From c9264e6389bfdf7d874223c82e16fae5c0f9aa79 Mon Sep 17 00:00:00 2001 From: Tom Hubrecht Date: Fri, 30 Jun 2023 18:40:09 +0200 Subject: [PATCH] machines/web-01: Install plausible --- keys/machines/web-01.keys | 1 + machines/web-01/_configuration.nix | 4 +- machines/web-01/plausible.nix | 54 ++++++++++++++++++ .../plausible_admin-user-password-file | Bin 0 -> 1188 bytes .../secrets/plausible_release-cookie-file | 24 ++++++++ .../secrets/plausible_secret-key-base-file | 26 +++++++++ machines/web-01/secrets/secrets.nix | 10 ++++ 7 files changed, 117 insertions(+), 2 deletions(-) create mode 100644 keys/machines/web-01.keys create mode 100644 machines/web-01/plausible.nix create mode 100644 machines/web-01/secrets/plausible_admin-user-password-file create mode 100644 machines/web-01/secrets/plausible_release-cookie-file create mode 100644 machines/web-01/secrets/plausible_secret-key-base-file create mode 100644 machines/web-01/secrets/secrets.nix diff --git a/keys/machines/web-01.keys b/keys/machines/web-01.keys new file mode 100644 index 0000000..e81c999 --- /dev/null +++ b/keys/machines/web-01.keys @@ -0,0 +1 @@ +ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5 diff --git a/machines/web-01/_configuration.nix b/machines/web-01/_configuration.nix index 01fcf2f..598a841 100644 --- a/machines/web-01/_configuration.nix +++ b/machines/web-01/_configuration.nix @@ -3,12 +3,12 @@ # and in the NixOS manual (accessible by running ‘nixos-help’). { name, ... }: + { imports = [ - # Include the results of the hardware scan. - # ./hardware-configuration.nix ./networking.nix + ./plausible.nix ]; # Use the systemd-boot EFI boot loader. diff --git a/machines/web-01/plausible.nix b/machines/web-01/plausible.nix new file mode 100644 index 0000000..42a8fc4 --- /dev/null +++ b/machines/web-01/plausible.nix 
@@ -0,0 +1,54 @@
+{ config, ... }:
+
+let
+ host = "analytics.dgnum.eu";
+ port = 8111;
+in
+
+{
+ services.plausible = {
+ enable = true;
+
+ mail = {
+ email = "analytics@infra.dgnum.eu";
+ smtp = {
+ user = "web-services@infra.dgnum.eu";
+ # passwordFile = config.age.secrets."_smtp-password-file".path;
+ hostPort = 465;
+ hostAddr = "kurisu.lahfa.xyz";
+ enableSSL = true;
+ };
+ };
+
+ server = {
+ baseUrl = "https://${host}";
+ inherit port;
+
+ secretKeybaseFile = config.age.secrets."plausible_secret-key-base-file".path;
+ };
+
+ releaseCookiePath = config.age.secrets."plausible_release-cookie-file".path;
+
+ adminUser = {
+ passwordFile = config.age.secrets."plausible_admin-user-password-file".path;
+ email = "tom.hubrecht@dgnum.eu";
+ name = "thubrecht";
+ activate = true;
+ };
+ };
+
+ services.nginx = {
+ enable = true;
+
+ virtualHosts.${host} = {
+ enableACME = true;
+ forceSSL = true;
+
+ locations."/" = {
+ proxyPass = "http://127.0.0.1:${builtins.toString port}";
+ };
+ };
+ };
+
+ networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
diff --git a/machines/web-01/secrets/plausible_admin-user-password-file b/machines/web-01/secrets/plausible_admin-user-password-file
new file mode 100644
index 0000000000000000000000000000000000000000..364d943ec7cfd8fc92083742effd7c39035b4fd8
GIT binary patch
literal 1188 zcmZ9~yXxz70KjpFwDshsF!(O6Rcf4YrYA60dD%lG2GL09jJQ{~bL&$s2dytnCKu4vH*zTa~ z)=8b47!5NU%4ii+?l`}tbFN+5RXU@F>)WCTN~qx1+Ew(oW{dkz#$E+CG8 z5iwEEY{hxv#WwAeAIYdIQ01KobGVoSLRF}1G^q>@0s;2@az=VMbZWlNXVir1gWZ)w zwNQiy?$sOvx_6dRkvxIM39RpLZpZEVu$g3I4D(5NN3E>lD`VVG#;`W3q5(FJr5dh;<-ZO|H+S+YCT&orQX; zT|_VaPZRvaLG}yh;Y1unOG10hxt+9Q^Vp3=FheyZt}v8VObUJJ>vFt;J@d1Q=BixG7GLcorZCneHS zT1=!0BVxQ&LQHxKo9T#NDASXjUc8t~F$aZWqQ@z%MO&sLMo}d9p(6ilB>Q}w^+`A+ z(6QLzzoHjkP5<~GfA~rDZ2RZS&wu&y_21up{@o9+z4O^O TU-WOEfBt&+=KF6&fB*U~$i9gO literal 0 HcmV?d00001
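Review bot: The `smtp` block in `services.plausible.mail` sets `user` and `enableSSL = true` for port 465 but leaves `passwordFile` commented out, and `_smtp-password-file` is not among the three secrets listed in `secrets.nix`, so the relay will most likely reject outgoing mail such as password resets and invitations. Either add that secret and restore `passwordFile = config.age.secrets."_smtp-password-file".path;`, or mark the gap with a comment such as `# TODO: SMTP auth not configured yet, mail delivery is expected to fail`. Separately, `locations."/"` proxies to `127.0.0.1` with no forwarded-header settings in this file; unless `services.nginx.recommendedProxySettings = true;` is set elsewhere in the configuration, Plausible would presumably see every request as coming from localhost, which skews visitor counting. The three `config.age.secrets` entries are referenced here but not declared in this hunk, so it is worth confirming they are defined for this host by the shared module code.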
diff --git a/machines/web-01/secrets/plausible_release-cookie-file b/machines/web-01/secrets/plausible_release-cookie-file new file mode 100644 index 0000000..e5d3b30 --- /dev/null +++ b/machines/web-01/secrets/plausible_release-cookie-file @@ -0,0 +1,24 @@ +age-encryption.org/v1 +-> ssh-ed25519 0IVRbA 0jTTPBKyGia3BvT9EJlTY0UVqIF05D6zWokv6wE+Swc +LLt0vGzPA8wKKa/s794GQ+4CVIV9DApJXswEjOx4kYw +-> ssh-ed25519 JGx7Ng /oOaCppA2fnvo3kv27Ynl9P9NO04UWbs/yw9OrtfkzI +Jt0wq/IdyiTBDxE78drV90zHgnfXT7JT305THHrcH+0 +-> ssh-rsa krWCLQ +1yYjwCF3m/n+wOeQIiXbZAl4tVttROXIlRIhRqgK9pbsI22WmXIXV0qmMsac8VZQ +OsaZJGvY38yhUpYfDZZZHN3JNKL5yZcPFX+HeXQo305oFKsuUSs5EGIWDZmE5XsJ +AFcqwrSRhNLHCJ3PVk6+C9RWfLMhbTNl4Kelndv/KqOfG5AkW193ZG4DHOWSwE3k +8nUgwUGrY79ZVCpGkQAi65TJ4C/3toGcooVxwFVsBX8tfVX53VLvLuUIeD/uvV6A +pZ+cdzwanUK8BNDY3yWPN+a8IYltlWKxruF2Q/Ae+eez5BFHC9p9bok558GTrMwC ++0cu/C1X2nqFormascUW2Q +-> ssh-ed25519 /vwQcQ Ei8pI/GiyHtZWyqxYPoNTz5UVXtSdZllCQU8sF7CYH0 +oPuVJbkDVCgWZUp45wkPbogRP3AliLiidKTNP7ttzCY +-> ssh-ed25519 0R97PA RLo/0D0TUnvH6yoLbjV9jEVIYZG/G/2nK9RaA/Zepg0 +18hpQWaZmJJFjABVvQJiM6pe7PtcF94BIg3J61+BX14 +-> ssh-ed25519 jIXfPA X+zJWTGGvy0LPBgTFRURdS4Rsnd+eSYiW7JhdnlK9yc +mQjvg4cijN8VOeQR0ht9tyHKUX0Eg0iazcN36AAKQE8 +-> ssh-ed25519 QlRB9Q KI6rxe4Kek4IkMlDQvDlaO4MgMEKc/DdpWX4pCJFGjI +MAaBVH1HlRntm8gFdbXPPYy1dQcHv8aU6OPCIuVLXYc +-> kEXh"WN-grease WpN@loT^ MVM G\ +dL1RrBYkPiADu5E7PXyTBfx3UOhAhaFf66Dajg3aZwgwPOlSciKtsQqu4Q +--- ApT4k9TGTnj3hpJVkSbIElRAwBNliRfmnLYBKsVutpA +B6 t1X!o.=ZXt}O K g;aVyYtM) !;].XPG;=f37 2Wk<+IXl*QSEpoc@‚{=ݞα*_) \ No newline at end of file diff --git a/machines/web-01/secrets/plausible_secret-key-base-file b/machines/web-01/secrets/plausible_secret-key-base-file new file mode 100644 index 0000000..3016bb8 --- /dev/null +++ b/machines/web-01/secrets/plausible_secret-key-base-file 
@@ -0,0 +1,26 @@ +age-encryption.org/v1 +-> ssh-ed25519 0IVRbA zuXFn55iEAtXdyZIrqGFhMuRmJWO7vVj6biT+/70Vk4 +RqGr6dEsYs/zQML0nkaVgnWBdYkaLso0fBZCFNAVosk +-> ssh-ed25519 JGx7Ng 1qQXt05dyoJ/1MVe5XudTJEvDwnLPB8wPg+IDIfoyjw +wSW6ivHK38p+AcaayIY3bn3Io6mB54ut0eaLhvXBWxg +-> ssh-rsa krWCLQ +iaQb8f5LiExwJbZA5rF5FQNuKAh63XLmUjgyoxgkFOn6VprJ9oAH22Y8wq85SMrv +rp5SmOYTcdn9hG1LnABPiSCGcquW+vEfL1LnpQIk0E+sFAHW/P8Pt7iK7L6nyxmR +WF0xhKNBvZudysNMEtYtCWbAWf93awXx2qdH1+N/uITNGLgmviBXGThuz+sKGwVO +mi86qk+B1MKkOCYJpWL6CrFeRJrYgph51y1fHl8Rywb3LE605oDCJ18GyvqBTpKl +AGGtVDmMRIr16TEDVjfTg0XmNKQWDdmqvlpesxyXvKk1kU77eT4bfVtsdqyIDNjk +/9RQqW2kiUDrYuige+p1cg +-> ssh-ed25519 /vwQcQ 8rY5jPREmYfaWWP8KWjOEHgh87e241JbQO5EEgBhVBo +RQhE8XjdFuj/eQujOot4oFrKEb63LrZ34AIeSigosKc +-> ssh-ed25519 0R97PA G/zvtYihaKYoA6hFWoI4ceZt+T7ysxQ+aUSu2XZQHWA +Nud2DqDI/gOeMXg0vZZN75RnDcQxRQix+uKOVS0RMz4 +-> ssh-ed25519 jIXfPA NnB25GAo+1eyVKI0m74E93V52XZ35UjECnYLgSTpFjY +ip2J8AW+vo3e3otTE67/ns1lelFQs38JaCdb6l6CLW8 +-> ssh-ed25519 QlRB9Q 5PvEcPWMg0+k2fVP5oXjBQxcLLN2S3yV7zvzLO7d6gs +TyZSXXPDyQwZtJmoElqmcl915oHOAaY2EEBb38rfSSM +-> gS\H(UbE-grease xPm5+9D~ ` +jBi] +IMHs3CjXalMD9i1riMNx0E61OhfZfaeONQn0OEn074kj6Qtjll/kr34yXf4CTmG2 +LtnT6xiGtf3Hq88Bk0QyuhmOyXpePk0//c40Qr+Ym82RR+mJmv9yRQ +--- fjFYmVm6FP+waGy4INlgyAQonGSp4Q4g1HS/OZfDJWI +1pW +i8fܱ 7zoHyehf3Nc\ϋ3;*Ȓ28CtAw c!Hhpt}$(`>T״R`e%xI¾…^wѹ_AmsiX`6x>j2ffC \ No newline at end of file diff --git a/machines/web-01/secrets/secrets.nix b/machines/web-01/secrets/secrets.nix new file mode 100644 index 0000000..a1634b6 --- /dev/null +++ b/machines/web-01/secrets/secrets.nix @@ -0,0 +1,10 @@ +let + lib = import ../../../lib { inherit (import { }) lib; }; + publicKeys = lib.getNodeKeys "web-01"; +in + +lib.setDefault { inherit publicKeys; } [ + "plausible_admin-user-password-file" + "plausible_secret-key-base-file" + "plausible_release-cookie-file" +]