From f348a125865a693a19e1dd022b631bdc730cc9ad Mon Sep 17 00:00:00 2001
From: fruchti
Date: Fri, 4 Jul 2025 09:15:52 +0200
Subject: [PATCH 1/5] Emitter: Ping Rupert twice before backup
---
 hosts/Emitter.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hosts/Emitter.nix b/hosts/Emitter.nix
index 2db269a..8c896e4 100644
--- a/hosts/Emitter.nix
+++ b/hosts/Emitter.nix
@@ -100,7 +100,7 @@
 set -e
 echo "Ensuring rupert.gvfr.de is up."
 ${pkgs.dig}/bin/nslookup rupert.gvfr.de
- ${pkgs.unixtools.ping}/bin/ping -c1 rupert.gvfr.de >/dev/null
+ ${pkgs.unixtools.ping}/bin/ping -c2 rupert.gvfr.de
 echo "Opening SSH tunnel."
 ${pkgs.openssh}/bin/ssh -6 -i /secrets/id_burp_remote -o IdentitiesOnly=yes -o ExitOnForwardFailure=yes -L 4971:localhost:4971 burp-remote@rupert.gvfr.de -f true
 echo "Beginning backup operation."
From a9e5a7e83d3bb7127868d2739cb63ad3e38cc0d5 Mon Sep 17 00:00:00 2001
From: fruchti
Date: Fri, 4 Jul 2025 09:19:28 +0200
Subject: [PATCH 2/5] Emitter: Enable nginx log rotation
---
 hosts/Emitter.nix | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/hosts/Emitter.nix b/hosts/Emitter.nix
index 8c896e4..a9c3ff2 100644
--- a/hosts/Emitter.nix
+++ b/hosts/Emitter.nix
@@ -144,6 +144,13 @@
 services.postgresql.package = pkgs.postgresql_13;
+ services.logrotate = {
+ enable = true;
+ settings.nginx = {
+ rotate = 2;
+ };
+ };
+
 # This value determines the NixOS release from which the default
 # settings for stateful data, like file locations and database versions
 # on your system were taken. It’s perfectly fine and recommended to leave
From 469fcbcbe8a007140be8c8708529bb07da900a17 Mon Sep 17 00:00:00 2001
From: fruchti
Date: Fri, 4 Jul 2025 09:21:57 +0200
Subject: [PATCH 3/5] TLS SNI: Use proxy protocol
---
 hosts/tls_sni.nix | 32 +++++++++++++++++++++++++++++---
 1 file changed, 29 insertions(+), 3 deletions(-)
diff --git a/hosts/tls_sni.nix b/hosts/tls_sni.nix
index be9ce62..b870e92 100644
--- a/hosts/tls_sni.nix
+++ b/hosts/tls_sni.nix
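Review bot: The added `ping -c2 rupert.gvfr.de` is not pinned to IPv6, while the ssh command two lines below forces `-6`, so a reply over IPv4 lets the script continue only to abort (under `set -e`) at the tunnel step when the v6 path is the one that is down; `${pkgs.unixtools.ping}/bin/ping -6 -c2 rupert.gvfr.de` would test the path that is actually used, assuming this ping build accepts `-6` (iputils does). Note also that ping exits 0 as soon as one of the two replies arrives, so the check now tolerates one lost packet, and without `-w`/`-W` an unreachable host is only reported after ping's default reply timeout; if this is meant as a quick liveness gate, a deadline such as `-w 5` keeps the backup from hanging on it. The shell script this hunk edits begins and ends outside the hunk.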
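Review bot: `rotate = 2;` keeps only two rotated generations of the nginx logs, which — if the rotation frequency comes from the NixOS nginx module's own `services.logrotate.settings.nginx` defaults (weekly, not visible in this hunk) — leaves roughly two weeks of access history for any incident investigation, a fairly short forensic window for an internet-facing host. If that retention is intentional, it deserves a comment next to the value, e.g. `# Deliberately short retention: two rotations (~2 weeks at the module's default weekly frequency)`. Be aware that the module's default file glob would also cover the per-domain `access.${domain}.log` introduced later in this series, so that log's retention follows this setting as well.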
@@ -9,7 +9,7 @@
 }
 upstream rupert {
- server rupert.gvfr.de:443;
+ server rupert.gvfr.de:4431;
 }
 upstream localserv {
@@ -18,16 +18,42 @@
 server {
 listen 443;
+ ssl_preread on;
 # proxy_connect_timeout 1s;
 # proxy_timeout 3s;
 # resolver 1.1.1.1;
 proxy_pass $target_backend;
- ssl_preread on;
+ proxy_next_upstream off;
+
+ proxy_protocol on;
 }
 '';
- defaultSSLListenPort = 4431;
+ defaultListen = [
+ {
+ addr = "0.0.0.0";
+ port = 80;
+ ssl = false;
+ }
+ {
+ addr = "[::0]";
+ port = 80;
+ ssl = false;
+ }
+ {
+ addr = "0.0.0.0";
+ port = 4431;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ {
+ addr = "[::0]";
+ port = 4431;
+ ssl = true;
+ proxyProtocol = true;
+ }
+ ];
 };
 }
From c62cb63dbc73f8ddc620b0d1520d4ceec5b2e441 Mon Sep 17 00:00:00 2001
From: fruchti
Date: Fri, 4 Jul 2025 09:22:30 +0200
Subject: [PATCH 4/5] Forgejo: Log with real IP address
---
 hosts/forgejo.nix | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/hosts/forgejo.nix b/hosts/forgejo.nix
index 6b2145d..831e4b5 100644
--- a/hosts/forgejo.nix
+++ b/hosts/forgejo.nix
@@ -126,6 +126,14 @@ in
 extraConfig = ''
 # Maximum upload file size for git-lfs
 client_max_body_size 100M;
+
+ set_real_ip_from 127.0.0.1;
+ set_real_ip_from ::1;
+ real_ip_header proxy_protocol;
+ proxy_set_header X-Real-IP $proxy_protocol_addr;
+ proxy_set_header X-Fowarded-For $proxy_protocol_addr;
+
+ access_log /var/log/nginx/access.${domain}.log combined_realip;
 '';
 };
 };
From 11b3dd292731d09c0d1d8fb73baca6bf9000c2b0 Mon Sep 17 00:00:00 2001
From: fruchti
Date: Fri, 4 Jul 2025 09:22:50 +0200
Subject: [PATCH 5/5] Forgejo: Enable AWstats
---
 hosts/forgejo.nix | 13 +++++++++++++
 1 file changed, 13 insertions(+)
diff --git a/hosts/forgejo.nix b/hosts/forgejo.nix
index 831e4b5..6d9a789 100644
--- a/hosts/forgejo.nix
+++ b/hosts/forgejo.nix
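Review bot: `server rupert.gvfr.de:4431;` reaches the new PROXY-protocol listener through the host's public DNS name rather than loopback, so the proxied connection originates from whichever local address the kernel picks for that route and not from 127.0.0.1/::1 — which matters because the later "Forgejo: Log with real IP address" patch in this series trusts only those two loopback addresses in `set_real_ip_from`. If the SNI proxy and the HTTP vhosts are the same nginx instance (the `defaultListen` change in the next hunk suggests they are), pointing the upstream at `server 127.0.0.1:4431;` keeps the trust boundary aligned; otherwise the trusted list should name the proxy's actual egress address. This assumes rupert.gvfr.de resolves to this host's own public address, which the hunk does not show.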
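Review bot: `proxy_protocol on;` applies to the whole stream `server {}` block, so the `localserv` upstream (its target is outside this hunk) now also receives a PROXY header on every connection and must be listening with proxy protocol enabled, or its TLS handshakes will fail on the unexpected leading bytes. Separately, the new 4431 entries bind `0.0.0.0`/`[::0]` with `proxyProtocol = true`, so any peer able to reach 4431 directly can present its own PROXY header and thereby choose the address that ends up in `$proxy_protocol_addr`; binding those entries to `127.0.0.1`/`[::1]`, or blocking 4431 from outside the host in the firewall, confines that trust to the SNI proxy on 443. A comment above `port = 4431;` such as `# Internal PROXY-protocol listener; must only be reachable via the stream proxy on 443` would record the constraint for the next maintainer.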
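Review bot: `proxy_set_header X-Fowarded-For $proxy_protocol_addr;` misspells the header name, so the backend never receives `X-Forwarded-For`; it should read `proxy_set_header X-Forwarded-For $proxy_protocol_addr;`. Note also that `$proxy_protocol_addr` is filled from whatever PROXY header arrives on the connection regardless of `set_real_ip_from`, so both `proxy_set_header` lines forward an unverified value, whereas `real_ip_header proxy_protocol` only rewrites `$remote_addr` for connections from 127.0.0.1/::1 — if the stream proxy connects from a non-loopback address (it targets `rupert.gvfr.de:4431`), `$remote_addr` stays the proxy's address and the access log and the forwarded headers will disagree about who the client was. `combined_realip` is not a built-in nginx log format; it has to be declared in the http context elsewhere (outside this hunk), or nginx will reject the configuration.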
@@ -135,6 +135,19 @@ in
 access_log /var/log/nginx/access.${domain}.log combined_realip;
 '';
+ locations."/awstats/" = {
+ basicAuthFile = "/secrets/webstats_auth";
+ };
+ };
+ };
+
+ services.awstats = {
+ enable = true;
+ updateAt = "hourly";
+ configs."${domain}" = {
+ logFile = "/var/log/nginx/access.${domain}.log";
+ domain = domain;
+ webService.enable = true;
 };
 };
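Review bot: `configs."${domain}"` points awstats at `access.${domain}.log`, which the preceding patch writes in the custom `combined_realip` format, but no log-format setting is given here; awstats parses lines according to its configured LogFormat and will skip or misattribute them if `combined_realip` does not match the layout it expects, so either keep that nginx format field-compatible with `combined` (only `$remote_addr` replaced by the real address) or set the module's log-format option to match. `basicAuthFile = "/secrets/webstats_auth"` gates `/awstats/`, but the NixOS awstats module registers its own locations under its URL prefix (outside this hunk), so confirm the CGI location it adds ends up beneath this prefix and that the nginx worker user can read the file — an unreadable file yields 500 responses rather than a login prompt. A comment such as `# Stats UI is reachable only with HTTP basic auth; credentials are provisioned outside the repo` would make the intent explicit. The `virtualHosts` definition this location belongs to begins outside the hunk.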