servo: enable goaccess for metrics/monitoring

TODO: change the nginx log format to include virtualhost and enable goaccess to group by host
2022-10-21 09:55:49 -07:00
parent 7cc44f9455
commit e787dc29c6
4 changed files with 64 additions and 0 deletions
--- a/machines/servo/default.nix
+++ b/machines/servo/default.nix
@@ -13,6 +13,7 @@
    # for administering services
    pkgs.matrix-synapse
    pkgs.freshrss
+    pkgs.goaccess
  ];
  sane.impermanence.enable = true;
  sane.services.duplicity.enable = true;
--- a/machines/servo/services/default.nix
+++ b/machines/servo/services/default.nix
@@ -4,6 +4,7 @@
    ./ddns-he.nix
    ./freshrss.nix
    ./gitea.nix
+    ./goaccess.nix
    ./ipfs.nix
    ./jackett.nix
    ./jellyfin.nix
--- a/machines/servo/services/goaccess.nix
+++ b/machines/servo/services/goaccess.nix
@@ -0,0 +1,36 @@
+{ pkgs, ... }:
+{
+  # based on <https://bytes.fyi/real-time-goaccess-reports-with-nginx/>
+  systemd.services.goaccess = {
+    description = "GoAccess server monitoring";
+    serviceConfig = {
+      ExecStart = ''
+        ${pkgs.goaccess}/bin/goaccess \
+          -f /var/log/nginx/access.log \
+          --log-format=COMBINED \
+          --real-time-html \
+          --ws-url=wss://sink.uninsane.org:443/ws \
+          --port=7890 \
+          -o /var/lib/uninsane/sink/index.html
+      '';
+      ExecReload = "${pkgs.coreutils}/bin/kill -HUP $MAINPID";
+      Type = "simple";
+      Restart = "on-failure";
+
+      # hardening
+      WorkingDirectory = "/tmp";
+      NoNewPrivileges = true;
+      PrivateTmp = true;
+      ProtectHome = "read-only";
+      ProtectSystem = "strict";
+      SystemCallFilter = "~@clock @cpu-emulation @debug @keyring @memlock @module @mount @obsolete @privileged @reboot @resources @setuid @swap @raw-io";
+      ReadOnlyPaths = "/";
+      ReadWritePaths = [ "/proc/self" "/var/lib/uninsane/sink" ];
+      PrivateDevices = "yes";
+      ProtectKernelModules = "yes";
+      ProtectKernelTunables = "yes";
+    };
+    after = [ "network.target" ];
+    wantedBy = [ "multi-user.target" ];
+  };
+}
--- a/machines/servo/services/nginx.nix
+++ b/machines/servo/services/nginx.nix
@@ -57,6 +57,32 @@
    # };
  };

+  # server statistics
+  services.nginx.virtualHosts."sink.uninsane.org" = {
+    addSSL = true;
+    enableACME = true;
+    root = "/var/lib/uninsane/sink";
+
+    # we don't want goaccess to swallow its own metrics
+    extraConfig = ''
+      access_log /var/log/nginx/goaccess-access.log;
+      error_log /var/log/nginx/goaccess-error.log warn;
+    '';
+
+    locations."/ws" = {
+      proxyPass = "http://127.0.0.1:7890";
+      # XXX not sure how much of this is necessary
+      extraConfig = ''
+        proxy_http_version 1.1;
+        proxy_set_header Upgrade $http_upgrade;
+        proxy_set_header Connection $connection_upgrade;
+        proxy_buffering off;
+        proxy_read_timeout 7d;
+      '';
+    };
+
+  };
+
  # Pleroma server and web interface
  services.nginx.virtualHosts."fed.uninsane.org" = {
    addSSL = true;