plausible: init

2025-07-27 18:17:44 +00:00 · 2025-06-08 05:01:32 +03:00 · 2025-06-08 05:01:32 +03:00 · e7cf9c7239
commit e7cf9c7239
parent b9c640dd78
4 changed files with 49 additions and 1 deletions
--- a/hosts/best/plausible/default.nix
+++ b/hosts/best/plausible/default.nix
@ -0,0 +1,39 @@
+{ config, self, lib, ... }: let
+  inherit (config.networking) domain;
+  inherit (lib) enabled merge;
+
+  fqdn = "shekels.${domain}";
+  port = 8007;
+in {
+  imports = [
+    (self + /modules/nginx.nix)
+    (self + /modules/postgresql.nix)
+  ];
+
+  secrets.plausibleKey = {
+    file  = ./key.age;
+    owner = "plausible";
+  };
+
+  services.postgresql.ensure = [ "plausible" ];
+
+  services.plausible = enabled {
+    server = {
+      disableRegistration = true; # Setting it explicitly just in case.
+
+      secretKeybaseFile = config.secrets.plausibleKey.path;
+
+      baseUrl = "https://${fqdn}";
+
+      listenAddress = "::1";
+      inherit port;
+    };
+  };
+
+  services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
+    locations."/" = {
+      proxyPass       = "http://[::1]:${toString port}";
+      proxyWebsockets = true;
+    };
+  };
+}
--- a/hosts/best/plausible/key.age
+++ b/hosts/best/plausible/key.age
@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 8y3T6w 6z16kXAqAppYOMXQ7riHs+iP6SFMfJND1KlG0TI+Bgo
+Gm99zghsZ69nBzs8I+Hs3fRM7+dGEaNC7mFwVJZbjO4
+-> ssh-ed25519 CzqbPQ AYm8rfc18ftg7vvt6MVIYlaMcyL09VDoDBLGa0v6STo
+uWmdITsGHXPZfMMBDdaYkbLCHntii4mupaWklLfOYa0
+--- LFjB2mFBC6OkRoM7A9RVGjcXGbMQGKutBz44EDK3YJo
+ｰuL6lｸﾚ6eﾕ燗z<E78797>月ﾓE<EFBE93>'｢Gｺ殻逎､^xjﾉﾔj椴!YEsDZﾓy2紙ｦ<E7B499>rF瀚Oｿ<4F>K<EFBFBD><4B>剰%ﾌ<>圦ﾈ^秉怖ﾎ<E68096>ｭﾐ┐ｨ∩ﾜY麩屍ﾄyI
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@ -16,7 +16,7 @@ in {

    add_header Strict-Transport-Security $hsts_header always;

-    add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'self'; base-uri 'self';" always;
+    add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' ${domain} *.${domain}; object-src 'self' ${domain} *.${domain}; base-uri 'self';" always;

    add_header Referrer-Policy no-referrer always;

--- a/secrets.nix
+++ b/secrets.nix
@ -20,6 +20,8 @@ in {

  "hosts/best/nextcloud/password.age".publicKeys      = [ best ] ++ admins;

+  "hosts/best/plausible/key.age".publicKeys      = [ best ] ++ admins;
+
  # disk
  "hosts/disk/id.age".publicKeys              = [ disk ] ++ admins;
  "hosts/disk/password.age".publicKeys = [ disk ] ++ admins;