Merge remote-tracking branch 'refs/remotes/origin/master'

r/apache: log errors to syslog by default
Logging to syslog will allow messages to be aggregated in the central server (Loki now, Victoria Logs eventually), so I don't have to SSH into the web server to check for errors.
2025-08-05 18:17:13 -05:00 · 2025-08-04 09:49:19 -05:00 · 2025-08-04 09:49:19 -05:00
8 changed files with 23 additions and 12 deletions
--- a/certs/websites/dustin.hatch.name.cer
+++ b/certs/websites/dustin.hatch.name.cer
@ -1 +0,0 @@
-../../.certs/acme.sh/dustin.hatch.name/fullchain.cer
--- a/certs/websites/dustin.hatch.name.key
+++ b/certs/websites/dustin.hatch.name.key
@ -1 +0,0 @@
-../../.certs/acme.sh/dustin.hatch.name/dustin.hatch.name.key
--- a/roles/apache/defaults/main.yml
+++ b/roles/apache/defaults/main.yml
@ -1,6 +1,7 @@
 apache_mpm: event
 apache_keep_num_logs: 4
 apache_max_log_size: 256M
+apache_error_log: syslog:daemon
 apache_ssl_protocol:
 - all
 - '-SSLv2'
--- a/roles/apache/tasks/main.yml
+++ b/roles/apache/tasks/main.yml
@ -5,6 +5,16 @@
  tags:
  - install

+- name: ensure global error log is configured
+  template:
+    src: errorlog.j2
+    dest: /etc/httpd/conf.d/00-errorlog.conf
+    owner: root
+    group: root
+    mode: u=rw,go=r
+  tags:
+  - apache-config
+
 - name: ensure http service keytab is in place
  copy:
    src={{ item }}
--- a/roles/apache/templates/errorlog.j2
+++ b/roles/apache/templates/errorlog.j2
@ -0,0 +1,5 @@
+{% if apache_error_log %}
+ErrorLog {{ apache_error_log }}
+{% else %}
+# Use the default ErrorLog value set in httpd.conf
+{% endif %}
--- a/roles/apache/templates/ssl.include.j2
+++ b/roles/apache/templates/ssl.include.j2
@ -1,7 +1,11 @@
 # Use separate log files for the SSL virtual host; note that LogLevel
 # is not inherited from httpd.conf.
-ErrorLog logs/ssl_error_log
-TransferLog logs/ssl_access_log
+{% if apache_ssl_error_log is defined %}
+ErrorLog {{ apache_ssl_error_log }}
+{% endif %}
+{% if apache_ssl_transferlog is defined %}
+TransferLog {{ apache_ssl_transferlog }}
+{% endif %}
 LogLevel warn

 #   SSL Engine Switch:
--- a/roles/websites/dustin.hatch.name/files/dustin.hatch.name.httpd.conf
+++ b/roles/websites/dustin.hatch.name/files/dustin.hatch.name.httpd.conf
@ -1,4 +1,5 @@
 # vim: set ft=apache :
+MDomain dustin.hatch.name

 <VirtualHost _default_:80>
 ServerName dustin.hatch.name
@ -11,8 +12,6 @@ RewriteRule (.*) https://%{SERVER_NAME}$1 [R=301,L]
 ServerName dustin.hatch.name

 Include conf.d/ssl.include
-SSLCertificateKeyFile /etc/pki/tls/private/dustin.hatch.name.key
-SSLCertificateFile /etc/pki/tls/certs/dustin.hatch.name.cer

 <IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
--- a/websites.yml
+++ b/websites.yml
@ -10,12 +10,6 @@
    tags: formsubmit
  - role: websites/pyrocufflink.net
    tags: websites/pyrocufflink.net
-  - role: cert
-    cert_src: websites/dustin.hatch.name.cer
-    cert_dest: /etc/pki/tls/certs/dustin.hatch.name.cer
-    cert_key_src: websites/dustin.hatch.name.key
-    cert_key_dest: /etc/pki/tls/private/dustin.hatch.name.key
-    tags: websites/dustin.hatch.name
  - role: websites/dustin.hatch.name
    tags: websites/dustin.hatch.name
  - role: websites/ebonfire.com
				`@ -1 +0,0 @@`
				`../../.certs/acme.sh/dustin.hatch.name/fullchain.cer`