Fix logrotate duplicate entries error in privacy role

The privacy role was creating logrotate configs that duplicated the default Ubuntu rsyslog logrotate rules, causing deployment failures with errors like 'duplicate log entry for /var/log/syslog'. Changes: - Disable default rsyslog logrotate config before applying privacy configs - Consolidate system log rotation into single config file - Add missingok flag to handle logs that may not exist on all systems - Remove forced immediate rotation that was triggering the error This ensures privacy-enhanced log rotation works without conflicts. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
2025-09-03 10:33:13 +02:00 · 2025-08-17 15:23:09 -04:00 · 2025-08-17 15:23:09 -04:00 · 837a35f52f
commit 837a35f52f
parent 8dc7b958b3
3 changed files with 22 additions and 7 deletions
--- a/README.md
+++ b/README.md
@ -8,7 +8,7 @@ See our [release announcement](https://blog.trailofbits.com/2016/12/12/meet-algo

 ## Features

-* Supports only IKEv2 with strong crypto (AES-GCM, SHA2, and P-256)
+* Supports only IKEv2 with strong crypto (AES-GCM, SHA2, and P-256) for iOS, MacOS, and Linux
 * Supports [WireGuard](https://www.wireguard.com/) for all of the above, in addition to Android and Windows 11
 * Generates .conf files and QR codes for iOS, macOS, Android, and Windows WireGuard clients
 * Generates Apple profiles to auto-configure iOS and macOS devices for IPsec - no client software required
--- a/roles/privacy/tasks/log_rotation.yml
+++ b/roles/privacy/tasks/log_rotation.yml
@ -2,6 +2,16 @@
 # Aggressive log rotation configuration for privacy
 # Reduces log retention time and implements more frequent rotation

+- name: Check if default rsyslog logrotate config exists
+  stat:
+    path: /etc/logrotate.d/rsyslog
+  register: rsyslog_logrotate
+
+- name: Disable default rsyslog logrotate to prevent conflicts
+  command: mv /etc/logrotate.d/rsyslog /etc/logrotate.d/rsyslog.disabled
+  when: rsyslog_logrotate.stat.exists
+  changed_when: rsyslog_logrotate.stat.exists
+
 - name: Configure aggressive logrotate for system logs
  template:
    src: privacy-logrotate.j2
@ -46,6 +56,5 @@
    owner: root
    group: root

- name: Force immediate log rotation to apply new settings
-  command: /usr/sbin/logrotate -f /etc/logrotate.conf
-  changed_when: false
+# Note: We don't force immediate rotation as it can cause conflicts
+# The new settings will apply on the next scheduled rotation
--- a/roles/privacy/templates/privacy-logrotate.j2
+++ b/roles/privacy/templates/privacy-logrotate.j2
@ -1,12 +1,17 @@
 # Privacy-enhanced logrotate configuration
 # This configuration enforces aggressive log rotation for privacy
 # Generated by Algo VPN privacy role
+# Replaces the default rsyslog logrotate configuration

+# Main system logs (may not all exist on every system)
 /var/log/syslog
 /var/log/messages
 /var/log/daemon.log
 /var/log/debug
 /var/log/user.log
+/var/log/mail.log
+/var/log/mail.err
+/var/log/mail.warn
 {
    # Rotate {{ privacy_log_rotation.rotate_count }} times before deletion
    rotate {{ privacy_log_rotation.rotate_count }}
@ -28,6 +33,9 @@
    delaycompress
    {% endif %}
    
+    # Missing files are ok (not all systems have all logs)
+    missingok
+    
    # Don't rotate if empty
    notifempty
    
@ -40,8 +48,6 @@
    # Execute after rotation
    postrotate
        # Send SIGHUP to rsyslog
-        if [ -f /var/run/rsyslogd.pid ]; then
-            kill -HUP `cat /var/run/rsyslogd.pid`
-        fi
+        /usr/bin/killall -HUP rsyslogd 2>/dev/null || true
    endscript
 }