fix: apparmor config typo

2025-11-15 00:17:04 +01:00 · 2025-11-15 00:17:04 +01:00 · 9c10116dcb
commit 9c10116dcb
parent 3ab48b93a6
2 changed files with 113 additions and 7 deletions
--- a/roles/nginx/README.md
+++ b/roles/nginx/README.md
@ -10,6 +10,8 @@ This Ansible role installs and configures Nginx as a reverse proxy for web appli
 - SSL/TLS configuration
 - Modular vhost configuration via `/etc/nginx/conf.d/`
 - Zero-downtime reloads
+- Configurable logging backend (journald or traditional files)
+- Automatic logrotate configuration for file-based logging

 ## Requirements

@ -24,6 +26,29 @@ See `defaults/main.yml` for all available variables and their default values.

 The role provides sensible defaults for worker processes, connection limits, upload sizes, compression, and SSL/TLS settings. Override as needed in your inventory.

+### Logging Configuration
+
+```yaml
+# Logging backend: 'journald' (systemd journal) or 'file' (traditional logs)
+nginx_log_backend: journald  # Default: journald
+
+# Logrotate settings (only used when nginx_log_backend: file)
+nginx_logrotate_rotate: 14        # Keep 14 days of logs
+nginx_logrotate_frequency: daily  # daily|weekly|monthly
+nginx_logrotate_compress: true    # Compress rotated logs
+```
+
+**journald backend (default):**
+- Logs sent to systemd journal via syslog
+- Centralized with other system logs
+- Managed by systemd-journald (size limits, retention, compression)
+- View with: `journalctl -u nginx`
+
+**file backend:**
+- Traditional `/var/log/nginx/*.log` files
+- Automatic logrotate configuration deployed
+- Useful for external log aggregation tools
+
 ## Dependencies

 None.
@ -133,20 +158,76 @@ This pattern allows for independent service deployments:

 ## Log Management

-Nginx logs are written to:
+### Journald Backend (Default)
+
+When `nginx_log_backend: journald`, logs are sent to systemd journal:
+
+```bash
+# View all nginx logs
+journalctl -u nginx -f
+
+# Last 100 lines
+journalctl -u nginx -n 100
+
+# Filter by priority (error, warning, info)
+journalctl -u nginx -p err
+
+# Time range
+journalctl -u nginx --since "1 hour ago"
+
+# Export to file
+journalctl -u nginx > nginx-logs.txt
+```
+
+**Benefits:**
+- Centralized with all system logs
+- Automatic rotation/compression via systemd-journald
+- Structured metadata (timestamps, priorities)
+- No separate logrotate configuration needed
+
+### File Backend
+
+When `nginx_log_backend: file`, logs are written to:
 - `/var/log/nginx/access.log` - Access logs
 - `/var/log/nginx/error.log` - Error logs

-These are also captured by systemd journal:
 ```bash
-# View nginx logs
-journalctl -u nginx -f
-
 # View traditional log files
 tail -f /var/log/nginx/access.log
 tail -f /var/log/nginx/error.log
 ```

+Logrotate is automatically configured to:
+- Rotate daily (configurable)
+- Keep 14 days (configurable)
+- Compress old logs
+- Reload nginx gracefully after rotation
+
+### Switching Backends
+
+To switch from journald to file logging:
+
+```yaml
+- hosts: servers
+  roles:
+    - role: nginx
+      vars:
+        nginx_log_backend: file
+        nginx_logrotate_rotate: 30  # Keep 30 days
+```
+
+To switch back to journald:
+
+```yaml
+- hosts: servers
+  roles:
+    - role: nginx
+      vars:
+        nginx_log_backend: journald
+```
+
+The role automatically removes logrotate config when using journald.
+
 ## Configuration Validation

 The role automatically validates nginx configuration before applying changes using `nginx -t`.
--- a/roles/unbound/tasks/main.yml
+++ b/roles/unbound/tasks/main.yml
@ -25,8 +25,33 @@
  ansible.builtin.copy:
    dest: /etc/apparmor.d/usr.sbin.unbound
    content: |
-      /etc/unbound/** r,
-      /var/lib/unbound/** rwk,
+      #include <tunables/global>
+
+      /usr/sbin/unbound {
+        #include <abstractions/base>
+        #include <abstractions/nameservice>
+
+        capability net_bind_service,
+        capability setgid,
+        capability setuid,
+        capability sys_chroot,
+        capability sys_resource,
+
+        /etc/unbound/** r,
+        /var/lib/unbound/** rwk,
+        /run/unbound.pid rw,
+        /usr/sbin/unbound mr,
+
+        # Allow reading system certificates
+        /etc/ssl/certs/** r,
+        /usr/share/ca-certificates/** r,
+
+        # Allow network access
+        network inet dgram,
+        network inet6 dgram,
+        network inet stream,
+        network inet6 stream,
+      }
    owner: root
    group: root
    mode: "0644"