diff --git a/modules/nixos/nginx/log.nix b/modules/nixos/nginx/log.nix
new file mode 100644
index 00000000..d097b14b
--- /dev/null
+++ b/modules/nixos/nginx/log.nix
@@ -0,0 +1,138 @@
+let
+ locationModule = {
+ config,
+ virtualHost,
+ lib,
+ ...
+ }: {
+ options = with lib.types; {
+ /*
+ accessLog = mkOption {
+ type = submoduleWith {
+ modules = [accessLogModule accessLogDefaults];
+ };
+ };
+ */
+ };
+ };
+ hostModule = {
+ config,
+ nixosConfig,
+ xvars,
+ gensokyo-zone,
+ lib,
+ ...
+ }: let
+ inherit (gensokyo-zone.lib) mapAlmostOptionDefaults;
+ inherit (lib.options) mkOption;
+ inherit (lib.modules) mkIf;
+ inherit (nixosConfig.services) nginx;
+ cfg = config.accessLog;
+ accessLogDefaults = _: {
+ config = mapAlmostOptionDefaults {
+ inherit (nginx.accessLog) enable path format;
+ };
+ };
+ in {
+ options = with lib.types; {
+ accessLog = mkOption {
+ type = submoduleWith {
+ modules = [accessLogModule accessLogDefaults];
+ };
+ default = {};
+ };
+ locations = mkOption {
+ type = attrsOf (submoduleWith {
+ modules = [locationModule];
+ shorthandOnlyDefinesConfig = true;
+ });
+ };
+ };
+ config = {
+ extraConfig = mkIf cfg.emit cfg.directive;
+ };
+ };
+ accessLogModule = {
+ config,
+ lib,
+ ...
+ }: let
+ inherit (lib.options) mkOption mkEnableOption;
+ inherit (lib.modules) mkOptionDefault;
+ defaultPath = "/var/log/nginx/access.log";
+ defaultFormat = "combined";
+ in {
+ options = with lib.types; {
+ enable =
+ mkEnableOption "access_log"
+ // {
+ default = true;
+ };
+ path = mkOption {
+ type = str;
+ default = defaultPath;
+ };
+ format = mkOption {
+ type = str;
+ default = defaultFormat;
+ };
+ directive = mkOption {
+ type = str;
+ };
+ emit = mkOption {
+ internal = true;
+ type = bool;
+ };
+ };
+ config = let
+ isDefault = config.enable && config.path == defaultPath && config.format == defaultFormat;
+ directive =
+ if config.enable
+ then "access_log ${config.path} ${config.format};"
+ else "access_log off;";
+ in {
+ emit = mkOptionDefault (!isDefault);
+ directive = mkOptionDefault directive;
+ };
+ };
+in
+ {
+ config,
+ gensokyo-zone,
+ lib,
+ ...
+ }: let
+ inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
+ inherit (lib.options) mkOption;
+ inherit (lib.modules) mkIf mkAfter;
+ inherit (config.services) nginx;
+ cfg = nginx.accessLog;
+ accessLogService = _: {
+ config.emit = mkAlmostOptionDefault false;
+ };
+ in {
+ options.services.nginx = with lib.types; {
+ accessLog = mkOption {
+ type = submoduleWith {
+ modules = [
+ accessLogModule
+ accessLogService
+ ];
+ };
+ default = {};
+ };
+ virtualHosts = mkOption {
+ type = attrsOf (submodule [hostModule]);
+ };
+ };
+ config.services.nginx = {
+ commonHttpConfig = mkIf cfg.emit (mkAfter cfg.directive);
+ virtualHosts.localhost = mkIf nginx.statusPage {
+ # nixos module already sets `extraConfig = "access_log off;"`
+ accessLog = {
+ enable = false;
+ emit = false;
+ };
+ };
+ };
+ }
diff --git a/modules/nixos/nginx/proxied.nix b/modules/nixos/nginx/proxied.nix
index abb1740a..c704c9a9 100644
--- a/modules/nixos/nginx/proxied.nix
+++ b/modules/nixos/nginx/proxied.nix
@@ -82,7 +82,7 @@ let
 }: let
 inherit (gensokyo-zone.lib) mkAlmostOptionDefault orderJustBefore unmerged;
 inherit (lib.options) mkOption;
- inherit (lib.modules) mkIf mkOrder mkDefault;
+ inherit (lib.modules) mkIf mkMerge mkOrder mkDefault;
 inherit (nixosConfig.services) nginx;
 cfg = config.proxied;
 in {
@@ -145,9 +145,14 @@ let
 port = mkAlmostOptionDefault nginx.proxied.listenPort;
 };
 };
- extraConfig = mkIf (cfg.enabled && config.xvars.enable) (
- mkOrder (orderJustBefore + 25) (xHeadersProxied {inherit xvars;})
- );
+ accessLog = mkIf cfg.enabled {
+ format = mkDefault "combined_proxied";
+ };
+ extraConfig = mkMerge [
+ (mkIf (cfg.enabled && config.xvars.enable) (
+ mkOrder (orderJustBefore + 25) (xHeadersProxied {inherit xvars;})
+ ))
+ ];
 };
 };
 in
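Review bot: The `emit = mkOptionDefault (!isDefault)` rule in accessLogModule is the crux of the new module but carries no comment: a virtualHost emits its own `access_log` only when its effective enable/path/format differ from nginx's built-ins (`/var/log/nginx/access.log`, `combined`), while accessLogService apparently forces `emit` to false at the http level, so a service-wide `path` or `format` takes effect by being pushed into every host through accessLogDefaults rather than by one http-level directive. If that is the intent, a comment above `isDefault` such as `# hosts only emit when they deviate from nginx's own defaults; service-level values flow in via accessLogDefaults` would spare the next reader from tracing three submodules. Separately, `path` and `format` are plain `str` interpolated unquoted into `access_log ${config.path} ${config.format};`, so a value containing whitespace or `;` silently becomes extra directive arguments or a new directive; `str` is probably deliberate because nginx accepts variables in the log path, but a one-line comment stating that these are trusted config values, or an assertion rejecting `;`, would make the contract explicit. locationModule is an empty stub whose only option is commented out, so `locations` is registered with a submodule that binds nothing; either drop it until needed or leave a `# TODO: per-location access_log override` marker where the commented block sits.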
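Review bot: The new `accessLog.format = mkDefault "combined_proxied"` is gated on the per-host `cfg.enabled`, but the `log_format combined_proxied` declaration added in the `@@ -212,6 +217,12 @@` hunk is gated on the service-level `cfg.enable` (presumably `cfg = nginx.proxied` there, given `cfg.listenPort` on the firewall line); if those two flags can disagree, a host with `proxied.enabled` under a service where `proxied.enable` is false references an undefined log format and nginx rejects the configuration at load. If `enabled` already implies the service-level switch this is fine, but that is not visible here and deserves either a comment or the same condition on both sides, e.g. `accessLog = mkIf (cfg.enabled && nginx.proxied.enable) {`. The enclosing submodule starts before this hunk.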
@@ -160,7 +165,7 @@ in
 }: let
 inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
 inherit (lib.options) mkOption mkEnableOption;
- inherit (lib.modules) mkIf mkOptionDefault;
+ inherit (lib.modules) mkIf;
 inherit (lib.attrsets) attrValues;
 inherit (lib.lists) any;
 inherit (config.services) nginx;
@@ -212,6 +217,12 @@ in
 '';
 };
 };
+ commonHttpConfig = mkIf cfg.enable ''
+ log_format combined_proxied '$x_remote_addr proxied $remote_user@$x_host [$time_local] '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent"';
+
+ '';
 };
 networking.firewall.interfaces.lan = mkIf nginx.enable {
 allowedTCPPorts = mkIf cfg.enable [cfg.listenPort];
diff --git a/nixos/access/barcodebuddy.nix b/nixos/access/barcodebuddy.nix
index 9d3d5a88..cfa05387 100644
--- a/nixos/access/barcodebuddy.nix
+++ b/nixos/access/barcodebuddy.nix
@@ -28,6 +28,7 @@ in {
 inherit serverName;
 proxied.enable = mkDefault true;
 local.denyGlobal = true;
+ accessLog.enable = false;
 };
 barcodebuddy = {
 inherit name;
diff --git a/nixos/access/grocy.nix b/nixos/access/grocy.nix
index 964b5741..1c59a428 100644
--- a/nixos/access/grocy.nix
+++ b/nixos/access/grocy.nix
@@ -59,6 +59,7 @@ in {
 inherit serverName;
 proxied.enable = true;
 local.denyGlobal = true;
+ accessLog.enable = false;
 };
 grocy = mkMerge [
 luaAuthHost
@@ -101,6 +102,7 @@ in {
 enable = true;
 localSso.enable = true;
 };
+ accessLog.enable = false;
 }
 ];
 };
diff --git a/nixos/nginx.nix b/nixos/nginx.nix
index 123f1c25..3ee22486 100644
--- a/nixos/nginx.nix
+++ b/nixos/nginx.nix
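Review bot: `combined_proxied` writes `$x_remote_addr` and `$x_host` where `combined` writes `$remote_addr` and `$host`; presumably those come from the forwarded headers the xvars module sets up, which means the logged client address is only as trustworthy as the proxy that asserted it. For incident response it helps to keep the peer address nginx itself saw next to the asserted one, so a misrouted or spoofed forwarded header can be told apart from a genuine proxy hop, e.g. `'$x_remote_addr proxied $remote_addr $remote_user@$x_host [$time_local] '`. A one-line comment noting that nginx's default `escape=default` replaces control characters in logged variables with `\xXX`, so header-derived values cannot break the line structure of the log, would also record why no further escaping is needed here. The enclosing `config.services.nginx` set starts and ends outside the hunk.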
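Review bot: `accessLog.enable = false;` switches the per-host access log off for a host that is both `proxied` and `denyGlobal`-restricted, and the same line is added for both grocy hosts in `@@ -59,6 +59,7 @@` and `@@ -101,6 +102,7 @@`, the second of which sits right after `localSso.enable = true`; none of the three says why. Since this removes the request trail for SSO-gated services, a short reason next to the line, e.g. `accessLog.enable = false; # access_log off: <reason, e.g. where these requests are logged instead>`, would tell a future reviewer whether the audit trail is intentionally kept elsewhere or simply dropped.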
@@ -33,11 +33,14 @@ in {
 #X-Content-Type-Options = "nosniff";
 #X-XSS-Protection = "1; mode=block";
 };
+ accessLog.format = mkDefault "combined_host";
 commonHttpConfig = ''
 map $scheme $hsts_header {
 https "max-age=31536000; includeSubdomains; preload";
 }
- #proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict";
+ log_format combined_host '$remote_addr - $remote_user@$host [$time_local] '
+ '"$request" $status $body_bytes_sent '
+ '"$http_referer" "$http_user_agent"';
 '';
 clientMaxBodySize = mkDefault "512m";
 virtualHosts.fallback = {
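Review bot: `accessLog.format = mkDefault "combined_host"` is set service-wide, but under the emit rule introduced in modules/nixos/nginx/log.nix the http-level `access_log` directive is apparently suppressed and the non-default format instead makes every virtualHost emit its own `access_log /var/log/nginx/access.log combined_host;`; nothing on this line hints at that indirection, so a comment such as `# non-default format => each virtualHost emits its own access_log (see modules/nixos/nginx/log.nix)` is worth adding. The `log_format combined_host` declaration lives in `commonHttpConfig`, which is what keeps it ahead of any `access_log` that names it — nginx needs a format declared before it is referenced — and a one-line comment saying so would stop someone from moving it later. The enclosing attribute set starts and ends outside the hunk.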