feat: rework logging and rotation rules

2025-11-15 00:18:01 +01:00 · 2025-11-15 00:18:01 +01:00 · 667bca796e
commit 667bca796e
parent 1d3af8dc45
8 changed files with 118 additions and 0 deletions
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@ -14,3 +14,12 @@ nginx_client_max_body_size: 100M
 # SSL configuration (volontarily omit TLSv1.2 here)
 nginx_ssl_protocols: TLSv1.3
 nginx_ssl_prefer_server_ciphers: true
+
+# Logging configuration
+# Backend: 'file' (traditional /var/log/nginx/*.log) or 'journald' (systemd journal)
+nginx_log_backend: journald
+
+# Logrotate configuration (only used when nginx_log_backend: file)
+nginx_logrotate_rotate: 14 # Keep 14 days of logs
+nginx_logrotate_frequency: daily # daily|weekly|monthly
+nginx_logrotate_compress: true # Compress rotated logs
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@ -5,6 +5,10 @@
    - "{{ ansible_facts['os_family'] }}.yml"
    - debian.yml

+- name: Set nginx_user if not already set
+  ansible.builtin.set_fact:
+    nginx_user: "{{ nginx_user | default('www-data') }}"
+
 - name: Install nginx
  ansible.builtin.package:
    name: nginx
@ -28,6 +32,21 @@
    validate: nginx -t -c %s
  notify: Reload nginx

+- name: Deploy logrotate configuration for nginx
+  ansible.builtin.template:
+    src: logrotate-nginx.j2
+    dest: /etc/logrotate.d/nginx
+    owner: root
+    group: root
+    mode: "0644"
+  when: nginx_log_backend == 'file'
+
+- name: Remove logrotate configuration when using journald
+  ansible.builtin.file:
+    path: /etc/logrotate.d/nginx
+    state: absent
+  when: nginx_log_backend == 'journald'
+
 - name: Allow HTTP traffic through firewall
  community.general.ufw:
    rule: allow
--- a/roles/nginx/templates/nginx.conf.j2
+++ b/roles/nginx/templates/nginx.conf.j2
@ -1,6 +1,10 @@
 user {{ nginx_user }};
 worker_processes {{ nginx_worker_processes }};
+{% if nginx_log_backend == 'journald' %}
+error_log syslog:server=unix:/dev/log,nohostname;
+{% else %}
 error_log /var/log/nginx/error.log;
+{% endif %}
 pid /run/nginx.pid;

 include /usr/share/nginx/modules/*.conf;
@ -14,7 +18,11 @@ http {
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

+{% if nginx_log_backend == 'journald' %}
+    access_log syslog:server=unix:/dev/log,nohostname main;
+{% else %}
    access_log  /var/log/nginx/access.log  main;
+{% endif %}

    sendfile            on;
    tcp_nopush          on;
--- a/roles/podman/defaults/main.yml
+++ b/roles/podman/defaults/main.yml
@ -15,6 +15,18 @@ podman_subnet: ""
 # Podman bridge gateway IP (typically .1 of the bridge network)
 # Used by services that need to bind to the bridge interface

+# OCI Runtime
+# crun (default, modern C runtime - fast) or runc (original Go runtime)
+podman_runtime: crun
+
+# Container logging configuration
+# Log driver: journald (systemd journal) or k8s-file (JSON files)
+podman_log_driver: journald
+
+# k8s-file driver settings (only used when podman_log_driver: k8s-file)
+podman_log_max_size: 10mb # Max size per log file before rotation
+podman_log_max_files: 5 # Max number of rotated log files to keep
+
 # Each network should define: name, subnet, gateway
 # podman_external_networks: []
 # Example:
--- a/roles/podman/tasks/main.yml
+++ b/roles/podman/tasks/main.yml
@ -4,6 +4,7 @@
    name:
      - podman
      - podman-compose
+      - crun
    state: present

 - name: Create projects directory
@ -22,6 +23,14 @@
    group: root
    mode: "0644"

