Debian: add service and post installation script to create user and group

I need the actual remote address to add fail2ban rules for it, but i
also to not want everyone to be able to fake X-Forward-For HTTP headers.
Which can contain multiple ip addresses, by the way, so i have to get
only the first one, as the others will be the proxies that the request
has been (re)forwarded to.

debian/numerus.postinst

@@ -0,0 +1,40 @@
+#!/bin/sh
+set -e
+
+. /usr/share/debconf/confmodule
+
+case "$1" in
+    configure)
+        # Create numerus user and group
+        if ! getent group numerus >/dev/null; then
+            addgroup --system --quiet numerus
+        fi
+        if ! getent passwd numerus >/dev/null; then
+            adduser --quiet \
+                    --system \
+                    --disabled-login \
+                    --no-create-home \
+                    --shell /bin/bash \
+                    --ingroup numerus \
+                    --home /usr/share/numerus \
+                    --gecos "Numerus Daemon" \
+                    numerus
+        fi
+
+        # Make sure log directory has correct permissions set
+        dpkg-statoverride --list "/var/log/numerus" >/dev/null || \
+            dpkg-statoverride --add --force --quiet --update numerus adm 0750 /var/log/numerus
+        ;;
+
+  abort-upgrade|abort-remove|abort-deconfigure)
+        ;;
+
+    *)
+        echo "postinst called with unknown argument \`$1'" >&2
+        exit 1
+        ;;
+esac
+
+#DEBHELPER#
+
+exit 0

debian/numerus.service

@@ -0,0 +1,15 @@
+[Unit]
+Description=Numerus application server
+Requires=postgresql.service
+After=postgresql.service
+
+[Service]
+Type=simple
+User=numerus
+Group=numerus
+WorkingDirectory=/usr/share/numerus
+EnvironmentFile=-/etc/default/numerus
+ExecStart=/usr/bin/numerus
+Restart=always
+StandardOutput=append:/var/log/numerus/access.log
+StandardError=append:/var/log/numerus/error.log

pkg/logger.go

@@ -44,7 +44,7 @@ func Logger(handler http.Handler) http.Handler {
 			referer = "-"
 		}
 		log.Printf("HTTP - %s - - [%s] \"%s %s %s\" %d %d \"%s\" \"%s\" %s\n",
-			r.RemoteAddr,
+			remoteAddr(r),
 			t.Format("02/Jan/2006:15:04:05 -0700"),
 			r.Method,
 			r.URL.Path,

pkg/login.go

@@ -7,6 +7,7 @@ import (
 	"html/template"
 	"net"
 	"net/http"
+	"strings"
 	"time"
 
 	"golang.org/x/text/language"
@@ -129,12 +130,21 @@ func HandleLogout(w http.ResponseWriter, r *http.Request, _ httprouter.Params) {
 }
 
 func remoteAddr(r *http.Request) string {
-	address := r.Header.Get("X-Forwarded-For")
+	address, _, _ := net.SplitHostPort(r.RemoteAddr)
-	if address == "" {
+	if address != "localhost" && address != "127.0.0.1" && address != "::1" {
-		address, _, _ = net.SplitHostPort(r.RemoteAddr)
-	}
 		return address
 	}
+	forwarded := r.Header.Get("X-Forwarded-For")
+	if forwarded == "" {
+		return address
+	}
+	ips := strings.Split(forwarded, ", ")
+	forwarded = ips[0]
+	if forwarded == "" {
+		return address
+	}
+	return forwarded
+}
 
 func setSessionCookie(w http.ResponseWriter, cookie string) {
 	http.SetCookie(w, createSessionCookie(cookie, 8766*24*time.Hour))