diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index 5bb24a1..681375f 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -5,3 +5,4 @@ nginx_ssl_session_timeout: 10m
 nginx_ssl_ciphers: '{{ nginx_default_ssl_ciphers }}'
 nginx_log_syslog: true
 nginx_redirect_http_https: false
+nginx_keep_num_logs: 10
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 9005f3a..24657d3 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -91,3 +91,13 @@
 service:
 name: nginx
 enabled: yes
+
+- name: ensure logrotate is configured for nginx
+ template:
+ src: nginx.logrotate.j2
+ dest: /etc/logrotate.d/nginx
+ mode: u=rw,go=r
+ owner: root
+ group: root
+ tags:
+ - logrotate
diff --git a/roles/nginx/templates/nginx.logrotate.j2 b/roles/nginx/templates/nginx.logrotate.j2
new file mode 100644
index 0000000..522e191
--- /dev/null
+++ b/roles/nginx/templates/nginx.logrotate.j2
@@ -0,0 +1,13 @@
+/var/log/nginx/*.log {
+ create 0640 nginx root
+ daily
+ rotate {{ nginx_keep_num_logs }}
+ missingok
+ notifempty
+ compress
+ delaycompress
+ sharedscripts
+ postrotate
+ /bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
+ endscript
+}
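Review bot: `nginx_keep_num_logs` in roles/nginx/defaults/main.yml is added without a comment, and the name does not say what it counts. The template added in this commit uses it as the `rotate` value under `daily`, so 10 means roughly ten days of local nginx logs. That is also the local window available for incident investigation, unless logs are shipped elsewhere; the `nginx_log_syslog: true` default in the context suggests they may be, but that is not visible here. I would add above it: `# rotations kept by logrotate for /var/log/nginx/*.log; rotation is daily, so this is days of local history`.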
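Review bot: The new task in roles/nginx/tasks/main.yml installs a rule under which logrotate, normally run as root, creates and renames files in /var/log/nginx, but nothing in this hunk states or enforces who owns that directory. Root-run rotation inside a directory the nginx account can write to is unsafe, and logrotate refuses to rotate in directories that are world-writable or writable by a non-root group unless a `su` directive is set. The rest of the tasks file is outside the hunk, so this may already be handled. If it is not, I would at least add a comment on the task: `# /var/log/nginx must be owned by root and not writable by the nginx user; logrotate rotates there as root`.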
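Review bot: In roles/nginx/templates/nginx.logrotate.j2 the postrotate line hard-codes /run/nginx.pid and discards every failure (`2>/dev/null || true`). If the `pid` directive in the role's nginx.conf points elsewhere (not visible in this diff), the reopen signal is never sent and nothing reports it. nginx would then keep writing to the renamed file while the freshly created log stays empty, and `notifempty` would skip that empty file on later runs, leaving a quiet gap for anything that reads the live log. I would add before `postrotate`: `# pid path must match the "pid" directive in nginx.conf; a mismatch is silently ignored and nginx keeps writing to the rotated file`. A first line `# {{ ansible_managed }}` would also mark the file as owned by the role.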