feat: rework logging and rotation rules

roles/nginx/defaults/main.yml

@@ -14,3 +14,12 @@ nginx_client_max_body_size: 100M
 # SSL configuration (volontarily omit TLSv1.2 here)
 nginx_ssl_protocols: TLSv1.3
 nginx_ssl_prefer_server_ciphers: true
+
+# Logging configuration
+# Backend: 'file' (traditional /var/log/nginx/*.log) or 'journald' (systemd journal)
+nginx_log_backend: journald
+
+# Logrotate configuration (only used when nginx_log_backend: file)
+nginx_logrotate_rotate: 14 # Keep 14 days of logs
+nginx_logrotate_frequency: daily # daily|weekly|monthly
+nginx_logrotate_compress: true # Compress rotated logs

roles/nginx/tasks/main.yml

@@ -5,6 +5,10 @@
     - "{{ ansible_facts['os_family'] }}.yml"
     - debian.yml
 
+- name: Set nginx_user if not already set
+  ansible.builtin.set_fact:
+    nginx_user: "{{ nginx_user | default('www-data') }}"
+
 - name: Install nginx
   ansible.builtin.package:
     name: nginx
@@ -28,6 +32,21 @@
     validate: nginx -t -c %s
   notify: Reload nginx
 
+- name: Deploy logrotate configuration for nginx
+  ansible.builtin.template:
+    src: logrotate-nginx.j2
+    dest: /etc/logrotate.d/nginx
+    owner: root
+    group: root
+    mode: "0644"
+  when: nginx_log_backend == 'file'
+
+- name: Remove logrotate configuration when using journald
+  ansible.builtin.file:
+    path: /etc/logrotate.d/nginx
+    state: absent
+  when: nginx_log_backend == 'journald'
+
 - name: Allow HTTP traffic through firewall
   community.general.ufw:
     rule: allow

roles/nginx/templates/nginx.conf.j2

@@ -1,6 +1,10 @@
 user {{ nginx_user }};
 worker_processes {{ nginx_worker_processes }};
+{% if nginx_log_backend == 'journald' %}
+error_log syslog:server=unix:/dev/log,nohostname;
+{% else %}
 error_log /var/log/nginx/error.log;
+{% endif %}
 pid /run/nginx.pid;
 
 include /usr/share/nginx/modules/*.conf;
@@ -14,7 +18,11 @@ http {
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for"';
 
+{% if nginx_log_backend == 'journald' %}
+    access_log syslog:server=unix:/dev/log,nohostname main;
+{% else %}
     access_log  /var/log/nginx/access.log  main;
+{% endif %}
 
     sendfile            on;
     tcp_nopush          on;