From 05fd48427929fab6ee68337353e3d2fc221a2019 Mon Sep 17 00:00:00 2001 From: Qubasa Date: Fri, 12 Apr 2024 17:35:56 +0200 Subject: [PATCH 1/2] nginx: Add goaccess module for metrics --- modules/web01/default.nix | 1 + modules/web01/gitea/default.nix | 6 ++- modules/web01/goaccess.nix | 76 +++++++++++++++++++++++++++++++++ modules/web01/homepage.nix | 5 ++- 4 files changed, 85 insertions(+), 3 deletions(-) create mode 100644 modules/web01/goaccess.nix diff --git a/modules/web01/default.nix b/modules/web01/default.nix index 4c78c69..b4b7fba 100644 --- a/modules/web01/default.nix +++ b/modules/web01/default.nix @@ -3,6 +3,7 @@ ./borgbackup.nix ./clan-merge.nix ./gitea + ./goaccess.nix ./harmonia.nix ./homepage.nix ./postfix.nix diff --git a/modules/web01/gitea/default.nix b/modules/web01/gitea/default.nix index 25bd736..eb56bab 100644 --- a/modules/web01/gitea/default.nix +++ b/modules/web01/gitea/default.nix @@ -1,4 +1,6 @@ -{ pkgs, self, ... }: { +{ pkgs, lib, publog, self, ... }: + +{ imports = [ ./postgresql.nix @@ -35,7 +37,7 @@ settings.session.COOKIE_SECURE = true; }; - services.nginx.virtualHosts."git.clan.lol" = { + services.nginx.virtualHosts."git.clan.lol" = publog.publog { forceSSL = true; enableACME = true; # The add_header directive is used to set the Content-Security-Policy header to allow embedding the Gitea instance in an iframe on the pad.lassul.us instance. diff --git a/modules/web01/goaccess.nix b/modules/web01/goaccess.nix new file mode 100644 index 0000000..6be06e7 --- /dev/null +++ b/modules/web01/goaccess.nix @@ -0,0 +1,76 @@ +{ stdenv, lib, pkgs, ... }: +let + # make the logs for this host "public" so that they show up in e.g. metrics + publog = vhost: lib.attrsets.unionOfDisjoint vhost { + extraConfig = (vhost.extraConfig or "") + '' + access_log /var/log/nginx/public.log vcombined; + ''; + }; +in +{ + + publog.publog = publog; + + services.nginx.commonHttpConfig = '' + log_format vcombined '$host:$server_port $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referrer" "$http_user_agent"'; + access_log /var/log/nginx/private.log vcombined; + ''; + + systemd.services.goaccess = { + description = "GoAccess server monitoring"; + serviceConfig = { + ExecStart = '' + ${pkgs.goaccess}/bin/goaccess \ + -f /var/log/nginx/public.log \ + --log-format=VCOMBINED \ + --real-time-html \ + --html-refresh=30 \ + --no-query-string \ + --anonymize-ip \ + --ignore-panel=HOSTS \ + --ws-url=wss://metrics.clan.lol:443/ws \ + --port=7890 \ + -o /var/www/goaccess/index.html + ''; + ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; + Type = "simple"; + Restart = "on-failure"; + RestartSec = "10s"; + + # hardening + WorkingDirectory = "/tmp"; + NoNewPrivileges = true; + PrivateTmp = true; + ProtectHome = "read-only"; + ProtectSystem = "strict"; + SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @reboot @resources @setuid @swap @raw-io"; + ReadOnlyPaths = "/"; + ReadWritePaths = [ "/proc/self" "/var/www/goaccess" ]; + PrivateDevices = "yes"; + ProtectKernelModules = "yes"; + ProtectKernelTunables = "yes"; + }; + after = [ "network.target" ]; + wantedBy = [ "multi-user.target" ]; + }; + + # server statistics + services.nginx.virtualHosts."metrics.clan.lol" = { + addSSL = true; + enableACME = true; + # inherit kTLS; + root = "/var/www/goaccess"; + + locations."