modules/web01/gitea/default.nix

@@ -4,7 +4,7 @@ let
   # make the logs for this host "public" so that they show up in e.g. metrics
   publog = vhost: lib.attrsets.unionOfDisjoint vhost {
     extraConfig = (vhost.extraConfig or "") + ''
-      access_log /var/log/nginx/public.log vcombined;
+      access_log /var/log/nginx/public.log vcombined compression;
     '';
   };
 in

modules/web01/goaccess.nix

@@ -1,14 +1,27 @@
 { stdenv, lib, pkgs, ... }:
 
 let
-  domain = "metrics.gchq.icu";
+  domain = "metrics.clan.lol";
+  priv_goaccess = "/var/lib/goaccess";
+  pub_goaccess = "/var/www/goaccess";
+
+  user-agent-list = pkgs.writeText "browsers.list" ''
+    # List of browsers and their categories
+    # e.g., WORD delimited by tab(s) \t TYPE
+    # TYPE can be any type and it's not limited to the ones below.
+    github-actions-checkout	GitHubActions
+    git	Git
+    connect-go	Go
+    Go-http-client	Go
+    curl	Curl
+  '';
 in
 {
   users.users.goaccess = {
     isSystemUser = true;
     group = "nginx";
     createHome = true;
-    home = "/var/www/goaccess";
+    home = "${pub_goaccess}";
     homeMode = "0774";
   };
 
@@ -17,8 +30,18 @@ in
     access_log /var/log/nginx/private.log vcombined;
   '';
 
+  systemd.tmpfiles.rules = [
+    "d ${priv_goaccess} 0755 goaccess nginx -"
+    "d ${priv_goaccess}/db 0755 goaccess nginx -"
+    "d ${pub_goaccess} 0755 goaccess nginx -"
+  ];
+
+
+  # --browsers-file=/etc/goaccess/browsers.list
+  # https://raw.githubusercontent.com/allinurl/goaccess/master/config/browsers.list
   systemd.services.goaccess = {
     description = "GoAccess server monitoring";
+
     serviceConfig = {
       User = "goaccess";
       Group = "nginx";
@@ -26,14 +49,22 @@ in
         ${pkgs.goaccess}/bin/goaccess \
           -f /var/log/nginx/public.log \
           --log-format=VCOMBINED \
+          --ignore-crawlers \
+          --browsers-file=${user-agent-list} \
           --real-time-html \
+          --all-static-files \
           --html-refresh=30 \
+          --persist \
+          --restore \
+          --db-path=${priv_goaccess}/db \
           --no-query-string \
+          --unknowns-log=${priv_goaccess}/unknowns.log \
+          --invalid-requests=${priv_goaccess}/invalid-requests.log \
           --anonymize-ip \
           --ignore-panel=HOSTS \
           --ws-url=wss://${domain}:443/ws \
           --port=7890 \
-          -o index.html
+          -o "${pub_goaccess}/index.html"
       '';
       ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
       Type = "simple";
@@ -41,14 +72,14 @@ in
       RestartSec = "10s";
 
       # hardening
-      WorkingDirectory = "/var/www/goaccess";
+      WorkingDirectory = "${pub_goaccess}";
       NoNewPrivileges = true;
       PrivateTmp = true;
       ProtectHome = "read-only";
       ProtectSystem = "strict";
       SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @reboot @resources @setuid @swap @raw-io";
       ReadOnlyPaths = "/";
-      ReadWritePaths = [ "/proc/self" "/var/www/goaccess" ];
+      ReadWritePaths = [ "/proc/self" "${pub_goaccess}" "${priv_goaccess}" ];
       PrivateDevices = "yes";
       ProtectKernelModules = "yes";
       ProtectKernelTunables = "yes";
@@ -61,7 +92,7 @@ in
   services.nginx.virtualHosts."${domain}" = {
     addSSL = true;
     enableACME = true;
-    root = "/var/www/goaccess";
+    root = "${pub_goaccess}";
 
     locations."/ws" = {
       proxyPass = "http://127.0.0.1:7890";