From 4cec4cdb7b7d6bbd6f445ce7defa324f7a614fe4 Mon Sep 17 00:00:00 2001 From: Jason Rothstein Date: Sat, 28 Mar 2020 15:47:29 -0500 Subject: [PATCH] Set Fedora policy to 90 days of compressed logs --- tasks/main.yml | 24 ++++++++++++++++++++++++ templates/Fedora/29/etc/logrotate.conf | 20 ++++++++++++++++++++ templates/Fedora/29/etc/logrotate.d/btmp | 7 +++++++ templates/Fedora/29/etc/logrotate.d/wtmp | 8 ++++++++ templates/Fedora/30/etc/logrotate.conf | 20 ++++++++++++++++++++ templates/Fedora/30/etc/logrotate.d/btmp | 7 +++++++ templates/Fedora/30/etc/logrotate.d/wtmp | 8 ++++++++ templates/Fedora/31/etc/logrotate.conf | 20 ++++++++++++++++++++ templates/Fedora/31/etc/logrotate.d/btmp | 7 +++++++ templates/Fedora/31/etc/logrotate.d/wtmp | 8 ++++++++ vars/Fedora-29-x86_64.yml | 4 ++++ vars/Fedora-30-x86_64.yml | 4 ++++ vars/Fedora-31-x86_64.yml | 5 ++++- 13 files changed, 141 insertions(+), 1 deletion(-) create mode 100644 templates/Fedora/29/etc/logrotate.conf create mode 100644 templates/Fedora/29/etc/logrotate.d/btmp create mode 100644 templates/Fedora/29/etc/logrotate.d/wtmp create mode 100644 templates/Fedora/30/etc/logrotate.conf create mode 100644 templates/Fedora/30/etc/logrotate.d/btmp create mode 100644 templates/Fedora/30/etc/logrotate.d/wtmp create mode 100644 templates/Fedora/31/etc/logrotate.conf create mode 100644 templates/Fedora/31/etc/logrotate.d/btmp create mode 100644 templates/Fedora/31/etc/logrotate.d/wtmp diff --git a/tasks/main.yml b/tasks/main.yml index 8b8036f..68fd6b3 100644 --- a/tasks/main.yml +++ b/tasks/main.yml 
@@ -41,6 +41,30 @@ - 'ensure_log_rotation.service_facts' - name: 'flush handlers' meta: 'flush_handlers' +- name: 'ensure configuration' + when: + - ansible_system == 'Linux' + - ensure_log_rotation is defined + - ensure_log_rotation.template_list is defined + - ensure_log_rotation.template_list is iterable + template: + attributes: '{{ item.attributes | default(omit) }}' + backup: '{{ item.backup | default(omit) }}' + dest: '{{ item.dest }}' + follow: '{{ item.follow | default(omit) }}' + force: '{{ item.force | default(omit) }}' + group: '{{ item.group | default(omit) }}' + mode: '{{ item.mode | default(omit) }}' + owner: '{{ item.owner | default(omit) }}' + selevel: '{{ item.selevel | default(omit) }}' + serole: '{{ item.serole | default(omit) }}' + setype: '{{ item.setype | default(omit) }}' + seuser: '{{ item.seuser | default(omit) }}' + src: '{{ item.src | default(omit) }}' + validate: '{{ item.validate | default(omit) }}' + loop: '{{ ensure_log_rotation.template_list }}' + loop_control: + label: '{{ item.dest }}' - name: 'ensure services' when: - ansible_system == 'Linux' diff --git a/templates/Fedora/29/etc/logrotate.conf b/templates/Fedora/29/etc/logrotate.conf new file mode 100644 index 0000000..54b6e97 --- /dev/null +++ b/templates/Fedora/29/etc/logrotate.conf @@ -0,0 +1,20 @@ +# see "man logrotate" for details +# rotate log files weekly +daily + +# keep 4 weeks worth of backlogs +rotate 90 + +# create new (empty) log files after rotating old ones +create + +# use date as a suffix of the rotated file +dateext + +# uncomment this if you want your log files compressed +compress + +# packages drop log rotation information into this directory +include /etc/logrotate.d + +# system-specific logs may be also be configured here. diff --git a/templates/Fedora/29/etc/logrotate.d/btmp b/templates/Fedora/29/etc/logrotate.d/btmp new file mode 100644 index 0000000..0aa1ae1 --- /dev/null +++ b/templates/Fedora/29/etc/logrotate.d/btmp 
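Review bot: The `src` line in the new 'ensure configuration' task uses `default(omit)`, but the template module cannot run without a source, so an entry that lacks `src` fails inside the module instead of at the variable reference; write it as `src: '{{ item.src }}'`, the same way `dest` is handled. The task also forwards `validate` and `backup`, yet none of the entries this commit adds to the vars files sets either one, so a template that renders to a broken logrotate configuration would overwrite the working file unchecked and rotation could stop without notice. Consider supplying a check such as `validate: 'logrotate -d %s'` on those entries. The last three context lines belong to the following 'ensure services' task, which continues outside the hunk.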
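Review bot: The comments in the new logrotate.conf still describe the distribution defaults and not the values set beneath them: `# rotate log files weekly` sits above `daily`, `# keep 4 weeks worth of backlogs` above `rotate 90`, and `# uncomment this if you want your log files compressed` above an already active `compress`. Reword them to match, for example `# rotate log files daily`, `# keep 90 days worth of backlogs` and `# compress rotated log files`. It is also worth a comment that these are global defaults: a stanza under /etc/logrotate.d that sets its own interval or `rotate` count overrides them, so the 90-day figure holds only for logs that inherit it. The identical file is added for Fedora 30 and Fedora 31.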
@@ -0,0 +1,7 @@
+# no packages own btmp -- we'll rotate it here
+/var/log/btmp {
+ missingok
+ monthly
+ create 0660 root utmp
+ rotate 1
+}
diff --git a/templates/Fedora/29/etc/logrotate.d/wtmp b/templates/Fedora/29/etc/logrotate.d/wtmp
new file mode 100644
index 0000000..cc8a151
--- /dev/null
+++ b/templates/Fedora/29/etc/logrotate.d/wtmp
@@ -0,0 +1,8 @@
+# no packages own wtmp -- we'll rotate it here
+/var/log/wtmp {
+ missingok
+ monthly
+ create 0664 root utmp
+ minsize 1M
+ rotate 1
+}
diff --git a/templates/Fedora/30/etc/logrotate.conf b/templates/Fedora/30/etc/logrotate.conf
new file mode 100644
index 0000000..54b6e97
--- /dev/null
+++ b/templates/Fedora/30/etc/logrotate.conf
@@ -0,0 +1,20 @@
+# see "man logrotate" for details
+# rotate log files weekly
+daily
+
+# keep 4 weeks worth of backlogs
+rotate 90
+
+# create new (empty) log files after rotating old ones
+create
+
+# use date as a suffix of the rotated file
+dateext
+
+# uncomment this if you want your log files compressed
+compress
+
+# packages drop log rotation information into this directory
+include /etc/logrotate.d
+
+# system-specific logs may be also be configured here.
diff --git a/templates/Fedora/30/etc/logrotate.d/btmp b/templates/Fedora/30/etc/logrotate.d/btmp
new file mode 100644
index 0000000..0aa1ae1
--- /dev/null
+++ b/templates/Fedora/30/etc/logrotate.d/btmp
@@ -0,0 +1,7 @@
+# no packages own btmp -- we'll rotate it here
+/var/log/btmp {
+ missingok
+ monthly
+ create 0660 root utmp
+ rotate 1
+}
diff --git a/templates/Fedora/30/etc/logrotate.d/wtmp b/templates/Fedora/30/etc/logrotate.d/wtmp
new file mode 100644
index 0000000..cc8a151
--- /dev/null
+++ b/templates/Fedora/30/etc/logrotate.d/wtmp
@@ -0,0 +1,8 @@
+# no packages own wtmp -- we'll rotate it here
+/var/log/wtmp {
+ missingok
+ monthly
+ create 0664 root utmp
+ minsize 1M
+ rotate 1
+}
diff --git a/templates/Fedora/31/etc/logrotate.conf b/templates/Fedora/31/etc/logrotate.conf
new file mode 100644
index 0000000..54b6e97
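Review bot: `monthly` with `rotate 1` in the btmp stanza keeps the live file plus a single rotated month, which is less than the 90 days named in the commit subject; the wtmp stanza has the same pair of settings, and so do the Fedora 30 and 31 copies. Because a stanza's own directives override the global `daily` / `rotate 90` from logrotate.conf, the failed-login and login-history records end up with the shortest retention on the host, and they are among the first files an investigation asks for. If the 90-day policy is meant to cover them, change the count to `rotate 3` in both stanzas. If the shorter window is deliberate, say so in the header comment of each file.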
--- /dev/null
+++ b/templates/Fedora/31/etc/logrotate.conf
@@ -0,0 +1,20 @@
+# see "man logrotate" for details
+# rotate log files weekly
+daily
+
+# keep 4 weeks worth of backlogs
+rotate 90
+
+# create new (empty) log files after rotating old ones
+create
+
+# use date as a suffix of the rotated file
+dateext
+
+# uncomment this if you want your log files compressed
+compress
+
+# packages drop log rotation information into this directory
+include /etc/logrotate.d
+
+# system-specific logs may be also be configured here.
diff --git a/templates/Fedora/31/etc/logrotate.d/btmp b/templates/Fedora/31/etc/logrotate.d/btmp
new file mode 100644
index 0000000..0aa1ae1
--- /dev/null
+++ b/templates/Fedora/31/etc/logrotate.d/btmp
@@ -0,0 +1,7 @@
+# no packages own btmp -- we'll rotate it here
+/var/log/btmp {
+ missingok
+ monthly
+ create 0660 root utmp
+ rotate 1
+}
diff --git a/templates/Fedora/31/etc/logrotate.d/wtmp b/templates/Fedora/31/etc/logrotate.d/wtmp
new file mode 100644
index 0000000..cc8a151
--- /dev/null
+++ b/templates/Fedora/31/etc/logrotate.d/wtmp
@@ -0,0 +1,8 @@
+# no packages own wtmp -- we'll rotate it here
+/var/log/wtmp {
+ missingok
+ monthly
+ create 0664 root utmp
+ minsize 1M
+ rotate 1
+}
diff --git a/vars/Fedora-29-x86_64.yml b/vars/Fedora-29-x86_64.yml
index 2ac1e8c..d36c574 100644
--- a/vars/Fedora-29-x86_64.yml
+++ b/vars/Fedora-29-x86_64.yml
@@ -4,4 +4,8 @@ package_list: - { name: 'logrotate', state: 'present' } service_list: - { name: 'logrotate.timer', state: 'started', enabled: 'yes' } +template_list: + - { dest: '/etc/logrotate.conf', force: 'yes', group: 'root', mode: '0644', owner: 'root', src: '{{ ansible_distribution }}/{{ ansbile_distribution_major_version }}/etc/logortate.conf' } + - { dest: '/etc/logrotate.d/btmp', force: 'yes', group: 'root', mode: '0644', owner: 'root', src: '{{ ansible_distribution }}/{{ ansbile_distribution_major_version }}/etc/logortate.d/btmp' } + - { dest: '/etc/logrotate.d/wtmp', force: 'yes', group: 'root', mode: '0644', owner: 'root', src: '{{ ansible_distribution }}/{{ ansbile_distribution_major_version }}/etc/logortate.d/wtmp' } diff --git a/vars/Fedora-30-x86_64.yml b/vars/Fedora-30-x86_64.yml index 2ac1e8c..d36c574 100644 --- a/vars/Fedora-30-x86_64.yml +++ b/vars/Fedora-30-x86_64.yml @@ -4,4 +4,8 @@ package_list: - { name: 'logrotate', state: 'present' } service_list: - { name: 'logrotate.timer', state: 'started', enabled: 'yes' } +template_list: + - { dest: '/etc/logrotate.conf', force: 'yes', group: 'root', mode: '0644', owner: 'root', src: '{{ ansible_distribution }}/{{ ansbile_distribution_major_version }}/etc/logortate.conf' } + - { dest: '/etc/logrotate.d/btmp', force: 'yes', group: 'root', mode: '0644', owner: 'root', src: '{{ ansible_distribution }}/{{ ansbile_distribution_major_version }}/etc/logortate.d/btmp' } + - { dest: '/etc/logrotate.d/wtmp', force: 'yes', group: 'root', mode: '0644', owner: 'root', src: '{{ ansible_distribution }}/{{ ansbile_distribution_major_version }}/etc/logortate.d/wtmp' } diff --git a/vars/Fedora-31-x86_64.yml b/vars/Fedora-31-x86_64.yml index 2ac1e8c..14f305c 100644 --- a/vars/Fedora-31-x86_64.yml +++ b/vars/Fedora-31-x86_64.yml 
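Review bot: Every `src` value in the new `template_list` carries two misspellings: the variable is written `ansbile_distribution_major_version`, and the path says `logortate` although the files this commit adds live under `etc/logrotate.conf` and `etc/logrotate.d/`. As written the task would most likely stop on an undefined variable, and with that fixed it would still not find the template, so the 90-day policy is never installed. The first entry should read `src: '{{ ansible_distribution }}/{{ ansible_distribution_major_version }}/etc/logrotate.conf'`, with the same correction for `logrotate.d/btmp` and `logrotate.d/wtmp`. The same three lines are repeated in the Fedora 30 and Fedora 31 vars hunks.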
@@ -4,4 +4,7 @@ package_list: - { name: 'logrotate', state: 'present' } service_list: - { name: 'logrotate.timer', state: 'started', enabled: 'yes' } - +template_list: + - { dest: '/etc/logrotate.conf', force: 'yes', group: 'root', mode: '0644', owner: 'root', src: '{{ ansible_distribution }}/{{ ansbile_distribution_major_version }}/etc/logortate.conf' } + - { dest: '/etc/logrotate.d/btmp', force: 'yes', group: 'root', mode: '0644', owner: 'root', src: '{{ ansible_distribution }}/{{ ansbile_distribution_major_version }}/etc/logortate.d/btmp' } + - { dest: '/etc/logrotate.d/wtmp', force: 'yes', group: 'root', mode: '0644', owner: 'root', src: '{{ ansible_distribution }}/{{ ansbile_distribution_major_version }}/etc/logortate.d/wtmp' }