squid: Add Netdata collectors

roles/squid/files/squid_logrotate.service

@@ -0,0 +1,34 @@
+[Unit]
+Description=Squid log rotation service
+After=network-online.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/squid -k rotate
+
+# Hardening
+CapabilityBoundingSet=CAP_SETUID CAP_SETGID CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE
+LockPersonality=true
+MemoryDenyWriteExecute=true
+PrivateDevices=true
+PrivateNetwork=true
+PrivateTmp=true
+ProcSubset=pid
+ProtectClock=true
+ProtectControlGroups=true
+ProtectHome=true
+ProtectHostname=true
+ProtectKernelLogs=true
+ProtectKernelModules=true
+ProtectKernelTunables=true
+ProtectProc=invisible
+ProtectSystem=full
+RestrictAddressFamilies=
+RestrictNamespaces=true
+RestrictRealtime=true
+RestrictSUIDSGID=true
+SystemCallArchitectures=native
+SystemCallErrorNumber=EPERM
+SystemCallFilter=@system-service
+SystemCallFilter=~@resources
+UMask=0077

roles/squid/files/squid_logrotate.timer

@@ -0,0 +1,11 @@
+[Unit]
+Description=Squid log rotation timer
+
+[Timer]
+OnBootSec=1min
+OnUnitInactiveSec=4h
+RandomizedDelaySec=5m
+AccuracySec=1m
+
+[Install]
+WantedBy=timers.target

roles/squid/handlers/main.yml

@@ -0,0 +1,8 @@
+---
+
+- name: Ensure Systemd Netdata service is restarted
+  ansible.builtin.systemd:
+    name: netdata
+    state: restarted
+  changed_when: false
+  listen: netdata_restarted

roles/squid/tasks/main.yml

@@ -9,6 +9,10 @@
   register: _
   until: _ is successful
 
+- name: Netdata configuration
+  ansible.builtin.include_tasks: netdata.yml
+  when: common_netdata_enable | bool
+
 - name: Ensure Squid configuration is present
   ansible.builtin.template:
     src: squid.conf.j2

roles/squid/tasks/netdata.yml

@@ -0,0 +1,36 @@
+---
+- name: Retrieve Netdata public unique ID
+  ansible.builtin.slurp:
+    src: /var/lib/netdata/registry/netdata.public.unique.id
+  register: _netdata_public_id
+
+- name: Ensure Netdata configuration directory is present
+  ansible.builtin.file:
+    path: /etc/netdata/go.d
+    state: directory
+    mode: '0755'
+
+- name: Ensure Netdata collectors are configured
+  ansible.builtin.template:
+    src: "netdata_{{ item }}.conf.j2"
+    dest: "/etc/netdata/go.d/{{ item }}.conf"
+    mode: '0644'
+  notify: netdata_restarted
+  with_items:
+    - squid
+    - squidlog
+
+- name: Ensure Squid log rotation service units are present
+  ansible.builtin.copy:
+    src: "{{ item }}"
+    dest: "/etc/systemd/system/{{ item }}"
+  with_items:
+    - squid_logrotate.service
+    - squid_logrotate.timer
+
+- name: Ensure Squid log rotation service is started and enabled at boot
+  ansible.builtin.systemd:
+    name: squid_logrotate.timer
+    state: started
+    enabled: true
+    daemon_reload: true

roles/squid/templates/netdata_squid.conf.j2

@@ -0,0 +1,3 @@
+jobs:
+  - name: local
+    url: http://[::1]:{{ squid_http_port }}

roles/squid/templates/netdata_squidlog.conf.j2

@@ -0,0 +1,3 @@
+jobs:
+- name: local
+  path: /var/run/squid/{{ _netdata_public_id.content | b64decode }}_access.log

roles/squid/templates/squid.conf.j2

@@ -115,3 +115,7 @@ refresh_pattern .               0       20%     4320
 # Logs configuration
 access_log syslog:user.info
 cache_log /dev/stdout
+{% if common_netdata_enable is defined -%}
+access_log daemon:/var/run/squid/{{ _netdata_public_id.content | b64decode }}_access.log squid
+logfile_rotate 1
+{%- endif %}