Forgejo: Enable AWstats

Forgejo: Log with real IP address
TLS SNI: Use proxy protocol
2025-07-04 09:22:50 +02:00 · 2025-07-04 09:22:30 +02:00 · 2025-07-04 09:21:57 +02:00 · 2025-07-04 09:19:28 +02:00 · 2025-07-04 09:15:52 +02:00
3 changed files with 58 additions and 4 deletions
--- a/hosts/Emitter.nix
+++ b/hosts/Emitter.nix
@ -100,7 +100,7 @@
                    set -e
                    echo "Ensuring rupert.gvfr.de is up."
                    ${pkgs.dig}/bin/nslookup rupert.gvfr.de
-                    ${pkgs.unixtools.ping}/bin/ping -c1 rupert.gvfr.de >/dev/null
+                    ${pkgs.unixtools.ping}/bin/ping -c2 rupert.gvfr.de
                    echo "Opening SSH tunnel."
                    ${pkgs.openssh}/bin/ssh -6 -i /secrets/id_burp_remote -o IdentitiesOnly=yes -o ExitOnForwardFailure=yes -L 4971:localhost:4971 burp-remote@rupert.gvfr.de -f true
                    echo "Beginning backup operation."
@ -144,6 +144,13 @@
    services.postgresql.package = pkgs.postgresql_13;
    services.logrotate = {
        enable = true;
        settings.nginx = {
            rotate = 2;
        };
    };
    # This value determines the NixOS release from which the default
    # settings for stateful data, like file locations and database versions
    # on your system were taken. It’s perfectly fine and recommended to leave
--- a/hosts/forgejo.nix
+++ b/hosts/forgejo.nix
@ -126,7 +126,28 @@ in
            extraConfig = ''
                # Maximum upload file size for git-lfs
                client_max_body_size 100M;
                set_real_ip_from 127.0.0.1;
                set_real_ip_from ::1;
                real_ip_header proxy_protocol;
                proxy_set_header X-Real-IP $proxy_protocol_addr;
                proxy_set_header X-Fowarded-For $proxy_protocol_addr;
                access_log /var/log/nginx/access.${domain}.log combined_realip;
            '';
            locations."/awstats/" = {
                basicAuthFile = "/secrets/webstats_auth";
            };
        };
    };
    services.awstats = {
        enable = true;
        updateAt = "hourly";
        configs."${domain}" = {
            logFile = "/var/log/nginx/access.${domain}.log";
            domain = domain;
            webService.enable = true;
        };
    };
--- a/hosts/tls_sni.nix
+++ b/hosts/tls_sni.nix
@ -9,7 +9,7 @@
            }
            upstream rupert {
-                server rupert.gvfr.de:443;
+                server rupert.gvfr.de:4431;
            }
            upstream localserv {
@ -18,16 +18,42 @@
            server {
                listen 443;
                ssl_preread on;
                # proxy_connect_timeout 1s;
                # proxy_timeout 3s;
                # resolver 1.1.1.1;
                proxy_pass $target_backend;
-                ssl_preread on;
+                proxy_next_upstream off;
                proxy_protocol on;
            }
        '';
-        defaultSSLListenPort = 4431;
+        defaultListen = [
            {
                addr = "0.0.0.0";
                port = 80;
                ssl = false;
            }
            {
                addr = "[::0]";
                port = 80;
                ssl = false;
            }
            {
                addr = "0.0.0.0";
                port = 4431;
                ssl = true;
                proxyProtocol = true;
            }
            {
                addr = "[::0]";
                port = 4431;
                ssl = true;
                proxyProtocol = true;
            }
        ];
    };
 }
Author	SHA1	Message	Date
fruchti	11b3dd2927	Forgejo: Enable AWstats	2025-07-04 09:22:50 +02:00
fruchti	c62cb63dbc	Forgejo: Log with real IP address	2025-07-04 09:22:30 +02:00
fruchti	469fcbcbe8	TLS SNI: Use proxy protocol	2025-07-04 09:21:57 +02:00
fruchti	a9e5a7e83d	Emitter: Enable nginx log rotation	2025-07-04 09:19:28 +02:00
fruchti	f348a12586	Emitter: Ping Rupert twice before backup	2025-07-04 09:15:52 +02:00