[PATCH] services: Add anonip-service-type.

+++ b/doc/guix.texi

+Copyright @copyright{} 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022 Ricardo Wurmus@*

+@cindex logging, anonymization

+@subheading Anonip Service

+

+Anonip is a privacy filter that removes IP address from web server logs.

+This service creates a FIFO and filters any written lines with anonip

+before writing the filtered log to a target file.

+

+The following example sets up the FIFO

+@file{/var/run/anonip/https.access.log} and writes the filtered log file

+@file{/var/log/anonip/https.access.log}.

+

+@lisp

+(service anonip-service-type

+ (anonip-configuration

+ (log-file "https.access.log")))

+@end lisp

+

+The directories to store the FIFO and the filtered log can be changed

+with @code{fifo-directory} and @code{output-directory}, respectively.

+In the following example the filtered log file would be written to

+@file{/var/web-logs/https.access.log}.

+

+@lisp

+(service anonip-service-type

+ (anonip-configuration

+ (log-file "https.access.log")

+ (output-directory "/var/web-logs/https.access.log")))

+@end lisp

+

+Configure your web server to write its logs to the FIFO at

+@file{/var/run/anonip/https.access.log} and collect the anonymized log

+file at @file{/var/web-logs/https.access.log}.

+

+@deftp {Data Type} anonip-configuration

+This data type represents the configuration of anonip.

+It has the following parameters:

+

+@table @asis

+@item @code{anonip} (default: @code{anonip})

+The anonip package to use.

+

+@item @code{log-file}

+The file name of the log file to process. This name is used in the FIFO

+as well as in the filtered log file. This must not be an absolute file

+name.

+

+@item @code{fifo-directory} (default: @code{"/var/run/anonip"})

+The directory where the FIFO file is created.

+

+@item @code{output-directory} (default: @code{"/var/log/anonip"})

+The directory to which the filtered log file will be written.

+

+@end table

+@end deftp

+

+

+++ b/gnu/services/web.scm

+;;; Copyright © 2020, 2022 Ricardo Wurmus <rekado@elephly.net>

+ anonip-configuration

+ anonip-configuration?

+ anonip-configuration-anonip

+ anonip-configuration-log-file

+ anonip-configuration-fifo-directory

+ anonip-configuration-output-directory

+ anonip-service-type

+

+

+

+;;;

+;;; Log anonymization

+;;;

+

+(define-record-type* <anonip-configuration>

+ anonip-configuration make-anonip-configuration

+ anonip-configuration?

+ (anonip anonip-configuration-anonip ;file-like

+ (default anonip))

+ (log-file anonip-configuration-log-file) ;string

+ (fifo-directory anonip-configuration-fifo-directory

+ (default "/var/run/anonip")) ;string

+ (output-directory anonip-configuration-output-directory

+ (default "/var/log/anonip"))) ;string

+

+(define (anonip-activation config)

+ (with-imported-modules '((guix build utils))

+ #~(begin

+ (use-modules (guix build utils))

+ (for-each

+ (lambda (directory)

+ (mkdir-p directory)

+ (chmod directory #o755))

+ (list #$(anonip-configuration-output-directory config)

+ #$(anonip-configuration-fifo-directory config))))))

+

+(define (anonip-shepherd-service config)

+ (let ((log-file (anonip-configuration-log-file config))

+ (fifos (anonip-configuration-fifo-directory config))

+ (outputs (anonip-configuration-output-directory config)))

+ (list (shepherd-service

+ (provision (list (symbol-append 'anonip- (string->symbol log-file))))

+ (requirement '(user-processes))

+ (documentation "Anonimyze the given log file location with anonip.")

+ (start #~(lambda _

+ (let ((fifo #$(format #false "~a/~a" fifos log-file)))

+ (unless (file-exists? fifo)

+ (mknod fifo 'fifo #o600 0))

+ (let ((pid (fork+exec-command

+ (list #$(file-append (anonip-configuration-anonip config)

+ "/bin/anonip")

+ (string-append "--input=" fifo)

+ (string-append "--output=" #$(format #false "~a/~a" outputs log-file)))

+ ;; Run in a UTF-8 locale

+ #:environment-variables

+ (list (string-append "GUIX_LOCPATH=" #$glibc-utf8-locales

+ "/lib/locale")

+ "LC_ALL=en_US.utf8"))))

+ pid))))

+ (stop #~(make-kill-destructor))))))

+

+(define anonip-service-type

+ (service-type

+ (name 'anonip)

+ (extensions

+ (list (service-extension shepherd-root-service-type

+ anonip-shepherd-service)

+ (service-extension activation-service-type

+ anonip-activation)))

+ (description

+ "Provide web server log anonymization with @command{anonip}.")))

