From cbbf20004c19010dd64d97c30df37ffb585b0c46 Mon Sep 17 00:00:00 2001
From: Aine
Date: Wed, 30 Jul 2025 14:40:48 +0100
Subject: [PATCH] replace access log ip anonymization with vars to control access logs

---
 roles/custom/matrix-client-cinny/defaults/main.yml | 3 +++
 .../matrix-client-cinny/templates/nginx.conf.j2 | 12 +++++-------
 .../custom/matrix-client-hydrogen/defaults/main.yml | 3 +++
 .../matrix-client-hydrogen/templates/nginx.conf.j2 | 12 +++++-------
 .../templates/nginx/nginx.conf.j2 | 10 +++-------
 5 files changed, 19 insertions(+), 21 deletions(-)

diff --git a/roles/custom/matrix-client-cinny/defaults/main.yml b/roles/custom/matrix-client-cinny/defaults/main.yml
index 79a03be61..70e12825f 100644
--- a/roles/custom/matrix-client-cinny/defaults/main.yml
+++ b/roles/custom/matrix-client-cinny/defaults/main.yml
@@ -159,6 +159,9 @@ matrix_client_cinny_self_check_validate_certificates: true
 # See `matrix_client_cinny_config_homeserverList`.
 matrix_client_cinny_default_hs_url: ""

+# Controls whether the Cinny access log is enabled
+matrix_client_cinny_access_log_enabled: true
+
 # Controls the `defaultHomeserver` value in the `config.json` file.
 matrix_client_cinny_config_defaultHomeserver: 0 # noqa var-naming

diff --git a/roles/custom/matrix-client-cinny/templates/nginx.conf.j2 b/roles/custom/matrix-client-cinny/templates/nginx.conf.j2
index 774cdd998..a8cc8da68 100644
--- a/roles/custom/matrix-client-cinny/templates/nginx.conf.j2
+++ b/roles/custom/matrix-client-cinny/templates/nginx.conf.j2
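Review bot: The comment on `matrix_client_cinny_access_log_enabled` does not say what the log records, and that is exactly what this commit changes: the Cinny template now writes the full `$remote_addr` where it previously wrote a truncated address. I would state it on the variable, for example `# Controls whether the Cinny access log is enabled. Entries record the full client IP address; set to false to disable access logging.` The same wording is missing on `matrix_client_hydrogen_access_log_enabled` in the hydrogen defaults hunk, and the Cinny comment lacks the trailing period the hydrogen one has.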
@@ -31,17 +31,15 @@ http {
 include /etc/nginx/mime.types;
 default_type application/octet-stream;

- map $remote_addr $remote_addr_anon {
- ~(?P\d+\.\d+\.\d+)\. $ip.0;
- ~(?P[^:]+:[^:]+): $ip::;
- default 0.0.0.0;
- }
-
- log_format main '$remote_addr_anon - $remote_user [$time_local] "$request" '
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
 '$status $body_bytes_sent "$http_referer" '
 '"$http_user_agent" "$http_x_forwarded_for"';

+ {% if matrix_client_cinny_access_log_enabled %}
 access_log /var/log/nginx/access.log main;
+ {% else %}
+ access_log off;
+ {% endif %}

 sendfile on;
 #tcp_nopush on;
diff --git a/roles/custom/matrix-client-hydrogen/defaults/main.yml b/roles/custom/matrix-client-hydrogen/defaults/main.yml
index 1c562f189..811395ed4 100644
--- a/roles/custom/matrix-client-hydrogen/defaults/main.yml
+++ b/roles/custom/matrix-client-hydrogen/defaults/main.yml
@@ -154,6 +154,9 @@ matrix_client_hydrogen_path_prefix: /
 # Controls whether the self-check feature should validate SSL certificates.
 matrix_client_hydrogen_self_check_validate_certificates: true

+# Controls whether the access log is enabled.
+matrix_client_hydrogen_access_log_enabled: true
+
 # config.json
 matrix_client_hydrogen_push:
 appId: io.element.hydrogen.web
diff --git a/roles/custom/matrix-client-hydrogen/templates/nginx.conf.j2 b/roles/custom/matrix-client-hydrogen/templates/nginx.conf.j2
index 41f5f0fc3..94dd99f71 100644
--- a/roles/custom/matrix-client-hydrogen/templates/nginx.conf.j2
+++ b/roles/custom/matrix-client-hydrogen/templates/nginx.conf.j2
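Review bot: Because `matrix_client_cinny_access_log_enabled` defaults to true, a deployment that simply upgrades switches from logging truncated addresses to writing the full `$remote_addr` into `/var/log/nginx/access.log`, with no opt-in. The hydrogen template gets the same `log_format` change with the same default, and the synapse-reverse-proxy-companion template gets it too, though that variable's default is not visible here. If dropping the `map` is intended, I would either default the new variables to false or announce the change in the changelog, so operators with a retention or privacy policy can adjust before the first full-address entries are written. Separately, `"$http_x_forwarded_for"` is logged verbatim both before and after this change; it is a client-supplied header, so it should not be read as a trustworthy source address when these logs are used in an investigation. The `http {` block starts and ends outside the hunk.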
@@ -31,17 +31,15 @@ http {
 include /etc/nginx/mime.types;
 default_type application/octet-stream;

- map $remote_addr $remote_addr_anon {
- ~(?P\d+\.\d+\.\d+)\. $ip.0;
- ~(?P[^:]+:[^:]+): $ip::;
- default 0.0.0.0;
- }
-
- log_format main '$remote_addr_anon - $remote_user [$time_local] "$request" '
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
 '$status $body_bytes_sent "$http_referer" '
 '"$http_user_agent" "$http_x_forwarded_for"';

+ {% if matrix_client_hydrogen_access_log_enabled %}
 access_log /var/log/nginx/access.log main;
+ {% else %}
+ access_log off;
+ {% endif %}

 sendfile on;
 #tcp_nopush on;
diff --git a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/nginx.conf.j2 b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/nginx.conf.j2
index 8df94b6f4..26cc6f523 100644
--- a/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/nginx.conf.j2
+++ b/roles/custom/matrix-synapse-reverse-proxy-companion/templates/nginx/nginx.conf.j2
@@ -33,18 +33,14 @@ http {
 include /etc/nginx/mime.types;
 default_type application/octet-stream;

- map $remote_addr $remote_addr_anon {
- ~(?P\d+\.\d+\.\d+)\. $ip.0;
- ~(?P[^:]+:[^:]+): $ip::;
- default 0.0.0.0;
- }
-
- log_format main '$remote_addr_anon - $remote_user [$time_local] "$request" '
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
 '$status $body_bytes_sent "$http_referer" '
 '"$http_user_agent" "$http_x_forwarded_for"';

 {% if matrix_synapse_reverse_proxy_companion_access_log_enabled %}
 access_log /var/log/nginx/access.log main;
+ {% else %}
+ access_log off;
 {% endif %}

 {% if matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_enabled %}
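Review bot: The new `{% else %}` / `access_log off;` branch in the companion template sits directly above the `{% if matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_enabled %}` block, whose body is outside the hunk. nginx documents `off` as cancelling all `access_log` directives on the current level. So if that block emits an `access_log syslog:...` line, setting `matrix_synapse_reverse_proxy_companion_access_log_enabled: false` with syslog integration still on would probably silence the syslog stream as well, where before only the file log was omitted. If syslog forwarding is meant to work on its own, emit `access_log off;` only when both variables are false, for example `{% elif not matrix_synapse_reverse_proxy_companion_access_log_syslog_integration_enabled %}` in place of `{% else %}`.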