r/apache: log errors to syslog by default

Logging to syslog will allow messages to be aggregated in the central
server (Loki now, Victoria Logs eventually), so I don't have to SSH into
the web server to check for errors.

roles/apache/defaults/main.yml

@@ -1,6 +1,7 @@
 apache_mpm: event
 apache_keep_num_logs: 4
 apache_max_log_size: 256M
+apache_error_log: syslog:daemon
 apache_ssl_protocol:
 - all
 - '-SSLv2'

roles/apache/tasks/main.yml

@@ -5,6 +5,16 @@
   tags:
   - install
 
+- name: ensure global error log is configured
+  template:
+    src: errorlog.j2
+    dest: /etc/httpd/conf.d/00-errorlog.conf
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  tags:
+  - apache-config
+
 - name: ensure http service keytab is in place
   copy:
     src={{ item }}

roles/apache/templates/errorlog.j2

@@ -0,0 +1,5 @@
+{% if apache_error_log %}
+ErrorLog {{ apache_error_log }}
+{% else %}
+# Use the default ErrorLog value set in httpd.conf
+{% endif %}

roles/apache/templates/ssl.include.j2

@@ -1,7 +1,11 @@
 # Use separate log files for the SSL virtual host; note that LogLevel
 # is not inherited from httpd.conf.
-ErrorLog logs/ssl_error_log
+{% if apache_ssl_error_log is defined %}
-TransferLog logs/ssl_access_log
+ErrorLog {{ apache_ssl_error_log }}
+{% endif %}
+{% if apache_ssl_transferlog is defined %}
+TransferLog {{ apache_ssl_transferlog }}
+{% endif %}
 LogLevel warn
 
 #   SSL Engine Switch: