From 760d9ee10c253537132b0834ec7947dd3e211430 Mon Sep 17 00:00:00 2001
From: Oliver Schmidt
Date: Thu, 4 Apr 2024 10:39:25 +0200
Subject: [PATCH] nginx: fix continued writes to rotated modsecurity log files

Because modsecurity is not re-opening its logfile after rotation and continues to write into the same file descriptor, we need to use `copytruncate`. Better handling of that situation is stuck upstream for several years. https://github.com/owasp-modsecurity/ModSecurity-nginx/issues/121 We use the presence of `/var/log/modesc_*.log` as a heuristic for modsecurity being enabled, these files are now rotated with copytruncate. All other nginx logs are still rotated by moving and reloading. Note that, due to overlapping wildcard matches, this specific case got a higher logrotate match priority and needs an `ignoreduplicates`. `copytruncate` is non-atomic and might loose some logs written between copying and the truncation being done. PL-132296
---
 nixos/services/nginx/default.nix | 17 ++++++++++++++---
 1 file changed, 14 insertions(+), 3 deletions(-)

diff --git a/nixos/services/nginx/default.nix b/nixos/services/nginx/default.nix
index d189faba3..d771f2405 100644
--- a/nixos/services/nginx/default.nix
+++ b/nixos/services/nginx/default.nix
@@ -469,16 +469,27 @@ in
       inherit virtualHosts;
     };

-    services.logrotate.settings = {
-      "/var/log/nginx/*.log" = {
+    services.logrotate.settings = let
+      commonRotate = {
         rotate = cfg.rotateLogs;
         create = "0644 ${nginxCfg.masterUser} nginx";
         su = "${nginxCfg.masterUser} nginx";
+      };
+    in {
+      "/var/log/nginx/modsec_*.log" = {
+        # need higher prio, because more-specific match.
+        # Our platform header options use priority 900, we need to chose a
+        # higher number here for using them.
+        ignoreduplicates = true;
+        priority = 901;
+        copytruncate = true;
+      } // commonRotate;
+      "/var/log/nginx/*.log" = {
         postrotate = ''
           systemctl kill nginx -s USR1 --kill-who=main || systemctl reload nginx
           chown ${nginxCfg.masterUser}:nginx /var/log/nginx/*
         '';
-      };
+      } // commonRotate;
     };

   # Z: Recursively change permissions if they already exist.
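Review bot: The `modsec_*.log` entry inherits `create = "0644 …"` through `// commonRotate`, but logrotate documents `create` as having no effect when `copytruncate` is set because the original file is never replaced, so of the shared options only `rotate` and `su` actually apply to that entry. Moving `create = "0644 ${nginxCfg.masterUser} nginx";` out of `commonRotate` into the `"/var/log/nginx/*.log"` block keeps each entry listing only directives that take effect and avoids a reader assuming the audit logs are being re-created with those permissions. The comment above `ignoreduplicates` has a typo and would read more clearly as `# More-specific glob than "*.log": needs a priority above the platform header options (900) so this entry wins.` Since these are the ModSecurity audit logs, the lossy copy-then-truncate window mentioned in the commit message deserves a one-line comment next to `copytruncate = true;` so that anyone relying on them as a complete record of blocked requests knows entries can be dropped around rotation. The enclosing attribute set continues outside the hunk.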