nginx: added log scraping for loki

2024-11-24 23:10:17 +07:00 · 2024-11-24 23:10:17 +07:00 · a4c05c7a60
parent c760e55c24
commit a4c05c7a60
2 changed files with 107 additions and 69 deletions
--- a/system/services/nginx.nix
+++ b/system/services/nginx.nix
@ -60,23 +60,23 @@ in
        in
        # html
        ''
-          <!DOCTYPE html>
-          <html>
-              <head>
-                  <title>Hosted Sites</title>
-                  <link
-                    rel="stylesheet"
-                    href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/css/bootstrap.min.css"
-                    integrity="sha384-QWTKZyjpPEjISv5WaRU9OFeRpok6YctnYmDr5pNlyT2bRjXh0JMhjY6hW+ALEwIH"
-                    crossorigin="anonymous">
-              </head>
-              <body class="container">
-                  <h1 class="text-center">Hosted Sites</h1>
-                  <div class="row g-4">
-                      ${items}
-                  </div>
-              </body>
-          </html>
+                   <!DOCTYPE html>
+                   <html>
+                       <head>
+                           <title>Hosted Sites</title>
+                           <link
+                             rel="stylesheet"
+                             href="https://cdn.jsdelivr.net/npm/bootstrap@5.3.3/dist/css/bootstrap.min.css"
+                             integrity="sha384-QWTKZyjpPEjISv5WaRU9OFeRpok6YctnYmDr5pNlyT2bRjXh0JMhjY6hW+ALEwIH"
+                             crossorigin="anonymous">
+                       </head>
+                       <body class="container">
+          <h1 class="text-center">Hosted Sites</h1>
+                           <div class="row g-4">
+                               ${items}
+                           </div>
+                       </body>
+                   </html>
        '';
      user = "nginx";
      group = "nginx";
@ -99,23 +99,23 @@ in

    # Enable Real IP from Cloudflare
    services.nginx.commonHttpConfig =
-      # let
-      #   realIpsFromList = lib.strings.concatMapStringsSep "\n" (x: "set_real_ip_from  ${x};");
-      #   fileToList = x: lib.strings.splitString "\n" (builtins.readFile x);
-      #   cfipv4 = fileToList (
-      #     pkgs.fetchurl {
-      #       url = "https://www.cloudflare.com/ips-v4";
-      #       sha256 = "0ywy9sg7spafi3gm9q5wb59lbiq0swvf0q3iazl0maq1pj1nsb7h";
-      #     }
-      #   );
-      #   cfipv6 = fileToList (
-      #     pkgs.fetchurl {
-      #       url = "https://www.cloudflare.com/ips-v6";
-      #       sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy";
-      #     }
-      #   );
-      # in
-      #nginx
+      let
+        realIpsFromList = lib.strings.concatMapStringsSep "\n" (x: "set_real_ip_from  ${x};");
+        fileToList = x: lib.strings.splitString "\n" (builtins.readFile x);
+        cfipv4 = fileToList (
+          pkgs.fetchurl {
+            url = "https://www.cloudflare.com/ips-v4";
+            sha256 = "0ywy9sg7spafi3gm9q5wb59lbiq0swvf0q3iazl0maq1pj1nsb7h";
+          }
+        );
+        cfipv6 = fileToList (
+          pkgs.fetchurl {
+            url = "https://www.cloudflare.com/ips-v6";
+            sha256 = "1ad09hijignj6zlqvdjxv7rjj8567z357zfavv201b9vx3ikk7cy";
+          }
+        );
+      in
+      # nginx
      ''
        geo $auth_ip {
            default "Password required";
@ -124,11 +124,84 @@ in
            192.168.0.0/16 off;
        }

