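---
# Forward sshd logs from the bastion host to a remote collector over TLS
# (rsyslog omfwd with the gtls stream driver).

- name: Bastionhost | rsyslog forwarding | Ensure rsyslog-gnutls is installed
  ansible.builtin.package:
    name: rsyslog-gnutls
    state: present

# NOTE(review): the `when` guard below requires a CA certificate, client
# certificate and key, but this snippet does not reference them. Presumably
# another task deploys the files and sets the rsyslog global() netstream
# driver file parameters (DefaultNetstreamDriverCAFile / CertFile / KeyFile);
# confirm, otherwise gtls has nothing to verify the collector against.
- name: Bastionhost | rsyslog forwarding | Configure forwarding for SSH logs
  ansible.builtin.copy:
    dest: /etc/rsyslog.d/60-forward-ssh-logs.conf
    owner: root
    group: root
    mode: '0644'
    content: |
      # This file is managed by Ansible
      # Forward sshd logs to a remote log server

      # RFC 5424 style template used for forwarding. Template names that
      # start with "RSYSLOG_" are reserved by rsyslog, so a local name is
      # used instead of redefining the built-in one.
      template(name="BastionSyslogProtocol23Format" type="string" string="<%PRI%>%PROTOCOL-VERSION% %TIMESTAMP:::date-rfc3339% %HOSTNAME% %APP-NAME% %PROCID% %MSGID% %STRUCTURED-DATA% %msg%\n")

      # Forward sshd messages only. The action lives inside the filter block:
      # a top-level action() would forward every message, and "call-action"
      # is not a RainerScript statement.
      # StreamDriverMode="1" runs the connection in TLS-only mode.
      # StreamDriverAuthMode="x509/name" checks the collector certificate
      # name against StreamDriverPermittedPeers.
      if $programname == 'sshd' then {
        action(
          type="omfwd"
          target="{{ log_forwarding_target }}"
          port="{{ log_forwarding_port | default(6514) }}"
          protocol="tcp"
          template="BastionSyslogProtocol23Format"
          StreamDriver="gtls"
          StreamDriverMode="1"
          StreamDriverAuthMode="x509/name"
          StreamDriverPermittedPeers="{{ log_forwarding_permitted_peer }}"
        )
      }
  notify: restart rsyslog
  # Only deploy forwarding when the target and all TLS inputs are provided.
  # NOTE(review): log_forwarding_permitted_peer is assumed to be a single
  # name string - verify against the inventory.
  when:
    - log_forwarding_target is defined
    - log_forwarding_permitted_peer is defined
    - log_forwarding_ca_cert is defined
    - log_forwarding_cert is defined
    - log_forwarding_key is defined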