goaccess: Add goaccess.nix module

2024-04-13 15:38:30 +02:00 · 2024-04-13 15:38:30 +02:00 · cf36395017
commit cf36395017
parent 05fd484279
2 changed files with 26 additions and 17 deletions
--- a/modules/web01/gitea/default.nix
+++ b/modules/web01/gitea/default.nix
@ -1,5 +1,13 @@
-{ pkgs, lib, publog, self, ... }:
+{ config, pkgs, lib, publog, self, ... }:

+let
+  # make the logs for this host "public" so that they show up in e.g. metrics
+  publog = vhost: lib.attrsets.unionOfDisjoint vhost {
+    extraConfig = (vhost.extraConfig or "") + ''
+      access_log /var/log/nginx/public.log vcombined;
+    '';
+  };
+in
 {

  imports = [
@ -37,7 +45,7 @@
    settings.session.COOKIE_SECURE = true;
  };

-  services.nginx.virtualHosts."git.clan.lol" = publog.publog {
+  services.nginx.virtualHosts."git.clan.lol" = publog {
    forceSSL = true;
    enableACME = true;
    # The add_header directive is used to set the Content-Security-Policy header to allow embedding the Gitea instance in an iframe on the pad.lassul.us instance.
--- a/modules/web01/goaccess.nix
+++ b/modules/web01/goaccess.nix
@ -1,15 +1,16 @@
 { stdenv, lib, pkgs, ... }:
+
 let
-  # make the logs for this host "public" so that they show up in e.g. metrics
-  publog = vhost: lib.attrsets.unionOfDisjoint vhost {
-    extraConfig = (vhost.extraConfig or "") + ''
-      access_log /var/log/nginx/public.log vcombined;
-    '';
-  };
+  domain = "metrics.gchq.icu";
 in
 {
-
-  publog.publog = publog;
+  users.users.goaccess = {
+    isSystemUser = true;
+    group = "nginx";
+    createHome = true;
+    home = "/var/www/goaccess";
+    homeMode = "0774";
+  };

  services.nginx.commonHttpConfig = ''
    log_format vcombined '$host:$server_port $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referrer" "$http_user_agent"';
@ -19,6 +20,8 @@ in
  systemd.services.goaccess = {
    description = "GoAccess server monitoring";
    serviceConfig = {
+      User = "goaccess";
+      Group = "nginx";
      ExecStart = ''
        ${pkgs.goaccess}/bin/goaccess \
          -f /var/log/nginx/public.log \
@ -28,9 +31,9 @@ in
          --no-query-string \
          --anonymize-ip \
          --ignore-panel=HOSTS \
-          --ws-url=wss://metrics.clan.lol:443/ws \
+          --ws-url=wss://${domain}:443/ws \
          --port=7890 \
-          -o /var/www/goaccess/index.html
+          -o index.html
      '';
      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
      Type = "simple";
@ -38,7 +41,7 @@ in
      RestartSec = "10s";

      # hardening
-      WorkingDirectory = "/tmp";
+      WorkingDirectory = "/var/www/goaccess";
      NoNewPrivileges = true;
      PrivateTmp = true;
      ProtectHome = "read-only";
@ -54,16 +57,14 @@ in
    wantedBy = [ "multi-user.target" ];
  };

-  # server statistics
-  services.nginx.virtualHosts."metrics.clan.lol" = {
+
+  services.nginx.virtualHosts."${domain}" = {
    addSSL = true;
    enableACME = true;
-    # inherit kTLS;
    root = "/var/www/goaccess";

    locations."/ws" = {
      proxyPass = "http://127.0.0.1:7890";
-      # XXX not sure how much of this is necessary
      extraConfig = ''
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;