+- name: Deploy Podman containers configuration
+  ansible.builtin.template:
+    src: containers.conf.j2
+    dest: /etc/containers/containers.conf
+    owner: root
+    group: root
+    mode: "0644"
+
 - name: Create external Podman networks
  containers.podman.podman_network:
    name: "{{ item.name }}"
--- a/roles/postgres/defaults/main.yml
+++ b/roles/postgres/defaults/main.yml
@ -26,3 +26,26 @@ postgres_effective_cache_size: 1GB
 postgres_maintenance_work_mem: 64MB
 postgres_work_mem: 4MB
 postgres_max_connections: 100
+
+# Logging configuration
+# Backend: 'journald' (systemd journal) or 'file' (traditional log files)
+postgres_log_backend: journald
+
+# Logging settings (apply to both backends)
+postgres_log_min_duration_statement: -1 # -1 disables, 0 logs all, >0 logs slow queries (ms)
+postgres_log_line_prefix: "%m [%p] %q%u@%d " # timestamp [pid] user@database
+postgres_log_timezone: UTC
+
+# File backend settings (only used when postgres_log_backend: file)
+postgres_log_destination: stderr # stderr|csvlog|syslog
+postgres_logging_collector: "on" # Enable log file collection
+postgres_log_directory: log # Relative to data directory
+postgres_log_filename: postgresql-%Y-%m-%d_%H%M%S.log
+postgres_log_rotation_age: 1d # Rotate after this time (0 disables)
+postgres_log_rotation_size: 100MB # Rotate after this size (0 disables)
+postgres_log_truncate_on_rotation: "off" # Overwrite old log files with same name
+
+# Logrotate configuration (only used when postgres_log_backend: file)
+postgres_logrotate_rotate: 14 # Keep 14 days of logs
+postgres_logrotate_frequency: daily # daily|weekly|monthly
+postgres_logrotate_compress: true # Compress rotated logs
--- a/roles/postgres/tasks/main.yml
+++ b/roles/postgres/tasks/main.yml
@ -73,6 +73,21 @@
    enabled: true
    state: started

+- name: Deploy logrotate configuration for PostgreSQL
+  ansible.builtin.template:
+    src: logrotate-postgresql.j2
+    dest: /etc/logrotate.d/postgresql
+    owner: root
+    group: root
+    mode: "0644"
+  when: postgres_log_backend == 'file'
+
+- name: Remove logrotate configuration when using journald
+  ansible.builtin.file:
+    path: /etc/logrotate.d/postgresql
+    state: absent
+  when: postgres_log_backend == 'journald'
+
 - name: Set PostgreSQL admin user password
  community.postgresql.postgresql_user:
    name: "{{ postgres_admin_user }}"
--- a/roles/postgres/templates/custom.conf.j2
+++ b/roles/postgres/templates/custom.conf.j2
@ -11,3 +11,26 @@ effective_cache_size = {{ postgres_effective_cache_size }}
 maintenance_work_mem = {{ postgres_maintenance_work_mem }}
 work_mem = {{ postgres_work_mem }}
 max_connections = {{ postgres_max_connections }}
+
+# Logging configuration
+{% if postgres_log_backend == 'journald' %}
+# Log to systemd journal via stderr (journald captures it automatically)
+log_destination = 'stderr'
+logging_collector = off
+{% else %}
+# Log to files
+log_destination = '{{ postgres_log_destination }}'
+logging_collector = {{ postgres_logging_collector }}
+log_directory = '{{ postgres_log_directory }}'
+log_filename = '{{ postgres_log_filename }}'
+log_rotation_age = {{ postgres_log_rotation_age }}
+log_rotation_size = {{ postgres_log_rotation_size }}
+log_truncate_on_rotation = {{ postgres_log_truncate_on_rotation }}
+{% endif %}
+
+# Logging details (applies to both backends)
+log_line_prefix = '{{ postgres_log_line_prefix }}'
+log_timezone = '{{ postgres_log_timezone }}'
+{% if postgres_log_min_duration_statement >= 0 %}
+log_min_duration_statement = {{ postgres_log_min_duration_statement }}
+{% endif %}