+

+++ b/doc/guix.texi

+Copyright @copyright{} 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022 Ricardo Wurmus@*

+@cindex logging, anonymization

+@subheading Anonip Service

+

+Anonip is a privacy filter that removes IP address from web server logs.

+This service creates a FIFO and filters any written lines with anonip

+before writing the filtered log to a target file.

+

+The following example sets up the FIFO

+@file{/var/run/anonip/https.access.log} and writes the filtered log file

+@file{/var/log/anonip/https.access.log}.

+

+@lisp

+(service anonip-service-type

+ (anonip-configuration

+ (input "/var/run/anonip/https.access.log")

+ (output "/var/log/anonip/https.access.log")))

+@end lisp

+

+Configure your web server to write its logs to the FIFO at

+@file{/var/run/anonip/https.access.log} and collect the anonymized log

+file at @file{/var/web-logs/https.access.log}.

+

+@deftp {Data Type} anonip-configuration

+This data type represents the configuration of anonip.

+It has the following parameters:

+

+@table @asis

+@item @code{anonip} (default: @code{anonip})

+The anonip package to use.

+

+@item @code{input}

+The file name of the input log file to process. The service creates a

+FIFO of this name. The web server should write its logs to this FIFO.

+

+@item @code{output}

+The file name of the processed log file.

+@end table

+

+The following optional settings may be provided:

+

+@table @asis

+@item @code{skip-private?}

+When @code{#true} do not mask addresses in private ranges.

+

+@item @code{column}

+A 1-based indexed column number. Assume IP address is in the specified

+column (default is 1).

+

+@item @code{replacement}

+Replacement string in case address parsing fails, e.g. @code{"0.0.0.0"}.

+

+@item @code{ipv4mask}

+Number of bits to mask in IPv4 addresses.

+

+@item @code{ipv6mask}

+Number of bits to mask in IPv6 addresses.

+

+@item @code{increment}

+Increment the IP address by the given number. By default this is zero.

+

+@item @code{delimiter}

+Log delimiter string.

+

+@item @code{regex}

+Regular expression for detecting IP addresses. Use this instead of @code{column}.

+@end table

+@end deftp

+

+

+++ b/gnu/services/web.scm

+;;; Copyright © 2020, 2022 Ricardo Wurmus <rekado@elephly.net>

+ anonip-configuration

+ anonip-configuration?

+ anonip-configuration-anonip

+ anonip-configuration-input

+ anonip-configuration-output

+ anonip-configuration-skip-private?

+ anonip-configuration-column

+ anonip-configuration-replacement

+ anonip-configuration-ipv4mask

+ anonip-configuration-ipv6mask

+ anonip-configuration-increment

+ anonip-configuration-delimiter

+ anonip-configuration-regex

+ anonip-service-type

+

+

+

+;;;

+;;; Log anonymization

+;;;

+

+(define-record-type* <anonip-configuration>

+ anonip-configuration make-anonip-configuration

+ anonip-configuration?

+ (anonip anonip-configuration-anonip ;file-like

+ (default anonip))

+ (input anonip-configuration-input) ;string

+ (output anonip-configuration-output) ;string

+ (skip-private? anonip-configuration-skip-private? ;boolean

+ (default #f))

+ (column anonip-configuration-column ;number

+ (default #f))

+ (replacement anonip-configuration-replacement ;string

+ (default #f))

+ (ipv4mask anonip-configuration-ipv4mask ;number

+ (default #f))

+ (ipv6mask anonip-configuration-ipv6mask ;number

+ (default #f))

+ (increment anonip-configuration-increment ;number

+ (default #f))

+ (delimiter anonip-configuration-delimiter ;string

+ (default #f))

+ (regex anonip-configuration-regex ;string

+ (default #f)))

+

+(define (anonip-activation config)

+ (with-imported-modules '((guix build utils))

+ #~(begin

+ (use-modules (guix build utils))

+ (for-each

+ (lambda (directory)

+ (mkdir-p directory)

+ (chmod directory #o755))

+ (list (dirname #$(anonip-configuration-input config))

+ (dirname #$(anonip-configuration-output config)))))))

+

+(define (anonip-shepherd-service config)

+ (let ((input (anonip-configuration-input config))

+ (output (anonip-configuration-output config)))

+ (list (shepherd-service

+ (provision (list (symbol-append 'anonip- (string->symbol output))))

+ (requirement '(user-processes))

+ (documentation "Anonimyze the given log file location with anonip.")

