4o1x5/infrastructure
4o1x5/infrastructure
Archived
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity
This repository has been archived on 2024-08-30. You can view files and clone it, but cannot push or open issues or pull requests.
infrastructure/hosts/carbon/services/nginx.nix
2005 9216cbbf62 🚀 big update: 
added logging to all nginx routes
added loki, promtail to scrape nginx logs
turned i2pd back on,
updated my websites version
upgraded all hosts to 24.05
forgejo added bigger limit to upload limit due to docker images
privacy frontends:
    added priviblur
    libreddit -> redlib
    added biblioreads

ddns-updater, changed credentials but there is a bug with porkbun
added penpot
brought back anonymousoverflow
added readme privacy respecting frontends
2024-06-03 02:06:02 +02:00

119 lines
5.2 KiB
Nix
Raw Blame History

{ pkgs, inputs, config, ... }:
let
# define logging format in json
# https://grafana.com/grafana/dashboards/12559-loki-nginx-service-mesh-json-version/
log_format = ''
log_format json_analytics escape=json '{'
'"msec": "$msec", ' # request unixtime in seconds with a milliseconds resolution
'"connection": "$connection", ' # connection serial number
'"connection_requests": "$connection_requests", ' # number of requests made in connection
'"pid": "$pid", ' # process pid
'"request_id": "$request_id", ' # the unique request id
'"request_length": "$request_length", ' # request length (including headers and body)
'"remote_addr": "$remote_addr", ' # client IP
'"remote_user": "$remote_user", ' # client HTTP username
'"remote_port": "$remote_port", ' # client port
'"time_local": "$time_local", '
'"time_iso8601": "$time_iso8601", ' # local time in the ISO 8601 standard format
'"request": "$request", ' # full path no arguments if the request
'"request_uri": "$request_uri", ' # full path and arguments if the request
'"args": "$args", ' # args
'"status": "$status", ' # response status code
'"body_bytes_sent": "$body_bytes_sent", ' # the number of body bytes exclude headers sent to a client
'"bytes_sent": "$bytes_sent", ' # the number of bytes sent to a client
'"http_referer": "$http_referer", ' # HTTP referer
'"http_user_agent": "$http_user_agent", ' # user agent
'"http_x_forwarded_for": "$http_x_forwarded_for", ' # http_x_forwarded_for
'"http_host": "$http_host", ' # the request Host: header
'"server_name": "$server_name", ' # the name of the vhost serving the request
'"request_time": "$request_time", ' # request processing time in seconds with msec resolution
'"upstream": "$upstream_addr", ' # upstream backend server for proxied requests
'"upstream_connect_time": "$upstream_connect_time", ' # upstream handshake time incl. TLS
'"upstream_header_time": "$upstream_header_time", ' # time spent receiving upstream headers
'"upstream_response_time": "$upstream_response_time", ' # time spend receiving upstream body
'"upstream_response_length": "$upstream_response_length", ' # upstream response length
'"upstream_cache_status": "$upstream_cache_status", ' # cache HIT/MISS where applicable
'"ssl_protocol": "$ssl_protocol", ' # TLS protocol
'"ssl_cipher": "$ssl_cipher", ' # TLS cipher
'"scheme": "$scheme", ' # http or https
'"request_method": "$request_method", ' # request method
'"server_protocol": "$server_protocol", ' # request protocol, like HTTP/1.1 or HTTP/2.0
'"pipe": "$pipe", ' # "p" if request was pipelined, "." otherwise
'"gzip_ratio": "$gzip_ratio", '
'"http_cf_ray": "$http_cf_ray",'
'"geoip_country_code": "$geoip2_data_country_code"'
'}';
'';
# geoip2 module to get countries from addresses
geoip2 = ''
geoip2 /etc/GeoLite2-Country.mmdb {
auto_reload 5m;
$geoip2_metadata_country_build metadata build_epoch;
$geoip2_data_country_code default=US source=$remote_addr country iso_code;
$geoip2_data_country_name country names en;
}
geoip2 /etc/GeoLite2-City.mmdb {
$geoip2_data_city_name default=London city names en;
}
'';
in
{
services.nginx = {
enable = true;
additionalModules = [ pkgs.nginxModules.geoip2 ];
# add logging to config
commonHttpConfig = ''
${geoip2}
${log_format}
'';
#access_log /var/log/nginx/json_access.log json_analytics;
# ^^ adds logging to every host
virtualHosts = {
"www.${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
root = pkgs.callPackage ../services/website/default.nix { };
};
extraConfig = ''
access_log /var/log/nginx/$server_name-access.log json_analytics;
'';
};
"${config.networking.domain}" = {
forceSSL = true;
enableACME = true;
locations."/" = {
root = pkgs.callPackage ../services/website/default.nix { };
};
extraConfig = ''
error_page 404 /404.html;
deny 3.1.202.244;
deny 170.64.219.93;
deny 91.215.85.43;
client_max_body_size 900M;
access_log /var/log/nginx/$server_name-access.log json_analytics;
'';
};
};
};
security.acme = {
acceptTerms = true;
defaults.email = "admin+acme@4o1x5.dev";
};
}
Reference in a new issue View git blame Copy permalink