README.md

@@ -26,6 +26,7 @@
 | Swap handling            |  ✅   |  ✅   |  ✅   |
 | Logrotate protection     |  ✅   |  ✅   |  ✅   |
 | Powertop auto-tune       |  ✅   |  ✅   |  ✅   |
+| API utilities            |  ✅   |  ✅   |  ✅   |
 
 ## 📂 Directory Structure
 
@@ -44,7 +45,8 @@ ansible_role_proxmox_provision/
 │   ├── powertop.yml        # powertop setup
 │   ├── repos.yml           # Repository setup
 │   ├── subscription.yml    # Subscription nag removal
-│   └── swap.yml            # Swap setup
+│   ├── swap.yml            # Swap setup
+│   └── utilities.yml  # API utilities installation
 ├── templates/         # Jinja2 templates
 └── vars/              # Non-overridable variables
     └── main.yml
@@ -114,10 +116,8 @@ See the [LICENSE](LICENSE) file for details.
 
 ## TODO
 
-⏳ Make the nag patch checksum-based (auto-repatch after upgrades)
 ⏳ add molecule tests to prove idempotency
 ⏳ make the patch handler trigger on pve-manager upgrades
-❌ Add kernel power-saving tunables ?
 🔄 Split into VE version–aware tags ?
 🕒 refactor  
 ✗ debug  

defaults/main.yml

@@ -12,5 +12,16 @@ proxmox_min_ram_mb_for_no_swap: 16384
 proxmox_enable_powertop: true
 
 # Logrotate
-proxmox_logrotate_maxsize: "100M"
-proxmox_logrotate_rotate: 7
+proxmox_logrotate_enabled: true
+
+proxmox_logrotate_rotate: 4
+proxmox_logrotate_maxsize: 100M
+proxmox_logrotate_frequency: daily
+
+proxmox_logrotate_compress: true
+proxmox_logrotate_delaycompress: true
+proxmox_logrotate_missingok: true
+proxmox_logrotate_notifempty: true
+
+# Destination override file
+proxmox_logrotate_file: /etc/logrotate.d/99-proxmox-custom

handlers/main.yml

@@ -15,6 +15,8 @@
   ansible.builtin.systemd_service:
     daemon_reexec: true
 
-- name: Logrotate reload
-  ansible.builtin.command: logrotate /etc/logrotate.conf
-  changed_when: false
+- name: Restart logrotate
+  ansible.builtin.service:
+    name: logrotate
+    state: restarted
+  become: true

tasks/logrotate.yml

@@ -1,111 +1,30 @@
 ---
-
-- name: logrotate | Configure all main Proxmox logs
-
-  vars:
-    proxmox_logrotate_files:
-      - /etc/logrotate.conf
-      - /etc/logrotate.d/pve
-      - /etc/logrotate.d/pve-firewall
-  loop: "{{ proxmox_logrotate_files }}"
-  loop_control:
-    loop_var: item
-
-  block:
-
-    - name: logrotate | Check if exists {{ item }}
-      ansible.builtin.stat:
-        path: "{{ item }}"
-      register: logrotate_file
-
-    - name: logrotate | Configure {{ item }}
-      when: logrotate_file.stat.exists
-      block:
-
-        - name: logrotate | Backup once {{ item }}
-          ansible.builtin.copy:
-            src: "{{ item }}"
-            dest: "{{ item }}.original"
-            owner: root
-            group: root
-            mode: "0644"
-            remote_src: true
-          args:
-            creates: "{{ item }}.original"
-
-        - name: logrotate | Ensure daily rotation
-          ansible.builtin.replace:
-            path: "{{ item }}"
-            regexp: '^\s*weekly'
-            replace: 'daily'
-          notify: Logrotate reload
-
-        - name: logrotate | Set rotate (number of retained logs)
-          ansible.builtin.lineinfile:
-            path: "{{ item }}"
-            regexp: '^(\s*rotate\s+).*'
-            line: '    rotate {{ proxmox_logrotate_rotate }}'
-            state: present
-            insertafter: '^\s*daily'
-          notify: Logrotate reload
-
-        - name: logrotate | Ensure maxsize is set
-          ansible.builtin.lineinfile:
-            path: "{{ item }}"
-            regexp: '^(\s*maxsize\s+).*'
-            line: '    maxsize {{ proxmox_logrotate_maxsize }}'
-            state: present
-            insertafter: '^\s*rotate'
-          notify: Logrotate reload
-
-        - name: logrotate | Ensure Compress
-          ansible.builtin.lineinfile:
-            path: "{{ item }}"
-            regexp: '^\s*compress\b'
-            line: '    compress'
-            state: present
-            insertafter: '^\s*maxsize'
-          notify: Logrotate reload
-
-        - name: logrotate | Ensure delaycompress
-          ansible.builtin.lineinfile:
-            path: "{{ item }}"
-            regexp: '^\s*delaycompress\b'
-            line: '    delaycompress'
-            state: present
-            insertafter: '^\s*compress'
-          notify: Logrotate reload
-
-# only for logrotate.conf
-
-- name: logrotate | Uncomment dateext if commented
-  ansible.builtin.replace:
-    path: /etc/logrotate.conf
-    regexp: '^\s*#\s*(dateext)\b'
-    replace: '\1'
-  notify: Logrotate reload
-
-- name: logrotate | Uncomment compress if commented
-  ansible.builtin.replace:
-    path: /etc/logrotate.conf
-    regexp: '^\s*#\s*(compress)\b'
-    replace: '\1'
-  notify: Logrotate reload
-
-- name: logrotate | Ensure missingok is present
-  ansible.builtin.lineinfile:
-    path: /etc/logrotate.conf
-    regexp: '^\s*missingok\b'
-    line: 'missingok'
+- name: logrotate | Ensure logrotate is installed
+  ansible.builtin.apt:
+    name: logrotate
     state: present
-    insertafter: EOF
-  notify: Logrotate reload
+    update_cache: yes
+  become: true
+  when: proxmox_logrotate_enabled
 
