feat(nginx): access_log options

arcnmx 2024-06-16 10:26:59 -07:00
parent 398f947d22
commit 37137017c2
5 changed files with 161 additions and 6 deletions

138
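--- a/modules/nixos/nginx/log.nix
+++ b/modules/nixos/nginx/log.nix
@@ -0,0 +1,138 @@
+let
+locationModule = {
+config,
+virtualHost,
+lib,
+...
+}: {
+options = with lib.types; {
+/*
+accessLog = mkOption {
+type = submoduleWith {
+modules = [accessLogModule accessLogDefaults];
+};
+};
+*/
+};
+};
+hostModule = {
+config,
+nixosConfig,
+xvars,
+gensokyo-zone,
+lib,
+...
+}: let
+inherit (gensokyo-zone.lib) mapAlmostOptionDefaults;
+inherit (lib.options) mkOption;
+inherit (lib.modules) mkIf;
+inherit (nixosConfig.services) nginx;
+cfg = config.accessLog;
+accessLogDefaults = _: {
+config = mapAlmostOptionDefaults {
+inherit (nginx.accessLog) enable path format;
+};
+};
+in {
+options = with lib.types; {
+accessLog = mkOption {
+type = submoduleWith {
+modules = [accessLogModule accessLogDefaults];
+};
+default = {};
+};
+locations = mkOption {
+type = attrsOf (submoduleWith {
+modules = [locationModule];
+shorthandOnlyDefinesConfig = true;
+});
+};
+};
+config = {
+extraConfig = mkIf cfg.emit cfg.directive;
+};
+};
+accessLogModule = {
+config,
+lib,
+...
+}: let
+inherit (lib.options) mkOption mkEnableOption;
+inherit (lib.modules) mkOptionDefault;
+defaultPath = "/var/log/nginx/access.log";
+defaultFormat = "combined";
+in {
+options = with lib.types; {
+enable =
+mkEnableOption "access_log"
+// {
+default = true;
+};
+path = mkOption {
+type = str;
+default = defaultPath;
+};
+format = mkOption {
+type = str;
+default = defaultFormat;
+};
+directive = mkOption {
+type = str;
+};
+emit = mkOption {
+internal = true;
+type = bool;
+};
+};
+config = let
+isDefault = config.enable && config.path == defaultPath && config.format == defaultFormat;
+directive =
+if config.enable
+then "access_log ${config.path} ${config.format};"
+else "access_log off;";
+in {
+emit = mkOptionDefault (!isDefault);
+directive = mkOptionDefault directive;
+};
+};
+in
+{
+config,
+gensokyo-zone,
+lib,
+...
+}: let
+inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
+inherit (lib.options) mkOption;
+inherit (lib.modules) mkIf mkAfter;
+inherit (config.services) nginx;
+cfg = nginx.accessLog;
+accessLogService = _: {
+config.emit = mkAlmostOptionDefault false;
+};
+in {
+options.services.nginx = with lib.types; {
+accessLog = mkOption {
+type = submoduleWith {
+modules = [
+accessLogModule
+accessLogService
+];
+};
+default = {};
+};
+virtualHosts = mkOption {
+type = attrsOf (submodule [hostModule]);
+};
+};
+config.services.nginx = {
+commonHttpConfig = mkIf cfg.emit (mkAfter cfg.directive);
+virtualHosts.localhost = mkIf nginx.statusPage {
+# nixos module already sets `extraConfig = "access_log off;"`
+accessLog = {
+enable = false;
+emit = false;
+};
+};
+};
+}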
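Review bot: `path` and `format` in accessLogModule are plain `str` options that are spliced unquoted into `"access_log ${config.path} ${config.format};"`, so a value containing whitespace, `;` or a brace changes the shape of the generated nginx configuration and is only noticed when nginx parses the file. Rejecting such values at evaluation time is cheap, for example `type = strMatching "[^[:space:];{}]+";` on both options. None of the new options carries a `description`; a short one on `emit` and `directive`, saying that `emit` decides whether `directive` is written out and that the service-level `emit` defaults to false through accessLogService, would help the next reader.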


@ -82,7 +82,7 @@ let
}: let }: let
inherit (gensokyo-zone.lib) mkAlmostOptionDefault orderJustBefore unmerged; inherit (gensokyo-zone.lib) mkAlmostOptionDefault orderJustBefore unmerged;
inherit (lib.options) mkOption; inherit (lib.options) mkOption;
inherit (lib.modules) mkIf mkOrder mkDefault; inherit (lib.modules) mkIf mkMerge mkOrder mkDefault;
inherit (nixosConfig.services) nginx; inherit (nixosConfig.services) nginx;
cfg = config.proxied; cfg = config.proxied;
in { in {
@ -145,9 +145,14 @@ let
port = mkAlmostOptionDefault nginx.proxied.listenPort; port = mkAlmostOptionDefault nginx.proxied.listenPort;
}; };
}; };
extraConfig = mkIf (cfg.enabled && config.xvars.enable) ( accessLog = mkIf cfg.enabled {
mkOrder (orderJustBefore + 25) (xHeadersProxied {inherit xvars;}) format = mkDefault "combined_proxied";
); };
extraConfig = mkMerge [
(mkIf (cfg.enabled && config.xvars.enable) (
mkOrder (orderJustBefore + 25) (xHeadersProxied {inherit xvars;})
))
];
}; };
}; };
in in
@ -160,7 +165,7 @@ in
}: let }: let
inherit (gensokyo-zone.lib) mkAlmostOptionDefault; inherit (gensokyo-zone.lib) mkAlmostOptionDefault;
inherit (lib.options) mkOption mkEnableOption; inherit (lib.options) mkOption mkEnableOption;
inherit (lib.modules) mkIf mkOptionDefault; inherit (lib.modules) mkIf;
inherit (lib.attrsets) attrValues; inherit (lib.attrsets) attrValues;
inherit (lib.lists) any; inherit (lib.lists) any;
inherit (config.services) nginx; inherit (config.services) nginx;
@ -212,6 +217,12 @@ in
''; '';
}; };
}; };
commonHttpConfig = mkIf cfg.enable ''
log_format combined_proxied '$x_remote_addr proxied $remote_user@$x_host [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
'';
}; };
networking.firewall.interfaces.lan = mkIf nginx.enable { networking.firewall.interfaces.lan = mkIf nginx.enable {
allowedTCPPorts = mkIf cfg.enable [cfg.listenPort]; allowedTCPPorts = mkIf cfg.enable [cfg.listenPort];
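Review bot: The `combined_proxied` format added to `commonHttpConfig` logs `$x_remote_addr` and `$x_host` but leaves out `$remote_addr`, so the address of the peer that actually opened the connection is no longer in the record. The definition of `$x_remote_addr` is not visible on this page; if it is taken from a forwarded header, each entry is only as trustworthy as the proxy in front. Keeping the socket address next to it lets someone reading the log tell the two apart, for example `'$x_remote_addr via $remote_addr $remote_user@$x_host [$time_local] '` as the first line of the format. The enclosing module body starts and ends outside the hunk.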


@ -28,6 +28,7 @@ in {
inherit serverName; inherit serverName;
proxied.enable = mkDefault true; proxied.enable = mkDefault true;
local.denyGlobal = true; local.denyGlobal = true;
accessLog.enable = false;
}; };
barcodebuddy = { barcodebuddy = {
inherit name; inherit name;
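Review bot: `accessLog.enable = false;` is added without a comment saying why this virtual host should stop logging requests, and the same line appears twice more in the next file section (after `local.denyGlobal = true;` and after the `localSso.enable = true;` block). Two of these hosts set `local.denyGlobal = true`, and the access log is normally the only per-request record of who reached such a host, so the reason belongs next to the setting, for example `# access log off: <reason>` on the line above. If the aim is only to cut noise, pointing these hosts at a separate `accessLog.path` would keep the record; the logging policy itself is not visible here. The attribute sets being edited start outside the hunks.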


@ -59,6 +59,7 @@ in {
inherit serverName; inherit serverName;
proxied.enable = true; proxied.enable = true;
local.denyGlobal = true; local.denyGlobal = true;
accessLog.enable = false;
}; };
grocy = mkMerge [ grocy = mkMerge [
luaAuthHost luaAuthHost
@ -101,6 +102,7 @@ in {
enable = true; enable = true;
localSso.enable = true; localSso.enable = true;
}; };
accessLog.enable = false;
} }
]; ];
}; };


@ -33,11 +33,14 @@ in {
#X-Content-Type-Options = "nosniff"; #X-Content-Type-Options = "nosniff";
#X-XSS-Protection = "1; mode=block"; #X-XSS-Protection = "1; mode=block";
}; };
accessLog.format = mkDefault "combined_host";
commonHttpConfig = '' commonHttpConfig = ''
map $scheme $hsts_header { map $scheme $hsts_header {
https "max-age=31536000; includeSubdomains; preload"; https "max-age=31536000; includeSubdomains; preload";
} }
#proxy_cookie_path / "/; secure; HttpOnly; SameSite=strict"; log_format combined_host '$remote_addr - $remote_user@$host [$time_local] '
'"$request" $status $body_bytes_sent '
'"$http_referer" "$http_user_agent"';
''; '';
clientMaxBodySize = mkDefault "512m"; clientMaxBodySize = mkDefault "512m";
virtualHosts.fallback = { virtualHosts.fallback = {