Diffstat (limited to 'modules/nginx.nix')
-rw-r--r--modules/nginx.nix59
1 files changed, 53 insertions, 6 deletions
diff --git a/modules/nginx.nix b/modules/nginx.nix
index dee08e4..e41999c 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@@ -28,11 +28,15 @@ in
   config = lib.mkIf cfg.enable {
     _module.args.libNginx.config = {
       internalOnly = ''
-        add_header X-Robots-Tag "noindex, nofollow, noarchive, nosnippet";
-        access_log off;
         if ($internal != 1) {
           return 403;
         }
+        access_log off;
+      '';
+      noAICrawlers = ''
+        if ($crawler != 0) {
+          return 403;
+        }
       '';
       appendHead = text: ''
         brotli off;
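Review bot: Moving `access_log off;` below the `if ($internal != 1)` block in `internalOnly` does not make the 403 denials show up in the log, because nginx directive order has no effect here and the `if` block inherits the setting from its enclosing context. Rejected attempts to reach internal-only endpoints therefore still leave no access-log entry, which is the traffic a defender would most want to see. If that is intended, a comment such as `# access_log off also covers the 403 above; denied requests are not logged` would record it. Otherwise a conditional `access_log ... if=...` keyed on the inverse of `$internal` could keep the denials; the definition of `$internal` is outside this hunk.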
@@ -80,6 +84,20 @@ in
         commonHttpConfig = lib.concatStrings [
           ''
             access_log syslog:server=unix:/dev/log;
+
+            map $http_user_agent $crawler {
+              default 0;
+              ${
+                pkgs.fetchurl {
+                  url = "https://raw.githubusercontent.com/ai-robots-txt/ai.robots.txt/5e7c3c432f8bad894363c7289b888328f98963f3/robots.json";
+                  hash = "sha256-purIvhot5wNyQH2fYrwQ8E/WaO/EYdOeqxQM5xLb8zA=";
+                }
+                |> builtins.readFile
+                |> builtins.fromJSON
+                |> lib.mapAttrsToList (n: _: "'${n}' 1;")
+                |> lib.concatLines
+              }
+            }
           ''
           (lib.optionalString (lib.hasAttr "wireguard" this) (
             with config.nixfiles.modules.wireguard;
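Review bot: The generated `map $http_user_agent $crawler` entries are plain strings (`'${n}' 1;`), which nginx compares against the whole User-Agent value, ignoring case. A crawler that sends a longer header that merely contains its token would still map to 0 and pass the `noAICrawlers` check. A case-insensitive regex entry would match the token anywhere in the header, for example `|> lib.mapAttrsToList (n: _: "'~*${lib.escapeRegex n}' 1;")`. The escaping also keeps names with regex metacharacters literal. The names are interpolated into the nginx config unvalidated, so the pinned commit and `hash` on the `fetchurl` are what keep that input fixed, and the key names should be rechecked whenever the pin is bumped.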
@@ -126,13 +144,42 @@ in
         nginx-botsearch.enabled = true;
       };
 
-      prometheus.exporters.nginx = {
-        enable = true;
-        listenAddress = lib.mkDefault this.wireguard.ipv4.address;
-        port = lib.mkDefault 9113;
+      prometheus.exporters = {
+        nginx = {
+          enable = true;
+          listenAddress = "127.0.0.1";
+          port = 9113;
+        };
+        nginxlog = {
+          enable = false;
+          listenAddress = "127.0.0.1";
+          port = 9117;
+          group = "nginx";
+          settings.namespaces = [
+            {
+              source.syslog = {
+                # TODO
+              };
+            }
+          ];
+        };
       };
     };
 
+    systemd.services.alloy.reloadTriggers = [ config.environment.etc."alloy/nginx.alloy".source ];
+
+    environment.etc."alloy/nginx.alloy".text = with config.services.prometheus.exporters.nginx; ''
+      prometheus.scrape "nginx" {
+        targets = [
+          {
+            __address__ = "${listenAddress}:${toString port}",
+            instance    = "${config.networking.hostName}",
+          },
+        ]
+        forward_to = [prometheus.relabel.default.receiver]
+      }
+    '';
+
     security.dhparams = {
       enable = true;
       params.nginx = { };
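Review bot: `systemd.services.alloy.reloadTriggers` and `environment.etc."alloy/nginx.alloy"` are defined for every host that enables this module, with no check that Alloy is configured there. On a host without it this presumably leaves a stub `alloy` unit and an unused config file; the Alloy setup itself is outside this hunk, so this is inferred. Wrapping both in `lib.mkIf config.services.alloy.enable { ... }` would tie them to the service. The `nginxlog` exporter is committed disabled with an empty `source.syslog` and a bare `# TODO`; a comment saying what is still missing, such as the syslog listen address and log format, would help the next reader. Binding both exporters to `127.0.0.1` instead of the WireGuard address is a good reduction in exposure.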
