Getting started
Forward Secure Sealing
When persistent logs are enabled, the debops.journald role configures the
Forward Secure Sealing (FSS) functionality of the Journal by default. With FSS
the Journal periodically seals the stored log with a sealing key that is
advanced one-way on the host; the separate verification key needed to check
those seals is saved in the secret/journald/fss/ directories on the Ansible
Controller. Keeping the verification key off the host is what makes the scheme
useful: an attacker who later gains root on the host can still delete the
journal outright, but cannot alter or truncate entries that were sealed before
the compromise without the change being detectable, because the key present on
the host at that point cannot recreate the earlier seals.
The role can also be run in a verification-only mode, in which Ansible checks
the integrity of the sealed logs by running:
debops service/journald --tags role::journald:fss:verify
With this tag, only the task that verifies the logs will be executed. Note the
limits of the check: entries written after a compromise are sealed with a key
the attacker also holds, so only the history sealed before that point is
protected, and a journal that has been removed wholesale leaves nothing to
verify.
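The property the verification step relies on can be seen in a small model. The following is an added example, not code from debops.journald or from systemd: systemd's real FSS uses the FSPRG construction and seals whole journal files, whereas the hash chain below is a deliberately simplified stand-in, and every name in it (`HostJournal`, `derive_state`, `advance`, the sample log lines) is made up for illustration. It shows why the verification key must live off the host, and what the check does and does not catch.

```python
"""Simplified model of Forward Secure Sealing (FSS) for a log.

Added example, not code from debops.journald or systemd.  The host holds a
sealing state that is advanced one-way after every sealing interval (epoch),
so a state captured from a compromised host cannot reproduce seals for earlier
epochs.  The verification key, kept off the host (on the Ansible Controller),
can re-derive the state of any epoch and check every seal.  The hash chain
used here is a toy construction, NOT systemd's FSPRG scheme.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# (epoch, log line, seal over the line)
Entry = Tuple[int, bytes, bytes]


def advance(state: bytes) -> bytes:
    """Host side: one-way step into the next epoch; the previous state is discarded."""
    return hashlib.sha256(b"fss-model:advance:" + state).digest()


def derive_state(verification_key: bytes, epoch: int) -> bytes:
    """Verifier side: derive the sealing state of any epoch from the verification key."""
    state = hashlib.sha256(b"fss-model:root:" + verification_key).digest()
    for _ in range(epoch):
        state = advance(state)
    return state


def seal(state: bytes, epoch: int, data: bytes) -> bytes:
    """HMAC over the epoch number and the data, keyed with that epoch's sealing state."""
    return hmac.new(state, epoch.to_bytes(8, "big") + data, hashlib.sha256).digest()


def setup_keys() -> Tuple[bytes, bytes]:
    """Analogue of `journalctl --setup-keys`: returns (verification key, initial state).
    The verification key leaves the host; the sealing state stays on it."""
    verification_key = os.urandom(32)
    return verification_key, derive_state(verification_key, 0)


class HostJournal:
    """What lives on the monitored host: entries plus the current sealing state."""

    def __init__(self, initial_state: bytes) -> None:
        self.state = initial_state
        self.epoch = 0
        self.entries: List[Entry] = []

    def append(self, line: bytes) -> None:
        self.entries.append((self.epoch, line, seal(self.state, self.epoch, line)))

    def rotate(self) -> None:
        """End of a sealing interval: advance the state and forget the old one."""
        self.state = advance(self.state)
        self.epoch += 1


def verify(verification_key: bytes, entries: List[Entry]) -> List[int]:
    """Verifier side (controller): indexes of entries whose seal does not check out."""
    bad = []
    for i, (epoch, line, s) in enumerate(entries):
        expected = seal(derive_state(verification_key, epoch), epoch, line)
        if not hmac.compare_digest(expected, s):
            bad.append(i)
    return bad


def scenario() -> Dict[str, List[int]]:
    """Constructed scenario: two sealed intervals, then a root compromise."""
    vkey, state0 = setup_keys()  # vkey is copied to the controller
    host = HostJournal(state0)
    host.append(b"sshd[812]: Accepted publickey for admin from 10.0.0.5")  # epoch 0
    host.rotate()
    host.append(b"sudo: admin : COMMAND=/usr/bin/systemctl stop auditd")   # epoch 1
    host.rotate()
    # The attacker now has root: knows host.state (epoch 2) but not vkey.
    stolen_state, stolen_epoch = host.state, host.epoch

    # Rewrite the incriminating epoch-1 line and re-seal it with the stolen state.
    tampered = list(host.entries)
    epoch, _, _ = tampered[1]
    new_line = b"sudo: admin : COMMAND=/usr/bin/systemctl status auditd"
    tampered[1] = (epoch, new_line, seal(stolen_state, epoch, new_line))

    # Fabricate a line in the current epoch: the attacker does hold that key.
    forged_tail = list(host.entries)
    line = b"sshd[990]: Accepted password for root from 203.0.113.7"
    forged_tail.append((stolen_epoch, line, seal(stolen_state, stolen_epoch, line)))

    return {
        "untouched": verify(vkey, host.entries),    # [] : clean
        "tampered_past": verify(vkey, tampered),    # [1]: detected
        "forged_after": verify(vkey, forged_tail),  # [] : NOT detected
    }
```

Running `scenario()` gives the three results the comments show: the rewritten epoch-1 line fails because the controller derives the epoch-1 state from the verification key while the attacker only held the epoch-2 state, whereas the fabricated line in the current epoch passes. That is the practical meaning of "forward secure": only entries sealed before the compromise are protected, which is why the sealing interval and the off-host copy of the verification key both matter, and why a deleted journal (an empty list here) produces no finding at all.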
Example inventory
The debops.journald
role is included by default in the common.yml
DebOps playbook; you don't need to add hosts to any Ansible groups to enable
it.
Example playbook
If you are using this role without DebOps, here's an example Ansible playbook
that uses the debops.journald
role:
  ---
  - name: Manage systemd journal service
    collections: [ 'debops.debops', 'debops.roles01',
                   'debops.roles02', 'debops.roles03' ]
    hosts: [ 'debops_all_hosts', 'debops_service_journald' ]
    become: True

    environment: '{{ inventory__environment | d({})
                     | combine(inventory__group_environment | d({}))
                     | combine(inventory__host_environment | d({})) }}'

    roles:

      - role: journald
        tags: [ 'role::journald', 'skip::journald' ]
Ansible tags
You can use the Ansible --tags or --skip-tags parameters to limit which tasks
are performed during an Ansible run. This can be used after a host has been
configured for the first time to speed up playbook execution, when you are sure
that most of the configuration is already in the desired state.
Available role tags:
role::journald
- Main role tag, should be used in the playbook to execute all of the role tasks as well as role dependencies.
role::journald:fss:verify
- Run only the task that uses the Forward Secure Sealing functionality to verify the consistency of the logs stored on the host(s). No other tasks will be performed when this tag is used.