From cf36395017b23a81bc41460c4fbd2cd3a2f7f4cf Mon Sep 17 00:00:00 2001
From: Qubasa
Date: Sat, 13 Apr 2024 15:38:30 +0200
Subject: [PATCH] goaccess: Add goaccess.nix module
---
 modules/web01/gitea/default.nix | 12 ++++++++++--
 modules/web01/goaccess.nix | 31 ++++++++++++++++---------------
 2 files changed, 26 insertions(+), 17 deletions(-)
diff --git a/modules/web01/gitea/default.nix b/modules/web01/gitea/default.nix
index eb56bab..de2f9c3 100644
--- a/modules/web01/gitea/default.nix
+++ b/modules/web01/gitea/default.nix
@@ -1,5 +1,13 @@
-{ pkgs, lib, publog, self, ... }:
+{ config, pkgs, lib, publog, self, ... }:
+let
+  # make the logs for this host "public" so that they show up in e.g. metrics
+  publog = vhost: lib.attrsets.unionOfDisjoint vhost {
+    extraConfig = (vhost.extraConfig or "") + ''
+      access_log /var/log/nginx/public.log vcombined;
+    '';
+  };
+in
 {
   imports = [
@@ -37,7 +45,7 @@
     settings.session.COOKIE_SECURE = true;
   };
-  services.nginx.virtualHosts."git.clan.lol" = publog.publog {
+  services.nginx.virtualHosts."git.clan.lol" = publog {
     forceSSL = true;
     enableACME = true;
     # The add_header directive is used to set the Content-Security-Policy header to allow embedding the Gitea instance in an iframe on the pad.lassul.us instance.
diff --git a/modules/web01/goaccess.nix b/modules/web01/goaccess.nix
index 6be06e7..bc9dcc7 100644
--- a/modules/web01/goaccess.nix
+++ b/modules/web01/goaccess.nix
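Review bot: The new `let`-bound `publog` shadows the `publog` module argument that the signature on the hunk's first line still declares, so that argument is now dead code — and if nothing supplies it through `_module.args`/`specialArgs` any more (the commit also removes `publog.publog = publog;` from goaccess.nix), module evaluation fails with a missing-argument error; drop it: `{ config, pkgs, lib, self, ... }:`. The helper also copies every git.clan.lol request line into `/var/log/nginx/public.log`, which goaccess renders on a publicly served page; `--no-query-string` strips query strings but not paths, so if this instance hosts private repositories their names would be visible in the requests panels — worth stating next to the existing comment, e.g. `# NOTE: request paths (incl. private repo names, if any) end up on the public stats page`. `config` is added to the signature but not used anywhere in the hunk; the module body continues past the hunk.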
@@ -1,15 +1,16 @@
 { stdenv, lib, pkgs, ... }:
+
 let
-  # make the logs for this host "public" so that they show up in e.g. metrics
-  publog = vhost: lib.attrsets.unionOfDisjoint vhost {
-    extraConfig = (vhost.extraConfig or "") + ''
-      access_log /var/log/nginx/public.log vcombined;
-    '';
-  };
+  domain = "metrics.gchq.icu";
 in
 {
-
-  publog.publog = publog;
+  users.users.goaccess = {
+    isSystemUser = true;
+    group = "nginx";
+    createHome = true;
+    home = "/var/www/goaccess";
+    homeMode = "0774";
+  };
   services.nginx.commonHttpConfig = ''
     log_format vcombined '$host:$server_port $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referrer" "$http_user_agent"';
@@ -19,6 +20,8 @@ in
   systemd.services.goaccess = {
     description = "GoAccess server monitoring";
     serviceConfig = {
+      User = "goaccess";
+      Group = "nginx";
       ExecStart = ''
         ${pkgs.goaccess}/bin/goaccess \
           -f /var/log/nginx/public.log \
@@ -28,9 +31,9 @@ in
           --no-query-string \
           --anonymize-ip \
           --ignore-panel=HOSTS \
-          --ws-url=wss://metrics.clan.lol:443/ws \
+          --ws-url=wss://${domain}:443/ws \
           --port=7890 \
-          -o /var/www/goaccess/index.html
+          -o index.html
       '';
       ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
       Type = "simple";
@@ -38,7 +41,7 @@ in
       RestartSec = "10s";
       # hardening
-      WorkingDirectory = "/tmp";
+      WorkingDirectory = "/var/www/goaccess";
       NoNewPrivileges = true;
       PrivateTmp = true;
       ProtectHome = "read-only";
@@ -54,16 +57,14 @@ in
     wantedBy = [ "multi-user.target" ];
   };
-  # server statistics
-  services.nginx.virtualHosts."metrics.clan.lol" = {
+
+  services.nginx.virtualHosts."${domain}" = {
     addSSL = true;
     enableACME = true;
-    # inherit kTLS;
     root = "/var/www/goaccess";
     locations."/ws" = {
       proxyPass = "http://127.0.0.1:7890";
-      # XXX not sure how much of this is necessary
       extraConfig = ''
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
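Review bot: `homeMode = "0774"` gives the `nginx` group write access to `/var/www/goaccess`, the directory this commit makes both the vhost root and the place goaccess writes `index.html`; nginx only needs to read it to serve the page, so a compromised worker should not be able to replace the published report — `homeMode = "0750";` is enough (owner rwx for goaccess, group r-x for nginx), and the other-read bit is not needed either since the file is only served through nginx. Unrelated to the new lines but in the same hunk: the `log_format` uses `$http_referrer`, which reads a `Referrer:` header browsers never send; the nginx variable for the standard header is `$http_referer`, so the referrer field is presumably always `-` and the referrers panel stays empty until this is fixed.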
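Review bot: `Group = "nginx"` (together with `group = "nginx"` on the new user) is presumably what lets the service read `/var/log/nginx/public.log` passed on the `-f` line below, but nothing says so; a one-line comment would stop the next reader from loosening it or wondering why a log viewer belongs to the web server's group: `# nginx group: read access to /var/log/nginx/*.log`. It also means the process can write anywhere the nginx group can, so that group's permissions need to stay tight elsewhere. The serviceConfig block continues outside the hunk.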
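Review bot: `--port=7890` starts goaccess's WebSocket server, and without `--addr` goaccess binds it to 0.0.0.0, so the unencrypted real-time feed is reachable on every interface of the host rather than only through the nginx `/ws` proxy at `127.0.0.1:7890` (unless a host firewall happens to block it); add `--addr=127.0.0.1 \` next to `--port`. Since the report is now served under `${domain}`, `--origin=https://${domain} \` would additionally let goaccess reject WebSocket clients from other origins. The new `-o index.html` depends on `WorkingDirectory` being `/var/www/goaccess`, which is set in a separate hunk; a comment on that line, `# relative to WorkingDirectory`, would make the coupling explicit.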
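Review bot: `WorkingDirectory = "/var/www/goaccess"` is now where the service writes its report (`-o index.html` in ExecStart), but the hardening block continues past the hunk, and if it contains `ProtectSystem = "strict"` that write fails at runtime with a read-only filesystem error; in that case add `ReadWritePaths = [ "/var/www/goaccess" ];` beside it. `ProtectHome = "read-only"` is not affected, since it covers only `/home`, `/root` and `/run/user`, not the user's `home` placed under `/var/www`. A comment here, `# ExecStart writes index.html relative to this directory`, would document why the working directory moved away from `/tmp`.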