+ (start #~(lambda _

+ (let ((optional

+ (lambda (accessor option)

+ (or (and=> (accessor config)

+ (lambda (value)

+ (list

+ (format #false "~a=~a"

+ option (accessor config)))))

+ (list)))))

+ (unless (file-exists? input)

+ (mknod input 'fifo #o600 0))

+ (let ((pid (fork+exec-command

+ (append

+ (list #$(file-append (anonip-configuration-anonip config)

+ "/bin/anonip")

+ (string-append "--input=" input)

+ (string-append "--output=" output))

+ (if (anonip-configuration-skip-private? config)

+ '("--skip-private") (list))

+ (optional anonip-configuration-column "--column")

+ (optional anonip-configuration-ipv4mask "--ipv4mask")

+ (optional anonip-configuration-ipv6mask "--ipv6mask")

+ (optional anonip-configuration-increment "--increment")

+ (optional anonip-configuration-replacement "--replacement")

+ (optional anonip-configuration-delimiter "--delimiter")

+ (optional anonip-configuration-regex "--regex"))

+ ;; Run in a UTF-8 locale

+ #:environment-variables

+ (list (string-append "GUIX_LOCPATH=" #$glibc-utf8-locales

+ "/lib/locale")

+ "LC_ALL=en_US.utf8"))))

+ pid))))

+ (stop #~(make-kill-destructor))))))

+

+(define anonip-service-type

+ (service-type

+ (name 'anonip)

+ (extensions

+ (list (service-extension shepherd-root-service-type

+ anonip-shepherd-service)

+ (service-extension activation-service-type

+ anonip-activation)))

+ (description

+ "Provide web server log anonymization with @command{anonip}.")))

+

+++ b/doc/guix.texi

+Copyright @copyright{} 2015, 2016, 2017, 2018, 2019, 2020, 2021, 2022 Ricardo Wurmus@*

+@cindex logging, anonymization

+@subheading Anonip Service

+

+Anonip is a privacy filter that removes IP address from web server logs.

+This service creates a FIFO and filters any written lines with anonip

+before writing the filtered log to a target file.

+

+The following example sets up the FIFO

+@file{/var/run/anonip/https.access.log} and writes the filtered log file

+@file{/var/log/anonip/https.access.log}.

+

+@lisp

+(service anonip-service-type

+ (anonip-configuration

+ (input "/var/run/anonip/https.access.log")

+ (output "/var/log/anonip/https.access.log")))

+@end lisp

+

+Configure your web server to write its logs to the FIFO at

+@file{/var/run/anonip/https.access.log} and collect the anonymized log

+file at @file{/var/web-logs/https.access.log}.

+

+@deftp {Data Type} anonip-configuration

+This data type represents the configuration of anonip.

+It has the following parameters:

+

+@table @asis

+@item @code{anonip} (default: @code{anonip})

+The anonip package to use.

+

+@item @code{input}

+The file name of the input log file to process. The service creates a

+FIFO of this name. The web server should write its logs to this FIFO.

+

+@item @code{output}

+The file name of the processed log file.

+@end table

+

+The following optional settings may be provided:

+

+@table @asis

+@item @code{skip-private?}

+When @code{#true} do not mask addresses in private ranges.

+

+@item @code{column}

+A 1-based indexed column number. Assume IP address is in the specified

+column (default is 1).

+

+@item @code{replacement}

+Replacement string in case address parsing fails, e.g. @code{"0.0.0.0"}.

+

+@item @code{ipv4mask}

+Number of bits to mask in IPv4 addresses.

+

+@item @code{ipv6mask}

+Number of bits to mask in IPv6 addresses.

+

+@item @code{increment}

+Increment the IP address by the given number. By default this is zero.

