Diffstat (limited to 'modules')
-rw-r--r--modules/foundation/www/default.nix63
1 files changed, 44 insertions, 19 deletions
diff --git a/modules/foundation/www/default.nix b/modules/foundation/www/default.nix
index 97e2f2f..5030799 100644
--- a/modules/foundation/www/default.nix
+++ b/modules/foundation/www/default.nix
@@ -4,6 +4,8 @@
   pkgs,
   lib,
   util,
+  cloudflare-ips-v4,
+  cloudflare-ips-v6,
   ...
 }:
 
@@ -13,6 +15,9 @@ let
     mkIf
     mkEnableOption
     mkOption
+    concatMapStrings
+    concatLines
+    splitString
     ;
   inherit (config.age) secrets;
 
@@ -109,25 +114,45 @@ in
 
       statusPage = true;
 
-      commonHttpConfig = ''
-        log_format json_combined escape=json '{'
-          '"time_local":"$time_local",'
-          '"remote_addr":"$remote_addr",'
-          '"remote_user":"$remote_user",'
-          '"request":"$request",'
-          '"status": "$status",'
-          '"body_bytes_sent":"$body_bytes_sent",'
-          '"request_length":"$request_length",'
-          '"request_time":"$request_time",'
-          '"http_referrer":"$http_referer",'
-          '"http_user_agent":"$http_user_agent",'
-          '"upstream_response_time":"$upstream_response_time",'
-          '"upstream_addr":"$upstream_addr",'
-          '"upstream_status":"$upstream_status"'
-        '}';
-        access_log /var/log/nginx/access.log json_combined;
-        error_log /var/log/nginx/error.log warn;
-      '';
+      commonHttpConfig =
+        let
+          logs = ''
+            log_format json_combined escape=json '{'
+              '"time_local":"$time_local",'
+              '"remote_addr":"$remote_addr",'
+              '"remote_user":"$remote_user",'
+              '"request":"$request",'
+              '"status": "$status",'
+              '"body_bytes_sent":"$body_bytes_sent",'
+              '"request_length":"$request_length",'
+              '"request_time":"$request_time",'
+              '"http_referrer":"$http_referer",'
+              '"http_user_agent":"$http_user_agent",'
+              '"upstream_response_time":"$upstream_response_time",'
+              '"upstream_addr":"$upstream_addr",'
+              '"upstream_status":"$upstream_status",'
+              '"cf_connecting_ip":"$http_cf_connecting_ip"'
+            '}';
+            access_log /var/log/nginx/access.log json_combined;
+            error_log /var/log/nginx/error.log warn;
+          '';
+
+          cloudflareAddresses = builtins.filter (ip: ip != "") (
+            splitString "\n" ''
+              ${builtins.readFile cloudflare-ips-v4}
+              ${builtins.readFile cloudflare-ips-v6}
+            ''
+          );
+
+          realIpLine = ip: "set_real_ip_from ${ip};\n";
+
+          cloudflare = ''
+            ${concatMapStrings realIpLine cloudflareAddresses}
+
+            real_ip_header CF-Connecting-IP;
+          '';
+        in
+        concatLines [ logs cloudflare ];
 
       virtualHosts = {
         base = mkIf cfg.public (defaultHost rnrdUrl "rnrd.eu" cfg.defaultPage "base");
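Review bot: The new `cf_connecting_ip` log field records the raw `$http_cf_connecting_ip` header, which is only meaningful for connections arriving from one of the `set_real_ip_from` ranges; for any other client the header is whatever the sender chose to put in it, whereas `$remote_addr` (already in the format) is the value the realip module has validated. A comment above that field such as `# raw header, unvalidated: rely on $remote_addr, which realip rewrites only for sources listed in set_real_ip_from` would keep later readers from keying alerts or rate limits on the wrong field. The `cloudflareAddresses` filter drops only empty strings, so a trailing carriage return or whitespace in either fetched list would reach nginx as a malformed `set_real_ip_from` line; mapping `lib.trim` over the split lines before the filter (if the pinned nixpkgs provides it) would close that, e.g. `builtins.filter (ip: ip != "") (map lib.trim (splitString "\n" ...))`. The two list files are pinned inputs, so a stale snapshot leaves newly added Cloudflare ranges untrusted and `$remote_addr` for those edges falls back to the edge address — not a spoofing path, but per-client logging and limits degrade until the inputs are refreshed. The enclosing nginx attribute set begins before and ends after this hunk.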