From 7c5ca1188c263ec8a62a6599626bbafd57b7ce95 Mon Sep 17 00:00:00 2001
From: fruchti
Date: Tue, 23 Dec 2025 17:36:27 +0100
Subject: [PATCH 1/5] Forgejo: Remove headers nginx complains about
---
 hosts/forgejo.nix | 2 --
 1 file changed, 2 deletions(-)
diff --git a/hosts/forgejo.nix b/hosts/forgejo.nix
index 6d9a789..b167449 100644
--- a/hosts/forgejo.nix
+++ b/hosts/forgejo.nix
@@ -130,8 +130,6 @@ in
 set_real_ip_from 127.0.0.1;
 set_real_ip_from ::1;
 real_ip_header proxy_protocol;
- proxy_set_header X-Real-IP $proxy_protocol_addr;
- proxy_set_header X-Fowarded-For $proxy_protocol_addr;
 access_log /var/log/nginx/access.${domain}.log combined_realip;
 '';
From ec4edd6ed318e31fcf7836317fa22c7b5148fb9e Mon Sep 17 00:00:00 2001
From: fruchti
Date: Tue, 23 Dec 2025 17:37:26 +0100
Subject: [PATCH 2/5] Emitter: Add real-IP log formats for nginx
---
 hosts/Emitter.nix | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/hosts/Emitter.nix b/hosts/Emitter.nix
index f3a0776..723142d 100644
--- a/hosts/Emitter.nix
+++ b/hosts/Emitter.nix
@@ -149,6 +149,14 @@
 '';
 };
+ services.nginx = {
+ commonHttpConfig = ''
+ log_format combined_realip '$proxy_protocol_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
+ log_format combined_vhost escape=none '$host: $remote_addr $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
+ access_log /var/log/nginx/access.log combined_vhost;
+ '';
+ };
+
 services.logrotate = {
 enable = true;
 settings.nginx = {
From 3171db8a74360a0076036e19445288c7fe45c064 Mon Sep 17 00:00:00 2001
From: fruchti
Date: Tue, 23 Dec 2025 17:37:48 +0100
Subject: [PATCH 3/5] Emitter: Enable goatcounter
---
 hosts/Emitter.nix | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/hosts/Emitter.nix b/hosts/Emitter.nix
index 723142d..3fc55c9 100644
--- a/hosts/Emitter.nix
+++ b/hosts/Emitter.nix
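Review bot: `escape=none` on the `combined_vhost` format added to hosts/Emitter.nix in patch 2/5 writes `$request`, `$http_referer` and `$http_user_agent` into the access log without escaping, so a client-supplied quote or backslash can shift or forge fields for anything that parses /var/log/nginx/access.log. Nothing in the hunk shows a consumer that needs raw values, so I would drop the parameter and rely on nginx's default escaping, as `combined_realip` already does; the line would then begin `log_format combined_vhost '$host: $remote_addr` with the rest unchanged. `combined_realip` itself logs `$proxy_protocol_addr`, which is only filled in on listeners that accept the PROXY protocol, so a comment such as `# combined_realip: only for vhosts behind the PROXY-protocol stream proxy` would keep it from being used where the address field would be empty.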
@@ -149,6 +149,11 @@
 '';
 };
+ services.goatcounter = {
+ enable = true;
+ proxy = true;
+ };
+
 services.nginx = {
 commonHttpConfig = ''
 log_format combined_realip '$proxy_protocol_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent "$http_referer" "$http_user_agent"';
From 8685c9ddc99929381e81749fdcbc59b1396a895d Mon Sep 17 00:00:00 2001
From: fruchti
Date: Tue, 23 Dec 2025 17:38:05 +0100
Subject: [PATCH 4/5] Emitter: Keep logs for 14 days
---
 hosts/Emitter.nix | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/hosts/Emitter.nix b/hosts/Emitter.nix
index 3fc55c9..8f12e6e 100644
--- a/hosts/Emitter.nix
+++ b/hosts/Emitter.nix
@@ -165,7 +165,8 @@
 services.logrotate = {
 enable = true;
 settings.nginx = {
- rotate = 2;
+ frequency = "daily";
+ rotate = 14;
 };
 };
From e04e623deab13e1f738f933a722e6f32658da84d Mon Sep 17 00:00:00 2001
From: fruchti
Date: Tue, 23 Dec 2025 17:46:35 +0100
Subject: [PATCH 5/5] Emitter: Make Rupert TLS upstream IPv6-only
---
 hosts/tls_sni.nix | 23 ++++++++++-------------
 1 file changed, 10 insertions(+), 13 deletions(-)
diff --git a/hosts/tls_sni.nix b/hosts/tls_sni.nix
index b870e92..58e2195 100644
--- a/hosts/tls_sni.nix
+++ b/hosts/tls_sni.nix
@@ -3,31 +3,28 @@
 services.nginx = {
 streamConfig = ''
 map $ssl_preread_server_name $target_backend {
- md.gvfr.de rupert;
- rupert.gvfr.de rupert;
- default localserv;
+ default rupert;
+ md.gvfr.de rupert;
+ rupert.gvfr.de rupert;
+ git.25120.org localserv;
 }
 upstream rupert {
- server rupert.gvfr.de:4431;
+ zone upstream_rupert 64k;
+
+ server rupert.gvfr.de:4431 resolve;
+ resolver 9.9.9.9 ipv4=off ipv6=on;
 }
 upstream localserv {
- server localhost:4431;
+ server 127.0.0.1:4431;
 }
 server {
 listen 443;
 ssl_preread on;
-
- # proxy_connect_timeout 1s;
- # proxy_timeout 3s;
- # resolver 1.1.1.1;
-
- proxy_pass $target_backend;
- proxy_next_upstream off;
- proxy_protocol on;
+ proxy_pass $target_backend;
 }
 '';
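Review bot: `proxy = true` on `services.goatcounter` (patch 3/5) declares that the service sits behind a reverse proxy, but nothing in this series adds the nginx virtual host that fronts it, so it is not visible here which component sets the client-address headers it will presumably rely on. If that vhost lives elsewhere in the repository, a short comment such as `# fronted by nginx vhost <vhost-name>; listener must stay on loopback` would document the trust boundary. Should the service be reachable without the proxy, the visitor addresses it records could be chosen by the client.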
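Review bot: Dropping `proxy_protocol on;` from the stream `server` block in hosts/tls_sni.nix (patch 5/5) means both upstreams now receive the client's bytes with no PROXY header, while hosts/forgejo.nix in patch 1/5 still keeps `real_ip_header proxy_protocol;` and logs with `combined_realip`, which is built on `$proxy_protocol_addr`. If the listener behind `localserv` still expects the PROXY protocol, it will either reject these connections or take the client address from data the client itself sends, so the logged address stops being trustworthy. Either keep `proxy_protocol on;` next to `proxy_pass $target_backend;`, or remove PROXY-protocol handling from the 4431 listeners in the same series. Separately, `default rupert;` now forwards connections with unknown or missing SNI off-host, and the upstream address comes from an unauthenticated DNS lookup at 9.9.9.9; a comment stating that both are intended would help the next reader.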