From 829c04332ddc9b9075827ee88a16863d8e37772d Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch" <dustin@hatch.name>
Date: Sun, 29 Sep 2024 11:20:29 -0500
Subject: [PATCH] r/nginx: Configure logrotate

The default `logrotate` configuration for _nginx_ may not be appropriate
for high-volume servers.  The `nginx_keep_num_logs` variable is now
available to control how many days of logs are kept.
---
 roles/nginx/defaults/main.yml            |  1 +
 roles/nginx/tasks/main.yml               | 10 ++++++++++
 roles/nginx/templates/nginx.logrotate.j2 | 13 +++++++++++++
 3 files changed, 24 insertions(+)
 create mode 100644 roles/nginx/templates/nginx.logrotate.j2

diff --git a/roles/nginx/defaults/main.yml b/roles/nginx/defaults/main.yml
index 5bb24a1..681375f 100644
--- a/roles/nginx/defaults/main.yml
+++ b/roles/nginx/defaults/main.yml
@@ -5,3 +5,4 @@ nginx_ssl_session_timeout: 10m
 nginx_ssl_ciphers: '{{ nginx_default_ssl_ciphers }}'
 nginx_log_syslog: true
 nginx_redirect_http_https: false
+nginx_keep_num_logs: 10
diff --git a/roles/nginx/tasks/main.yml b/roles/nginx/tasks/main.yml
index 9005f3a..24657d3 100644
--- a/roles/nginx/tasks/main.yml
+++ b/roles/nginx/tasks/main.yml
@@ -91,3 +91,13 @@
   service:
     name: nginx
     enabled: yes
+
+- name: ensure logrotate is configured for nginx
+  template:
+    src: nginx.logrotate.j2
+    dest: /etc/logrotate.d/nginx
+    mode: u=rw,go=r
+    owner: root
+    group: root
+  tags:
+  - logrotate
diff --git a/roles/nginx/templates/nginx.logrotate.j2 b/roles/nginx/templates/nginx.logrotate.j2
new file mode 100644
index 0000000..522e191
--- /dev/null
+++ b/roles/nginx/templates/nginx.logrotate.j2
@@ -0,0 +1,13 @@
+/var/log/nginx/*.log {
+    create 0640 nginx root
+    daily
+    rotate {{ nginx_keep_num_logs }}
+    missingok
+    notifempty
+    compress
+    delaycompress
+    sharedscripts
+    postrotate
+        /bin/kill -USR1 `cat /run/nginx.pid 2>/dev/null` 2>/dev/null || true
+    endscript
+}