+        ${realIpsFromList cfipv4}
+        ${realIpsFromList cfipv6}
+        real_ip_header CF-Connecting-IP;
+
        auth_basic_user_file ${config.sops.secrets."nginx/htpasswd".path};
+
+        log_format json_combined escape=json '{'
+            '"time_local":"$time_local",'
+            '"host":"$host",'
+            '"remote_addr":"$remote_addr",'
+            '"remote_user":"$remote_user",'
+            '"request":"$request",'
+            '"status":$status,'
+            '"body_bytes_sent":"$body_bytes_sent",'
+            '"http_referer":"$http_referer",'
+            '"http_user_agent":"$http_user_agent",'
+            '"http_x_forwarded_for":"$http_x_forwarded_for",'
+            '"request_time":"$request_time",'
+            '"upstream_addr":"$upstream_addr",'
+            '"upstream_response_time":"$upstream_response_time",'
+            '"upstream_status":"$upstream_status"'
+        '}';
+        access_log /var/log/nginx/access.log json_combined;
      '';

    # This is needed for nginx to be able to read other processes
    # directories in `/run`. Else it will fail with (13: Permission denied)
    systemd.services.nginx.serviceConfig.ProtectHome = false;
+
+    environment.etc."alloy/config.alloy".text =
+      # hcl
+      ''
+          local.file_match "nginx_access_log" {
+              path_targets = [
+                  {
+                      "__path__" = "/var/log/nginx/access.log",
+                  },
+              ]
+              sync_period = "30s"
+          }   
+
+          loki.source.file "nginx_access_log" {
+            targets = local.file_match.nginx_access_log.targets
+            forward_to = [loki.process.nginx_access_log.receiver]
+          }
+
+          loki.process "nginx_access_log" {
+              forward_to = [loki.write.default.receiver]
+
+              stage.json {
+                  expressions = {
+                      time = "time_local",
+                      host = "",
+                      request = "",
+                      status = "",
+                  }
+              }
+
+              stage.labels {
+                  values = {
+                      host = "",
+                      request = "",
+                      status = "",
+                  }
+              }
+
+              stage.static_labels {
+                  values = {
+                      level = "info",
+                  }
+              } 
+
+              stage.timestamp {
+                  source = "time"
+                  format = "_2/Jan/2006:15:04:05 -0700"
+              }
+        }
+      '';
+
  };
 }
--- a/system/services/telemetry/alloy.nix
+++ b/system/services/telemetry/alloy.nix
@ -9,7 +9,6 @@ let
  webguiListenAddress = "0.0.0.0:5319";
  otelcolHTTPListenAddress = "192.168.100.5:4318";
  otelcolGRPCListenAddress = "192.168.100.5:4317";
-  domain = "alloy.tigor.web.id";
 in
 {
  # imports = [
@ -23,40 +22,6 @@ in
      extraFlags = [ ''--server.http.listen-addr=${webguiListenAddress}'' ];
      package = unstable.grafana-alloy;
    };
-    services.caddy.virtualHosts.${domain}.extraConfig = ''
-      @require_auth not remote_ip private_ranges
-
-      basic_auth @require_auth {
-        {$AUTH_USERNAME} {$AUTH_PASSWORD}
-      }
-
-      reverse_proxy ${webguiListenAddress}
-    '';
-
-    services.caddy.virtualHosts."otelhttp.tigor.web.id".extraConfig = ''
-      @require_auth not remote_ip private_ranges
-
-      basic_auth @require_auth {
-        {$AUTH_USERNAME} {$AUTH_PASSWORD}
-      }
-
-      reverse_proxy ${otelcolHTTPListenAddress}
-    '';
-
-    services.caddy.virtualHosts."otelgrpc.tigor.web.id".extraConfig = ''
-      @require_auth not remote_ip private_ranges
-
-      basic_auth @require_auth {
-        {$AUTH_USERNAME} {$AUTH_PASSWORD}
-      }
-
-      reverse_proxy ${otelcolGRPCListenAddress} {
-        transport http {
-            tls
-            tls_insecure_skip_verify
-        }
-      }
-    '';

    systemd.services.alloy.serviceConfig = {
      User = "root";