Add plausible service.
parent
140bae68cc
commit
ae4de597e3
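--- a/<path-not-shown: sops config (.sops.yaml per README)>
+++ b/<path-not-shown: sops config (.sops.yaml per README)>
@@ -1,12 +1,8 @@
 keys:
 - &admin_jrpotter age1huyyxsy4g0e5svmcejxvvdjnnk6qkulgd3qfpue59exnfrnqzudspxnn62
 - &server_phobos age16twzd97nh7tstk5meh277w02le6dxqmv7wzrjlemn87n36dzlyfq7uusj2
+- &server_thebe age1pjgqvdyzxz30rxvu3zysjpmxrjjsvklggfepswhmwdaunx0kg3vsfept24
 creation_rules:
-- path_regex: phobos/[^/]+\.(yaml|json|env|ini|enc)$
-key_groups:
-- age:
-- *admin_jrpotter
-- *server_phobos
 - path_regex: .*
 key_groups:
 - age: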
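Review bot: Removing the phobos-scoped creation rule leaves only the `.*` rule, so which host keys can decrypt a given secrets file now depends entirely on that rule's recipient list, which continues past the end of this hunk and is not visible here. If the catch-all names every server key, each host can decrypt every other host's secrets, whereas the removed rule limited the phobos directory to `*admin_jrpotter` and `*server_phobos`; keeping one rule per host or service directory ahead of the `.*` fallback (e.g. `- path_regex: <host-or-service-dir>/[^/]+\.(yaml|json|env|ini|enc)$` listing only that host's key and the admin key) preserves that scoping. The new secrets file in this commit is encrypted only to the admin and thebe recipients, so the current rule may already behave that way, but that is worth confirming in the part of the file the hunk does not show.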
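--- a/<path-not-shown: README>
+++ b/<path-not-shown: README>
@@ -83,5 +83,9 @@ To do so, run:
 $ nix-shell -p ssh-to-age --run 'ssh-keyscan <host> | ssh-to-age'
 ```
 This will look for any SSH host ed25519 public keys and automatically run
-through `ssh-to-age`. Include an appropriately top-level `keys` entry in
-`.sops.yaml` before generating the secrets needed by the machine.
+through `ssh-to-age`. Include a new top-level `keys` entry in `.sops.yaml` so
+that newly created secrets file automatically apply the age keys. For existing
+secret files, rotate and add the new age key to them:
+```bash
+$ sops --in-place --rotate --add-age <value> <secrets-file>
+```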
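--- a/<path-not-shown: deployment nix file with thebe entry>
+++ b/<path-not-shown: deployment nix file with thebe entry>
@@ -47,7 +47,7 @@
 inherit (tapir) sops-nix;
 };
 thebe = {
-inherit (tapir);
+inherit (tapir) sops-nix;
 };
 };
 };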
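--- a/<path-not-shown: thebe configuration.nix>
+++ b/<path-not-shown: thebe configuration.nix>
@@ -1,7 +1,9 @@
-{ lib, ... }:
+{ sops-nix, lib, ... }:
 {
 imports = lib.optional (builtins.pathExists ./do-userdata.nix) ./do-userdata.nix ++ [
+sops-nix.nixosModules.sops
 ../../digital-ocean/configuration.nix
+../../services/plausible
 ];
 
 deployment.targetHost = "64.23.168.148";
@@ -19,6 +21,8 @@
 services = {
 nginx.enable = true;
 openssh.enable = true;
+plausible.enable = true;
+postgresql.enable = true;
 };
 
 security.acme = {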
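Review bot: `postgresql.enable = true;` in the second hunk looks redundant with what the new plausible module already arranges — the comment added in the services/plausible file in this same commit says the module configures postgresql by default unless `services.plausible.database.postgres.setup` is turned off — so this line either duplicates that default or, if the module does not set it, the dependency is better expressed next to the plausible settings in the service module where the comment lives. If it is kept here deliberately, a one-line comment such as `# plausible's module sets this up by default; kept explicit so the dependency is visible at the host level` would stop the next reader from removing it. The `services` and `imports` attribute sets both continue outside these hunks.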
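--- /dev/null
+++ b/<path-not-shown: services/plausible module (imported as ../../services/plausible)>
@@ -0,0 +1,34 @@
+{ config, ... }:
+{
+services = {
+plausible = {
+adminUser = {
+# activate is used to skip the email verification of the admin-user
+# that's automatically created by plausible. This is only supported if
+# postgresql is configured by the module. This is done by default, but
+# can be turned off with services.plausible.database.postgres.setup.
+activate = true;
+email = "jrpotter2112@gmail.com";
+passwordFile = "/run/secrets/PLAUSIBLE_ADMIN_PWD";
+};
+server = {
+baseUrl = "http://analytics.jrpotter.com";
+secretKeybaseFile = "/run/secrets/PLAUSIBLE_SECRET_KEY_BASE";
+};
+};
+nginx.virtualHosts."analytics.jrpotter.com" = {
+forceSSL = true;
+enableACME = true;
+locations."/" = {
+recommendedProxySettings = true;
+proxyPass = "http://127.0.0.1:${toString config.services.plausible.server.port}";
+};
+};
+};
+
+sops = {
+defaultSopsFile = ./secrets.yaml;
+secrets.PLAUSIBLE_ADMIN_PWD = {};
+secrets.PLAUSIBLE_SECRET_KEY_BASE = {};
+};
+}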
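Review bot: `baseUrl = "http://analytics.jrpotter.com";` advertises plain http while the nginx vhost a few lines below sets `forceSSL = true`, so the scheme Plausible uses for the links and script URL it generates is the one nginx redirects away from; it should read `baseUrl = "https://analytics.jrpotter.com";`. The two `/run/secrets/...` strings are hard-coded even though the same secrets are declared under `sops.secrets` at the bottom of this file; `passwordFile = config.sops.secrets.PLAUSIBLE_ADMIN_PWD.path;` and the matching form for `secretKeybaseFile` keep the paths in sync with whatever location sops-nix actually mounts them at. The `sops.secrets.*` entries set no owner or mode, so the files are presumably root-owned and 0400 — confirm the plausible service is able to read both before relying on this, or set `owner` on each secret.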
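--- /dev/null
+++ b/<path-not-shown: services/plausible/secrets.yaml (./secrets.yaml from the module)>
@@ -0,0 +1,31 @@
+PLAUSIBLE_ADMIN_PWD: ENC[AES256_GCM,data:bnSVaGHJG/VzWuiks8wYGdWu,iv:Xhhvqk1ThBJXz1XNYx40YfIpqcADL9SPwrLf/rje57I=,tag:fw1RujBToGTo1qFhbYEcaQ==,type:str]
+PLAUSIBLE_SECRET_KEY_BASE: ENC[AES256_GCM,data:gyncr/BiekwFFQww9aJXkiU3nTUtwpUxb3E3RYw89zInV/e6v4gGJHXG1T1SPvOsl8QRyMq6rYvHSpCGCXx0iwx/9jBUyyTw16fTTsANA6vrVrufpe3vrg==,iv:r6OSjNskgXpBqMOIPYjYziGyfiS0enFRJFI87PGwl1I=,tag:Dl/InBqKF2XTmMlKfYZk1w==,type:str]
+sops:
+kms: []
+gcp_kms: []
+azure_kv: []
+hc_vault: []
+age:
+- recipient: age1huyyxsy4g0e5svmcejxvvdjnnk6qkulgd3qfpue59exnfrnqzudspxnn62
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDN1ZjUWpHak9sL2hPVzk3
+RXR1NkFuMmpXUXpQTUc1TU1CZHp5ZTFrRlZJCnpLWmRTWGN5bzFLOFd3RVFHbU5H
+dkc1UzdWcEViNEh6bGRJYTY2V2RBWXcKLS0tIExsb0FvajE2amE1YU9TbjZXTTJo
+NzkrMlVjMkp3a1BxL01LZUhpTWZ6Y0EKOEDeya5JhwXWcj+7tloeGSKHLaFqqjQl
+7U66quW6QX9k/DjixhNzVYlOTlkHKWguoS8OHk9qsTExGupM7HkNAw==
+-----END AGE ENCRYPTED FILE-----
+- recipient: age1pjgqvdyzxz30rxvu3zysjpmxrjjsvklggfepswhmwdaunx0kg3vsfept24
+enc: |
+-----BEGIN AGE ENCRYPTED FILE-----
+YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bXh0dWlLRE9mTDV1akNv
+bExpSmZhODJnc0h6SkZ1OHR0NkQrZXNPeHhnCndPTUdjS0Q4VXRxUEZQOUJSa3ZD
+OWJtSXkvNmZrWWJ5ZTBiZnFmV2VlMzgKLS0tIEpBZng4VktnaG9aZDZJaXYzamcr
+UHZrdXBWZ0I2SnArQkJ6UkhRa2xpdEEKHBNMEcQQNs3mLQE5UI21Ue52dnZlIOqZ
+91HSVBgFP4dfrsW4+ZyxrhqADZziHSn5AfpbuhJ7QLSsjNRLHyrbgw==
+-----END AGE ENCRYPTED FILE-----
+lastmodified: "2024-01-10T18:27:35Z"
+mac: ENC[AES256_GCM,data:7rsYMbTTmOPHVqoaQu78Glf4EvXRbDVvkbZYQd9fSy7JOWyKzvVC9ZD2yr0WbHoe0Gq8mpdfmcc5Q/3JIuNanqQxbvvLDqYSBQNoifeuQ9dLRhxzI2Up1mhLTHDIV3CB+7TfIMkaJ7gYkQXX9sg2P2EL9R4o0TJ8Uuee3Iq2H/s=,iv:ym9btl+HL/dX++fXTyPl0Aze6b5dyuO+gM+CuBWvagE=,tag:PBy4EvtnivzXpCdviDEaSw==,type:str]
+pgp: []
+unencrypted_suffix: _unencrypted
+version: 3.7.3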