Add plausible service.

Joshua Potter 2024-01-10 10:45:12 -07:00
parent 140bae68cc
commit ae4de597e3
6 changed files with 78 additions and 9 deletions


@ -1,12 +1,8 @@
keys: keys:
- &admin_jrpotter age1huyyxsy4g0e5svmcejxvvdjnnk6qkulgd3qfpue59exnfrnqzudspxnn62 - &admin_jrpotter age1huyyxsy4g0e5svmcejxvvdjnnk6qkulgd3qfpue59exnfrnqzudspxnn62
- &server_phobos age16twzd97nh7tstk5meh277w02le6dxqmv7wzrjlemn87n36dzlyfq7uusj2 - &server_phobos age16twzd97nh7tstk5meh277w02le6dxqmv7wzrjlemn87n36dzlyfq7uusj2
- &server_thebe age1pjgqvdyzxz30rxvu3zysjpmxrjjsvklggfepswhmwdaunx0kg3vsfept24
creation_rules: creation_rules:
- path_regex: phobos/[^/]+\.(yaml|json|env|ini|enc)$
key_groups:
- age:
- *admin_jrpotter
- *server_phobos
- path_regex: .* - path_regex: .*
key_groups: key_groups:
- age: - age:
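Review bot: The age key list under the catch-all `path_regex: .*` rule is cut off at the end of this hunk, and that rule now appears to be the only creation rule left (the 12→8 line count implies the five `phobos/` rule lines are the removed side and the `server_thebe` anchor the added one), so whatever keys it names will be applied to every secrets file in the repository, including phobos's, on the next `sops updatekeys`. The encrypted secrets.yaml added later in this commit is recipient-listed only to `admin_jrpotter` and `server_thebe`, which suggests the catch-all omits `server_phobos`; if so, existing phobos secrets would silently lose their host recipient when re-keyed, and if instead it lists all three, the new file would gain phobos's host key. A path-scoped rule for the new file's location (the plausible module points `defaultSopsFile` at a `./secrets.yaml` beside it) with `key_groups: [ { age: [ *admin_jrpotter, *server_thebe ] } ]`, mirroring the per-host shape of the rule this hunk drops, keeps each host key able to decrypt only its own secrets. The remainder of the catch-all rule continues outside the hunk.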


@ -83,5 +83,9 @@ To do so, run:
$ nix-shell -p ssh-to-age --run 'ssh-keyscan <host> | ssh-to-age' $ nix-shell -p ssh-to-age --run 'ssh-keyscan <host> | ssh-to-age'
``` ```
This will look for any SSH host ed25519 public keys and automatically run This will look for any SSH host ed25519 public keys and automatically run
through `ssh-to-age`. Include an appropriately top-level `keys` entry in through `ssh-to-age`. Include a new top-level `keys` entry in `.sops.yaml` so
`.sops.yaml` before generating the secrets needed by the machine. that newly created secrets file automatically apply the age keys. For existing
secret files, rotate and add the new age key to them:
```bash
$ sops --in-place --rotate --add-age <value> <secrets-file>
```


@ -47,7 +47,7 @@
inherit (tapir) sops-nix; inherit (tapir) sops-nix;
}; };
thebe = { thebe = {
inherit (tapir); inherit (tapir) sops-nix;
}; };
}; };
}; };


@ -1,7 +1,9 @@
{ lib, ... }: { sops-nix, lib, ... }:
{ {
imports = lib.optional (builtins.pathExists ./do-userdata.nix) ./do-userdata.nix ++ [ imports = lib.optional (builtins.pathExists ./do-userdata.nix) ./do-userdata.nix ++ [
sops-nix.nixosModules.sops
../../digital-ocean/configuration.nix ../../digital-ocean/configuration.nix
../../services/plausible
]; ];
deployment.targetHost = "64.23.168.148"; deployment.targetHost = "64.23.168.148";
@ -19,6 +21,8 @@
services = { services = {
nginx.enable = true; nginx.enable = true;
openssh.enable = true; openssh.enable = true;
plausible.enable = true;
postgresql.enable = true;
}; };
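Review bot: `sops-nix.nixosModules.sops` is imported here in the host configuration, while the `sops.defaultSopsFile` and `sops.secrets.*` settings that depend on it are declared in the shared `../../services/plausible` module imported two lines below; any other host that pulls in that module without also importing the sops-nix module will fail evaluation on an undefined `sops` option. Since `sops-nix` arrives as a module argument (the new `{ sops-nix, lib, ... }:` signature), the same import could live in `services/plausible`'s own `imports` so the module is self-contained; failing that, a comment such as `# sops-nix module required: services/plausible declares sops.secrets` beside the `../../services/plausible` entry documents the coupling. In the second hunk, the plausible module's own comment says it configures postgresql by default, so `postgresql.enable = true;` may be redundant rather than required — worth confirming against that option before relying on it. The `services` set is complete within the hunk, but `security.acme` continues outside it.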
security.acme = { security.acme = {


@ -0,0 +1,34 @@
{ config, ... }:
{
services = {
plausible = {
adminUser = {
# activate is used to skip the email verification of the admin-user
# that's automatically created by plausible. This is only supported if
# postgresql is configured by the module. This is done by default, but
# can be turned off with services.plausible.database.postgres.setup.
activate = true;
email = "jrpotter2112@gmail.com";
passwordFile = "/run/secrets/PLAUSIBLE_ADMIN_PWD";
};
server = {
baseUrl = "http://analytics.jrpotter.com";
secretKeybaseFile = "/run/secrets/PLAUSIBLE_SECRET_KEY_BASE";
};
};
nginx.virtualHosts."analytics.jrpotter.com" = {
forceSSL = true;
enableACME = true;
locations."/" = {
recommendedProxySettings = true;
proxyPass = "http://127.0.0.1:${toString config.services.plausible.server.port}";
};
};
};
sops = {
defaultSopsFile = ./secrets.yaml;
secrets.PLAUSIBLE_ADMIN_PWD = {};
secrets.PLAUSIBLE_SECRET_KEY_BASE = {};
};
}
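Review bot: `baseUrl = "http://analytics.jrpotter.com"` disagrees with the nginx virtual host declared below it, which sets `forceSSL = true` and therefore only ever serves the site over HTTPS; Plausible derives its absolute links and endpoint scheme from this value, so the plain-http scheme yields wrong generated URLs behind the TLS-terminating proxy. Change it to `baseUrl = "https://analytics.jrpotter.com";`. The two `sops.secrets.<name> = {}` entries take sops-nix's defaults (root-owned, mode 0400 under `/run/secrets`), which is the right least-privilege default but only works if the nixpkgs plausible service reads `passwordFile` and `secretKeybaseFile` as root or through systemd credentials rather than as its own service user — confirm against the module before deploying, and set `owner`/`mode` on the secrets if it does not. The hunk header announces 34 added lines while 33 are rendered here, so one line (likely blank) was dropped in the rendering.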


@ -0,0 +1,31 @@
PLAUSIBLE_ADMIN_PWD: ENC[AES256_GCM,data:bnSVaGHJG/VzWuiks8wYGdWu,iv:Xhhvqk1ThBJXz1XNYx40YfIpqcADL9SPwrLf/rje57I=,tag:fw1RujBToGTo1qFhbYEcaQ==,type:str]
PLAUSIBLE_SECRET_KEY_BASE: ENC[AES256_GCM,data:gyncr/BiekwFFQww9aJXkiU3nTUtwpUxb3E3RYw89zInV/e6v4gGJHXG1T1SPvOsl8QRyMq6rYvHSpCGCXx0iwx/9jBUyyTw16fTTsANA6vrVrufpe3vrg==,iv:r6OSjNskgXpBqMOIPYjYziGyfiS0enFRJFI87PGwl1I=,tag:Dl/InBqKF2XTmMlKfYZk1w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1huyyxsy4g0e5svmcejxvvdjnnk6qkulgd3qfpue59exnfrnqzudspxnn62
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDN1ZjUWpHak9sL2hPVzk3
RXR1NkFuMmpXUXpQTUc1TU1CZHp5ZTFrRlZJCnpLWmRTWGN5bzFLOFd3RVFHbU5H
dkc1UzdWcEViNEh6bGRJYTY2V2RBWXcKLS0tIExsb0FvajE2amE1YU9TbjZXTTJo
NzkrMlVjMkp3a1BxL01LZUhpTWZ6Y0EKOEDeya5JhwXWcj+7tloeGSKHLaFqqjQl
7U66quW6QX9k/DjixhNzVYlOTlkHKWguoS8OHk9qsTExGupM7HkNAw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1pjgqvdyzxz30rxvu3zysjpmxrjjsvklggfepswhmwdaunx0kg3vsfept24
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bXh0dWlLRE9mTDV1akNv
bExpSmZhODJnc0h6SkZ1OHR0NkQrZXNPeHhnCndPTUdjS0Q4VXRxUEZQOUJSa3ZD
OWJtSXkvNmZrWWJ5ZTBiZnFmV2VlMzgKLS0tIEpBZng4VktnaG9aZDZJaXYzamcr
UHZrdXBWZ0I2SnArQkJ6UkhRa2xpdEEKHBNMEcQQNs3mLQE5UI21Ue52dnZlIOqZ
91HSVBgFP4dfrsW4+ZyxrhqADZziHSn5AfpbuhJ7QLSsjNRLHyrbgw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-10T18:27:35Z"
mac: ENC[AES256_GCM,data:7rsYMbTTmOPHVqoaQu78Glf4EvXRbDVvkbZYQd9fSy7JOWyKzvVC9ZD2yr0WbHoe0Gq8mpdfmcc5Q/3JIuNanqQxbvvLDqYSBQNoifeuQ9dLRhxzI2Up1mhLTHDIV3CB+7TfIMkaJ7gYkQXX9sg2P2EL9R4o0TJ8Uuee3Iq2H/s=,iv:ym9btl+HL/dX++fXTyPl0Aze6b5dyuO+gM+CuBWvagE=,tag:PBy4EvtnivzXpCdviDEaSw==,type:str]
pgp: []
unencrypted_suffix: _unencrypted
version: 3.7.3