,0 +1,35 @@
+#!{{ ansible_python['executable'] }}
+# -*- coding: utf-8 -*-
+
+# Copyright (C) 2020 Maciej Delmanowski <drybjed@gmail.com>
+# Copyright (C) 2020 DebOps <https://debops.org/>
+# SPDX-License-Identifier: GPL-3.0-only
+
+# {{ ansible_managed }}
+
+from __future__ import print_function
+from json import loads, dumps
+import subprocess
+import os
+
+
+def cmd_exists(cmd):
+    return any(
+        os.access(os.path.join(path, cmd), os.X_OK)
+        for path in os.environ["PATH"].split(os.pathsep)
+    )
+
+
+output = {'installed': cmd_exists('rsyslogd')}
+
+try:
+    version_stdout = subprocess.check_output(
+            ["rsyslogd", "-v"]
+            ).decode('utf-8').strip()
+    for line in version_stdout.split('\n'):
+        if line.lower().startswith('rsyslogd '):
+            output['version'] = line.split()[1].rstrip(',')
+except Exception:
+    pass
+
+print(dumps(output, sort_keys=True, indent=4))

ansible_collections/debops/debops/roles/rsyslog/templates/etc/rsyslog.conf.j2

@@ -0,0 +1,49 @@
+{# Copyright (C) 2015-2020 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+#  /etc/rsyslog.conf	Configuration file for rsyslog.
+#
+#			For more information see
+#			/usr/share/doc/rsyslog-doc/html/rsyslog_conf.html
+{% for section in rsyslog__combined_configuration_sections | debops.debops.parse_kv_config %}
+{%   if section.name | d() and section.state | d('present') not in [ 'absent', 'init', 'ignore' ] %}
+{%     set section_config = (rsyslog__combined_configuration | debops.debops.parse_kv_config
+                             | selectattr("section", "equalto", section.name) | list) %}
+{%     if section_config | d() %}
+{%       if section.state != 'hidden' %}
+{%         if ('present' in (section_config | map(attribute='state') | list)) %}
+{%           set section_title = (' ' + ((section.title | d(section.name)) | upper) + ' ') %}
+{%           set section_width = section_title | length + 8 %}
+{{           '' }}
+{{           '' }}
+{{           ("{:#^" + section_width | string + "}").format('#') }}
+{{           ("{:#^" + section_width | string + "}").format(section_title) }}
+{{           ("{:#^" + section_width | string + "}").format('#') }}
+{{           '' }}
+{%         endif %}
+{%       else %}
+{{         '' }}
+{%       endif %}
+{%       for element in section_config %}
+{%         if element.state | d('present') not in [ 'absent', 'ignore', 'init' ] %}
+{%           if element.comment | d() %}
+{%             if not loop.first %}
+{{               '' }}
+{%             endif %}
+{{             element.comment | regex_replace('\n$', '') | comment }}
+{%           endif %}
+{%           if element.raw | d() %}
+{%             if element.state | d('present') == 'comment' %}
+{{               '{}'.format(element.raw | regex_replace('\n$', '') | comment(prefix='', decoration='#', postfix='')) -}}
+{%             else %}
+{{               '{}'.format(element.raw | regex_replace('\n$', '')) }}
+{%             endif %}
+{%           endif %}
+{%         endif %}
+{%       endfor %}
+{%     endif %}
+{%   endif %}
+{% endfor %}

ansible_collections/debops/debops/roles/rsyslog/templates/etc/rsyslog.d/template.conf.j2

@@ -0,0 +1,32 @@
+{# Copyright (C) 2015-2020 Maciej Delmanowski <drybjed@gmail.com>
+ # Copyright (C) 2015-2020 DebOps <https://debops.org/>
+ # SPDX-License-Identifier: GPL-3.0-only
+ #}
+# {{ ansible_managed }}
+
+{% if item.comment | d() %}
+{{   item.comment | regex_replace('\n$', '') | comment }}
+{% endif %}
+{% if item.raw | d() %}
+{%   if item.state | d('present') == 'comment' %}
+{{     '{}'.format(item.raw | regex_replace('\n$', '') | comment(prefix='', decoration='#', postfix='')) -}}
+{%   else %}
+{{     '{}'.format(item.raw | regex_replace('\n$', '')) }}
+{%   endif %}
+{% elif item.options | d() %}
+{%   for element in item.options %}
+{%     if element.state | d('present') not in [ 'absent', 'ignore', 'init' ] %}
+{%       if element.comment | d() %}
+{%         if not loop.first %}
+
+{%         endif %}
+{{         element.comment | regex_replace('\n$', '') | comment }}
+{%       endif %}
+{%       if element.state | d('present') == 'comment' %}
+{{         '{}'.format(element.raw | regex_replace('\n$', '') | comment(prefix='', decoration='#', postfix='')) -}}
+{%       else %}
+{{         '{}'.format(element.raw | regex_replace('\n$', '')) }}
+{%       endif %}
+{%     endif %}
+{%   endfor %}
+{% endif %}