1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
|
{ config, ... }:
let
nixpkgs = import <nixpkgs> {};
in
{
mkNginxConfig = name: ''
access_log /var/log/nginx/${name}.access.log json;
error_log /var/log/nginx/${name}.error.log;
'';
# Returns the default nginx logrotate settings for a specific virtual host.
mkNginxAccessLogrotateSettings = name: {
ignoreduplicates = true; # ignore any following matches (otherwise we get a 'duplicate log entry' error)
priority = 100; # default is 1000, smaller values are inserted first
files = [ "/var/log/nginx/${name}.access.log" ];
frequency = "weekly";
su = "${config.services.nginx.user} ${config.services.nginx.group}";
rotate = 26;
compress = true;
delaycompress = true;
postrotate = "[ ! -f /var/run/nginx/nginx.pid ] || kill -USR1 `cat /var/run/nginx/nginx.pid`";
};
commonHttpConfig = ''
map $request_uri $request_uri_path {
"~^(?P<path>[^?]*)(\?.*)?$" $path;
}
log_format json escape=json '{'
'"msec": "$msec", ' # request unixtime in seconds with a milliseconds resolution
'"remote_addr": "$remote_addr", ' # client IP
'"remote_user": "$remote_user", ' # client HTTP username
'"method": "$request_method", '
'"path": "$request_uri_path", '
'"args": "$args", '
'"status": "$status", ' # response status code
'"user_agent": "$http_user_agent", '
'"body_bytes_sent": "$body_bytes_sent", ' # the number of body bytes exclude headers sent to a client
'"request_time": "$request_time", ' # request processing time in seconds with msec resolution
'"http_host": "$http_host", ' # the request Host: header
'"http_referer": "$http_referer", ' # HTTP referer
'"http_x_forwarded_for": "$http_x_forwarded_for", ' # http_x_forwarded_for
'"connection": "$connection", ' # connection serial number
'"connection_requests": "$connection_requests", ' # number of requests made in connection
'"request_id": "$request_id", ' # the unique request id
'"request_length": "$request_length", ' # request length (including headers and body)
'"time_iso8601": "$time_iso8601", ' # local time in the ISO 8601 standard format
'"bytes_sent": "$bytes_sent", ' # the number of bytes sent to a client
'"server_name": "$server_name", ' # the name of the vhost serving the request
'"upstream": "$upstream_addr", ' # upstream backend server for proxied requests
'"upstream_connect_time": "$upstream_connect_time", ' # upstream handshake time incl. TLS
'"upstream_header_time": "$upstream_header_time", ' # time spent receiving upstream headers
'"upstream_response_time": "$upstream_response_time", ' # time spend receiving upstream body
'"upstream_response_length": "$upstream_response_length", ' # upstream response length
'"upstream_cache_status": "$upstream_cache_status", ' # cache HIT/MISS where applicable
'"ssl_protocol": "$ssl_protocol", ' # TLS protocol
'"ssl_cipher": "$ssl_cipher", ' # TLS cipher
'"scheme": "$scheme", ' # http or https
'"server_protocol": "$server_protocol", ' # request protocol, like HTTP/1.1 or HTTP/2.0
'"pipe": "$pipe", ' # "p" if request was pipelined, "." otherwise
'"gzip_ratio": "$gzip_ratio"'
'}';
'';
joinWgNamespace = ns: cfg:
nixpkgs.lib.attrsets.recursiveUpdate cfg {
bindsTo = ["netns@${ns}.service"];
after = ["wireguard-wg-${ns}.service"];
unitConfig.JoinsNamespaceOf = "netns@${ns}.service";
serviceConfig.NetworkNamespacePath = "/var/run/netns/${ns}";
};
mkPortProxy = service: ns: port: {
description = "Forward to ${service} in network namespace ${ns}";
requires = ["${service}.service"];
after = ["${service}.service"];
partOf = ["${service}.service"];
serviceConfig = {
Restart = "on-failure";
TimeoutStopSec = 300;
};
wantedBy = ["multi-user.target"];
script =
let
pkgs = nixpkgs.pkgs;
in
''
${pkgs.iproute2}/bin/ip netns exec ${ns} ${pkgs.iproute2}/bin/ip link set dev lo up
${pkgs.socat}/bin/socat tcp-listen:${toString port},fork,reuseaddr exec:'${pkgs.iproute2}/bin/ip netns exec ${ns} ${pkgs.socat}/bin/socat STDIO "tcp-connect:localhost:${toString port}"',nofork
'';
};
}
|
