From 05fd48427929fab6ee68337353e3d2fc221a2019 Mon Sep 17 00:00:00 2001
From: Qubasa
Date: Fri, 12 Apr 2024 17:35:56 +0200
Subject: [PATCH] nginx: Add goaccess module for metrics

---
 modules/web01/default.nix       |  1 +
 modules/web01/gitea/default.nix |  6 ++-
 modules/web01/goaccess.nix      | 76 +++++++++++++++++++++++++++++++++
 modules/web01/homepage.nix      |  5 ++-
 4 files changed, 85 insertions(+), 3 deletions(-)
 create mode 100644 modules/web01/goaccess.nix

diff --git a/modules/web01/default.nix b/modules/web01/default.nix
index 4c78c69..b4b7fba 100644
--- a/modules/web01/default.nix
+++ b/modules/web01/default.nix
@@ -3,6 +3,7 @@
     ./borgbackup.nix
     ./clan-merge.nix
     ./gitea
+    ./goaccess.nix
     ./harmonia.nix
     ./homepage.nix
     ./postfix.nix
diff --git a/modules/web01/gitea/default.nix b/modules/web01/gitea/default.nix
index 25bd736..eb56bab 100644
--- a/modules/web01/gitea/default.nix
+++ b/modules/web01/gitea/default.nix
@@ -1,4 +1,6 @@
-{ pkgs, self, ... }: {
+{ pkgs, lib, publog, self, ... }:
+
+{
 
   imports = [
     ./postgresql.nix
@@ -35,7 +37,7 @@
     settings.session.COOKIE_SECURE = true;
   };
 
-  services.nginx.virtualHosts."git.clan.lol" = {
+  services.nginx.virtualHosts."git.clan.lol" = publog.publog {
     forceSSL = true;
     enableACME = true;
     # The add_header directive is used to set the Content-Security-Policy header to allow embedding the Gitea instance in an iframe on the pad.lassul.us instance.
diff --git a/modules/web01/goaccess.nix b/modules/web01/goaccess.nix
new file mode 100644
index 0000000..6be06e7
--- /dev/null
+++ b/modules/web01/goaccess.nix
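Review bot: Wrapping `services.nginx.virtualHosts."git.clan.lol"` in `publog.publog` routes this forge's access log into `public.log`, which feeds a dashboard served without authentication, so every requested path on git.clan.lol (repository and user names, including any private repositories the instance hosts) becomes world-readable; the IP anonymisation in the goaccess unit does not hide paths. If that is intended, say so next to the call: `# publog: request paths of this vhost are shown on the public metrics dashboard`. Also note that `publog` is taken as a module function argument and `publog.publog` is assigned as a plain config attribute in goaccess.nix; neither an option declaration nor a `_module.args.publog` binding is visible in this patch, so evaluation would fail unless they are defined elsewhere. The added `lib` argument is unused in the lines shown here.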
@@ -0,0 +1,76 @@
+{ stdenv, lib, pkgs, ... }:
+let
+  # make the logs for this host "public" so that they show up in e.g. metrics
+  publog = vhost: lib.attrsets.unionOfDisjoint vhost {
+    extraConfig = (vhost.extraConfig or "") + ''
+      access_log /var/log/nginx/public.log vcombined;
+    '';
+  };
+in
+{
+
+  publog.publog = publog;
+  services.nginx.commonHttpConfig = ''
+    log_format vcombined '$host:$server_port $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referrer" "$http_user_agent"';
+    access_log /var/log/nginx/private.log vcombined;
+  '';
+
+  systemd.services.goaccess = {
+    description = "GoAccess server monitoring";
+    serviceConfig = {
+      ExecStart = ''
+        ${pkgs.goaccess}/bin/goaccess \
+          -f /var/log/nginx/public.log \
+          --log-format=VCOMBINED \
+          --real-time-html \
+          --html-refresh=30 \
+          --no-query-string \
+          --anonymize-ip \
+          --ignore-panel=HOSTS \
+          --ws-url=wss://metrics.clan.lol:443/ws \
+          --port=7890 \
+          -o /var/www/goaccess/index.html
+      '';
+      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+      Type = "simple";
+      Restart = "on-failure";
+      RestartSec = "10s";
+
+      # hardening
+      WorkingDirectory = "/tmp";
+      NoNewPrivileges = true;
+      PrivateTmp = true;
+      ProtectHome = "read-only";
+      ProtectSystem = "strict";
+      SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @reboot @resources @setuid @swap @raw-io";
+      ReadOnlyPaths = "/";
+      ReadWritePaths = [ "/proc/self" "/var/www/goaccess" ];
+      PrivateDevices = "yes";
+      ProtectKernelModules = "yes";
+      ProtectKernelTunables = "yes";
+    };
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+  };
+
+  # server statistics
+  services.nginx.virtualHosts."metrics.clan.lol" = {
+    addSSL = true;
+    enableACME = true;
+    # inherit kTLS;
+    root = "/var/www/goaccess";
+
+    locations."/ws" = {
+      proxyPass = "http://127.0.0.1:7890";
+      # XXX not sure how much of this is necessary
+      extraConfig = ''
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_buffering off;
+        proxy_read_timeout 7d;
+      '';
+    };
+  };
+}
diff --git a/modules/web01/homepage.nix b/modules/web01/homepage.nix
index a352c65..9c322f9 100644
--- a/modules/web01/homepage.nix
+++ b/modules/web01/homepage.nix
@@ -1,4 +1,6 @@
-{ config, pkgs, self, ... }: {
+{ config, lib, pkgs, self, ... }:
+
+{
 
   security.acme.defaults.email = "admins@clan.lol";
   security.acme.acceptTerms = true;
@@ -22,6 +24,7 @@
   ];
 
   services.nginx = {
+
     virtualHosts."clan.lol" = {
       forceSSL = true;
       enableACME = true;
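Review bot: The `systemd.services.goaccess` unit sets no `User` or `DynamicUser`, so despite the hardening block both the log parser and its real-time WebSocket server run as root; `DynamicUser = true;` plus `SupplementaryGroups = [ "nginx" ];` would contain it, assuming the nginx log directory is group-readable (not visible in this patch). The server is started with `--port=7890` but no `--addr`, so goaccess listens on all interfaces by default and the nginx `/ws` proxy is not the only way to reach it unless the host firewall closes that port; `--addr=127.0.0.1 \` pins it to loopback. Separately, the `log_format vcombined` line logs `"$http_referrer"`, but the request header is spelled `Referer`, so that field will always be `-` in both logs and the dashboard; it should read `"$http_referer"`. Note also that `metrics.clan.lol` serves the dashboard with no authentication and `addSSL` rather than `forceSSL`, so the request paths of every `publog`-wrapped vhost are readable by anyone, also over plain HTTP; confirm that is intended.
```nix
    log_format vcombined '$host:$server_port $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
# … unchanged: private.log access_log, service description …
    serviceConfig = {
      DynamicUser = true;
      # needs read access to /var/log/nginx; confirm the directory's group
      SupplementaryGroups = [ "nginx" ];
      ExecStart = ''
        ${pkgs.goaccess}/bin/goaccess \
          -f /var/log/nginx/public.log \
          --addr=127.0.0.1 \
          --port=7890 \
# … unchanged: remaining goaccess flags, hardening, vhost …
```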