Getting started

Forward Secure Sealing

When the persistent logs are enabled, the debops.journald role configures Forward Secure Sealing functionality of the Journal by default. The verification keys are saved in the secret/journald/fss/ directories on the Ansible Controller. The role can be used in an "alternative" mode where Ansible checks the log integrity by running the command:

debops run service/journald --tags role::journald:fss:verify

With this tag, only the task that verifies the logs will be executed.

Example inventory

The debops.journald role is included by default in the common.yml DebOps playbook; you don't need to add hosts to any Ansible groups to enable it.

Example playbook

If you are using this role without DebOps, here's an example Ansible playbook that uses the debops.journald role:

---

- name: Manage systemd journal service
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debops_all_hosts', 'debops_service_journald' ]
  become: True

  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment  | d({})) }}'

  roles:

    - role: journald
      tags: [ 'role::journald', 'skip::journald' ]

Ansible tags

You can use Ansible --tags or --skip-tags parameters to limit what tasks are performed during Ansible run. This can be used after a host was first configured to speed up playbook execution, when you are sure that most of the configuration is already in the desired state.

Available role tags:

role::journald
Main role tag, should be used in the playbook to execute all of the role tasks as well as role dependencies.
role::journald:fss:verify
The role can be used with this tag to use the Forward Secure Sealing funtionality to verify the consistency of the logs stored on the host(s). No other tasks will be performed when this tag is used.