logging and ddos protection

2026-02-26 06:02:34 -05:00 · 2025-08-22 22:52:35 -04:00 · 2025-08-22 22:52:35 -04:00 · 9aca33af0a
commit 9aca33af0a
parent b60067d31e
4 changed files with 106 additions and 10 deletions
--- a/modules/services/system-logging/default.nix
+++ b/modules/services/system-logging/default.nix
@ -0,0 +1,64 @@
+{
+  pkgs,
+  config,
+  ...
+}: let
+  lokiConfig = pkgs.writeText "lokiconfig" ''
+    # This is a complete configuration to deploy Loki backed by the filesystem.
+    # The index will be shipped to the storage via tsdb-shipper.
+
+    auth_enabled: false
+
+    server:
+      http_listen_port: 3100
+
+    common:
+      ring:
+        instance_addr: 127.0.0.1
+        kvstore:
+          store: inmemory
+      replication_factor: 1
+      path_prefix: /tmp/loki
+
+    schema_config:
+      configs:
+      - from: 2020-05-15
+        store: tsdb
+        object_store: filesystem
+        schema: v13
+        index:
+          prefix: index_
+          period: 24h
+
+    storage_config:
+      filesystem:
+        directory: /tmp/loki/chunks
+  '';
+
+  alloyConfig = pkgs.writeText "alloyconfig" '''';
+in {
+  services = {
+    grafana = {
+      enable = true;
+      settings = {
+        analytics.reporting_enabled = false;
+        server = {
+          http_addr = "127.0.0.1";
+          http_port = 2432;
+          enable_gzip = true;
+          domain = "logs.wanderingcrow.net";
+          #root_url = "https://logs.wanderingcrow.net/${config.hostSpec.hostName}";
+          #serve_from_subpath = false;
+        };
+      };
+    };
+    loki = {
+      enable = true;
+      configFile = lokiConfig;
+    };
+    alloy = {
+      enable = true;
+      configPath = alloyConfig;
+    };
+  };
+}
--- a/modules/services/system-logging/nginx.nix
+++ b/modules/services/system-logging/nginx.nix
@ -0,0 +1,26 @@
+{
+  config,
+  inputs,
+  ...
+}: {
+  services.nginx = {
+    enable = true;
+    recommendedProxySettings = true;
+    virtualHosts = {
+      "logs.wanderingcrow.net" = {
+        forceSSL = true;
+        useACMEHost = "logs.wanderingcrow.net";
+        locations."/" = {
+          extraConfig = ''
+            allow 192.168.0.0/16;
+            allow ${inputs.nix-secrets.network.primary.publicIP};
+            deny all;
+          '';
+          proxyPass = "http://${builtins.toString config.services.grafana.settings.server.http_addr}:${builtins.toString config.services.grafana.settings.server.http_port}";
+          proxyWebsockets = true;
+          recommendedProxySettings = true;
+        };
+      };
+    };
+  };
+}