Apache user logs

pillar/cms.sls

@@ -28,6 +28,7 @@ backup:
 # Sites are configured in each CMS' Pillar file.
 apache:
   public_access: True
+  site_logs: True
 
 # Databases and users are configured in each CMS' Pillar file.
 mysql:

salt/apache/files/sites/_common.conf

@@ -24,6 +24,12 @@
     {#- https://github.com/icing/mod_md#tls-alpn-challenges #}
     Protocols h2 http/1.1 acme-tls/1
 
+    {#- System-wide configuration files should be prefixed with numbers #}
+    {%- if pillar.apache.site_logs|default(False) and not name[0:1].isdigit() %}
+    ErrorLog  {{ log_directory }}/error.log
+    CustomLog {{ log_directory }}/access.log vhost_combined
+    {%- endif %}
+
     Include {{ includefile }}
     {%- elif not servername %}
 

salt/apache/init.sls

@@ -1,4 +1,4 @@
-{% from 'lib.sls' import apache, set_firewall, unset_firewall %}
+{% from 'lib.sls' import apache, logrotate, set_firewall, unset_firewall %}
 
 {% if salt['pillar.get']('apache:public_access') %}
   {{ set_firewall('PUBLIC_HTTP') }}
@@ -63,7 +63,7 @@ apache2-utils:
 
 # Ensure this configuration is loaded first.
 {{ apache('00-default', {'configuration': 'default', 'servername': ''}) }}
-{{ apache('fqdn', {'configuration': 'default', 'servername': grains.fqdn}) }}
+{{ apache('10-fqdn', {'configuration': 'default', 'servername': grains.fqdn}) }}
 
 {% if salt['pillar.get']('apache:modules:mod_autoindex:enabled') %}
 autoindex:
@@ -143,3 +143,7 @@ disable-conf-other-vhosts-access-log.conf:
     - onchanges:
       - file: /etc/systemd/system/apache2.service.d/customization.conf
 {% endif %}
+
+{% if pillar.apache.site_logs|default(False) %}
+{{ logrotate("apache-site-logs") }}
+{% endif %}

salt/core/logrotate/files/apache-site-logs

@@ -0,0 +1,20 @@
+/var/log/apache2/*/*.log {
+	daily
+	missingok
+	rotate 14
+	compress
+	delaycompress
+	notifempty
+	create 644 root adm
+	sharedscripts
+	prerotate
+	if [ -d /etc/logrotate.d/httpd-prerotate ]; then
+		run-parts /etc/logrotate.d/httpd-prerotate
+	fi
+	endscript
+	postrotate
+	if pgrep -f ^/usr/sbin/apache2 > /dev/null; then
+		invoke-rc.d apache2 reload 2>&1 | logger -t apache2.logrotate
+	fi
+	endscript
+}

salt/core/logrotate/init.sls

@@ -1,13 +1,9 @@
+{% from 'lib.sls' import logrotate %}
+
 # Some configurations use `postrotate /usr/lib/rsyslog/rsyslog-rotate`, so rsyslog is required.
 include:
   - core.rsyslog
 
 {% for filename, entry in salt['pillar.get']('logrotate:conf', {})|items %}
-/etc/logrotate.d/{{ filename }}:
-  file.managed:
-    - source: salt://core/logrotate/files/{{ entry.source }}
-{% if 'context' in entry %}
-    - template: jinja
-    - context: {{ entry.context|yaml }}
-{% endif %}
+{{ logrotate(filename, entry) }}
 {% endfor %}

salt/lib.sls

@@ -167,6 +167,7 @@ unset {{ setting_name }} in {{ filename }}:
         servername: {{ entry.servername }}
         serveraliases: {{ entry.serveraliases|default([])|yaml }}
         https: {{ entry.https|default(true) }}
+        log_directory: /var/log/apache2/{{ name }}
     - require:
       - file: /etc/apache2/sites-available/{{ name }}.conf.include
     - watch_in:
@@ -190,6 +191,16 @@ add .htpasswd-{{ name }}-{{ username }}:
     - require:
       - pkg: apache2
 {% endfor %}
+
+{% if pillar.apache.site_logs|default(False) and not name[0:1].isdigit() %}
+/var/log/apache2/{{ name }}:
+  file.directory:
+    - user: root
+    - group: adm
+    - dir_mode: 755
+    - require_in:
+      - file: /etc/apache2/sites-available/{{ name }}.conf
+{% endif%}
 {% endmacro %}
 
 {#
@@ -242,3 +253,13 @@ add .htpasswd-{{ name }}-{{ username }}:
     - watch_in:
       - module: nginx-reload
 {% endmacro %}
+
+{% macro logrotate(name, entry={}) %}
+/etc/logrotate.d/{{ name }}:
+  file.managed:
+    - source: salt://core/logrotate/files/{{ entry.source|default(name) }}
+{% if 'context' in entry %}
+    - template: jinja
+    - context: {{ entry.context|yaml }}
+{% endif %}
+{% endmacro %}