
[bug#56330] services: Add anonip-service-type.

Message ID 20220630231551.16188-1-rekado@elephly.net
State Accepted


Commit Message

Ricardo Wurmus June 30, 2022, 11:15 p.m. UTC
* gnu/services/web.scm (anonip-configuration): New record type.
(anonip-configuration?, anonip-configuration-anonip,
anonip-configuration-log-file, anonip-configuration-fifo-directory,
anonip-configuration-output-directory): New procedures.
(anonip-service-type): New service type.
* doc/guix.texi (Log Rotation): Add subheading for Anonip Service.
---
 doc/guix.texi        | 58 +++++++++++++++++++++++++++++++++-
 gnu/services/web.scm | 74 +++++++++++++++++++++++++++++++++++++++++++-
 2 files changed, 130 insertions(+), 2 deletions(-)


diff --git a/doc/guix.texi b/doc/guix.texi
index b8c49099a4..d23d3b1fbc 100644
--- a/doc/guix.texi
+++ b/doc/guix.texi
@@ -30,7 +30,7 @@  Copyright @copyright{} 2015, 2016 Mathieu Lirzin@*
 Copyright @copyright{} 2014 Pierre-Antoine Rault@*
 Copyright @copyright{} 2015 Taylan Ulrich Bayırlı/Kammer@*
 Copyright @copyright{} 2015, 2016, 2017, 2019, 2020, 2021 Leo Famulari@*
-Copyright @copyright{} 2015, 2016, 2017, 2018, 2019, 2020, 2021 Ricardo Wurmus@*
+Copyright @copyright{} 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022 Ricardo Wurmus@*
 Copyright @copyright{} 2016 Ben Woodcroft@*
 Copyright @copyright{} 2016, 2017, 2018, 2021 Chris Marusich@*
 Copyright @copyright{} 2016, 2017, 2018, 2019, 2020, 2021, 2022 Efraim Flashner@*
@@ -18700,6 +18700,62 @@  String or gexp denoting the corresponding mcron job schedule
 @end table
 @end deftp
 
+@cindex logging, anonymization
+@subheading Anonip Service
+
+Anonip is a privacy filter that removes IP address from web server logs.
+This service creates a FIFO and filters any written lines with anonip
+before writing the filtered log to a target file.
+
+The following example sets up the FIFO
+@file{/var/run/anonip/https.access.log} and writes the filtered log file
+@file{/var/log/anonip/https.access.log}.
+
+@lisp
+(service anonip-service-type
+         (anonip-configuration
+           (log-file "https.access.log")))
+@end lisp
+
+The directories to store the FIFO and the filtered log can be changed
+with @code{fifo-directory} and @code{output-directory}, respectively.
+In the following example the filtered log file would be written to
+@file{/var/web-logs/https.access.log}.
+
+@lisp
+(service anonip-service-type
+         (anonip-configuration
+           (log-file "https.access.log")
+           (output-directory "/var/web-logs/https.access.log")))
+@end lisp
+
+Configure your web server to write its logs to the FIFO at
+@file{/var/run/anonip/https.access.log} and collect the anonymized log
+file at @file{/var/web-logs/https.access.log}.
+
+@deftp {Data Type} anonip-configuration
+This data type represents the configuration of anonip.
+It has the following parameters:
+
+@table @asis
+@item @code{anonip} (default: @code{anonip})
+The anonip package to use.
+
+@item @code{log-file}
+The file name of the log file to process.  This name is used in the FIFO
+as well as in the filtered log file.  This must not be an absolute file
+name.
+
+@item @code{fifo-directory} (default: @code{"/var/run/anonip"})
+The directory where the FIFO file is created.
+
+@item @code{output-directory} (default: @code{"/var/log/anonip"})
+The directory to which the filtered log file will be written.
+
+@end table
+@end deftp
+
+
 @node Networking Setup
 @subsection Networking Setup
 
diff --git a/gnu/services/web.scm b/gnu/services/web.scm
index 4f06d4e0bb..641a928e41 100644
--- a/gnu/services/web.scm
+++ b/gnu/services/web.scm
@@ -9,7 +9,7 @@ 
 ;;; Copyright © 2018 Pierre-Antoine Rouby <pierre-antoine.rouby@inria.fr>
 ;;; Copyright © 2018 Marius Bakke <mbakke@fastmail.com>
 ;;; Copyright © 2019, 2020 Florian Pelz <pelzflorian@pelzflorian.de>
-;;; Copyright © 2020 Ricardo Wurmus <rekado@elephly.net>
+;;; Copyright © 2020, 2022 Ricardo Wurmus <rekado@elephly.net>
 ;;; Copyright © 2020 Tobias Geerinckx-Rice <me@tobias.gr>
 ;;; Copyright © 2020 Arun Isaac <arunisaac@systemreboot.net>
 ;;; Copyright © 2020 Oleg Pykhalov <go.wigust@gmail.com>
@@ -204,6 +204,14 @@  (define-module (gnu services web)
 
             tailon-service-type
 
+            anonip-configuration
+            anonip-configuration?
+            anonip-configuration-anonip
+            anonip-configuration-log-file
+            anonip-configuration-fifo-directory
+            anonip-configuration-output-directory
+            anonip-service-type
+
             varnish-configuration
             varnish-configuration?
             varnish-configuration-package
@@ -1343,6 +1351,70 @@  (define tailon-service-type
                                  files))))))))
    (default-value (tailon-configuration))))
 
+
+
+;;;
+;;; Log anonymization
+;;;
+
+(define-record-type* <anonip-configuration>
+  anonip-configuration make-anonip-configuration
+  anonip-configuration?
+  (anonip            anonip-configuration-anonip ;file-like
+                     (default anonip))
+  (log-file          anonip-configuration-log-file)          ;string
+  (fifo-directory    anonip-configuration-fifo-directory
+                     (default "/var/run/anonip"))            ;string
+  (output-directory  anonip-configuration-output-directory
+                     (default "/var/log/anonip")))           ;string
+
+(define (anonip-activation config)
+  (with-imported-modules '((guix build utils))
+    #~(begin
+        (use-modules (guix build utils))
+        (for-each
+         (lambda (directory)
+           (mkdir-p directory)
+           (chmod directory #o755))
+         (list #$(anonip-configuration-output-directory config)
+               #$(anonip-configuration-fifo-directory config))))))
+
+(define (anonip-shepherd-service config)
+  (let ((log-file (anonip-configuration-log-file config))
+        (fifos    (anonip-configuration-fifo-directory config))
+        (outputs  (anonip-configuration-output-directory config)))
+    (list (shepherd-service
+           (provision (list (symbol-append 'anonip- (string->symbol log-file))))
+           (requirement '(user-processes))
+           (documentation "Anonimyze the given log file location with anonip.")
+           (start #~(lambda _
+                      (let ((fifo #$(format #false "~a/~a" fifos log-file)))
+                        (unless (file-exists? fifo)
+                          (mknod fifo 'fifo #o600 0))
+                        (let ((pid (fork+exec-command
+                                    (list #$(file-append (anonip-configuration-anonip config)
+                                                         "/bin/anonip")
+                                          (string-append "--input=" fifo)
+                                          (string-append "--output=" #$(format #false "~a/~a" outputs log-file)))
+                                    ;; Run in a UTF-8 locale
+                                    #:environment-variables
+                                    (list (string-append "GUIX_LOCPATH=" #$glibc-utf8-locales
+                                                         "/lib/locale")
+                                          "LC_ALL=en_US.utf8"))))
+                          pid))))
+           (stop #~(make-kill-destructor))))))
+
+(define anonip-service-type
+  (service-type
+   (name 'anonip)
+   (extensions
+    (list (service-extension shepherd-root-service-type
+                             anonip-shepherd-service)
+          (service-extension activation-service-type
+                             anonip-activation)))
+   (description
+    "Provide web server log anonymization with @command{anonip}.")))
+
 
 ;;;
 ;;; Varnish
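Review bot: The `(unless (file-exists? fifo) (mknod fifo 'fifo #o600 0))` guard in the `start` of anonip-shepherd-service checks only existence, not file type, so if something has already created a regular file at that path (for instance a web server started earlier that opens its access log with O_CREAT) the mknod is skipped and anonip is launched on a plain file rather than a FIFO; the filter would presumably read to EOF and exit while the server keeps appending un-anonymized lines there, silently defeating the service. Checking the type with `stat:type` and failing loudly on a non-FIFO makes that mismatch visible. Start ordering between the web server and this service is otherwise left to the user, since `requirement` is only `'(user-processes)`; the texinfo could state that the web server's service should require `anonip-<log-file>`. The FIFO is created with mode `#o600` by the shepherd process, so the writer has to open it as the same user; a one-line comment next to the `mknod` stating that assumption would help. The `documentation` string also misspells "Anonymize" as "Anonimyze".
```scheme
(start #~(lambda _
           (let ((fifo #$(format #false "~a/~a" fifos log-file)))
             ;; Refuse to run on anything that is not a FIFO: a
             ;; pre-existing regular file here would silently bypass
             ;; the filter.
             (when (and (file-exists? fifo)
                        (not (eq? 'fifo (stat:type (stat fifo)))))
               (error "anonip: input path exists but is not a FIFO" fifo))
             (unless (file-exists? fifo)
               (mknod fifo 'fifo #o600 0))
             ;; … unchanged: fork+exec-command of anonip …
```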