From ac4531d818fa1cf645fd011258a189e5fd980b99 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?=
Date: Fri, 29 May 2026 14:59:07 -0400
Subject: [PATCH 1/2] Fix issue where pki-tomcat debug log are daily rotate but not deleted
---
 site/profile/manifests/freeipa.pp | 33 +++++++++++++++++++------------
 1 file changed, 20 insertions(+), 13 deletions(-)
diff --git a/site/profile/manifests/freeipa.pp b/site/profile/manifests/freeipa.pp
index 0d01ffabc..bf4abdd30 100644
--- a/site/profile/manifests/freeipa.pp
+++ b/site/profile/manifests/freeipa.pp
@@ -525,19 +525,26 @@ Service["dirsrv@${ds_domain}"] -> Service <| tag == 'profile::accounts' and title == 'mkhome' |>
 Service["dirsrv@${ds_domain}"] -> Service <| tag == 'profile::accounts' and title == 'mkproject' |>
- logrotate::rule { 'pki-tomcat':
- path => '/var/log/pki/pki-tomcat/ca/*.log',
- rotate => 5,
- ifempty => false,
- copytruncate => false,
- olddir => false,
- size => '5M',
- compress => true,
- create => true,
- create_mode => '0640',
- create_owner => 'pkiuser',
- create_group => 'pkiuser',
- postrotate => '/bin/systemctl restart pki-tomcatd@pki-tomcat.service > /dev/null 2>/dev/null || true',
+ # pki-tomcat does not use this file, but we create a dummy one so logrotate can clean all files
+ # older than 7 days.
+ file { '/var/log/pki/pki-tomcat/ca/debug.log':
+ ensure => file,
+ owner => 'pkiuser',
+ group => 'pkiuser',
+ requie => Exec['ipa-install'],
+ }
+
+ logrotate::rule { 'pki-tomcat-debug':
+ path => '/var/log/pki/pki-tomcat/ca/debug.log',
+ rotate => 7,
+ maxage => 7,
+ missingok => true,
+ dateext => true,
+ dateformat => '.%Y-%m-%d',
+ extension => '.log',
+ su => true,
+ su_user => 'pkiuser',
+ su_group => 'pkiuser',
 }
 # httpd-core rpm installs /etc/logrotate.d/httpd with postrotate = /bin/systemctl reload httpd
From 329d23a37bf008e7529c94f740ddf0a4e18f67ef Mon Sep 17 00:00:00 2001
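Review bot: `requie => Exec['ipa-install'],` in the new `file` resource is a misspelled parameter name; Puppet rejects unknown parameters on the built-in `file` type, so this commit on its own leaves the catalog failing to apply until the following commit removes the block. The line should read `require => Exec['ipa-install'],` (assuming an `Exec['ipa-install']` resource exists elsewhere in the class, which is not visible in the hunk). Even though patch 2/2 drops the dummy-file approach, keeping every commit in the series applyable is what makes a later bisect usable. The enclosing class body continues on both sides of the hunk.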
From: =?UTF-8?q?F=C3=A9lix-Antoine=20Fortin?=
Date: Fri, 29 May 2026 15:22:54 -0400
Subject: [PATCH 2/2] Replace pki-tomcat logrotate by cron job
---
 Puppetfile | 1 +
 site/profile/manifests/freeipa.pp | 31 +++++++++++-------------------
 2 files changed, 12 insertions(+), 20 deletions(-)
diff --git a/Puppetfile b/Puppetfile
index a119fea30..d59cb0bdd 100644
--- a/Puppetfile
+++ b/Puppetfile
@@ -12,6 +12,7 @@ mod 'puppet-augeasproviders_ssh', '6.0.0'
 mod 'puppet-augeasproviders_sysctl', '3.1.0'
 mod 'puppet-archive', '7.1.0'
 mod 'puppet-consul', '10.0.0'
+mod 'puppet-cron', '5.0.0'
 mod 'puppet-epel', '5.0.0'
 mod 'puppet-extlib', '7.0.0'
 mod 'puppet-fail2ban', '4.2.0'
diff --git a/site/profile/manifests/freeipa.pp b/site/profile/manifests/freeipa.pp
index bf4abdd30..bffc4f658 100644
--- a/site/profile/manifests/freeipa.pp
+++ b/site/profile/manifests/freeipa.pp
@@ -218,6 +218,7 @@ Array[String] $hbac_services = ['sshd', 'jupyterhub-login'],
 Boolean $enable_mokey = true,
 ) {
+ include cron
 file { '/etc/ipa':
 ensure => directory,
@@ -525,26 +526,16 @@ Service["dirsrv@${ds_domain}"] -> Service <| tag == 'profile::accounts' and title == 'mkhome' |>
 Service["dirsrv@${ds_domain}"] -> Service <| tag == 'profile::accounts' and title == 'mkproject' |>
- # pki-tomcat does not use this file, but we create a dummy one so logrotate can clean all files
- # older than 7 days.
- file { '/var/log/pki/pki-tomcat/ca/debug.log':
- ensure => file,
- owner => 'pkiuser',
- group => 'pkiuser',
- requie => Exec['ipa-install'],
- }
-
- logrotate::rule { 'pki-tomcat-debug':
- path => '/var/log/pki/pki-tomcat/ca/debug.log',
- rotate => 7,
- maxage => 7,
- missingok => true,
- dateext => true,
- dateformat => '.%Y-%m-%d',
- extension => '.log',
- su => true,
- su_user => 'pkiuser',
- su_group => 'pkiuser',
+ # pki-tomcat has its own log rotation mechanism, but it does not properly clean file older than 7 days.
+ cron::job { 'clean_pki-tomcat_ca_debuglog':
+ minute => '49',
+ hour => '3',
+ date => '*',
+ month => '*',
+ weekday => '*',
+ user => 'root',
+ command => 'find /var/log/pki/pki-tomcat/ca -maxdepth 1 -name debug.*.log -mtime +7 -delete',
+ description => 'clean pki-tomcat debug logs',
 }
 # httpd-core rpm installs /etc/logrotate.d/httpd with postrotate = /bin/systemctl reload httpd
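Review bot: `-name debug.*.log` in the new `command` is unquoted, so the shell that cron hands the line to expands the glob against the job's working directory before `find` runs, and the pattern `find` receives changes silently whenever a matching name exists there; the attribute should be `command => "find /var/log/pki/pki-tomcat/ca -maxdepth 1 -type f -name 'debug.*.log' -mtime +7 -delete",`. The added `-type f` also keeps a root-run `-delete` from unlinking anything that is not a regular file in a directory written by the pkiuser account. Since the rotated files belong to pkiuser, `user => 'pkiuser'` would be the least-privilege choice, provided that account is permitted to run cron jobs on these hosts — worth confirming. Note that `-mtime +7` matches files last modified more than seven full days ago, so the new comment line's "older than 7 days" is off by up to a day. The enclosing class body continues on both sides of the hunk.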