{ pkgs, ... }:
{
# based on <https://bytes.fyi/real-time-goaccess-reports-with-nginx/>
# log-format setting can be derived with this tool if custom:
# - <https://github.com/stockrt/nginx2goaccess>
# config options:
# - <https://github.com/allinurl/goaccess/blob/master/config/goaccess.conf>
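# GoAccess as a long-running daemon: it parses the nginx access log, writes a
# static HTML report into /var/lib/goaccess, and pushes live updates to open
# report pages over its built-in WebSocket server.
systemd.services.goaccess = {
  description = "GoAccess server monitoring";
  serviceConfig = {
    # Privacy-related flags: --no-query-string drops query strings (which can
    # carry tokens or search terms), --anonymize-ip truncates client addresses,
    # and --ignore-panel=HOSTS hides the per-client panel from the report.
    #
    # --addr=127.0.0.1 pins the WebSocket listener to loopback. Without it
    # GoAccess binds port 7890 on all interfaces, although the only intended
    # client is the local nginx proxy (which connects to 127.0.0.1:7890 and
    # is what browsers reach through the --ws-url on port 443).
    ExecStart = ''
      ${pkgs.goaccess}/bin/goaccess \
        -f /var/log/nginx/public.log \
        --log-format=VCOMBINED \
        --real-time-html \
        --html-refresh=30 \
        --no-query-string \
        --anonymize-ip \
        --ignore-panel=HOSTS \
        --ws-url=wss://sink.uninsane.org:443/ws \
        --addr=127.0.0.1 \
        --port=7890 \
        -o /var/lib/goaccess/index.html
    '';
    ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
    Type = "simple";
    Restart = "on-failure";
    RestartSec = "10s";

    # hardening
    # TODO: run as `goaccess` user and add `goaccess` user to group `nginx`.
    # NOTE(review): no User= is set here, so the unit runs as root; until the
    # TODO is done, the sandboxing below is the only containment for a parser
    # that consumes attacker-influenced log lines.
    NoNewPrivileges = true;
    PrivateDevices = true;
    PrivateTmp = true;
    ProtectHome = "read-only";
    ProtectKernelModules = true;
    ProtectKernelTunables = true;
    # Extra restrictions that cost nothing for a log parser / report writer.
    ProtectControlGroups = true;
    ProtectKernelLogs = true;
    LockPersonality = true;
    RestrictRealtime = true;
    RestrictSUIDSGID = true;
    # "strict" makes the whole file system read-only except the paths listed
    # in ReadWritePaths (and the StateDirectory).
    ProtectSystem = "strict";
    ReadOnlyPaths = [ "/var/log/nginx" ];
    ReadWritePaths = [ "/proc/self" "/var/lib/goaccess" ];
    StateDirectory = "goaccess";
    # Deny-list (leading "~"): every listed syscall group is blocked.
    SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @reboot @resources @setuid @swap @raw-io";
    WorkingDirectory = "/var/lib/goaccess";
  };
  after = [ "network.target" ];
  wantedBy = [ "multi-user.target" ];
};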
# server statistics
# Public vhost for the GoAccess report: static files come straight from the
# GoAccess output directory, and /ws is proxied to the GoAccess WebSocket
# server on loopback.
#
# NOTE(review): no access control is configured in this block, so the report
# is readable by anyone who can reach the vhost, and everything GoAccess
# writes under /var/lib/goaccess is served, not only index.html.
# NOTE(review): `addSSL` enables HTTPS in addition to plain HTTP; `forceSSL`
# would redirect HTTP clients instead -- confirm which is intended.
services.nginx.virtualHosts."sink.uninsane.org" = {
  # inherit kTLS;
  enableACME = true;
  addSSL = true;
  root = "/var/lib/goaccess";

  locations = {
    "/ws" = {
      # HTTP/1.1 plus the Upgrade/Connection headers are what nginx needs to
      # pass a WebSocket handshake through to the backend.
      # `$connection_upgrade` is not an nginx built-in; it must come from a
      # `map` defined elsewhere (presumably the NixOS nginx module -- confirm).
      # XXX (original author): not sure how much of the rest is necessary.
      # The 7d read timeout keeps idle WebSocket connections open for up to
      # a week before nginx closes them.
      extraConfig = ''
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_buffering off;
        proxy_read_timeout 7d;
      '';
      proxyPass = "http://127.0.0.1:7890";
    };
  };
};
# DNS record for the stats vhost: sink.uninsane.org is published as a CNAME
# to "native" (that name is resolved by the sane.dns module; its meaning is
# not visible in this file).
sane.dns.zones."uninsane.org".inet.CNAME.sink = "native";
}