From a2e08c5baaae56bffcbaba5eee1ee7aea6426c7a Mon Sep 17 00:00:00 2001 From: RobHooper Date: Fri, 13 Feb 2026 12:16:44 +0000 Subject: [PATCH 01/10] refactor: rename fqdn config --- salt/apache/init.sls | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/salt/apache/init.sls b/salt/apache/init.sls index edc72ce0..7f9ee7d6 100644 --- a/salt/apache/init.sls +++ b/salt/apache/init.sls @@ -63,7 +63,7 @@ apache2-utils: # Ensure this configuration is loaded first. {{ apache('00-default', {'configuration': 'default', 'servername': ''}) }} -{{ apache('fqdn', {'configuration': 'default', 'servername': grains.fqdn}) }} +{{ apache('10-fqdn', {'configuration': 'default', 'servername': grains.fqdn}) }} {% if salt['pillar.get']('apache:modules:mod_autoindex:enabled') %} autoindex: From de01be8eacd5e6b04975d78049cbaeb0ed2dd08a Mon Sep 17 00:00:00 2001 From: RobHooper Date: Fri, 13 Feb 2026 12:17:26 +0000 Subject: [PATCH 02/10] feat: add separated apache site logs --- pillar/cms.sls | 1 + salt/apache/files/sites/_common.conf | 6 ++++++ salt/lib.sls | 11 +++++++++++ 3 files changed, 18 insertions(+) diff --git a/pillar/cms.sls b/pillar/cms.sls index 869fe88f..efee735a 100644 --- a/pillar/cms.sls +++ b/pillar/cms.sls @@ -28,6 +28,7 @@ backup: # Sites are configured in each CMS' Pillar file. apache: public_access: True + site_logs: True # Databases and users are configured in each CMS' Pillar file. mysql: diff --git a/salt/apache/files/sites/_common.conf b/salt/apache/files/sites/_common.conf index 9c34cd37..a8eae7a0 100644 --- a/salt/apache/files/sites/_common.conf +++ b/salt/apache/files/sites/_common.conf 
@@ -24,6 +24,12 @@ {#- https://github.com/icing/mod_md#tls-alpn-challenges #} Protocols h2 http/1.1 acme-tls/1 + {#- System-wide configuration files should be prefixed with numbers #} + {%- if pillar.apache.site_logs|default(False) and not name[0:1].isdigit() %} + ErrorLog {{ log_directory }}/error.log + CustomLog {{ log_directory }}/access.log vhost_combined + {%- endif %} + Include {{ includefile }} {%- elif not servername %} diff --git a/salt/lib.sls b/salt/lib.sls index fea3aef0..d96f2cd1 100644 --- a/salt/lib.sls +++ b/salt/lib.sls @@ -167,6 +167,7 @@ unset {{ setting_name }} in {{ filename }}: servername: {{ entry.servername }} serveraliases: {{ entry.serveraliases|default([])|yaml }} https: {{ entry.https|default(true) }} + log_directory: /var/log/apache2/{{ name }} - require: - file: /etc/apache2/sites-available/{{ name }}.conf.include - watch_in: @@ -190,6 +191,16 @@ add .htpasswd-{{ name }}-{{ username }}: - require: - pkg: apache2 {% endfor %} + +{% if pillar.apache.site_logs|default(False) and not name[0:1].isdigit() %} +/var/log/apache2/{{ name }}: + file.directory: + - user: root + - group: adm + - dir_mode: 755 + - require_in: + - file: /etc/apache2/sites-available/{{ name }}.conf +{% endif%} {% endmacro %} {# From 74a9a49722ebcd901b5df733cef90186e25fd02f Mon Sep 17 00:00:00 2001 From: RobHooper Date: Fri, 13 Feb 2026 14:01:20 +0000 Subject: [PATCH 03/10] feat: logrotate macro, add apache site log rotate conf --- salt/apache/init.sls | 6 +++++- salt/core/logrotate/files/apache-site-logs | 20 ++++++++++++++++++++ salt/core/logrotate/init.sls | 10 +++------- salt/lib.sls | 10 ++++++++++ 4 files changed, 38 insertions(+), 8 deletions(-) create mode 100644 salt/core/logrotate/files/apache-site-logs diff --git a/salt/apache/init.sls b/salt/apache/init.sls index 7f9ee7d6..cb997bdd 100644 --- a/salt/apache/init.sls +++ b/salt/apache/init.sls 
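Review bot: The per-site log directory created in the lib.sls hunk (`/var/log/apache2/{{ name }}`) is given `dir_mode: 755`, which makes it world-traversable, while Debian's stock `/var/log/apache2` is, as far as I recall, `750 root:adm`; access logs hold client IPs and full request URIs, so the new directories should not be looser than the parent. I would change the state to `- dir_mode: 750` so `adm` membership stays the read boundary for both the default and the per-site logs. The `apache` macro this block lives in starts before the hunk.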
@@ -1,4 +1,4 @@ -{% from 'lib.sls' import apache, set_firewall, unset_firewall %} +{% from 'lib.sls' import apache, logrotate, set_firewall, unset_firewall %} {% if salt['pillar.get']('apache:public_access') %} {{ set_firewall('PUBLIC_HTTP') }} @@ -143,3 +143,7 @@ disable-conf-other-vhosts-access-log.conf: - onchanges: - file: /etc/systemd/system/apache2.service.d/customization.conf {% endif %} + +{% if pillar.apache.site_logs|default(False) %} +{{ logrotate("apache-site-logs") }} +{% endif %} diff --git a/salt/core/logrotate/files/apache-site-logs b/salt/core/logrotate/files/apache-site-logs new file mode 100644 index 00000000..352ca317 --- /dev/null +++ b/salt/core/logrotate/files/apache-site-logs @@ -0,0 +1,20 @@ +/var/log/apache2/*/*.log { + daily + missingok + rotate 14 + compress + delaycompress + notifempty + create 644 root adm + sharedscripts + prerotate + if [ -d /etc/logrotate.d/httpd-prerotate ]; then + run-parts /etc/logrotate.d/httpd-prerotate + fi + endscript + postrotate + if pgrep -f ^/usr/sbin/apache2 > /dev/null; then + invoke-rc.d apache2 reload 2>&1 | logger -t apache2.logrotate + fi + endscript +} diff --git a/salt/core/logrotate/init.sls b/salt/core/logrotate/init.sls index 801b8117..a223825d 100644 --- a/salt/core/logrotate/init.sls +++ b/salt/core/logrotate/init.sls @@ -1,13 +1,9 @@ +{% from 'lib.sls' import logrotate %} + # Some configurations use `postrotate /usr/lib/rsyslog/rsyslog-rotate`, so rsyslog is required. include: - core.rsyslog {% for filename, entry in salt['pillar.get']('logrotate:conf', {})|items %} -/etc/logrotate.d/{{ filename }}: - file.managed: - - source: salt://core/logrotate/files/{{ entry.source }} -{% if 'context' in entry %} - - template: jinja - - context: {{ entry.context|yaml }} -{% endif %} +{{ logrotate(filename, entry) }} {% endfor %} diff --git a/salt/lib.sls b/salt/lib.sls index d96f2cd1..69940c4b 100644 --- a/salt/lib.sls +++ b/salt/lib.sls 
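Review bot: The new `apache-site-logs` rotate config uses `create 644 root adm`, so every rotated per-site access.log and error.log is created world-readable; these files carry client IPs and full request lines, and the Debian-shipped `/etc/logrotate.d/apache2` uses, to my recollection, `create 640 root adm`. I would match that with `create 640 root adm`. The `delaycompress` and the `pgrep -f ^/usr/sbin/apache2` reload guard look right for a server that keeps the old descriptor open until reload.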
@@ -253,3 +253,13 @@ add .htpasswd-{{ name }}-{{ username }}: - watch_in: - module: nginx-reload {% endmacro %} + +{% macro logrotate(name, entry={}) %} +/etc/logrotate.d/{{ name }}: + file.managed: + - source: salt://core/logrotate/files/{{ entry.source|default(name) }} +{% if 'context' in entry %} + - template: jinja + - context: {{ entry.context|yaml }} +{% endif %} +{% endmacro %} From 3aa6a38ebb2294594335ec28b8c23d5f090a6730 Mon Sep 17 00:00:00 2001 From: "Bob H." <57331626+RobHooper@users.noreply.github.com> Date: Mon, 16 Feb 2026 12:51:14 +0000 Subject: [PATCH 04/10] Apply suggestions from code review Co-authored-by: James McKinney <26463+jpmckinney@users.noreply.github.com> --- salt/apache/files/sites/_common.conf | 2 +- salt/apache/init.sls | 2 +- salt/core/logrotate/files/apache-site-logs | 36 +++++++++++----------- 3 files changed, 20 insertions(+), 20 deletions(-) diff --git a/salt/apache/files/sites/_common.conf b/salt/apache/files/sites/_common.conf index a8eae7a0..e603ff4c 100644 --- a/salt/apache/files/sites/_common.conf +++ b/salt/apache/files/sites/_common.conf @@ -25,7 +25,7 @@ Protocols h2 http/1.1 acme-tls/1 {#- System-wide configuration files should be prefixed with numbers #} - {%- if pillar.apache.site_logs|default(False) and not name[0:1].isdigit() %} + {%- if pillar.apache.get('site_logs') and not name[:1].isdigit() %} ErrorLog {{ log_directory }}/error.log CustomLog {{ log_directory }}/access.log vhost_combined {%- endif %} diff --git a/salt/apache/init.sls b/salt/apache/init.sls index cb997bdd..2cbbbff7 100644 --- a/salt/apache/init.sls +++ b/salt/apache/init.sls @@ -145,5 +145,5 @@ disable-conf-other-vhosts-access-log.conf: {% endif %} {% if pillar.apache.site_logs|default(False) %} -{{ logrotate("apache-site-logs") }} +{{ logrotate('apache-site-logs') }} {% endif %} diff --git a/salt/core/logrotate/files/apache-site-logs b/salt/core/logrotate/files/apache-site-logs index 352ca317..6ab7f674 100644 
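Review bot: The new `logrotate` macro in lib.sls carries no comment even though it is now the single place where the `logrotate:conf` pillar entries and the direct `apache-site-logs` call converge, so a reader has to find both call sites to learn what `entry` may contain. I would add above it `{# Manage /etc/logrotate.d/NAME from salt://core/logrotate/files/; entry.source overrides the source file name, entry.context renders it as a Jinja template. #}`. Note that `entry.source|default(name)` makes the name double as a path component under files/, so callers should pass plain file names only.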
--- a/salt/core/logrotate/files/apache-site-logs +++ b/salt/core/logrotate/files/apache-site-logs @@ -1,20 +1,20 @@ /var/log/apache2/*/*.log { - daily - missingok - rotate 14 - compress - delaycompress - notifempty - create 644 root adm - sharedscripts - prerotate - if [ -d /etc/logrotate.d/httpd-prerotate ]; then - run-parts /etc/logrotate.d/httpd-prerotate - fi - endscript - postrotate - if pgrep -f ^/usr/sbin/apache2 > /dev/null; then - invoke-rc.d apache2 reload 2>&1 | logger -t apache2.logrotate - fi - endscript + rotate 14 + daily + missingok + notifempty + compress + delaycompress + sharedscripts + create 644 root adm + prerotate + if [ -d /etc/logrotate.d/httpd-prerotate ]; then + run-parts /etc/logrotate.d/httpd-prerotate + fi + endscript + postrotate + if pgrep -f ^/usr/sbin/apache2 > /dev/null; then + invoke-rc.d apache2 reload 2>&1 | logger -t apache2.logrotate + fi + endscript } From 0bbc075786a84ef3831e9eba2a53cad5008159bf Mon Sep 17 00:00:00 2001 From: RobHooper Date: Mon, 16 Feb 2026 12:54:03 +0000 Subject: [PATCH 05/10] Apply suggestions from code review --- salt/apache/init.sls | 2 +- salt/lib.sls | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/salt/apache/init.sls b/salt/apache/init.sls index 2cbbbff7..378b2e9e 100644 --- a/salt/apache/init.sls +++ b/salt/apache/init.sls @@ -144,6 +144,6 @@ disable-conf-other-vhosts-access-log.conf: - file: /etc/systemd/system/apache2.service.d/customization.conf {% endif %} -{% if pillar.apache.site_logs|default(False) %} +{% if pillar.apache.get('site_logs') %} {{ logrotate('apache-site-logs') }} {% endif %} diff --git a/salt/lib.sls b/salt/lib.sls index 69940c4b..5eee7b2a 100644 --- a/salt/lib.sls +++ b/salt/lib.sls 
@@ -192,7 +192,7 @@ add .htpasswd-{{ name }}-{{ username }}: - pkg: apache2 {% endfor %} -{% if pillar.apache.site_logs|default(False) and not name[0:1].isdigit() %} +{% if pillar.apache.get('site_logs') and not name[:1].isdigit() %} /var/log/apache2/{{ name }}: file.directory: - user: root From ee971436af8be7e4c186618f9ce4e516e9956478 Mon Sep 17 00:00:00 2001 From: RobHooper Date: Wed, 18 Feb 2026 11:08:17 +0000 Subject: [PATCH 06/10] fix: pass filename to apache base config --- salt/apache/files/sites/_common.conf | 6 +++--- salt/lib.sls | 3 ++- 2 files changed, 5 insertions(+), 4 deletions(-) diff --git a/salt/apache/files/sites/_common.conf b/salt/apache/files/sites/_common.conf index e603ff4c..cb05525b 100644 --- a/salt/apache/files/sites/_common.conf +++ b/salt/apache/files/sites/_common.conf @@ -25,9 +25,9 @@ Protocols h2 http/1.1 acme-tls/1 {#- System-wide configuration files should be prefixed with numbers #} - {%- if pillar.apache.get('site_logs') and not name[:1].isdigit() %} - ErrorLog {{ log_directory }}/error.log - CustomLog {{ log_directory }}/access.log vhost_combined + {%- if pillar.apache.get('site_logs') and not filename[:1].isdigit() %} + ErrorLog {{ logdirectory }}/error.log + CustomLog {{ logdirectory }}/access.log vhost_combined {%- endif %} Include {{ includefile }} diff --git a/salt/lib.sls b/salt/lib.sls index 5eee7b2a..9a1f196e 100644 --- a/salt/lib.sls +++ b/salt/lib.sls @@ -167,7 +167,8 @@ unset {{ setting_name }} in {{ filename }}: servername: {{ entry.servername }} serveraliases: {{ entry.serveraliases|default([])|yaml }} https: {{ entry.https|default(true) }} - log_directory: /var/log/apache2/{{ name }} + filename: {{ name }} + logdirectory: /var/log/apache2/{{ name }} - require: - file: /etc/apache2/sites-available/{{ name }}.conf.include - watch_in: From 826bef8822f0c2e42eb54bd21cd1403973e4680b Mon Sep 17 00:00:00 2001 
From: RobHooper Date: Wed, 18 Feb 2026 11:08:35 +0000 Subject: [PATCH 07/10] feat: configure fail2ban for new apache log dir --- salt/core/fail2ban/files/jail.local | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/salt/core/fail2ban/files/jail.local b/salt/core/fail2ban/files/jail.local index fe0f6e08..4b3da7a3 100644 --- a/salt/core/fail2ban/files/jail.local +++ b/salt/core/fail2ban/files/jail.local @@ -13,6 +13,16 @@ logpath = /var/log/apache2/access.log maxretry = 10 findtime = 1m bantime = 1h + +{% if pillar.apache.get('site_logs') %} +[apache-custom-site-logs] +enabled = true +filter = apache-auth +port = http,https +logpath = /var/log/apache2/*/*.log +maxretry = 10 +findtime = 1m +{%- endif %} {%- endif %} {%- if salt['pillar.get']('postgres:public_access') %} From f2de522feee6a1e69dd5de3bbab76ae184c4610d Mon Sep 17 00:00:00 2001 From: RobHooper Date: Wed, 18 Feb 2026 11:31:05 +0000 Subject: [PATCH 08/10] docs: record site_logs function --- docs/develop/update/apache.rst | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/docs/develop/update/apache.rst b/docs/develop/update/apache.rst index b5ef235b..4cdb43d3 100644 --- a/docs/develop/update/apache.rst +++ b/docs/develop/update/apache.rst @@ -209,6 +209,19 @@ The service should now be available at its ``https://`` web address. curl https://SERVERNAME/.httpd/certificate-status +Split site logs +--------------- + +Add to your server's Pillar file: + +.. code-block:: yaml + + apache: + site_logs: True + +This will configure sites to log to their own log file in ``/var/log/apache2/sitename/access.log``. + + .. _apache-modules: Enable Apache modules From 8de52d81de746e74172a912fe71414037ad469e6 Mon Sep 17 00:00:00 2001 From: RobHooper Date: Wed, 18 Feb 2026 11:31:23 +0000 Subject: [PATCH 09/10] feat: use filename over logdirectory --- salt/apache/files/sites/_common.conf | 4 ++-- salt/lib.sls | 1 - 2 files changed, 2 insertions(+), 3 deletions(-) 
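Review bot: The new `apache-custom-site-logs` jail points `filter = apache-auth` at `/var/log/apache2/*/*.log`, which includes the per-site `access.log` files; the stock apache-auth filter, as far as I recall, matches error-log authentication-failure lines, so scanning the vhost_combined access logs with it only costs I/O and never bans anything. I would narrow it to `logpath = /var/log/apache2/*/error.log`. The jail also omits `bantime`, unlike the sibling jail just above it that sets `bantime = 1h`, so it falls back to whatever `[DEFAULT]` defines; adding `bantime = 1h` keeps the two consistent.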
diff --git a/salt/apache/files/sites/_common.conf b/salt/apache/files/sites/_common.conf index cb05525b..f08517d1 100644 --- a/salt/apache/files/sites/_common.conf +++ b/salt/apache/files/sites/_common.conf @@ -26,8 +26,8 @@ {#- System-wide configuration files should be prefixed with numbers #} {%- if pillar.apache.get('site_logs') and not filename[:1].isdigit() %} - ErrorLog {{ logdirectory }}/error.log - CustomLog {{ logdirectory }}/access.log vhost_combined + ErrorLog /var/log/apache2/{{ filename }}/error.log + CustomLog /var/log/apache2/{{ filename }}/access.log vhost_combined {%- endif %} Include {{ includefile }} diff --git a/salt/lib.sls b/salt/lib.sls index 9a1f196e..c5119c34 100644 --- a/salt/lib.sls +++ b/salt/lib.sls @@ -168,7 +168,6 @@ unset {{ setting_name }} in {{ filename }}: serveraliases: {{ entry.serveraliases|default([])|yaml }} https: {{ entry.https|default(true) }} filename: {{ name }} - logdirectory: /var/log/apache2/{{ name }} - require: - file: /etc/apache2/sites-available/{{ name }}.conf.include - watch_in: From 7ff7b580c5734241cb510d2529a7e09ff11b87c2 Mon Sep 17 00:00:00 2001 From: James McKinney <26463+jpmckinney@users.noreply.github.com> Date: Wed, 18 Feb 2026 10:13:35 -0500 Subject: [PATCH 10/10] docs(nit): Remove extra newline and clarify substitution text. --- docs/develop/update/apache.rst | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/docs/develop/update/apache.rst b/docs/develop/update/apache.rst index 4cdb43d3..24dd9bff 100644 --- a/docs/develop/update/apache.rst +++ b/docs/develop/update/apache.rst @@ -219,8 +219,7 @@ Add to your server's Pillar file: apache: site_logs: True -This will configure sites to log to their own log file in ``/var/log/apache2/sitename/access.log``. - +This will configure sites to use their own log file in ``/var/log/apache2/{site}/access.log``. .. _apache-modules:
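Review bot: After this change the log path `/var/log/apache2/{{ filename }}` is spelled out in `_common.conf` and independently in the lib.sls `file.directory` state, and each side also repeats the `[:1].isdigit()` exclusion; if either copy drifts, `ErrorLog` will point at a directory that was never created and, in my experience, apache2 then fails to open its logs and does not start. Since this commit removes the single `logdirectory` context variable that tied the two together, I would at least record the coupling with `{#- Must match the /var/log/apache2/{{ name }} directory state in lib.sls #}` next to the `ErrorLog` line. The enclosing `<VirtualHost>` block starts and ends outside the hunk.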