nginx: Add goaccess module for metrics

2024-04-12 17:35:56 +02:00 · 2024-04-12 17:35:56 +02:00 · 05fd484279
commit 05fd484279
parent b846584207
4 changed files with 85 additions and 3 deletions
--- a/modules/web01/default.nix
+++ b/modules/web01/default.nix
@ -3,6 +3,7 @@
    ./borgbackup.nix
    ./clan-merge.nix
    ./gitea
+    ./goaccess.nix
    ./harmonia.nix
    ./homepage.nix
    ./postfix.nix
--- a/modules/web01/gitea/default.nix
+++ b/modules/web01/gitea/default.nix
@ -1,4 +1,6 @@
-{ pkgs, self, ... }: {
+{ pkgs, lib, publog, self, ... }:
+
+{

  imports = [
    ./postgresql.nix
@ -35,7 +37,7 @@
    settings.session.COOKIE_SECURE = true;
  };

-  services.nginx.virtualHosts."git.clan.lol" = {
+  services.nginx.virtualHosts."git.clan.lol" = publog.publog {
    forceSSL = true;
    enableACME = true;
    # The add_header directive is used to set the Content-Security-Policy header to allow embedding the Gitea instance in an iframe on the pad.lassul.us instance.
--- a/modules/web01/goaccess.nix
+++ b/modules/web01/goaccess.nix
@ -0,0 +1,76 @@
+{ stdenv, lib, pkgs, ... }:
+let
+  # make the logs for this host "public" so that they show up in e.g. metrics
+  publog = vhost: lib.attrsets.unionOfDisjoint vhost {
+    extraConfig = (vhost.extraConfig or "") + ''
+      access_log /var/log/nginx/public.log vcombined;
+    '';
+  };
+in
+{
+
+  publog.publog = publog;
+
+  services.nginx.commonHttpConfig = ''
+    log_format vcombined '$host:$server_port $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referrer" "$http_user_agent"';
+    access_log /var/log/nginx/private.log vcombined;
+  '';
+
+  systemd.services.goaccess = {
+    description = "GoAccess server monitoring";
+    serviceConfig = {
+      ExecStart = ''
+        ${pkgs.goaccess}/bin/goaccess \
+          -f /var/log/nginx/public.log \
+          --log-format=VCOMBINED \
+          --real-time-html \
+          --html-refresh=30 \
+          --no-query-string \
+          --anonymize-ip \
+          --ignore-panel=HOSTS \
+          --ws-url=wss://metrics.clan.lol:443/ws \
+          --port=7890 \
+          -o /var/www/goaccess/index.html
+      '';
+      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+      Type = "simple";
+      Restart = "on-failure";
+      RestartSec = "10s";
+
+      # hardening
+      WorkingDirectory = "/tmp";
+      NoNewPrivileges = true;
+      PrivateTmp = true;
+      ProtectHome = "read-only";
+      ProtectSystem = "strict";
+      SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @reboot @resources @setuid @swap @raw-io";
+      ReadOnlyPaths = "/";
+      ReadWritePaths = [ "/proc/self" "/var/www/goaccess" ];
+      PrivateDevices = "yes";
+      ProtectKernelModules = "yes";
+      ProtectKernelTunables = "yes";
+    };
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+  };
+
+  # server statistics
+  services.nginx.virtualHosts."metrics.clan.lol" = {
+    addSSL = true;
+    enableACME = true;
+    # inherit kTLS;
+    root = "/var/www/goaccess";
+
+    locations."/ws" = {
+      proxyPass = "http://127.0.0.1:7890";
+      # XXX not sure how much of this is necessary
+      extraConfig = ''
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_buffering off;
+        proxy_read_timeout 7d;
+      '';
+    };
+  };
+}
--- a/modules/web01/homepage.nix
+++ b/modules/web01/homepage.nix
@ -1,4 +1,6 @@
-{ config, pkgs, self, ... }: {
+{ config, lib, pkgs, self, ... }:
+
+{
  security.acme.defaults.email = "admins@clan.lol";
  security.acme.acceptTerms = true;

@ -22,6 +24,7 @@
  ];

  services.nginx = {
+
    virtualHosts."clan.lol" = {
      forceSSL = true;
      enableACME = true;