fail2ban: Add metrics

configuration/default.nix

@@ -140,20 +140,8 @@
     domain = "tlater.net";
 
     statusPage = true; # For metrics, should be accessible only from localhost
-
-    commonHttpConfig = ''
-      log_format upstream_time '$remote_addr - $remote_user [$time_local] '
-                         '"$request" $status $body_bytes_sent '
-                         '"$http_referer" "$http_user_agent" '
-                         'rt=$request_time uct="$upstream_connect_time" '
-                         'uht="$upstream_header_time" urt="$upstream_response_time"';
-    '';
   };
 
-  systemd.tmpfiles.rules =
-    lib.mapAttrsToList (virtualHost: config: "d /var/log/nginx/${virtualHost} 0750 nginx nginx")
-    config.services.nginx.virtualHosts;
-
   security.acme = {
     defaults.email = "tm@tlater.net";
     acceptTerms = true;

configuration/services/conduit.nix

@@ -205,7 +205,6 @@ in {
     addSSL = true;
     extraConfig = ''
       merge_slashes off;
-      access_log /var/log/nginx/${domain}/access.log upstream_time;
     '';
 
     locations = {

configuration/services/foundryvtt.nix

@@ -25,7 +25,6 @@ in {
     enableACME = true;
     extraConfig = ''
       add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
-      access_log /var/log/nginx/${domain}/access.log upstream_time;
     '';
 
     locations."/" = {

configuration/services/gitea.nix

@@ -33,7 +33,6 @@ in {
     enableACME = true;
     extraConfig = ''
       add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
-      access_log /var/log/nginx/${domain}/access.log upstream_time;
     '';
 
     locations."/".proxyPass = "http://${httpAddress}:${toString httpPort}";

configuration/services/metrics/default.nix

@@ -63,27 +63,6 @@ in {
     nginxlog = {
       enable = true;
       listenAddress = "127.0.0.1";
-      group = "nginx";
-
-      settings.namespaces =
-        lib.mapAttrsToList (name: virtualHost: {
-          inherit name;
-          metrics_override.prefix = "nginxlog";
-          namespace_label = "vhost";
-
-          format = lib.concatStringsSep " " [
-            "$remote_addr - $remote_user [$time_local]"
-            ''"$request" $status $body_bytes_sent''
-            ''"$http_referer" "$http_user_agent"''
-            ''rt=$request_time uct="$upstream_connect_time"''
-            ''uht="$upstream_header_time" urt="$upstream_response_time"''
-          ];
-
-          source.files = [
-            "/var/log/nginx/${name}/access.log"
-          ];
-        })
-        config.services.nginx.virtualHosts;
     };
   };
 
@@ -137,7 +116,6 @@ in {
     enableACME = true;
     extraConfig = ''
       add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
-      access_log /var/log/nginx/${domain}/access.log upstream_time;
     '';
     locations."/".proxyPass = "http://localhost:3001";
   };

configuration/services/nextcloud.nix

@@ -50,9 +50,6 @@ in {
   services.nginx.virtualHosts."${hostName}" = {
     forceSSL = true;
     enableACME = true;
-    extraConfig = ''
-      access_log /var/log/nginx/${hostName}/access.log upstream_time;
-    '';
   };
 
   # Block repeated failed login attempts

configuration/services/webserver.nix

@@ -19,7 +19,6 @@ in {
     enableACME = true;
     extraConfig = ''
       add_header Strict-Transport-Security "max-age=15552000; includeSubDomains" always;
-      access_log /var/log/nginx/${domain}/access.log upstream_time;
     '';
 
     locations."/".proxyPass = "http://${addr}:${toString port}";