chore: Bump versions.

Update plausible base url.
Add plausible service.
2024-01-10 12:29:34 -07:00 · 2024-01-10 12:29:21 -07:00 · 2024-01-10 11:37:08 -07:00 · 2024-01-10 10:44:20 -07:00 · 2024-01-10 09:28:31 -07:00
11 changed files with 121 additions and 17 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@ -1,12 +1,8 @@
 keys:
  - &admin_jrpotter age1huyyxsy4g0e5svmcejxvvdjnnk6qkulgd3qfpue59exnfrnqzudspxnn62
  - &server_phobos age16twzd97nh7tstk5meh277w02le6dxqmv7wzrjlemn87n36dzlyfq7uusj2
+  - &server_thebe age1pjgqvdyzxz30rxvu3zysjpmxrjjsvklggfepswhmwdaunx0kg3vsfept24
 creation_rules:
-  - path_regex: phobos/[^/]+\.(yaml|json|env|ini|enc)$
-    key_groups:
-    - age:
-      - *admin_jrpotter
-      - *server_phobos
  - path_regex: .*
    key_groups:
    - age:
--- a/README.md
+++ b/README.md
@ -83,5 +83,9 @@ To do so, run:
 $ nix-shell -p ssh-to-age --run 'ssh-keyscan <host> | ssh-to-age'
 ```
 This will look for any SSH host ed25519 public keys and automatically run
-through `ssh-to-age`. Include an appropriately top-level `keys` entry in
-`.sops.yaml` before generating the secrets needed by the machine.
+through `ssh-to-age`. Include a new top-level `keys` entry in `.sops.yaml` so
+that newly created secrets file automatically apply the age keys. For existing
+secret files, rotate and add the new age key to them:
+```bash
+$ sops --in-place --rotate --add-age <value> <secrets-file>
+```
--- a/flake.nix
+++ b/flake.nix
@ -34,6 +34,7 @@
            framework = tapir.pkgs;
            deimos = tapir.pkgs;
            phobos = tapir.pkgs;
+            thebe = tapir.pkgs;
          };
          nodeSpecialArgs = {
            framework = {
@ -45,6 +46,9 @@
            phobos = {
              inherit (tapir) sops-nix;
            };
+            thebe = {
+              inherit (tapir) sops-nix;
+            };
          };
        };

@ -62,6 +66,7 @@

        deimos.imports = [ ./hive/deimos ];
        phobos.imports = [ ./hive/phobos ];
+        thebe.imports = [ ./hive/thebe ];
      };

      packages.${system}.digital-ocean = {
--- a/hive/thebe/default.nix
+++ b/hive/thebe/default.nix
@ -0,0 +1,34 @@
+{ sops-nix, lib, ... }:
+{
+  imports = lib.optional (builtins.pathExists ./do-userdata.nix) ./do-userdata.nix ++ [
+    sops-nix.nixosModules.sops
+    ../../digital-ocean/configuration.nix
+    ../../services/plausible
+  ];
+
+  deployment.targetHost = "64.23.168.148";
+
+  networking = {
+    hostName = "thebe";
+    firewall = {
+      enable = true;
+      allowedTCPPorts = [ 80 443 ];
+    };
+  };
+
+  programs.mosh.enable = true;
+
+  services = {
+    nginx.enable = true;
+    openssh.enable = true;
+    plausible.enable = true;
+    postgresql.enable = true;
+  };
+
+  security.acme = {
+    acceptTerms = true;
+    defaults.email = "jrpotter2112@gmail.com";
+  };
+
+  system.stateVersion = "23.11";
+}
--- a/services/blog.nix
+++ b/services/blog.nix
@ -1,7 +1,7 @@
 { system, ... }:
 let
  blog = builtins.getFlake
-    "github:jrpotter/blog/76e0accbacb113fff57d42a9dc59adafc02eb885";
+    "github:jrpotter/blog/3985323a0378ad7571511a348ef83ef833b08646";
