From 14d5caa4b4915f5271a057c48649d1825c6f7a14 Mon Sep 17 00:00:00 2001 From: josiah Date: Tue, 19 May 2020 17:19:17 -0500 Subject: [PATCH] Create syslog role and links / host entries. --- ansible/all.yml | 14 +++ ansible/group_vars/all/main.yml | 13 +++ .../host_vars/larva.home.jowj.net/main.yml | 3 + ansible/hosts.yml | 8 ++ ansible/roles/syslog/defaults/main.yml | 10 ++ ansible/roles/syslog/handlers/main.yml | 5 + ansible/roles/syslog/readme.org | 6 + ansible/roles/syslog/tasks/main.yml | 35 ++++++ .../roles/syslog/templates/syslog-ng.conf.j2 | 106 ++++++++++++++++++ 9 files changed, 200 insertions(+) create mode 100644 ansible/host_vars/larva.home.jowj.net/main.yml create mode 100644 ansible/roles/syslog/defaults/main.yml create mode 100644 ansible/roles/syslog/handlers/main.yml create mode 100644 ansible/roles/syslog/readme.org create mode 100644 ansible/roles/syslog/tasks/main.yml create mode 100644 ansible/roles/syslog/templates/syslog-ng.conf.j2 diff --git a/ansible/all.yml b/ansible/all.yml index c812441..9e7e7e3 100644 --- a/ansible/all.yml +++ b/ansible/all.yml @@ -16,6 +16,12 @@ - { name: awfulAll, tags: ['awfulAll'] } +- name: Configure home-net base packages + hosts: home + roles: + - { name: home-net, tags: ['base'] } + + - name: Deploy mediaserver hosts: mediaserver gather_facts: no @@ -42,3 +48,11 @@ - debug: msg="Deploying awful stack to cloud server" roles: - { name: test, tags: ['test'] } + +- name: deploy syslog server + gather_facts: no + hosts: syslog + tasks: + - debug: msg="Deploy syslog server to larva." + roles: + - { name: syslog, tags: ['syslog'] } diff --git a/ansible/group_vars/all/main.yml b/ansible/group_vars/all/main.yml index e978558..1a97dca 100644 --- a/ansible/group_vars/all/main.yml +++ b/ansible/group_vars/all/main.yml 
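Review bot: The new `deploy syslog server` play sets `gather_facts: no`, but the syslog role it applies guards its ufw block with `when: ansible_distribution == "Ubuntu"` (tasks/main.yml in this same commit), so when larva has no facts collected in the run the conditional errors on an undefined `ansible_distribution` instead of skipping. In a full run of all.yml the earlier `Configure home-net base packages` play presumably gathers facts for the `home` group and masks this, but running the syslog play on its own, or reusing the role elsewhere, will hit it. Drop the override, i.e. change `gather_facts: no` to `gather_facts: yes` on this play, or put an explicit `setup:` task ahead of the roles. The `home-net` role referenced in the first hunk is not part of this commit, so I assume it already exists in the repo.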
@@ -1,5 +1,10 @@ --- +global_syslog_host: syslog.home.jowj.net +global_syslog_netsys_port: "514" +global_syslog_netcons_port: "5514" +global_syslog_nettemp_port: "5515" + remote_user: josiah gather_facts: True source_os: arch @@ -70,3 +75,11 @@ NEXTCLOUD_ADMIN_PASSWORD: "{{ VAULT_NEXTCLOUD_ADMIN_PASSWORD }}" # DO shit DO_AUTH_TOKEN: "{{ VAULT_DO_AUTH_TOKEN }}" + +# Syslog shit + +sysloghost_share_mountpoint: /syslog/ + +sysloghost_netsys_port: "{{ global_syslog_netsys_port }}" +sysloghost_netcons_port: "{{ global_syslog_netcons_port }}" +sysloghost_nettemp_port: "{{ global_syslog_nettemp_port }}" diff --git a/ansible/host_vars/larva.home.jowj.net/main.yml b/ansible/host_vars/larva.home.jowj.net/main.yml new file mode 100644 index 0000000..03be501 --- /dev/null +++ b/ansible/host_vars/larva.home.jowj.net/main.yml @@ -0,0 +1,3 @@ +ansible_python_interpreter: /usr/bin/python3 +interactive: yes +ansible_user: ubuntu diff --git a/ansible/hosts.yml b/ansible/hosts.yml index 651ff09..825a5d2 100644 --- a/ansible/hosts.yml +++ b/ansible/hosts.yml @@ -4,6 +4,10 @@ all: hosts: awful-1.awful.club: ansible_python_interpreter: /usr/local/bin/python3.7 + home: + hosts: + hatchery.home.jowj.net: + larva.home.jowj.net: vpn: hosts: vpn.awful.club: @@ -20,3 +24,7 @@ all: hosts: hatchery: ansible_python_interpreter: /usr/bin/python3 + syslog: + hosts: + larva.home.jowj.net: + ansible_python_interpreter: /usr/bin/python3 diff --git a/ansible/roles/syslog/defaults/main.yml b/ansible/roles/syslog/defaults/main.yml new file mode 100644 index 0000000..1409091 --- /dev/null +++ b/ansible/roles/syslog/defaults/main.yml @@ -0,0 +1,10 @@ +--- +sysloghost_netsys_port: "514" +sysloghost_netcons_port: "5514" +sysloghost_nettemp_port: "5515" +sysloghost_all_ports: + - "{{ sysloghost_netsys_port }}" + - "{{ sysloghost_netcons_port }}" + - "{{ sysloghost_nettemp_port }}" + +sysloghost_share_mountpoint: "" 
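Review bot: `sysloghost_share_mountpoint: /syslog/` carries a trailing slash while every `d_nas_*` destination in the new syslog-ng template appends `/$HOST...` to it, so the rendered paths come out as `/syslog//<host>.syslog.log...`; the kernel does not mind, but the doubled separator will appear in every log path and in anything keyed on those paths. Use `sysloghost_share_mountpoint: /syslog` and let the template supply the separator. `global_syslog_host` is defined here but nothing in this commit reads it; presumably it is meant for the client-side role that ships logs to larva, in which case a one-line comment saying so would help the next reader.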
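Review bot: `interactive: yes` in the new host_vars file uses the YAML 1.1 boolean spelling; write `interactive: true` so the value is read the same way by every parser and passes yamllint's truthy check (a `---` document start would also match the other var files). The same file sets `ansible_python_interpreter: /usr/bin/python3` for larva, and the hosts.yml hunk in this commit repeats that value under `syslog.hosts.larva.home.jowj.net`; keep the host-level setting in host_vars only and drop the copy in the inventory so the two cannot drift.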
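Review bot: The role default `sysloghost_share_mountpoint: ""` means that if the group var is ever absent the template renders `file("/$HOST.syslog.log...")`, and with `create_dirs(yes)` syslog-ng will silently write every remote host's logs to the filesystem root instead of failing. Prefer a default that cannot do that, such as `sysloghost_share_mountpoint: /var/log/remote`, or fail early in tasks/main.yml with `- assert: { that: sysloghost_share_mountpoint | length > 0 }`. The readme in this commit records that mounting the NAS share is not yet part of the play, so nothing currently verifies the path is a mounted share before logs land on it; a comment on this default saying it must point at the mounted share would make that dependency visible.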
diff --git a/ansible/roles/syslog/handlers/main.yml b/ansible/roles/syslog/handlers/main.yml
new file mode 100644
index 0000000..b3e5d6e
--- /dev/null
+++ b/ansible/roles/syslog/handlers/main.yml
@@ -0,0 +1,5 @@
+---
+- name: restart syslog-ng
+ service:
+ name: syslog-ng
+ state: restarted
diff --git a/ansible/roles/syslog/readme.org b/ansible/roles/syslog/readme.org
new file mode 100644
index 0000000..bc40632
--- /dev/null
+++ b/ansible/roles/syslog/readme.org
@@ -0,0 +1,6 @@
+* syslog role
+skeleton build out right now.
+
+** shit to fix
+- [ ] move away from NFS, but that's a wider problem
+- [ ] mount the synology as part of the play.
diff --git a/ansible/roles/syslog/tasks/main.yml b/ansible/roles/syslog/tasks/main.yml
new file mode 100644
index 0000000..ac8049a
--- /dev/null
+++ b/ansible/roles/syslog/tasks/main.yml
@@ -0,0 +1,35 @@
+---
+- name: Install syslog-ng etc
+ apt:
+ name:
+ - logrotate
+ - syslog-ng
+ - nsf-common # required for mounting the idiot nfs thing over idiot nfs, the worst fs.
+ state: latest
+
+
+- name: Configure firewall (Ubuntu)
+ block:
+ - name: Configure syslog UDP ports (Ubuntu)
+ ufw: port={{ item }} proto=udp rule=allow
+ with_items: "{{ sysloghost_all_ports }}"
+ - name: Configure syslog TCP ports (Ubuntu)
+ ufw: port={{ item }} proto=tcp rule=allow
+ with_items: "{{ sysloghost_all_ports }}"
+ when: ansible_distribution == "Ubuntu"
+
+- name: Apply syslog-ng configuration
+ template:
+ src: syslog-ng.conf.j2
+ dest: /etc/syslog-ng/syslog-ng.conf
+ owner: root
+ group: root
+ mode: "0644"
+ notify: restart syslog-ng
+
+
+
+- name: Start syslog-ng
+ service:
+ name: syslog-ng
+ state: started
diff --git a/ansible/roles/syslog/templates/syslog-ng.conf.j2 b/ansible/roles/syslog/templates/syslog-ng.conf.j2
new file mode 100644
index 0000000..b7944bd
--- /dev/null
+++ b/ansible/roles/syslog/templates/syslog-ng.conf.j2
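Review bot: The apt task in tasks/main.yml lists `nsf-common`, which by the comment on the same line is meant to be `nfs-common`; apt will fail on the unknown package name and the play stops before syslog-ng is ever configured, so change the entry to `- nfs-common`. In the same hunk the ufw rules allow the three syslog ports from any source; the ufw module accepts `from_ip`, and `ufw: rule=allow proto=udp port={{ item }} from_ip=<home-subnet-cidr>` (likewise for tcp) keeps the collector from accepting, and writing to the NAS share, logs from arbitrary senders. `state: latest` on the install task upgrades those packages on every run, whereas `state: present` is the idempotent form. The `Start syslog-ng` task could also set `enabled: yes` so the service comes back after a reboot, and the two ufw tasks would read better as block-style module args than `key=value` strings.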
@@ -0,0 +1,106 @@ +@version:3.25 +@include "scl.conf" + +# syslog-ng configuration file. +# See syslog-ng(8) and syslog-ng.conf(5) for more information. +# Note: it also sources additional configuration files (*.conf) +# located in /etc/syslog-ng/conf.d/ + + +# +# Options +# +options { + flush_lines (0); + time_reopen (10); + log_fifo_size (1000); + chain_hostnames (off); + use_dns (no); + use_fqdn (no); + create_dirs (yes); + keep_hostname (yes); +}; + + +# +# Sources +# + +# Local system logs +source s_sys { system(); internal(); }; + +# Remote system logs, standard syslog ports on TCP/UDP +source s_netsys { udp(port({{ sysloghost_netsys_port }})); tcp(port({{ sysloghost_netsys_port }})); }; + +# Remote netconsole logs, Linux kernel messages over the network +source s_netcons { udp(port({{ sysloghost_netcons_port }})); tcp(port({{ sysloghost_netcons_port }})); }; + +# Remote temporal logs, stuff that might log often and be archived for only a short time +source s_nettemp { udp(port({{ sysloghost_nettemp_port }})); tcp(port({{ sysloghost_nettemp_port }})); }; + + +# +# Destinations +# +destination d_cons { file("/dev/console"); }; +destination d_mesg { file("/var/log/messages"); }; +destination d_auth { file("/var/log/secure"); }; +destination d_mail { file("/var/log/maillog" flush_lines(10)); }; +destination d_spol { file("/var/log/spooler"); }; +destination d_boot { file("/var/log/boot.log"); }; +destination d_cron { file("/var/log/cron"); }; +destination d_kern { file("/var/log/kern"); }; +destination d_localall { file("/var/log/localall.log"); }; +destination d_mlal { usertty("*"); }; + +destination d_nas_syslog { file("{{ sysloghost_share_mountpoint }}/$HOST.syslog.log.$R_YEAR$R_MONTH$R_DAY"); }; +destination d_nas_netcons { file("{{ sysloghost_share_mountpoint }}/$HOST.netconsole.log.$R_YEAR$R_MONTH$R_DAY"); }; +destination d_nas_localtest { file("/var/log/all.log.$R_YEAR$R_MONTH$R_DAY"); }; +destination d_nas_nettemp { file("{{ sysloghost_share_mountpoint 
}}/$HOST.temporal.log.$R_YEAR$R_MONTH$R_DAY"); }; + + +# +# Filters +# +filter f_kernel { facility(kern); }; +filter f_default { level(info..emerg) and + not (facility(mail) + or facility(authpriv) + or facility(cron)); }; +filter f_auth { facility(authpriv); }; +filter f_mail { facility(mail); }; +filter f_emergency { level(emerg); }; +filter f_news { facility(uucp) or + (facility(news) + and level(crit..emerg)); }; +filter f_boot { facility(local7); }; +filter f_cron { facility(cron); }; + + +# +# Logs +# +#log { source(s_sys); filter(f_kernel); destination(d_cons); }; +log { source(s_sys); filter(f_kernel); destination(d_kern); }; +log { source(s_sys); filter(f_default); destination(d_mesg); }; +log { source(s_sys); filter(f_auth); destination(d_auth); }; +log { source(s_sys); filter(f_mail); destination(d_mail); }; +log { source(s_sys); filter(f_emergency); destination(d_mlal); }; +log { source(s_sys); filter(f_news); destination(d_spol); }; +log { source(s_sys); filter(f_boot); destination(d_boot); }; +log { source(s_sys); filter(f_cron); destination(d_cron); }; + +log { source(s_sys); destination(d_localall); destination(d_nas_syslog); }; +log { source(s_netsys); destination(d_nas_syslog); }; +log { source(s_netcons); destination(d_nas_netcons); }; +log { source(s_nettemp); destination(d_nas_nettemp); }; + + +# +# Other +# +# Source additional configuration files (.conf extension only) +@include "/etc/syslog-ng/conf.d/*.conf" + + +# vim:ft=syslog-ng:ai:si:ts=4:sw=4:et:
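Review bot: The `d_nas_syslog`, `d_nas_netcons` and `d_nas_nettemp` destinations build their file names from `$HOST`, and with `keep_hostname(yes)` and `use_dns(no)` in the options block that macro is the hostname field exactly as the remote sender wrote it, not anything the collector resolved or verified; together with `create_dirs(yes)` this lets each sender decide which file its messages end up in on the share. Whether the file() driver neutralises path separators inside macros is not visible from this config, so I would not rely on it: add `check_hostname(yes);` to the options block so hostnames with invalid characters are rejected, and consider keying the path on `$SOURCEIP` (or `$HOST_FROM`) rather than `$HOST` so it is tied to the connection instead of the message body. Separately, `d_nas_localtest` is defined but no log statement references it, so it is dead configuration that should either be wired up or removed.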