From c06161a62abfb2e2dcf60636475036337ec15886 Mon Sep 17 00:00:00 2001
From: Rouven Seifert
Date: Wed, 1 Mar 2023 16:39:41 +0100
Subject: [PATCH] anonymize ip adresses in nginx logs
---
 modules/nginx.nix | 19 ++++++++++++++++++-
 1 file changed, 18 insertions(+), 1 deletion(-)
diff --git a/modules/nginx.nix b/modules/nginx.nix
index c97c327..7cc17f2 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@@ -1,6 +1,23 @@
 { config, pkgs, ... }:
 {
- services.nginx.enable = true;
+ services.nginx = {
+ enable = true;
+ appendHttpConfig = ''
+ map $remote_addr $remote_addr_anon {
+ ~(?P\d+\.\d+\.\d+)\. $ip.0;
+ ~(?P[^:]+:[^:]+): $ip::;
+ # IP addresses to not anonymize
+ 127.0.0.1 $remote_addr;
+ ::1 $remote_addr;
+ default 0.0.0.0;
+ }
+ log_format anon_ip '$remote_addr_anon - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log anon_ip;
+ '';
+ };
 security.acme = {
 acceptTerms = true;
 defaults = {
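Review bot: The `log_format anon_ip` definition still writes `$http_x_forwarded_for` verbatim, so whenever a request carries that header (for instance behind a reverse proxy or load balancer) the full client address lands in the access log right next to the masked `$remote_addr_anon`. Consider ending the format at `'"$http_user_agent"';`, or passing the header through a map of its own before logging it. The http-level `access_log` only applies where no server or location block sets its own, and nginx's error log keeps recording the unmasked client address, so both paths need a separate check before the logs can be treated as anonymized. As shown here the two capture groups read `(?P\d+...` and `(?P[^:]+...` without a group name while the results refer to `$ip`; if that is not a rendering artefact of this page, they need to be written `(?P<ip>...)`.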