machines/web-01: Install plausible

2023-06-30 18:40:09 +02:00 · 2023-06-30 18:40:09 +02:00 · c9264e6389
commit c9264e6389
parent 5a0e196658
7 changed files with 117 additions and 2 deletions
--- a/keys/machines/web-01.keys
+++ b/keys/machines/web-01.keys
@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5
--- a/machines/web-01/_configuration.nix
+++ b/machines/web-01/_configuration.nix
@ -3,12 +3,12 @@
 # and in the NixOS manual (accessible by running ‘nixos-help’).

 { name, ... }:
+
 {
  imports =
    [
-      # Include the results of the hardware scan.
-      # ./hardware-configuration.nix
      ./networking.nix
+      ./plausible.nix
    ];

  # Use the systemd-boot EFI boot loader.
--- a/machines/web-01/plausible.nix
+++ b/machines/web-01/plausible.nix
@ -0,0 +1,54 @@
+{ config, ... }:
+
+let
+  host = "analytics.dgnum.eu";
+  port = 8111;
+in
+
+{
+  services.plausible = {
+    enable = true;
+
+    mail = {
+      email = "analytics@infra.dgnum.eu";
+      smtp = {
+        user = "web-services@infra.dgnum.eu";
+        # passwordFile = config.age.secrets."_smtp-password-file".path;
+        hostPort = 465;
+        hostAddr = "kurisu.lahfa.xyz";
+        enableSSL = true;
+      };
+    };
+
+    server = {
+      baseUrl = "https://${host}";
+      inherit port;
+
+      secretKeybaseFile = config.age.secrets."plausible_secret-key-base-file".path;
+    };
+
+    releaseCookiePath = config.age.secrets."plausible_release-cookie-file".path;
+
+    adminUser = {
+      passwordFile = config.age.secrets."plausible_admin-user-password-file".path;
+      email = "tom.hubrecht@dgnum.eu";
+      name = "thubrecht";
+      activate = true;
+    };
+  };
+
+  services.nginx = {
+    enable = true;
+
+    virtualHosts.${host} = {
+      enableACME = true;
+      forceSSL = true;
+
+      locations."/" = {
+        proxyPass = "http://127.0.0.1:${builtins.toString port}";
+      };
+    };
+  };
+
+  networking.firewall.allowedTCPPorts = [ 80 443 ];
+}
--- a/machines/web-01/secrets/plausible_admin-user-password-file
+++ b/machines/web-01/secrets/plausible_admin-user-password-file
--- a/machines/web-01/secrets/plausible_release-cookie-file
+++ b/machines/web-01/secrets/plausible_release-cookie-file
@ -0,0 +1,24 @@
+age-encryption.org/v1
+-> ssh-ed25519 0IVRbA 0jTTPBKyGia3BvT9EJlTY0UVqIF05D6zWokv6wE+Swc
+LLt0vGzPA8wKKa/s794GQ+4CVIV9DApJXswEjOx4kYw
+-> ssh-ed25519 JGx7Ng /oOaCppA2fnvo3kv27Ynl9P9NO04UWbs/yw9OrtfkzI
+Jt0wq/IdyiTBDxE78drV90zHgnfXT7JT305THHrcH+0
+-> ssh-rsa krWCLQ
+1yYjwCF3m/n+wOeQIiXbZAl4tVttROXIlRIhRqgK9pbsI22WmXIXV0qmMsac8VZQ
+OsaZJGvY38yhUpYfDZZZHN3JNKL5yZcPFX+HeXQo305oFKsuUSs5EGIWDZmE5XsJ
+AFcqwrSRhNLHCJ3PVk6+C9RWfLMhbTNl4Kelndv/KqOfG5AkW193ZG4DHOWSwE3k
+8nUgwUGrY79ZVCpGkQAi65TJ4C/3toGcooVxwFVsBX8tfVX53VLvLuUIeD/uvV6A
+pZ+cdzwanUK8BNDY3yWPN+a8IYltlWKxruF2Q/Ae+eez5BFHC9p9bok558GTrMwC