/ws" = { + proxyPass = "http://127.0.0.1:7890"; + # XXX not sure how much of this is necessary + extraConfig = '' + proxy_http_version 1.1; + proxy_set_header Upgrade $http_upgrade; + proxy_set_header Connection $connection_upgrade; + proxy_buffering off; + proxy_read_timeout 7d; + ''; + }; + }; +} diff --git a/modules/web01/homepage.nix b/modules/web01/homepage.nix index a352c65..9c322f9 100644 --- a/modules/web01/homepage.nix +++ b/modules/web01/homepage.nix @@ -1,4 +1,6 @@ -{ config, pkgs, self, ... }: { +{ config, lib, pkgs, self, ... }: + +{ security.acme.defaults.email = "admins@clan.lol"; security.acme.acceptTerms = true; @@ -22,6 +24,7 @@ ]; services.nginx = { + virtualHosts."clan.lol" = { forceSSL = true; enableACME = true; From cf36395017b23a81bc41460c4fbd2cd3a2f7f4cf Mon Sep 17 00:00:00 2001 From: Qubasa Date: Sat, 13 Apr 2024 15:38:30 +0200 Subject: [PATCH 2/2] goaccess: Add goaccess.nix module --- modules/web01/gitea/default.nix | 12 ++++++++++-- modules/web01/goaccess.nix | 31 ++++++++++++++++--------------- 2 files changed, 26 insertions(+), 17 deletions(-) diff --git a/modules/web01/gitea/default.nix b/modules/web01/gitea/default.nix index eb56bab..de2f9c3 100644 --- a/modules/web01/gitea/default.nix +++ b/modules/web01/gitea/default.nix @@ -1,5 +1,13 @@ -{ pkgs, lib, publog, self, ... }: +{ config, pkgs, lib, publog, self, ... }: +let + # make the logs for this host "public" so that they show up in e.g. metrics + publog = vhost: lib.attrsets.unionOfDisjoint vhost { + extraConfig = (vhost.extraConfig or "") + '' + access_log /var/log/nginx/public.log vcombined; + ''; + }; +in { imports = [ @@ -37,7 +45,7 @@ settings.session.COOKIE_SECURE = true; }; - services.nginx.virtualHosts."git.clan.lol" = publog.publog { + services.nginx.virtualHosts."git.clan.lol" = publog { forceSSL = true; enableACME = true; # The add_header directive is used to set the Content-Security-Policy header to allow embedding the Gitea instance in an iframe on the pad.lassul.us instance. diff --git a/modules/web01/goaccess.nix b/modules/web01/goaccess.nix index 6be06e7..bc9dcc7 100644 --- a/modules/web01/goaccess.nix +++ b/modules/web01/goaccess.nix @@ -1,15 +1,16 @@ { stdenv, lib, pkgs, ... }: + let - # make the logs for this host "public" so that they show up in e.g. metrics - publog = vhost: lib.attrsets.unionOfDisjoint vhost { - extraConfig = (vhost.extraConfig or "") + '' - access_log /var/log/nginx/public.log vcombined; - ''; - }; + domain = "metrics.gchq.icu"; in { - - publog.publog = publog; + users.users.goaccess = { + isSystemUser = true; + group = "nginx"; + createHome = true; + home = "/var/www/goaccess"; + homeMode = "0774"; + }; services.nginx.commonHttpConfig = '' log_format vcombined '$host:$server_port $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referrer" "$http_user_agent"'; @@ -19,6 +20,8 @@ in systemd.services.goaccess = { description = "GoAccess server monitoring"; serviceConfig = { + User = "goaccess"; + Group = "nginx"; ExecStart = '' ${pkgs.goaccess}/bin/goaccess \ -f /var/log/nginx/public.log \ @@ -28,9 +31,9 @@ in --no-query-string \ --anonymize-ip \ --ignore-panel=HOSTS \ - --ws-url=wss://metrics.clan.lol:443/ws \ + --ws-url=wss://${domain}:443/ws \ --port=7890 \ - -o /var/www/goaccess/index.html + -o index.html ''; ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID"; Type = "simple"; @@ -38,7 +41,7 @@ in RestartSec = "10s"; # hardening - WorkingDirectory = "/tmp"; + WorkingDirectory = "/var/www/goaccess"; NoNewPrivileges = true; PrivateTmp = true; ProtectHome = "read-only"; @@ -54,16 +57,14 @@ in wantedBy = [ "multi-user.target" ]; }; - # server statistics - services.nginx.virtualHosts."metrics.clan.lol" = { + + services.nginx.virtualHosts."${domain}" = { addSSL = true; enableACME = true; - # inherit kTLS; root = "/var/www/goaccess"; locations."/ws" = { proxyPass = "http://127.0.0.1:7890"; - # XXX not sure how much of this is necessary extraConfig = '' proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade;