Forgejo: Enable AWstats

hosts/Emitter.nix

@@ -100,7 +100,7 @@
                     set -e
                     echo "Ensuring rupert.gvfr.de is up."
                     ${pkgs.dig}/bin/nslookup rupert.gvfr.de
-                    ${pkgs.unixtools.ping}/bin/ping -c1 rupert.gvfr.de >/dev/null
+                    ${pkgs.unixtools.ping}/bin/ping -c2 rupert.gvfr.de
                     echo "Opening SSH tunnel."
                     ${pkgs.openssh}/bin/ssh -6 -i /secrets/id_burp_remote -o IdentitiesOnly=yes -o ExitOnForwardFailure=yes -L 4971:localhost:4971 burp-remote@rupert.gvfr.de -f true
                     echo "Beginning backup operation."
@@ -144,6 +144,13 @@
 
     services.postgresql.package = pkgs.postgresql_13;
 
+    services.logrotate = {
+        enable = true;
+        settings.nginx = {
+            rotate = 2;
+        };
+    };
+
     # This value determines the NixOS release from which the default
     # settings for stateful data, like file locations and database versions
     # on your system were taken. It’s perfectly fine and recommended to leave

hosts/forgejo.nix

@@ -126,7 +126,28 @@ in
             extraConfig = ''
                 # Maximum upload file size for git-lfs
                 client_max_body_size 100M;
+
+                set_real_ip_from 127.0.0.1;
+                set_real_ip_from ::1;
+                real_ip_header proxy_protocol;
+                proxy_set_header X-Real-IP $proxy_protocol_addr;
+                proxy_set_header X-Fowarded-For $proxy_protocol_addr;
+
+                access_log /var/log/nginx/access.${domain}.log combined_realip;
             '';
+            locations."/awstats/" = {
+                basicAuthFile = "/secrets/webstats_auth";
+            };
+        };
+    };
+
+    services.awstats = {
+        enable = true;
+        updateAt = "hourly";
+        configs."${domain}" = {
+            logFile = "/var/log/nginx/access.${domain}.log";
+            domain = domain;
+            webService.enable = true;
         };
     };
 

hosts/tls_sni.nix

@@ -9,7 +9,7 @@
             }
 
             upstream rupert {
-                server rupert.gvfr.de:443;
+                server rupert.gvfr.de:4431;
             }
 
             upstream localserv {
@@ -18,16 +18,42 @@
 
             server {
                 listen 443;
+                ssl_preread on;
 
                 # proxy_connect_timeout 1s;
                 # proxy_timeout 3s;
                 # resolver 1.1.1.1;
 
                 proxy_pass $target_backend;
-                ssl_preread on;
+                proxy_next_upstream off;
+
+                proxy_protocol on;
             }
         '';
 
-        defaultSSLListenPort = 4431;
+        defaultListen = [
+            {
+                addr = "0.0.0.0";
+                port = 80;
+                ssl = false;
+            }
+            {
+                addr = "[::0]";
+                port = 80;
+                ssl = false;
+            }
+            {
+                addr = "0.0.0.0";
+                port = 4431;
+                ssl = true;
+                proxyProtocol = true;
+            }
+            {
+                addr = "[::0]";
+                port = 4431;
+                ssl = true;
+                proxyProtocol = true;
+            }
+        ];
     };
 }