diff --git a/letsencrypt/hooks/log_rotate-relation-joined b/letsencrypt/hooks/log_rotate-relation-joined
new file mode 100755
index 0000000..ec57cb6
--- /dev/null
+++ b/letsencrypt/hooks/log_rotate-relation-joined
@@ -0,0 +1,53 @@
+#!/bin/bash
+
+## Should be executable N time in a row with same result.
+
+. lib/common
+
+set -e
+
+LOGS=/var/log/letsencrypt
+
+## XXXvlab: hum it seems apache logging is run as root, so well...
+# logs_creds=$(cached_cmd_on_base_image apache "stat -c '%u %g' '$LOGS'") || {
+#     debug "Failed to query for www-data gid in ${DARKYELLOW}apache${NORMAL} base image."
+#     return 1
+# }
+
+rotated_count=$(relation-get rotated-count 2>/dev/null) || true
+rotated_count=${rotated_count:-52}
+
+## Here, we rely on ``delaycompress`` option and the fact that letsencrypt is
+## run-once type of service to ensure logrotation will play it safely with the
+## log writing process.
+
+## XXXvlab: a lot of this intelligence should be moved away into ``logrotate`` charm
+DST="$CONFIGSTORE/$TARGET_SERVICE_NAME/etc/logrotate.d/$SERVICE_NAME"
+file_put "$DST" <<EOF
+/var/log/docker/$SERVICE_NAME/letsencrypt.log
+ {
+    weekly
+    missingok
+    dateext
+    dateyesterday
+    dateformat _%Y-%m-%d
+    extension .log
+    rotate $rotated_count
+    compress
+    delaycompress
+    notifempty
+    create 640 root root
+    sharedscripts
+}
+EOF
+
+config-add "\
+services:
+  $MASTER_TARGET_SERVICE_NAME:
+    volumes:
+      - $DST:/etc/logrotate.d/docker-${SERVICE_NAME}:ro
+      - $SERVICE_DATASTORE$LOGS:/var/log/docker/$SERVICE_NAME:rw
+  $MASTER_BASE_SERVICE_NAME:
+    volumes:
+      - $SERVICE_DATASTORE$LOGS:$LOGS:rw
+"