Fix logrotate duplicate entries error in privacy role

The privacy role was creating logrotate configs that duplicated the default
Ubuntu rsyslog logrotate rules, causing deployment failures with errors like
'duplicate log entry for /var/log/syslog'.

Changes:
- Disable default rsyslog logrotate config before applying privacy configs
- Consolidate system log rotation into single config file
- Add missingok flag to handle logs that may not exist on all systems
- Remove forced immediate rotation that was triggering the error

This ensures privacy-enhanced log rotation works without conflicts.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>

README.md

@@ -8,7 +8,7 @@ See our [release announcement](https://blog.trailofbits.com/2016/12/12/meet-algo
 
 ## Features
 
-* Supports only IKEv2 with strong crypto (AES-GCM, SHA2, and P-256)
+* Supports only IKEv2 with strong crypto (AES-GCM, SHA2, and P-256) for iOS, MacOS, and Linux
 * Supports [WireGuard](https://www.wireguard.com/) for all of the above, in addition to Android and Windows 11
 * Generates .conf files and QR codes for iOS, macOS, Android, and Windows WireGuard clients
 * Generates Apple profiles to auto-configure iOS and macOS devices for IPsec - no client software required

roles/privacy/tasks/log_rotation.yml

@@ -2,6 +2,16 @@
 # Aggressive log rotation configuration for privacy
 # Reduces log retention time and implements more frequent rotation
 
+- name: Check if default rsyslog logrotate config exists
+  stat:
+    path: /etc/logrotate.d/rsyslog
+  register: rsyslog_logrotate
+
+- name: Disable default rsyslog logrotate to prevent conflicts
+  command: mv /etc/logrotate.d/rsyslog /etc/logrotate.d/rsyslog.disabled
+  when: rsyslog_logrotate.stat.exists
+  changed_when: rsyslog_logrotate.stat.exists
+
 - name: Configure aggressive logrotate for system logs
   template:
     src: privacy-logrotate.j2
@@ -46,6 +56,5 @@
     owner: root
     group: root
 
-- name: Force immediate log rotation to apply new settings
+# Note: We don't force immediate rotation as it can cause conflicts
-  command: /usr/sbin/logrotate -f /etc/logrotate.conf
+# The new settings will apply on the next scheduled rotation
-  changed_when: false

roles/privacy/templates/privacy-logrotate.j2

@@ -1,12 +1,17 @@
 # Privacy-enhanced logrotate configuration
 # This configuration enforces aggressive log rotation for privacy
 # Generated by Algo VPN privacy role
+# Replaces the default rsyslog logrotate configuration
 
+# Main system logs (may not all exist on every system)
 /var/log/syslog
 /var/log/messages
 /var/log/daemon.log
 /var/log/debug
 /var/log/user.log
+/var/log/mail.log
+/var/log/mail.err
+/var/log/mail.warn
 {
     # Rotate {{ privacy_log_rotation.rotate_count }} times before deletion
     rotate {{ privacy_log_rotation.rotate_count }}
@@ -28,6 +33,9 @@
     delaycompress
     {% endif %}
     
+    # Missing files are ok (not all systems have all logs)
+    missingok
+    
     # Don't rotate if empty
     notifempty
     
@@ -40,8 +48,6 @@
     # Execute after rotation
     postrotate
         # Send SIGHUP to rsyslog
-        if [ -f /var/run/rsyslogd.pid ]; then
+        /usr/bin/killall -HUP rsyslogd 2>/dev/null || true
-            kill -HUP `cat /var/run/rsyslogd.pid`
-        fi
     endscript
 }