 in
 {
  services.nginx.virtualHosts."blog.jrpotter.com" = {
--- a/services/boardwise/default.nix
+++ b/services/boardwise/default.nix
@ -1,7 +1,7 @@
 { system, pkgs, lib, ... }:
 let
  boardwise = builtins.getFlake
-    "github:boardwise-gg/website/db73e3b4f06659fd477be8e76594c01a185f1496";
+    "github:boardwise-gg/website/ef264d6670199157761602093f9bf52bb471c4b8";
  coach-scraper = builtins.getFlake
    "github:boardwise-gg/coach-scraper/58815d3ae5a69cac12436a01e77019a5ac5d16a7";
 in
@ -36,7 +36,7 @@ in
      Environment = [
        "DATABASE_URL=ecto://postgres:postgres@localhost/boardwise"
      ];
-      EnvironmentFile = "/run/secrets/SECRET_KEY_BASE";
+      EnvironmentFile = "/run/secrets/BOARDWISE_SECRET_KEY_BASE";
      ExecStartPre = "${boardwise.packages.${system}.app}/bin/migrate";
      ExecStart = "${boardwise.packages.${system}.app}/bin/boardwise start";
      Restart = "on-failure";
@ -49,6 +49,6 @@ in

  sops = {
    defaultSopsFile = ./secrets.yaml;
-    secrets.SECRET_KEY_BASE = {};
+    secrets.BOARDWISE_SECRET_KEY_BASE = {};
  };
 }
--- a/services/boardwise/secrets.yaml
+++ b/services/boardwise/secrets.yaml
@ -1,4 +1,4 @@
-SECRET_KEY_BASE: ENC[AES256_GCM,data:7momHRbT88d1hVkABk9altYurje6s/NQCuDRttBZm9JND1Gtdlf/xaPBHHBH/S0zYGZirzFsYHUYsCNeSNDao9Wa6zpb/ISt9gdMJ4kng3s=,iv:xcPtA1h1LapQpH2A2cyRIh22w5obrIibatE3b2EKpQ8=,tag:pxatJLQv2lBCFja6a/lSzQ==,type:str]
+BOARDWISE_SECRET_KEY_BASE: ENC[AES256_GCM,data:cXN04jWbIZOYxf5BJNtnebAFBDDn2b/Rj3d5LVZ028Q12y8KLmEuaj+s43Pcmgypvo7xQGhjT89p7TWkiciIzbNFTN0hrvQP3qpQCFWtrf0=,iv:obSPCWPoFLYvj9MulY4lBJnmaMlQsuM1NHsrCJnfywY=,tag:vrZgceJ9VRRgQjBF7FnXBA==,type:str]
 sops:
    kms: []
    gcp_kms: []
@ -23,8 +23,8 @@ sops:
            eVRiNzAyRk9mUXpPZmRCcU5BVitjQW8KPFKtQSwOKtp5pLI2mlAXtkc8nJYoXjo0
            jdqxptc4a7uKywi8s1lffUSkV/ifMxVc9uH2M+0ry227aU+r2Lk0tA==
            -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-12-12T16:25:49Z"
-    mac: ENC[AES256_GCM,data:EBzV8XbfwfTOBBmq3Tn6DptH93klcqxoz24f12wh6OtSahpBA3IK9OEOg0W3TrxdJ67Ymp/vKeM5/reMbVlQmiabEsZ4gDYaqeulQJWhRroBD4kEoqvCUF0Od7JFDwSFN5LsoT3Me95rNJMN1e8ZIpzGLfjYSIlJ/xvJGv73vvo=,iv:uV9Rs6HguHedQt/SSjLbiwOLrV2omtY2IqDKldkL8mg=,tag:Qev2BlCVcpAcN5Xo/bcioQ==,type:str]
+    lastmodified: "2024-01-10T17:43:15Z"
+    mac: ENC[AES256_GCM,data:YzJ0VhC1TIcnRdBT05NjnAihcfDwuDBYqCabOG0Z5yPqBH5GgChQ9TKxWQ9kVV9PSRr9cvJdVr5LxasjcmxMpCYDFP1EytikX3N47GXK6Y2ydnZ+Z5YMJLYMFAuEiePZvI7ksrQVISKDoZzzMV37gRn70aovWQBG0O9mo/2INiM=,iv:hE7z2YB8exHVJDRybeHObefOfRGkAt9I9pdovIEYgH0=,tag:hzZ1CoG+PjBSyCkFH3VwQw==,type:str]
    pgp: []
    unencrypted_suffix: _unencrypted
-    version: 3.7.3
+    version: 3.8.1
--- a/services/plausible/default.nix
+++ b/services/plausible/default.nix
@ -0,0 +1,34 @@
+{ config, ... }:
+{
+  services = {
+    plausible = {
+      adminUser = {
+        # activate is used to skip the email verification of the admin-user
+        # that's automatically created by plausible. This is only supported if
+        # postgresql is configured by the module. This is done by default, but
+        # can be turned off with services.plausible.database.postgres.setup.