+0cu/C1X2nqFormascUW2Q
+-> ssh-ed25519 /vwQcQ Ei8pI/GiyHtZWyqxYPoNTz5UVXtSdZllCQU8sF7CYH0
+oPuVJbkDVCgWZUp45wkPbogRP3AliLiidKTNP7ttzCY
+-> ssh-ed25519 0R97PA RLo/0D0TUnvH6yoLbjV9jEVIYZG/G/2nK9RaA/Zepg0
+18hpQWaZmJJFjABVvQJiM6pe7PtcF94BIg3J61+BX14
+-> ssh-ed25519 jIXfPA X+zJWTGGvy0LPBgTFRURdS4Rsnd+eSYiW7JhdnlK9yc
+mQjvg4cijN8VOeQR0ht9tyHKUX0Eg0iazcN36AAKQE8
+-> ssh-ed25519 QlRB9Q KI6rxe4Kek4IkMlDQvDlaO4MgMEKc/DdpWX4pCJFGjI
+MAaBVH1HlRntm8gFdbXPPYy1dQcHv8aU6OPCIuVLXYc
+-> kEXh"WN-grease WpN@loT^ MVM G\
+dL1RrBYkPiADu5E7PXyTBfx3UOhAhaFf66Dajg3aZwgwPOlSciKtsQqu4Q
+--- ApT4k9TGTnj3hpJVkSbIElRAwBNliRfmnLYBKsVutpA
+žBÍë¦6™È ÝtÈËí§1ùX»Ÿ±!o.ö<>þÜë=Z<>ÉXüåÚt‚}ÊåO £Kò¤	œg°;<3B>a—‚ÒÑÚVyYt¤¤Äë«ßM)â´÷ü›Š!þ;—].ÒX´ÇÛPG;=f‡37	…2³ÒWk<+IXûµ<C3BB>l§„*ËQS€Epçoc¶@«Â‚{=ß×ÝžÎ±*›_Ž)ì
--- a/machines/web-01/secrets/plausible_secret-key-base-file
+++ b/machines/web-01/secrets/plausible_secret-key-base-file
@ -0,0 +1,26 @@
+age-encryption.org/v1
+-> ssh-ed25519 0IVRbA zuXFn55iEAtXdyZIrqGFhMuRmJWO7vVj6biT+/70Vk4
+RqGr6dEsYs/zQML0nkaVgnWBdYkaLso0fBZCFNAVosk
+-> ssh-ed25519 JGx7Ng 1qQXt05dyoJ/1MVe5XudTJEvDwnLPB8wPg+IDIfoyjw
+wSW6ivHK38p+AcaayIY3bn3Io6mB54ut0eaLhvXBWxg
+-> ssh-rsa krWCLQ
+iaQb8f5LiExwJbZA5rF5FQNuKAh63XLmUjgyoxgkFOn6VprJ9oAH22Y8wq85SMrv
+rp5SmOYTcdn9hG1LnABPiSCGcquW+vEfL1LnpQIk0E+sFAHW/P8Pt7iK7L6nyxmR
+WF0xhKNBvZudysNMEtYtCWbAWf93awXx2qdH1+N/uITNGLgmviBXGThuz+sKGwVO
+mi86qk+B1MKkOCYJpWL6CrFeRJrYgph51y1fHl8Rywb3LE605oDCJ18GyvqBTpKl
+AGGtVDmMRIr16TEDVjfTg0XmNKQWDdmqvlpesxyXvKk1kU77eT4bfVtsdqyIDNjk
+/9RQqW2kiUDrYuige+p1cg
+-> ssh-ed25519 /vwQcQ 8rY5jPREmYfaWWP8KWjOEHgh87e241JbQO5EEgBhVBo
+RQhE8XjdFuj/eQujOot4oFrKEb63LrZ34AIeSigosKc
+-> ssh-ed25519 0R97PA G/zvtYihaKYoA6hFWoI4ceZt+T7ysxQ+aUSu2XZQHWA
+Nud2DqDI/gOeMXg0vZZN75RnDcQxRQix+uKOVS0RMz4
+-> ssh-ed25519 jIXfPA NnB25GAo+1eyVKI0m74E93V52XZ35UjECnYLgSTpFjY
+ip2J8AW+vo3e3otTE67/ns1lelFQs38JaCdb6l6CLW8
+-> ssh-ed25519 QlRB9Q 5PvEcPWMg0+k2fVP5oXjBQxcLLN2S3yV7zvzLO7d6gs
+TyZSXXPDyQwZtJmoElqmcl915oHOAaY2EEBb38rfSSM
+-> gS\H(UbE-grease xPm5+9D~ ` +jBi]
+IMHs3CjXalMD9i1riMNx0E61OhfZfaeONQn0OEn074kj6Qtjll/kr34yXf4CTmG2
+LtnT6xiGtf3Hq88Bk0QyuhmOyXpePk0//c40Qr+Ym82RR+mJmv9yRQ
+--- fjFYmVm6FP+waGy4INlgyAQonGSp4Q4g1HS/OZfDJWI
+†1ñ‰ÄpW¤
+»¨<EFBFBD>ó¹èi8çfŸ¹¹Ü±´å7ózö¥‚oHyÀehf3“N”c\Ï‹ª3;*È’2ÑÝ8¶C…þtAw	Ëc!H˜há<68>˜®‰§pøˆt}¦$(`Àç> ¥T¬×´R‚`e†%ï´x•IÂ¾Â…^®wÑ¹îêÝËñ«_Amðsi×X£¼Í`´Ý6xÊÈ>j<><6A>2ffÕ÷C
--- a/machines/web-01/secrets/secrets.nix
+++ b/machines/web-01/secrets/secrets.nix
@ -0,0 +1,10 @@
+let
+  lib = import ../../../lib { inherit (import <nixpkgs> { }) lib; };
+  publicKeys = lib.getNodeKeys "web-01";
+in
+
+lib.setDefault { inherit publicKeys; } [
+  "plausible_admin-user-password-file"
+  "plausible_secret-key-base-file"
+  "plausible_release-cookie-file"
+]
				`@ -0,0 +1 @@`
				`ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPR+lewuJ/zhCyizJGJOH1UaAB699ItNKEaeuoK57LY5`