diff --git a/modules/web01/default.nix b/modules/web01/default.nix index 4c78c69..b4b7fba 100644 --- a/modules/web01/default.nix +++ b/modules/web01/default.nix @@ -3,6 +3,7 @@ ./borgbackup.nix ./clan-merge.nix ./gitea + ./goaccess.nix ./harmonia.nix ./homepage.nix ./postfix.nix diff --git a/modules/web01/gitea/default.nix b/modules/web01/gitea/default.nix index 25bd736..de2f9c3 100644 --- a/modules/web01/gitea/default.nix +++ b/modules/web01/gitea/default.nix @@ -1,4 +1,14 @@ -{ pkgs, self, ... }: { +{ config, pkgs, lib, publog, self, ... }: + +let + # make the logs for this host "public" so that they show up in e.g. metrics + publog = vhost: lib.attrsets.unionOfDisjoint vhost { + extraConfig = (vhost.extraConfig or "") + '' + access_log /var/log/nginx/public.log vcombined; + ''; + }; +in +{ imports = [ ./postgresql.nix @@ -35,7 +45,7 @@ settings.session.COOKIE_SECURE = true; }; - services.nginx.virtualHosts."git.clan.lol" = { + services.nginx.virtualHosts."git.clan.lol" = publog { forceSSL = true; enableACME = true; # The add_header directive is used to set the Content-Security-Policy header to allow embedding the Gitea instance in an iframe on the pad.lassul.us instance. diff --git a/modules/web01/goaccess.nix b/modules/web01/goaccess.nix new file mode 100644 index 0000000..bc9dcc7 --- /dev/null +++ b/modules/web01/goaccess.nix 
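Review bot: In the `@@ -1,4 +1,14 @@` hunk of gitea/default.nix, `publog` is taken as a module argument and then shadowed by the `let` binding of the same name; the argument is never used, and unless something supplies `publog` through `_module.args` the module system will fail evaluation with a missing-argument error, so the header should go back to `{ config, pkgs, lib, self, ... }:`. The helper itself also looks wrong: `lib.attrsets.unionOfDisjoint` aborts when both sets define a key, yet the function explicitly reads `vhost.extraConfig or ""`, so any vhost that already has `extraConfig` (the `git.clan.lol` host wrapped in the next hunk appears to set one for its CSP `add_header`) would make the build fail instead of appending the `access_log` line. `vhost // { extraConfig = (vhost.extraConfig or "") + ''...''; }` is the merge the comment describes, since `//` lets the right-hand `extraConfig` replace the original. The module body this hunk opens continues outside the hunk.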
@@ -0,0 +1,77 @@
+{ stdenv, lib, pkgs, ... }:
+
+let
+ domain = "metrics.gchq.icu";
+in
+{
+ users.users.goaccess = {
+ isSystemUser = true;
+ group = "nginx";
+ createHome = true;
+ home = "/var/www/goaccess";
+ homeMode = "0774";
+ };
+
+ services.nginx.commonHttpConfig = ''
+ log_format vcombined '$host:$server_port $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referrer" "$http_user_agent"';
+ access_log /var/log/nginx/private.log vcombined;
+ '';
+
+ systemd.services.goaccess = {
+ description = "GoAccess server monitoring";
+ serviceConfig = {
+ User = "goaccess";
+ Group = "nginx";
+ ExecStart = ''
+ ${pkgs.goaccess}/bin/goaccess \
+ -f /var/log/nginx/public.log \
+ --log-format=VCOMBINED \
+ --real-time-html \
+ --html-refresh=30 \
+ --no-query-string \
+ --anonymize-ip \
+ --ignore-panel=HOSTS \
+ --ws-url=wss://${domain}:443/ws \
+ --port=7890 \
+ -o index.html
+ '';
+ ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+ Type = "simple";
+ Restart = "on-failure";
+ RestartSec = "10s";
+
+ # hardening
+ WorkingDirectory = "/var/www/goaccess";
+ NoNewPrivileges = true;
+ PrivateTmp = true;
+ ProtectHome = "read-only";
+ ProtectSystem = "strict";
+ SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @reboot @resources @setuid @swap @raw-io";
+ ReadOnlyPaths = "/";
+ ReadWritePaths = [ "/proc/self" "/var/www/goaccess" ];
+ PrivateDevices = "yes";
+ ProtectKernelModules = "yes";
+ ProtectKernelTunables = "yes";
+ };
+ after = [ "network.target" ];
+ wantedBy = [ "multi-user.target" ];
+ };
+
+
+ services.nginx.virtualHosts."${domain}" = {
+ addSSL = true;
+ enableACME = true;
+ root = "/var/www/goaccess";
+
+ locations."/ws" = {
+ proxyPass = "http://127.0.0.1:7890";
+ extraConfig = ''
+ proxy_http_version 1.1;
+ proxy_set_header Upgrade $http_upgrade;
+ proxy_set_header Connection $connection_upgrade;
+ proxy_buffering off;
+ proxy_read_timeout 7d;
+ '';
+ };
+ };
+} diff --git a/modules/web01/homepage.nix b/modules/web01/homepage.nix index a352c65..9c322f9 100644 --- a/modules/web01/homepage.nix +++ b/modules/web01/homepage.nix @@ -1,4 +1,6 @@ -{ config, pkgs, self, ... }: { +{ config, lib, pkgs, self, ... }: + +{ security.acme.defaults.email = "admins@clan.lol"; security.acme.acceptTerms = true; @@ -22,6 +24,7 @@ ]; services.nginx = { + virtualHosts."clan.lol" = { forceSSL = true; enableACME = true;
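Review bot: The `log_format vcombined` line uses `$http_referrer`, but nginx derives `$http_*` variables from the header name and the header is spelled `Referer`, so this resolves to a `Referrer` header browsers never send and the referer column of both `private.log` and `public.log` will always be `-`; it should read `"$http_referer"` to match what GoAccess's `VCOMBINED` format expects. The report is served at `metrics.gchq.icu` with no authentication and with `addSSL = true` rather than `forceSSL`, so it stays reachable over plain HTTP; since `--anonymize-ip` only masks addresses, the published page still exposes the request paths of every vhost that opts into `public.log` (for a Gitea host these may include private repository names), so either confirm that is intended or add a `basicAuthFile` and switch to `forceSSL = true;`. The module header `{ stdenv, lib, pkgs, ... }:` asks for `stdenv`, which is not a standard module argument and is unused (as is `lib`); unless it is injected via `_module.args` evaluation will fail, so `{ pkgs, ... }:` is safer. `homeMode = "0774"` also makes the web root writable by every member of the `nginx` group, including the nginx workers that serve it; `0755` is enough since only the `goaccess` user writes `index.html`.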