Add logrotate configuration to rotate /var/log/messages

install.sh

@@ -141,4 +141,7 @@ install_data misc_systemd_units/user@.service.d/depend-on-remote-homes.conf \
 mkdir -p "$DESTDIR$sysconfdir/systemd/logind.conf.d"
 install_data misc_etc_files/systemd/logind.conf.d/disable_RemoveIPC.conf \
                                                           "$DESTDIR$sysconfdir/systemd/logind.conf.d/disable_RemoveIPC.conf"
+install_data logrotate/logrotate.conf                     "$DESTDIR$sysconfdir/logrotate.conf"
+install_data logrotate/logrotate.service                  "$DESTDIR$systemdunitdir/logrotate.service"
+install_data logrotate/logrotate.timer                    "$DESTDIR$systemdunitdir/logrotate.timer"
 exit

logrotate/logrotate.conf

@@ -0,0 +1,11 @@
+/var/log/messages {
+	dateext
+	dateformat .%Y-%m
+	dateyesterday
+	rotate 12
+	monthly
+	sharedscripts
+	postrotate
+		kill -HUP $(cat /var/run/rsyslogd.pid)
+	endscript
+}

logrotate/logrotate.service

@@ -0,0 +1,27 @@
+[Unit]
+Description=Rotate log files
+Documentation=man:logrotate(8) man:logrotate.conf(5)
+RequiresMountsFor=/var/log
+ConditionACPower=true
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/logrotate -v /etc/logrotate.conf
+
+# performance options
+Nice=19
+IOSchedulingClass=best-effort
+IOSchedulingPriority=7
+
+# hardening options
+#  details: https://www.freedesktop.org/software/systemd/man/systemd.exec.html
+#  no ProtectHome for userdir logs
+#  no PrivateNetwork for mail deliviery
+#  no ProtectKernelTunables for working SELinux with systemd older than 235
+MemoryDenyWriteExecute=true
+PrivateDevices=true
+PrivateTmp=true
+ProtectControlGroups=true
+ProtectKernelModules=true
+ProtectSystem=full
+RestrictRealtime=true

logrotate/logrotate.timer

@@ -0,0 +1,11 @@
+[Unit]
+Description=Daily rotation of log files
+Documentation=man:logrotate(8) man:logrotate.conf(5)
+
+[Timer]
+OnCalendar=daily
+AccuracySec=1h
+Persistent=true
+
+[Install]
+WantedBy=timers.target