From 24228953b00824a2cf6060399887eba8d2becfbc Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sun, 24 Apr 2022 11:35:51 -0500
Subject: [PATCH] r/samba-dc: Configure logrotate for KDC

The KDC service, as managed by Samba, continuously logs to two files that need to be rotated. The upstream configuration for logrotate only manages one of these files, and does not correctly signal the service after rotating, as it expects the service to be managed by systemd instead of Samba. As such, we need to adjust the configuration to handle both files and send SIGHUP directly to the process.
---
roles/samba-dc/files/krb5kdc.logrotate.conf | 9 +++++++++
roles/samba-dc/tasks/main.yml | 8 ++++++++
2 files changed, 17 insertions(+)
create mode 100644 roles/samba-dc/files/krb5kdc.logrotate.conf
diff --git a/roles/samba-dc/files/krb5kdc.logrotate.conf b/roles/samba-dc/files/krb5kdc.logrotate.conf
new file mode 100644
index 0000000..d4abbd3
--- /dev/null
+++ b/roles/samba-dc/files/krb5kdc.logrotate.conf
@@ -0,0 +1,9 @@
+/var/log/krb5kdc.log /var/log/samba/mit_kdc.log {
+ missingok
+ notifempty
+ monthly
+ rotate 2
+ postrotate
+ pkill -HUP krb5kdc || true
+ endscript
+}
diff --git a/roles/samba-dc/tasks/main.yml b/roles/samba-dc/tasks/main.yml
index 309f755..9e5bc9a 100644
--- a/roles/samba-dc/tasks/main.yml
+++ b/roles/samba-dc/tasks/main.yml
@@ -117,3 +117,11 @@ samba-tool domain exportkeytab /etc/krb5.keytab --principal=host/{{ ansible_fqdn }} creates=/etc/krb5.keytab
+
+- name: ensure logroate is configured for samba kdc
+ copy:
+ src: krb5kdc.logrotate.conf
+ dest: /etc/logrotate.d/krb5kdc
+ mode: u=rw,go=r
+ tags:
+ - logrotate
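Review bot: The `postrotate` command in the new krb5kdc.logrotate.conf, `pkill -HUP krb5kdc || true`, matches process names as a pattern and is run by logrotate, so any process whose name contains that string would also receive the signal; `pkill -HUP -x krb5kdc || true` limits it to an exact name match. Because the stanza lists two log files and has no `sharedscripts`, the script runs once per rotated file and the KDC can be signalled twice in one run; adding `sharedscripts` before `postrotate` makes it run once. `monthly` with `rotate 2` keeps roughly two months of KDC request history, which is worth checking against how far back authentication events on this domain controller need to be reviewable.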
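Review bot: The added `copy` task in roles/samba-dc/tasks/main.yml sets `mode` but not ownership, so a pre-existing /etc/logrotate.d/krb5kdc keeps whatever owner it already has, and logrotate may skip a drop-in that is not owned by root; adding `owner: root` and `group: root` next to `mode: u=rw,go=r` pins that. The task name misspells logrotate as "logroate", which makes the task harder to find when searching play output; `- name: ensure logrotate is configured for samba kdc` fixes it. If the destination is the same file name the distribution package ships (the commit message suggests so, but the hunk does not show it), a comment above the task saying the packaged file is replaced on purpose would help, since a package update could restore the upstream version.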