Getting started
Forward Secure Sealing
When persistent logs are enabled, the debops.journald role configures the
Forward Secure Sealing (FSS) functionality of the Journal by default. The
verification keys are saved in the secret/journald/fss/ directories on the
Ansible Controller. The role can also be used in an "alternative" mode where
Ansible checks the log integrity by running the command:
debops run service/journald --tags role::journald:fss:verify
With this tag, only the task that verifies the logs will be executed.
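A manual check of sealed journals on a host can follow the same idea. The script below is an added example, not code from the debops.journald role: it runs journalctl --verify with a verification key read from a file and lists the journal files that fail. The function names, the JOURNALCTL override variable and the sample output are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not DebOps code): verify sealed journals with a key kept off-host.
JOURNALCTL=${JOURNALCTL:-journalctl}   # hypothetical override, lets the logic run offline

# Constructed sample of `journalctl --verify` output (the paths are made up).
sample_verify_output() {
    cat <<'EOF'
PASS: /var/log/journal/EXAMPLE-MACHINE-ID/system.journal
FAIL: /var/log/journal/EXAMPLE-MACHINE-ID/user-1000.journal (Bad message)
EOF
}

# Print the path of every journal file reported as FAIL (reads output on stdin).
failed_journals() {
    sed -n 's/^FAIL: \(.*\) (.*)$/\1/p'
}

# Usage: verify_sealed_journal KEY_FILE
# Returns 0 if every file passes, 1 if any file fails, 2 if the key is unusable.
verify_sealed_journal() {
    key_file=$1
    if [ ! -s "$key_file" ]; then
        echo "verification key missing or empty: $key_file" >&2
        return 2
    fi
    key=$(cat "$key_file")
    # journalctl reports its PASS/FAIL lines on stderr, so capture both streams.
    out=$("$JOURNALCTL" --verify --verify-key="$key" 2>&1) && rc=0 || rc=$?
    failed=$(printf '%s\n' "$out" | failed_journals)
    if [ "$rc" -ne 0 ] || [ -n "$failed" ]; then
        printf 'journal verification failed:\n%s\n' "$failed" >&2
        return 1
    fi
    return 0
}
```

The key file passed to verify_sealed_journal should be a copy fetched from the Ansible Controller for the duration of the check, since a verification key left on the host defeats the purpose of sealing.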
Example inventory
The debops.journald role is included by default in the common.yml DebOps
playbook; you don't need to add hosts to any Ansible groups to enable it.
Example playbook
If you are using this role without DebOps, here's an example Ansible playbook
that uses the debops.journald role:
---
- name: Manage systemd journal service
  collections: [ 'debops.debops', 'debops.roles01',
                 'debops.roles02', 'debops.roles03' ]
  hosts: [ 'debops_all_hosts', 'debops_service_journald' ]
  become: True
  environment: '{{ inventory__environment | d({})
                   | combine(inventory__group_environment | d({}))
                   | combine(inventory__host_environment | d({})) }}'
  roles:
    - role: journald
      tags: [ 'role::journald', 'skip::journald' ]