---
# file: roles/common/task/logging.yml

# Hardening: with kernel.dmesg_restrict=1 the kernel log buffer can only be
# read by processes holding CAP_SYSLOG, so unprivileged users cannot read
# kernel messages (which may expose kernel addresses and driver details).
- name: restrict dmesg access to only root
  sysctl:
    name: kernel.dmesg_restrict
    value: '1'
    state: present
    # Apply the value to the running kernel as well as persisting it.
    sysctl_set: true
    # Target file comes from a role variable defined outside this file.
    sysctl_file: "{{ common_sysctl_file }}"
  tags:
    - security
    - sysctl

# Installs the systemd-journal-persistent package. Runs only when both
# conditions hold: the distribution major version is below 11 and
# journal_persistent_with_package is truthy.
# NOTE(review): the task name suggests a site-provided package that enables
# persistent journal storage; confirm which repository it is served from.
- name: ensure system journal is a system-log-daemon with our package
  apt:
    name: systemd-journal-persistent
    state: present
  when:
    # int(default=99) yields 99 when the fact cannot be parsed as an integer,
    # so such hosts are treated as "11 or newer" and the task is skipped.
    - ansible_distribution_major_version|int(default=99) < 11
    - journal_persistent_with_package
  tags:
    - syslog
    - journal

# Counterpart of the package-based task: on releases below 11, when the
# package is not used, create /var/log/journal directly.
# NOTE(review): no owner, group or mode is set, so a newly created directory
# gets the defaults of the user running the task. The notified handler
# "configure journal directory" is defined outside this file and presumably
# sets ownership and ACLs; confirm, since journal files can hold sensitive
# data and the handler only fires when this task reports a change.
- name: ensure systemd journal is persistent
  file:
    path: /var/log/journal
    state: directory
  when:
    # Same version gate as the package task; non-numeric facts fall back to 99.
    - ansible_distribution_major_version|int(default=99) < 11
    - not journal_persistent_with_package
  notify:
    - configure journal directory
  tags:
    - syslog
    - journal

# Purges rsyslog on every host except the one whose FQDN equals the host part
# of syslogserver, and on all hosts when syslogserver is undefined.
# NOTE(review): force-depends turns dpkg dependency problems into warnings, so
# packages that depend on rsyslog can be left with unmet dependencies, and
# purge also deletes rsyslog's configuration. Log forwarding is not visible in
# this file; confirm these hosts still ship logs to central collection after
# the removal.
- name: ensure rsyslog is absent without broken dependecies
  apt:
    name: rsyslog
    state: absent
    purge: true
    dpkg_options: "force-confdef,force-confold,force-depends"
  when:
    # split(":")[0] keeps the text before the first colon (host in host:port).
    # The comparison is an exact string match against ansible_fqdn: if
    # syslogserver is given as a short name or an IP address, the log server
    # itself would also have rsyslog purged.
    - syslogserver is not defined or syslogserver.split(":")[0] != ansible_fqdn
  tags:
    - syslog

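# Drop-in directory for systemd-journald configuration. Owner and group are
# pinned to root, matching the logrotate.conf task in this file, so that a
# pre-existing directory with a different owner is corrected instead of
# silently kept. Mode 0755 leaves it writable by root only.
- name: create systemd-journald config directory
  file:
    path: /etc/systemd/journald.conf.d
    state: directory
    owner: root
    group: root
    mode: '0755'
  tags:
    - config
    - syslog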

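# Renders the role's size.conf.j2 into the journald drop-in directory.
# Owner and group are pinned to root, matching the logrotate.conf task in this
# file: this file controls journal retention, so only root should be able to
# change it. Mode 0644 keeps it world-readable but writable by root only.
- name: configure journal size and time limits
  template:
    src: size.conf.j2
    dest: /etc/systemd/journald.conf.d/size.conf
    owner: root
    group: root
    mode: '0644'
  # Handler is defined outside this file; it runs only when the rendered
  # file changes.
  notify: restart systemd-journald
  tags:
    - config
    - syslog
    - service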

# Replaces the global /etc/logrotate.conf with the role's template.
# Root ownership and mode 0644 keep the rotation policy writable by root only;
# logrotate is known to ignore config files with looser modes, so keep these
# values if the task is edited.
- name: ensure our logrotate.conf is present
  template:
    src: logrotate.conf.j2
    dest: /etc/logrotate.conf
    owner: root
    group: root
    mode: '0644'
  tags:
    - syslog