From 15c58cce5ac128f56ba4b9fcb2f3312d6968b560 Mon Sep 17 00:00:00 2001
From: Alex Vandiver
Date: Sun, 14 Mar 2021 23:11:16 -0700
Subject: [PATCH] puppet: Create new nginx logfiles as the zulip user, not as www-data.

All of `/var/log/nginx/` is chown'd to `zulip` and the nginx processes themselves run as `nginx`, and would thus (on their own) create new logfiles as `zulip`. Having `logrotate` create them as the package default of `www-data` means that they are momentarily unreadable by the `zulip` user just after rotation, which can cause problems with logtail scripts. Commit the standard `nginx` logrotate configuration, but with the `zulip` user instead of the `www-data` user.
---
 puppet/zulip/files/logrotate/nginx | 18 ++++++++++++++++++
 puppet/zulip/manifests/nginx.pp | 8 ++++++++
 2 files changed, 26 insertions(+)
 create mode 100644 puppet/zulip/files/logrotate/nginx
diff --git a/puppet/zulip/files/logrotate/nginx b/puppet/zulip/files/logrotate/nginx
new file mode 100644
index 0000000000..ad1d97af54
--- /dev/null
+++ b/puppet/zulip/files/logrotate/nginx
@@ -0,0 +1,18 @@
+/var/log/nginx/*.log {
+ daily
+ missingok
+ rotate 14
+ compress
+ delaycompress
+ notifempty
+ create 0640 zulip adm
+ sharedscripts
+ prerotate
+ if [ -d /etc/logrotate.d/httpd-prerotate ]; then \
+ run-parts /etc/logrotate.d/httpd-prerotate; \
+ fi \
+ endscript
+ postrotate
+ invoke-rc.d nginx rotate >/dev/null 2>&1
+ endscript
+}
diff --git a/puppet/zulip/manifests/nginx.pp b/puppet/zulip/manifests/nginx.pp
index a56ca5cc2e..8c123db297 100644
--- a/puppet/zulip/manifests/nginx.pp
+++ b/puppet/zulip/manifests/nginx.pp
@@ -93,6 +93,14 @@ class zulip::nginx {
 group => 'adm',
 mode => '0650',
 }
+ file { '/etc/logrotate.d/nginx':
+ ensure => file,
+ require => Package[$zulip::common::nginx],
+ owner => 'root',
+ group => 'root',
+ mode => '0644',
+ source => 'puppet:///modules/zulip/logrotate/nginx',
+ }
 $certbot_auto_renew = zulipconf('certbot', 'auto_renew', '')
 if $certbot_auto_renew == 'yes' {
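Review bot: The `/var/log/nginx/*.log` stanza has no `su` directive, so logrotate does its renames and the `create 0640 zulip adm` step as root inside a directory that, per the commit description, is owned by the unprivileged `zulip` user. Root-run rotation in a directory controlled by another account is a known hardening gap, because the directory owner can change what a log path points to while logrotate is working on it. Adding `su zulip adm` inside the stanza would make the file operations run with the owner's privileges instead. It should be confirmed on the supported distributions that the `postrotate` call to `invoke-rc.d nginx rotate` still works with that directive. A leading comment such as `# Copy of the nginx package's logrotate config; only the "create" owner differs (zulip instead of www-data).` would also help anyone later comparing this file with the packaged one.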
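Review bot: The new `file { '/etc/logrotate.d/nginx': }` resource has no comment saying that it deliberately replaces the logrotate configuration shipped by the nginx package. That matters because the committed copy will presumably no longer pick up package updates to that file and can drift from it unnoticed. A comment above the resource such as `# Replaces the package's logrotate config so that rotated logs are created as zulip, not www-data.` would record the reason. The enclosing `class zulip::nginx` starts and ends outside the hunk.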