From bf1ed7d0641e8a5c382344d52b077e2c22d7e752 Mon Sep 17 00:00:00 2001
From: Sunil Mohan Adapa
Date: Sun, 10 Jul 2022 08:11:23 -0700
Subject: [PATCH] apache: Redirect all logs to systemd journal
- Redirect with separate identifiers so that they can retrieved separately.
- Enable virtual host log format that include name of the domain accessed so that that information is preserved.
- There is no need to increment the apache app's version number as it has been incremented earlier in the patch series (for this release).
Tests:
- In a fresh container, setup succeeds. Default apache sites 000-default.conf and default-ssl.conf are disabled. freedombox-default.conf is enabled. Apache access logs and error logs are sent to systemd journal.
- Without the patch applied, create a container. Run setup and access Plinth interface. Apply the patches. Apache setup is run. a2query -s default and a2query -s 000-default show that sites are not enabled. a2query -s freedombox-default shows that site is enabled. Apache access logs and error logs are sent to systemd journal.
Signed-off-by: Sunil Mohan Adapa
Reviewed-by: James Valleroy
---
 actions/apache | 5 +--
 .../apache2/conf-available/freedombox.conf | 17 +++++++++
 .../sites-available/freedombox-default.conf | 35 +++++++++++++++++++
 3 files changed, 55 insertions(+), 2 deletions(-)
 create mode 100644 data/etc/apache2/sites-available/freedombox-default.conf
diff --git a/actions/apache b/actions/apache
index e2554fc34..3a69648ff 100755
--- a/actions/apache
+++ b/actions/apache
@@ -168,11 +168,12 @@ def subcommand_setup(arguments):
 webserver.enable('javascript-common', kind='config')
 # default sites
- webserver.enable('000-default', kind='site')
+ webserver.disable('000-default', kind='site')
 webserver.disable('default-tls', kind='site')
- webserver.enable('default-ssl', kind='site')
+ webserver.disable('default-ssl', kind='site')
 webserver.disable('plinth', kind='site')
 webserver.disable('plinth-ssl', kind='site')
+ webserver.enable('freedombox-default', kind='site')
 # TODO: Check that the (name, kind) is a managed by FreedomBox before
diff --git a/data/etc/apache2/conf-available/freedombox.conf b/data/etc/apache2/conf-available/freedombox.conf
index f765b047f..d493cc0de 100644
--- a/data/etc/apache2/conf-available/freedombox.conf
+++ b/data/etc/apache2/conf-available/freedombox.conf
@@ -129,3 +129,20 @@ RedirectMatch "^/$" "/plinth"
 AddOutputFilterByType DEFLATE image/svg+xml
+
+##
+## Send all logs to systemd journal by default. This may be overridden per host
+## in . With all system logs in journald, it is possible to turn
+## off persistent logging to improve SD card lifetime and performance. It is
+## also easy to improve privacy by turning off logging altogether.
+##
+## - To obtain the old style access log run the following command (note that the
+## first field is the name of the virtual host accessed as Apache format logged
+## is vhost_combined):
+## journalctl --identifier apache-access --output cat > access.log
+##
+## - To obtain the old style error log run the following command:
+## journalctl --identifier apache-error --output cat > error.log
+##
+ErrorLog "|/usr/bin/systemd-cat --identifier=apache-error"
+CustomLog "|/usr/bin/systemd-cat --identifier=apache-access" vhost_combined
diff --git a/data/etc/apache2/sites-available/freedombox-default.conf b/data/etc/apache2/sites-available/freedombox-default.conf
new file mode 100644
index 000000000..ef08dffa7
--- /dev/null
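Review bot: The replacement fallback site no longer sorts first. Debian's `000-` prefix keeps the stock site at the front of the include order, and Apache uses the first virtual host read for an address as the catch-all for requests whose Host header matches nothing, whereas `freedombox-default` sorts after any site whose name starts with a digit or with `a` to `e`. If such a site is enabled (not visible from this hunk), it would start answering requests for unknown host names instead of the plain `/var/www/html` site. Consider a numeric prefix on the new site name, or at least a comment above the added call such as `# Must load before every other site to remain the catch-all vhost`. subcommand_setup starts and ends outside the hunk.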
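Review bot: Both pipes start `systemd-cat` without a priority option, so every line from the `ErrorLog` pipe reaches the journal at systemd-cat's default level (info), the same as access lines. Severity filters such as `journalctl --priority` and any alerting keyed on journal priority will therefore not surface Apache errors; the identifier becomes the only usable selector. Consider `ErrorLog "|/usr/bin/systemd-cat --identifier=apache-error --priority=warning"`, or state in the comment block that Apache's own severity survives only inside the message text. It is also worth a comment line that piped log programs are started by the Apache parent process and inherit its privileges.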
+++ b/data/etc/apache2/sites-available/freedombox-default.conf
@@ -0,0 +1,35 @@
+## SPDX-License-Identifier: AGPL-3.0-or-later
+##
+## DO NOT EDIT. If you do, FreedomBox will not automatically upgrade.
+##
+## Apache configuration managed by FreedomBox. If customization is needed,
+## create a new configuration file with higher priority and override directives.
+##
+## Default apache sites default.conf and 000-default-ssl.conf will be disabled
+## for the sake of the following configuration. This is primarily to override
+## the logging directives (to allow default values to prevail).
+##
+
+# Keep this in sync with apache default 000-default.conf
+
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+
+
+# Keep this in sync with apache default default-ssl.conf
+
+
+ ServerAdmin webmaster@localhost
+ DocumentRoot /var/www/html
+
+ SSLEngine on
+ SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
+ SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+
+ SSLOptions +StdEnvVars
+
+
+ SSLOptions +StdEnvVars
+
+
+
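Review bot: The header comment names the disabled stock sites as `default.conf` and `000-default-ssl.conf`, but the two "Keep this in sync" comments below it and the setup action in this patch refer to `000-default` and `default-ssl`. Someone auditing which Debian sites were switched off would look for files that do not exist. I would change the line to `## Default apache sites 000-default.conf and default-ssl.conf will be disabled`. The TLS block also carries over the `ssl-cert-snakeoil` certificate and key paths, so a one-line comment saying this is the locally generated self-signed pair and that real certificates are configured elsewhere (if that is the case) would help.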