diff --git a/keys/machines/web-01.keys b/keys/machines/web-01.keys
new file mode 100644
index 0000000..e81c999
--- /dev/null
+++ b/keys/machines/web-01.keys
@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5
diff --git a/machines/web-01/_configuration.nix b/machines/web-01/_configuration.nix
index 01fcf2f..598a841 100644
--- a/machines/web-01/_configuration.nix
+++ b/machines/web-01/_configuration.nix
@@ -3,12 +3,12 @@ # and in the NixOS manual (accessible by running ‘nixos-help’). { name, ... }: + { imports = [ - # Include the results of the hardware scan. - # ./hardware-configuration.nix ./networking.nix + ./plausible.nix ]; # Use the systemd-boot EFI boot loader.
diff --git a/machines/web-01/plausible.nix b/machines/web-01/plausible.nix
new file mode 100644
index 0000000..42a8fc4
--- /dev/null
+++ b/machines/web-01/plausible.nix
@@ -0,0 +1,54 @@
+{ config, ... }:
+
+let
+ host = "analytics.dgnum.eu";
+ port = 8111;
+in
+
+{
+ services.plausible = {
+ enable = true;
+
+ mail = {
+ email = "analytics@infra.dgnum.eu";
+ smtp = {
+ user = "web-services@infra.dgnum.eu";
+ # passwordFile = config.age.secrets."_smtp-password-file".path;
+ hostPort = 465;
+ hostAddr = "kurisu.lahfa.xyz";
+ enableSSL = true;
+ };
+ };
+
+ server = {
+ baseUrl = "https://${host}";
+ inherit port;
+
+ secretKeybaseFile = config.age.secrets."plausible_secret-key-base-file".path;
+ };
+
+ releaseCookiePath = config.age.secrets."plausible_release-cookie-file".path;
+
+ adminUser = {
+ passwordFile = config.age.secrets."plausible_admin-user-password-file".path;
+ email = "tom.hubrecht@dgnum.eu";
+ name = "thubrecht";
+ activate = true;
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+
+ virtualHosts.${host} = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${builtins.toString port}";
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
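Review bot: In `services.plausible.mail.smtp` of `machines/web-01/plausible.nix`, `user` is set but `passwordFile` is commented out, and the `_smtp-password-file` secret it names is not among the three entries added in `machines/web-01/secrets/secrets.nix`, so as committed the service has an SMTP account name with no credential and outgoing mail will presumably be refused by the relay. Either add the secret to `secrets.nix` and enable the line, e.g. `passwordFile = config.age.secrets."plausible_smtp-password-file".path;` (name constructed here to match the other three), or drop `user` for now and leave `# TODO: SMTP auth disabled until the password secret is added`. Separately, the `locations."/"` block sets only `proxyPass`; unless `services.nginx.recommendedProxySettings` is enabled elsewhere in the repository, Plausible will see every request as coming from 127.0.0.1, which skews visitor counts, so `recommendedProxySettings = true;` on that location is worth adding.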
diff --git a/machines/web-01/secrets/plausible_admin-user-password-file b/machines/web-01/secrets/plausible_admin-user-password-file new file mode 100644 index 0000000..364d943 Binary files /dev/null and b/machines/web-01/secrets/plausible_admin-user-password-file differ diff --git a/machines/web-01/secrets/plausible_release-cookie-file b/machines/web-01/secrets/plausible_release-cookie-file new file mode 100644 index 0000000..e5d3b30 --- /dev/null +++ b/machines/web-01/secrets/plausible_release-cookie-file @@ -0,0 +1,24 @@ +age-encryption.org/v1 +-> ssh-ed25519 0IVRbA 0jTTPBKyGia3BvT9EJlTY0UVqIF05D6zWokv6wE+Swc +LLt0vGzPA8wKKa/s794GQ+4CVIV9DApJXswEjOx4kYw +-> ssh-ed25519 JGx7Ng /oOaCppA2fnvo3kv27Ynl9P9NO04UWbs/yw9OrtfkzI +Jt0wq/IdyiTBDxE78drV90zHgnfXT7JT305THHrcH+0 +-> ssh-rsa krWCLQ +1yYjwCF3m/n+wOeQIiXbZAl4tVttROXIlRIhRqgK9pbsI22WmXIXV0qmMsac8VZQ +OsaZJGvY38yhUpYfDZZZHN3JNKL5yZcPFX+HeXQo305oFKsuUSs5EGIWDZmE5XsJ +AFcqwrSRhNLHCJ3PVk6+C9RWfLMhbTNl4Kelndv/KqOfG5AkW193ZG4DHOWSwE3k +8nUgwUGrY79ZVCpGkQAi65TJ4C/3toGcooVxwFVsBX8tfVX53VLvLuUIeD/uvV6A +pZ+cdzwanUK8BNDY3yWPN+a8IYltlWKxruF2Q/Ae+eez5BFHC9p9bok558GTrMwC ++0cu/C1X2nqFormascUW2Q +-> ssh-ed25519 /vwQcQ Ei8pI/GiyHtZWyqxYPoNTz5UVXtSdZllCQU8sF7CYH0 +oPuVJbkDVCgWZUp45wkPbogRP3AliLiidKTNP7ttzCY +-> ssh-ed25519 0R97PA RLo/0D0TUnvH6yoLbjV9jEVIYZG/G/2nK9RaA/Zepg0 +18hpQWaZmJJFjABVvQJiM6pe7PtcF94BIg3J61+BX14 +-> ssh-ed25519 jIXfPA X+zJWTGGvy0LPBgTFRURdS4Rsnd+eSYiW7JhdnlK9yc +mQjvg4cijN8VOeQR0ht9tyHKUX0Eg0iazcN36AAKQE8 +-> ssh-ed25519 QlRB9Q KI6rxe4Kek4IkMlDQvDlaO4MgMEKc/DdpWX4pCJFGjI +MAaBVH1HlRntm8gFdbXPPYy1dQcHv8aU6OPCIuVLXYc +-> kEXh"WN-grease WpN@loT^ MVM G\ +dL1RrBYkPiADu5E7PXyTBfx3UOhAhaFf66Dajg3aZwgwPOlSciKtsQqu4Q +--- ApT4k9TGTnj3hpJVkSbIElRAwBNliRfmnLYBKsVutpA +B6 t1X!o.=ZXt}O K g;aVyYtM) !;].XPG;=f37 2Wk<+IXl*QSEpoc@‚{=ݞα*_) \ No newline at end of file 
diff --git a/machines/web-01/secrets/plausible_secret-key-base-file b/machines/web-01/secrets/plausible_secret-key-base-file new file mode 100644 index 0000000..3016bb8 --- /dev/null +++ b/machines/web-01/secrets/plausible_secret-key-base-file @@ -0,0 +1,26 @@ +age-encryption.org/v1 +-> ssh-ed25519 0IVRbA zuXFn55iEAtXdyZIrqGFhMuRmJWO7vVj6biT+/70Vk4 +RqGr6dEsYs/zQML0nkaVgnWBdYkaLso0fBZCFNAVosk +-> ssh-ed25519 JGx7Ng 1qQXt05dyoJ/1MVe5XudTJEvDwnLPB8wPg+IDIfoyjw +wSW6ivHK38p+AcaayIY3bn3Io6mB54ut0eaLhvXBWxg +-> ssh-rsa krWCLQ +iaQb8f5LiExwJbZA5rF5FQNuKAh63XLmUjgyoxgkFOn6VprJ9oAH22Y8wq85SMrv +rp5SmOYTcdn9hG1LnABPiSCGcquW+vEfL1LnpQIk0E+sFAHW/P8Pt7iK7L6nyxmR +WF0xhKNBvZudysNMEtYtCWbAWf93awXx2qdH1+N/uITNGLgmviBXGThuz+sKGwVO +mi86qk+B1MKkOCYJpWL6CrFeRJrYgph51y1fHl8Rywb3LE605oDCJ18GyvqBTpKl +AGGtVDmMRIr16TEDVjfTg0XmNKQWDdmqvlpesxyXvKk1kU77eT4bfVtsdqyIDNjk +/9RQqW2kiUDrYuige+p1cg +-> ssh-ed25519 /vwQcQ 8rY5jPREmYfaWWP8KWjOEHgh87e241JbQO5EEgBhVBo +RQhE8XjdFuj/eQujOot4oFrKEb63LrZ34AIeSigosKc +-> ssh-ed25519 0R97PA G/zvtYihaKYoA6hFWoI4ceZt+T7ysxQ+aUSu2XZQHWA +Nud2DqDI/gOeMXg0vZZN75RnDcQxRQix+uKOVS0RMz4 +-> ssh-ed25519 jIXfPA NnB25GAo+1eyVKI0m74E93V52XZ35UjECnYLgSTpFjY +ip2J8AW+vo3e3otTE67/ns1lelFQs38JaCdb6l6CLW8 +-> ssh-ed25519 QlRB9Q 5PvEcPWMg0+k2fVP5oXjBQxcLLN2S3yV7zvzLO7d6gs +TyZSXXPDyQwZtJmoElqmcl915oHOAaY2EEBb38rfSSM +-> gS\H(UbE-grease xPm5+9D~ ` +jBi] +IMHs3CjXalMD9i1riMNx0E61OhfZfaeONQn0OEn074kj6Qtjll/kr34yXf4CTmG2 +LtnT6xiGtf3Hq88Bk0QyuhmOyXpePk0//c40Qr+Ym82RR+mJmv9yRQ +--- fjFYmVm6FP+waGy4INlgyAQonGSp4Q4g1HS/OZfDJWI +1pW +i8fܱ 7zoHyehf3Nc\ϋ3;*Ȓ28CtAw c!Hhpt}$(`>T״R`e%xI¾…^wѹ_AmsiX`6x>j2ffC \ No newline at end of file diff --git a/machines/web-01/secrets/secrets.nix b/machines/web-01/secrets/secrets.nix new file mode 100644 index 0000000..a1634b6 --- /dev/null +++ b/machines/web-01/secrets/secrets.nix 
@@ -0,0 +1,10 @@
+let
+ lib = import ../../../lib { inherit (import { }) lib; };
+ publicKeys = lib.getNodeKeys "web-01";
+in
+
+lib.setDefault { inherit publicKeys; } [
+ "plausible_admin-user-password-file"
+ "plausible_secret-key-base-file"
+ "plausible_release-cookie-file"
+]
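Review bot: Nothing in `machines/web-01/secrets/secrets.nix` says who can decrypt the three secrets: the recipients come from `lib.getNodeKeys "web-01"`, which is defined outside this diff, while the encrypted files added in the same commit carry seven recipient stanzas, one of them `ssh-rsa`. A short comment above `publicKeys` would let a reviewer check the recipient list against intent, for example `# Recipients: web-01 host key plus the admin keys returned by getNodeKeys; re-encrypt every file listed below after a key is added or removed.` That wording is a guess at what `getNodeKeys` returns and should be confirmed against `lib` before it is committed.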