diff --git a/hosts/picard/default.nix b/hosts/picard/default.nix index decf9ec4..1d5a32fe 100644 --- a/hosts/picard/default.nix +++ b/hosts/picard/default.nix @@ -10,6 +10,7 @@ # Include the results of the hardware scan. ./hardware-configuration.nix ./xynospace-matrix.nix + ./plausible.nix ]; documentation.enable = false; @@ -51,6 +52,8 @@ enableACME = true; forceSSL = true; locations."/".proxyPass = "http://[::1]${config.services.xynoblog.listen}"; + locations."/js".proxyPass = "http://127.0.0.1:${toString config.services.plausible.server.port}"; + locations."/api/event".proxyPass = "http://127.0.0.1:${toString config.services.plausible.server.port}"; }; services.lolpizza2.enable = true; services.nginx.virtualHosts."lolpizza.ragon.xyz" = { diff --git a/hosts/picard/plausible.nix b/hosts/picard/plausible.nix new file mode 100644 index 00000000..e4884417 --- /dev/null +++ b/hosts/picard/plausible.nix 
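Review bot: The two new locations on the blog vhost are prefix matches, so `locations."/js"` hands every blog path that begins with `/js` to Plausible, not only the tracker script. Exact-match entries would keep the proxied surface to what the tracker needs, for example `locations."= /api/event".proxyPass = ...;` plus an equivalent `=` entry for the one script path the blog actually loads. Neither location sets forwarding headers in this hunk, so unless `services.nginx.recommendedProxySettings` is enabled elsewhere, Plausible would see every event as coming from 127.0.0.1. The virtualHost block these lines belong to starts outside the hunk.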
@@ -0,0 +1,34 @@
+{ config, lib, pkgs, ... }:
+let domain = "stats.xyno.space";
+in {
+ ragon.agenix.secrets."plausibleAdminPw" = { };
+ ragon.agenix.secrets."plausibleReleaseCookie" = { };
+ ragon.agenix.secrets."plausibleSecretKeybase" = { };
+ services.nginx.virtualHosts.${domain} = {
+ forceSSL = true;
+ enableACME = true;
+ locations."/".proxyPass =
+ "http://127.0.0.1:${toString config.services.plausible.server.port}";
+ };
+ services.plausible = {
+ enable = true;
+ releaseCookiePath = config.age.secrets.plausibleSecretKeybase.path;
+
+ adminUser = {
+ # activate is used to skip the email verification of the admin-user that's
+ # automatically created by plausible. This is only supported if
+ # postgresql is configured by the module. This is done by default, but
+ # can be turned off with services.plausible.database.postgres.setup.
+ activate = true;
+ email = "john.doe@example.com";
+ passwordFile = config.age.secrets.plausibleAdminPw.path;
+ };
+
+ server = {
+ baseUrl = "https://${domain}";
+ secretKeybaseFile = config.age.secrets.plausibleSecretKeybase.path;
+ };
+ };
+
+ ragon.persist.extraDirectories = [ "/var/lib/private/plausible" ];
+}
diff --git a/secrets/plausibleAdminPw.age b/secrets/plausibleAdminPw.age
new file mode 100644
index 00000000..0aa2e374
Binary files /dev/null and b/secrets/plausibleAdminPw.age differ
diff --git a/secrets/plausibleReleaseCookie.age b/secrets/plausibleReleaseCookie.age
new file mode 100644
index 00000000..756b6b0e
--- /dev/null
+++ b/secrets/plausibleReleaseCookie.age
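Review bot: `releaseCookiePath` is set to `config.age.secrets.plausibleSecretKeybase.path`, the same file that `server.secretKeybaseFile` uses, while the `plausibleReleaseCookie` secret declared at the top of this file and registered in secrets.nix is never referenced. That leaves the release cookie and the secret key base sharing one value, so a leak of either exposes both, and the encrypted cookie file ships unused. The line should read `releaseCookiePath = config.age.secrets.plausibleReleaseCookie.path;`.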
@@ -0,0 +1,18 @@ +age-encryption.org/v1 +-> ssh-ed25519 WceKOQ s6LEhBv5f0Y4pFAiqT5sAiz5MQcCEXzzAvRn60nY91o +azm/SHN8np8/VggbvfgvR8GUWev7NMYPFjKEAojBDGM +-> ssh-ed25519 ugHWWw 1clL4KDUfDvGxvbC5IOjT8NYaGWF+UptCrbmOuEcuW4 +KAjVBXJa080+2XwAwrddL939dHC5ca0mR291k5/uuaU +-> ssh-ed25519 UU9RSA Fva5zn/dOj0wEPxIJGnd4d/artjrsO9IEQMYM103x3A +Kn++cAaHqtw6HaHiY66XTc2+P+mxtOEH1EZp94MXjcw +-> ssh-ed25519 RJI3BA 7pnamgoI9/0Km2LDVF3THQi7CRNxkYmz8wL96/aoGys +sXM6LAz84SfAh9tLkUK25++Qdz/qGk6V7rdvqkmXwg4 +-> ssh-ed25519 XnvJKw rUUAhwaXS9wcDt3buIgsfaKadiV9SKvpw8e5JVsTEnk +dO16Um3KgYBBJ63dGmPUAO7Z899iOwyyU4f5QSEYr+A +-> ssh-ed25519 7NL5Ng HNd75fgH8IxECxfCMvf45YY3qF5OjGVDeJSARYddMiM +h3zcp4pe/x/PMOiAr7XV2Ow1Zz78WaSNJNM56CdJ6Bc +-> S92&V-grease +PzsnXw7IaNSZQ1Uf104RzTYwrdN+mqO7Lr9n5X2OJzVz0vgJLhfGOBIKULn90qo9 +26q9XH7QFw +--- OKB5WPytBPOgAexxmQnQB6O0BnQr6X9tErM6gyKr0O0 +gHEp3}z#Sɺx nCU"=>Γ=wT=xr.&~2"gWd˼W؈#ĥ\ĜXF8'8Y[J1p5mm \ No newline at end of file diff --git a/secrets/plausibleSecretKeybase.age b/secrets/plausibleSecretKeybase.age new file mode 100644 index 00000000..09372a7c --- /dev/null +++ b/secrets/plausibleSecretKeybase.age @@ -0,0 +1,19 @@ +age-encryption.org/v1 +-> ssh-ed25519 WceKOQ rCdPywD1r/PHf48nPrY6HPUT1LxQ6MBrJKLCurgju0s +kGnFV/KXM50y9QKwRK/IZIuqQ13QouziqMyiZ2PXO1U +-> ssh-ed25519 ugHWWw 7KkMzqW7p+tOXkvC0ho6BSvlMXBWY/SQNN8D50KhTzM +6yb/srww8wgqew6nKTPqTgSsMriC2oU8I92kjPdFvqU +-> ssh-ed25519 UU9RSA jMFgLgwjJHjAgGVcOzIQFc5IdohxZ+AXp0r5kppJgBY +Q3KDHtaa40kZqjZfhU7TL7udeEVa69m/o+HmKWibZiA +-> ssh-ed25519 RJI3BA 0jX5SqapLzsryxeOiq3T+3K/GYsEH/gQ7bWKP9yqpl0 +SluEKtJOMPMUt6nwie/44LoJY7+IkSQ9cqaT+pIR5/4 +-> ssh-ed25519 XnvJKw joxQfynNc+2p6ETEy9CWUCktVgAPH7E9pubD5kG1u3k +5/2eYHgb5NGN19gH9DvkDNPLyhDuoCYJAAIl7x8urHg +-> ssh-ed25519 7NL5Ng JeTzth65EzZWOjHHbo+8eg0ui6pQ3vjnEy3z7nR0Z1Q +Rh2tGhS8HSMKBFVuV8oXNK0ftM0M+VPdkSN+zxd/W5Q +-> gq{Jn]M-grease y 9&yЌo9A.;ʖԥ58I.ưɍBS=n@,:I1 +WLuQ nДRV8R-5i6# \ No newline at end of file 
diff --git a/secrets/secrets.nix b/secrets/secrets.nix
index fa160f31..35a5012a 100644
--- a/secrets/secrets.nix
+++ b/secrets/secrets.nix
@@ -17,6 +17,9 @@ in
 "ds9OffsiteBackupSSH.age".publicKeys = pubkeys.ragon.host "ds9";
 "ds9SyncoidHealthCheckUrl.age".publicKeys = pubkeys.ragon.host "ds9";
 "gatebridgeHostKeys.age".publicKeys = pubkeys.ragon.host "ds9";
+ "plausibleAdminPw.age".publicKeys = pubkeys.ragon.host "picard";
+ "plausibleReleaseCookie.age".publicKeys = pubkeys.ragon.host "picard";
+ "plausibleSecretKeybase.age".publicKeys = pubkeys.ragon.host "picard";
 "hedgedocSecret.age".publicKeys = pubkeys.ragon.host "picard";
 "mailmoverConf.age".publicKeys = pubkeys.ragon.host "picard";
 "matrixSecrets.age".publicKeys = pubkeys.ragon.host "picard";