-- name: logrotate | Ensure notifempty is present
-  ansible.builtin.lineinfile:
-    path: /etc/logrotate.conf
-    regexp: '^\s*notifempty\b'
-    line: 'notifempty'
-    state: present
-    insertafter: EOF
-  notify: Logrotate reload
+- name: logrotate | PVE logrotate policy
+  ansible.builtin.template:
+    src: pve-logrotate.j2
+    dest: "/etc/logrotate.d/99-pve-custom"
+    owner: root
+    group: root
+    mode: "0644"
+  become: true
+  when: proxmox_logrotate_enabled
+  notify: Restart logrotate
+
+- name: logrotate | PVE-firewall logrotate policy
+  ansible.builtin.template:
+    src: pve-firewall-logrotate.j2
+    dest: "/etc/logrotate.d/99-pve-firewall-custom"
+    owner: root
+    group: root
+    mode: "0644"
+  become: true
+  when: proxmox_logrotate_enabled
+  notify: Restart logrotate

templates/pve-firewall-logrotate.j2

@@ -0,0 +1,25 @@
+# Managed by Ansible - Proxmox Logrotate Policy
+# Do not edit manually
+
+/var/log/pve-firewall.log { {
+        rotate {{ proxmox_logrotate_rotate }}
+        {{ proxmox_logrotate_frequency }}
+        maxsize {{ proxmox_logrotate_maxsize }}
+{% if proxmox_logrotate_compress %}
+        compress
+{% endif %}
+{% if proxmox_logrotate_delaycompress %}
+        delaycompress
+{% endif %}
+{% if proxmox_logrotate_missingok %}
+        missingok
+{% endif %}
+{% if proxmox_logrotate_notifempty %}
+        notifempty
+{% endif %}
+        sharedscripts
+        create 640 root adm
+        postrotate
+                invoke-rc.d pvefw-logger restart 2>/dev/null >/dev/null || true
+        endscript
+}

templates/pve-logrotate.j2

@@ -0,0 +1,26 @@
+# Managed by Ansible - Proxmox Logrotate Policy
+# Do not edit manually
+
+/var/log/pveproxy/access.log {
+        rotate {{ proxmox_logrotate_rotate }}
+        {{ proxmox_logrotate_frequency }}
+        maxsize {{ proxmox_logrotate_maxsize }}
+{% if proxmox_logrotate_compress %}
+        compress
+{% endif %}
+{% if proxmox_logrotate_delaycompress %}
+        delaycompress
+{% endif %}
+{% if proxmox_logrotate_missingok %}
+        missingok
+{% endif %}
+{% if proxmox_logrotate_notifempty %}
+        notifempty
+{% endif %}
+        create 640 www-data www-data
+        sharedscripts
+        postrotate
+                /bin/systemctl try-reload-or-restart pveproxy.service
+                /bin/systemctl try-reload-or-restart spiceproxy.service
+        endscript
+}