+        activate = true;
+        email = "jrpotter2112@gmail.com";
+        passwordFile = "/run/secrets/PLAUSIBLE_ADMIN_PWD";
+      };
+      server = {
+        baseUrl = "https://analytics.jrpotter.com";
+        secretKeybaseFile = "/run/secrets/PLAUSIBLE_SECRET_KEY_BASE";
+      };
+    };
+    nginx.virtualHosts."analytics.jrpotter.com" = {
+      forceSSL = true;
+      enableACME = true;
+      locations."/" = {
+        recommendedProxySettings = true;
+        proxyPass = "http://127.0.0.1:${toString config.services.plausible.server.port}";
+      };
+    };
+  };
+
+  sops = {
+    defaultSopsFile = ./secrets.yaml;
+    secrets.PLAUSIBLE_ADMIN_PWD = {};
+    secrets.PLAUSIBLE_SECRET_KEY_BASE = {};
+  };
+}
--- a/services/plausible/secrets.yaml
+++ b/services/plausible/secrets.yaml
@ -0,0 +1,31 @@
+PLAUSIBLE_ADMIN_PWD: ENC[AES256_GCM,data:bnSVaGHJG/VzWuiks8wYGdWu,iv:Xhhvqk1ThBJXz1XNYx40YfIpqcADL9SPwrLf/rje57I=,tag:fw1RujBToGTo1qFhbYEcaQ==,type:str]
+PLAUSIBLE_SECRET_KEY_BASE: ENC[AES256_GCM,data:gyncr/BiekwFFQww9aJXkiU3nTUtwpUxb3E3RYw89zInV/e6v4gGJHXG1T1SPvOsl8QRyMq6rYvHSpCGCXx0iwx/9jBUyyTw16fTTsANA6vrVrufpe3vrg==,iv:r6OSjNskgXpBqMOIPYjYziGyfiS0enFRJFI87PGwl1I=,tag:Dl/InBqKF2XTmMlKfYZk1w==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1huyyxsy4g0e5svmcejxvvdjnnk6qkulgd3qfpue59exnfrnqzudspxnn62
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDN1ZjUWpHak9sL2hPVzk3
+            RXR1NkFuMmpXUXpQTUc1TU1CZHp5ZTFrRlZJCnpLWmRTWGN5bzFLOFd3RVFHbU5H
+            dkc1UzdWcEViNEh6bGRJYTY2V2RBWXcKLS0tIExsb0FvajE2amE1YU9TbjZXTTJo
+            NzkrMlVjMkp3a1BxL01LZUhpTWZ6Y0EKOEDeya5JhwXWcj+7tloeGSKHLaFqqjQl
+            7U66quW6QX9k/DjixhNzVYlOTlkHKWguoS8OHk9qsTExGupM7HkNAw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1pjgqvdyzxz30rxvu3zysjpmxrjjsvklggfepswhmwdaunx0kg3vsfept24
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4bXh0dWlLRE9mTDV1akNv
+            bExpSmZhODJnc0h6SkZ1OHR0NkQrZXNPeHhnCndPTUdjS0Q4VXRxUEZQOUJSa3ZD
+            OWJtSXkvNmZrWWJ5ZTBiZnFmV2VlMzgKLS0tIEpBZng4VktnaG9aZDZJaXYzamcr
+            UHZrdXBWZ0I2SnArQkJ6UkhRa2xpdEEKHBNMEcQQNs3mLQE5UI21Ue52dnZlIOqZ
+            91HSVBgFP4dfrsW4+ZyxrhqADZziHSn5AfpbuhJ7QLSsjNRLHyrbgw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-01-10T18:27:35Z"
+    mac: ENC[AES256_GCM,data:7rsYMbTTmOPHVqoaQu78Glf4EvXRbDVvkbZYQd9fSy7JOWyKzvVC9ZD2yr0WbHoe0Gq8mpdfmcc5Q/3JIuNanqQxbvvLDqYSBQNoifeuQ9dLRhxzI2Up1mhLTHDIV3CB+7TfIMkaJ7gYkQXX9sg2P2EL9R4o0TJ8Uuee3Iq2H/s=,iv:ym9btl+HL/dX++fXTyPl0Aze6b5dyuO+gM+CuBWvagE=,tag:PBy4EvtnivzXpCdviDEaSw==,type:str]
+    pgp: []
+    unencrypted_suffix: _unencrypted
+    version: 3.7.3
--- a/services/portfolio.nix
+++ b/services/portfolio.nix
@ -1,7 +1,7 @@
 { system, ... }:
 let
  portfolio = builtins.getFlake
-    "github:jrpotter/portfolio/eb0bc7d44ba1349860a56797b92761c68a4e7dce";
+    "github:jrpotter/portfolio/869cbe0f566814caa8a791d956ea794004f2eb7d";
 in
 {
  services.nginx.virtualHosts."www.jrpotter.com" = {
--- a/users/jrpotter/default.nix
+++ b/users/jrpotter/default.nix
@ -1,7 +1,7 @@
 { stateVersion, pkgs, ... }:
 let
  bootstrap = builtins.getFlake
-    "github:jrpotter/bootstrap/ad6e70f99940c986a153443f9d36e55be2dbb8b4";
+    "github:jrpotter/bootstrap/a4d83776c36568be84db9869182a35c356a947b4";
 in
 {
  imports = [
Author	SHA1	Message	Date
Joshua Potter	aacb694151	chore: Bump versions.	2024-01-10 12:29:34 -07:00
Joshua Potter	7bd90fd202	Update plausible base url.	2024-01-10 12:29:21 -07:00
Joshua Potter	ae4de597e3	Add plausible service.	2024-01-10 11:37:08 -07:00
Joshua Potter	140bae68cc	Prefix secrets with service name.	2024-01-10 10:44:20 -07:00
Joshua Potter	d2921e0985	Register thebe machine.	2024-01-10 09:28:31 -07:00