Add storage override for journald

Signed-off-by: Knut Ahlers <knut@ahlers.me>

Makefile

@@ -3,6 +3,7 @@ default:
 apply-playbook:
 	ansible-playbook \
 		--diff \
+		--extra-vars "pacman_action=test" \
 		--inventory base/usr/share/luzifer/base-setup/inventory \
 		base/usr/share/luzifer/base-setup/playbook.yaml
 
@@ -10,5 +11,6 @@ test-playbook:
 	ansible-playbook \
 		--check \
 		--diff \
+		--extra-vars "pacman_action=test" \
 		--inventory base/usr/share/luzifer/base-setup/inventory \
 		base/usr/share/luzifer/base-setup/playbook.yaml

PKGBUILD

@@ -7,7 +7,7 @@ pkgname=(
   luzifer-gui
   luzifer-lenovo-gui
 )
-pkgver=0.13.0
+pkgver=0.13.1
 pkgrel=1
 pkgdesc='System configuration for @luzifer systems'
 arch=(any)

base/usr/share/luzifer/base-setup/roles/security/files/sysctl.conf

@@ -18,3 +18,7 @@ net.ipv6.conf.default.accept_redirects = 0
 # CNSPEC: Ensure secure ICMP redirects are not accepted
 net.ipv4.conf.all.secure_redirects = 0
 net.ipv4.conf.default.secure_redirects = 0
+
+# CNSPEC: Ensure packet redirect sending is disabled
+net.ipv4.conf.all.send_redirects = 0
+net.ipv4.conf.default.send_redirects = 0

base/usr/share/luzifer/base-setup/roles/security/tasks/main.yaml

@@ -57,4 +57,19 @@
     mode: '0640'
     owner: root
 
+- name: Create journald override dir
+  file:
+    dest: /etc/systemd/journald.conf.d
+    state: directory
+
+- name: Configure journald to store persistent logs
+  copy:
+    content: |
+      [Journal]
+      # CSPEC: Ensure journald is configured to write logfiles to persistent disk
+      Storage=persistent
+    dest: /etc/systemd/journald.conf.d/10-luzifer-base-store-persistent.conf
+    mode: '0644'
+    owner: root
+
 ...