+

+@item @code{delimiter}

+Log delimiter string.

+

+@item @code{regex}

+Regular expression for detecting IP addresses. Use this instead of @code{column}.

+@end table

+@end deftp

+

+

+++ b/gnu/services/web.scm

+;;; Copyright © 2020, 2022 Ricardo Wurmus <rekado@elephly.net>

+ anonip-configuration

+ anonip-configuration?

+ anonip-configuration-anonip

+ anonip-configuration-input

+ anonip-configuration-output

+ anonip-configuration-skip-private?

+ anonip-configuration-column

+ anonip-configuration-replacement

+ anonip-configuration-ipv4mask

+ anonip-configuration-ipv6mask

+ anonip-configuration-increment

+ anonip-configuration-delimiter

+ anonip-configuration-regex

+ anonip-service-type

+

+

+

+;;;

+;;; Log anonymization

+;;;

+

+(define-record-type* <anonip-configuration>

+ anonip-configuration make-anonip-configuration

+ anonip-configuration?

+ (anonip anonip-configuration-anonip ;file-like

+ (default anonip))

+ (input anonip-configuration-input) ;string

+ (output anonip-configuration-output) ;string

+ (skip-private? anonip-configuration-skip-private? ;boolean

+ (default #f))

+ (column anonip-configuration-column ;number

+ (default #f))

+ (replacement anonip-configuration-replacement ;string

+ (default #f))

+ (ipv4mask anonip-configuration-ipv4mask ;number

+ (default #f))

+ (ipv6mask anonip-configuration-ipv6mask ;number

+ (default #f))

+ (increment anonip-configuration-increment ;number

+ (default #f))

+ (delimiter anonip-configuration-delimiter ;string

+ (default #f))

+ (regex anonip-configuration-regex ;string

+ (default #f)))

+

+(define (anonip-activation config)

+ (with-imported-modules '((guix build utils))

+ #~(begin

+ (use-modules (guix build utils))

+ (for-each

+ (lambda (directory)

+ (mkdir-p directory)

+ (chmod directory #o755))

+ (list (dirname #$(anonip-configuration-input config))

+ (dirname #$(anonip-configuration-output config)))))))

+

+(define (anonip-shepherd-service config)

+ (let ((input (anonip-configuration-input config))

+ (output (anonip-configuration-output config))

+ (optional

+ (lambda (accessor option)

+ (or (and=> (accessor config)

+ (lambda (value)

+ (list

+ (format #false "~a=~a"

+ option value))))

+ (list)))))

+ (list (shepherd-service

+ (provision (list (symbol-append 'anonip- (string->symbol output))))

+ (requirement '(user-processes))

+ (documentation "Anonimyze the given log file location with anonip.")

+ (start #~(lambda _

+ (unless (file-exists? #$input)

+ (mknod #$input 'fifo #o600 0))

+ (let ((pid (fork+exec-command

+ (append

+ (list #$(file-append (anonip-configuration-anonip config)

+ "/bin/anonip")

+ (string-append "--input=" #$input)

+ (string-append "--output=" #$output))

+ (if #$(anonip-configuration-skip-private? config)

+ '("--skip-private") (list))

+ '#$(optional anonip-configuration-column "--column")

+ '#$(optional anonip-configuration-ipv4mask "--ipv4mask")

+ '#$(optional anonip-configuration-ipv6mask "--ipv6mask")

+ '#$(optional anonip-configuration-increment "--increment")

+ '#$(optional anonip-configuration-replacement "--replacement")

+ '#$(optional anonip-configuration-delimiter "--delimiter")

+ '#$(optional anonip-configuration-regex "--regex"))

+ ;; Run in a UTF-8 locale

+ #:environment-variables

+ (list (string-append "GUIX_LOCPATH=" #$glibc-utf8-locales

+ "/lib/locale")

+ "LC_ALL=en_US.utf8"))))

+ pid)))

+ (stop #~(make-kill-destructor))))))

+

+(define anonip-service-type

+ (service-type

+ (name 'anonip)

+ (extensions

+ (list (service-extension shepherd-root-service-type

+ anonip-shepherd-service)

+ (service-extension activation-service-type

+ anonip-activation)))

+ (description

+ "Provide web server log anonymization with @command{anonip}.")))

+