From cb19202bb7a76b1b17421aaa2540d616dd2e8cfc Mon Sep 17 00:00:00 2001
From: RGBCube
Date: Sun, 8 Jun 2025 04:39:21 +0300
Subject: [PATCH 1/4] nix-serve: fix key user
---
 hosts/best/cache/default.nix | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/hosts/best/cache/default.nix b/hosts/best/cache/default.nix
index 54ba52b..0ae8afb 100644
--- a/hosts/best/cache/default.nix
+++ b/hosts/best/cache/default.nix
@@ -10,7 +10,7 @@ in {
 secrets.nixServeKey = {
 file = ./key.age;
- owner = "nix-serve";
+ owner = "root"; # `nix-serve` runs as root.
 };
 services.nix-serve = enabled {
From b9c640dd78a3de18dcd312fadd8b2e78fc95134c Mon Sep 17 00:00:00 2001
From: RGBCube
Date: Sun, 8 Jun 2025 04:59:22 +0300
Subject: [PATCH 2/4] matrix: add comment and explicit setting about registration
---
 hosts/best/matrix/default.nix | 1 +
 1 file changed, 1 insertion(+)
diff --git a/hosts/best/matrix/default.nix b/hosts/best/matrix/default.nix
index 6829d72..a32a9e0 100644
--- a/hosts/best/matrix/default.nix
+++ b/hosts/best/matrix/default.nix
@@ -66,6 +66,7 @@ in {
 url_preview_enabled = true;
 dynamic_thumbnails = true;
+ enable_registration = false; # Setting it explicitly just in case.
 expire_access_token = true;
 # Trusting Matrix.org.
From e7cf9c723987a03be57ef56bb8cfd09858dbf3e7 Mon Sep 17 00:00:00 2001
From: RGBCube
Date: Sun, 8 Jun 2025 05:01:32 +0300
Subject: [PATCH 3/4] plausible: init
---
 hosts/best/plausible/default.nix | 39 ++++++++++++++++++++++++++++++++
 hosts/best/plausible/key.age | 7 ++++++
 modules/nginx.nix | 2 +-
 secrets.nix | 2 ++
 4 files changed, 49 insertions(+), 1 deletion(-)
 create mode 100644 hosts/best/plausible/default.nix
 create mode 100644 hosts/best/plausible/key.age
diff --git a/hosts/best/plausible/default.nix b/hosts/best/plausible/default.nix
new file mode 100644
index 0000000..8e8674f
--- /dev/null
+++ b/hosts/best/plausible/default.nix
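Review bot: The comment on the new `owner = "root"` line justifies the ownership with "nix-serve runs as root", which is worth checking against the NixOS module actually in use: recent nixpkgs versions of services.nix-serve run the daemon under a dynamic, unprivileged user and pass the key in through systemd `LoadCredential`, in which case the file is read by systemd as root before the service starts, and that — not the service itself running as root — is why root ownership works. If that is the case here, a comment such as `owner = "root"; # Read by systemd (LoadCredential) before privileges drop, not by the service user.` records the real reason and makes clear the key is meant to stay root-only. Only the owner changes in this hunk, so the file's mode is still whatever the secrets module defaults to; the enclosing attribute set continues outside the hunk.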
@@ -0,0 +1,39 @@
+{ config, self, lib, ... }: let
+ inherit (config.networking) domain;
+ inherit (lib) enabled merge;
+
+ fqdn = "shekels.${domain}";
+ port = 8007;
+in {
+ imports = [
+ (self + /modules/nginx.nix)
+ (self + /modules/postgresql.nix)
+ ];
+
+ secrets.plausibleKey = {
+ file = ./key.age;
+ owner = "plausible";
+ };
+
+ services.postgresql.ensure = [ "plausible" ];
+
+ services.plausible = enabled {
+ server = {
+ disableRegistration = true; # Setting it explicitly just in case.
+
+ secretKeybaseFile = config.secrets.plausibleKey.path;
+
+ baseUrl = "https://${fqdn}";
+
+ listenAddress = "::1";
+ inherit port;
+ };
+ };
+
+ services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
+ locations."/" = {
+ proxyPass = "http://[::1]:${toString port}";
+ proxyWebsockets = true;
+ };
+ };
+}
diff --git a/hosts/best/plausible/key.age b/hosts/best/plausible/key.age
new file mode 100644
index 0000000..edc645e
--- /dev/null
+++ b/hosts/best/plausible/key.age
@@ -0,0 +1,7 @@
+age-encryption.org/v1
+-> ssh-ed25519 8y3T6w 6z16kXAqAppYOMXQ7riHs+iP6SFMfJND1KlG0TI+Bgo
+Gm99zghsZ69nBzs8I+Hs3fRM7+dGEaNC7mFwVJZbjO4
+-> ssh-ed25519 CzqbPQ AYm8rfc18ftg7vvt6MVIYlaMcyL09VDoDBLGa0v6STo
+uWmdITsGHXPZfMMBDdaYkbLCHntii4mupaWklLfOYa0
+--- LFjB2mFBC6OkRoM7A9RVGjcXGbMQGKutBz44EDK3YJo
+uL6l6ezŌE'Gk磤^xjj!YEsDZy2rFjOKeÏ%^\|ЄYnryI
\ No newline at end of file
diff --git a/modules/nginx.nix b/modules/nginx.nix
index bb29cb7..27fc846 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@@ -16,7 +16,7 @@ in {
 add_header Strict-Transport-Security $hsts_header always;
- add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval'; object-src 'self'; base-uri 'self';" always;
+ add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' ${domain} *.${domain}; object-src 'self' ${domain} *.${domain}; base-uri 'self';" always;
 add_header Referrer-Policy no-referrer always;
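Review bot: Widening `object-src` to `${domain} *.${domain}` in the new Content-Security-Policy line is not needed for what this patch does — loading the analytics script from the shekels subdomain is governed by `script-src` alone — and it lets plugin/embed content from every subdomain be instantiated on every site this shared header is applied to. Keep `object-src 'self'` as it was, or tighten it to `'none'` since nothing here needs plugins, and grant `script-src` only the one host that serves the tracker, e.g. `add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://shekels.${domain}; object-src 'none'; base-uri 'self';" always;` (the host name is taken from `fqdn` in the new plausible file). A short comment on the line naming why the extra source is there would keep the next reader from widening it further; the surrounding `in {` block of modules/nginx.nix starts and ends outside the hunk.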
diff --git a/secrets.nix b/secrets.nix
index 71e66af..4e0ab44 100644
--- a/secrets.nix
+++ b/secrets.nix
@@ -20,6 +20,8 @@ in {
 "hosts/best/nextcloud/password.age".publicKeys = [ best ] ++ admins;
+ "hosts/best/plausible/key.age".publicKeys = [ best ] ++ admins;
+
 # disk
 "hosts/disk/id.age".publicKeys = [ disk ] ++ admins;
 "hosts/disk/password.age".publicKeys = [ disk ] ++ admins;
From f8c824dd0a24bf9cc5197d5542b96b750aad9c7d Mon Sep 17 00:00:00 2001
From: RGBCube
Date: Sun, 8 Jun 2025 05:49:18 +0300
Subject: [PATCH 4/4] plausible: add to other services
---
 hosts/best/forgejo.nix | 4 ++++
 hosts/best/grafana/default.nix | 2 ++
 hosts/best/nextcloud/default.nix | 4 +++-
 hosts/best/plausible/default.nix | 19 ++++++++++++++-----
 modules/nginx.nix | 1 +
 modules/site.nix | 11 +++++++----
 6 files changed, 31 insertions(+), 10 deletions(-)
diff --git a/hosts/best/forgejo.nix b/hosts/best/forgejo.nix
index 523d541..10398ad 100644
--- a/hosts/best/forgejo.nix
+++ b/hosts/best/forgejo.nix
@@ -111,6 +111,10 @@ in {
 };
 services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
+ extraConfig = ''
+ ${config.services.plausible.extraNginxConfigFor fqdn}
+ '';
+
 locations."/".proxyPass = "http://[::1]:${toString port}";
 };
 }
diff --git a/hosts/best/grafana/default.nix b/hosts/best/grafana/default.nix
index eded4c8..a1d2d61 100644
--- a/hosts/best/grafana/default.nix
+++ b/hosts/best/grafana/default.nix
@@ -77,6 +77,8 @@ in {
 # Grafana sets `nosniff` while not setting the content type properly,
 # so everything breaks with it. Unset the header.
 proxy_hide_header X-Content-Type-Options;
+
+ ${config.services.plausible.extraNginxConfigFor fqdn}
 '';
 proxyPass = "http://[::1]:${toString port}";
diff --git a/hosts/best/nextcloud/default.nix b/hosts/best/nextcloud/default.nix
index aa22546..f33f17c 100644
--- a/hosts/best/nextcloud/default.nix
+++ b/hosts/best/nextcloud/default.nix
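Review bot: In the forgejo hunk the snippet is added at server level through the virtual host's `extraConfig`, but the `proxy_set_header Accept-Encoding ""` it depends on is only inherited into `locations."/"` if that location defines no `proxy_set_header` of its own; with NixOS `recommendedProxySettings` enabled the `proxyPass` location does get several generated `proxy_set_header` lines, so nginx would drop the server-level one, the upstream could still answer compressed, and `sub_filter` would silently match nothing — worth confirming against the generated nginx.conf. Placing it in the location instead, `locations."/".extraConfig = config.services.plausible.extraNginxConfigFor fqdn;`, as the grafana hunk already does, avoids the inheritance question. The plausible vhost hunk later in this patch uses the same server-level placement and would want the same treatment. The `in {` block around the forgejo vhost starts outside the hunk.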
@@ -111,6 +111,8 @@ in {
 };
 services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
- extraConfig = config.services.nginx.headers;
+ extraConfig = ''
+ ${config.services.nginx.headers}
+ '';
 };
 }
diff --git a/hosts/best/plausible/default.nix b/hosts/best/plausible/default.nix
index 8e8674f..2ff64bc 100644
--- a/hosts/best/plausible/default.nix
+++ b/hosts/best/plausible/default.nix
@@ -1,6 +1,6 @@
 { config, self, lib, ... }: let
 inherit (config.networking) domain;
- inherit (lib) enabled merge;
+ inherit (lib) enabled merge mkConst;
 fqdn = "shekels.${domain}";
 port = 8007;
@@ -10,14 +10,14 @@ in {
 (self + /modules/postgresql.nix)
 ];
- secrets.plausibleKey = {
+ config.secrets.plausibleKey = {
 file = ./key.age;
 owner = "plausible";
 };
- services.postgresql.ensure = [ "plausible" ];
+ config.services.postgresql.ensure = [ "plausible" ];
- services.plausible = enabled {
+ config.services.plausible = enabled {
 server = {
 disableRegistration = true; # Setting it explicitly just in case.
@@ -30,7 +30,16 @@ in {
 };
 };
- services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
+ options.services.plausible.extraNginxConfigFor = mkConst /* nginx */ (domain: ''
+ proxy_set_header Accept-Encoding ""; # Substitution won't work if it is compressed.
+ sub_filter "" '';
+ sub_filter_last_modified on;
+ sub_filter_once on;
+ '');
+
+ config.services.nginx.virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
+ extraConfig = config.services.plausible.extraNginxConfigFor fqdn;
+
 locations."/" = {
 proxyPass = "http://[::1]:${toString port}";
 proxyWebsockets = true;
diff --git a/modules/nginx.nix b/modules/nginx.nix
index 27fc846..0bf98ca 100644
--- a/modules/nginx.nix
+++ b/modules/nginx.nix
@@ -52,6 +52,7 @@ in {
 https "max-age=31536000; includeSubdomains; preload";
 }
+ # FIXME: These two aren't working.
 map $http_origin $allow_origin {
 ~^https://.+\.${domain}$ $http_origin;
 }
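Review bot: The lambda parameter of the new `extraNginxConfigFor` option is named `domain`, which shadows the file's own `inherit (config.networking) domain` from the first hunk of this file, while every caller in this patch passes a full host name (`fqdn`); renaming it, e.g. `mkConst /* nginx */ (host: ''`, removes the shadowing and says what the argument is. The `sub_filter "" '';` line appears to have lost its two arguments in this rendering (most likely markup stripped), so what is being substituted into responses cannot be reviewed as shown; it is also the line that decides what gets injected into every HTML page of the services that consume this option, so a comment above it naming the match target and the injected element would let reviewers and future readers check it without reading nginx's docs. Note that `sub_filter_types` is left at its default, so only `text/html` responses are rewritten — that is a good property and worth stating in the same comment. The `{ config, self, lib, ... }` module this sits in continues past the hunk.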
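Review bot: The new FIXME above `map $http_origin $allow_origin` flags the block as not working but leaves no hint why, and one thing visible right in the context line is that `${domain}` is interpolated into the regex `~^https://.+\.${domain}$` unescaped, so each `.` inside the domain matches any character and the CORS origin allow-list is looser than it reads. If `lib` is in scope in modules/nginx.nix, `~^https://.+\.${lib.escapeRegex domain}$ $http_origin;` escapes it; either way the FIXME would be more useful as `# FIXME: The two maps below aren't applied; also note ${domain} is not regex-escaped here.` so the next person has a starting point. The `.+` prefix still accepts any depth of subdomain, which may be intended. The enclosing `in {` block of this module starts and ends outside the hunk.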
diff --git a/modules/site.nix b/modules/site.nix
index 590537c..56d8434 100644
--- a/modules/site.nix
+++ b/modules/site.nix
@@ -2,6 +2,7 @@
 inherit (config.networking) domain;
 inherit (lib) enabled merge;
+ fqdn = domain;
 root = "/var/www/site";
 in {
 imports = [(self + /modules/nginx.nix)];
@@ -16,7 +17,7 @@ in {
 }
 '';
- virtualHosts.${domain} = merge config.services.nginx.sslTemplate {
+ virtualHosts.${fqdn} = merge config.services.nginx.sslTemplate {
 inherit root;
 locations."/".tryFiles = "$uri $uri.html $uri/index.html =404";
@@ -29,6 +30,8 @@ in {
 extraConfig = /* nginx */ ''
 error_page 404 /404.html;
+
+ ${config.services.plausible.extraNginxConfigFor fqdn}
 '';
 locations."/404".extraConfig = /* nginx */ ''
@@ -36,12 +39,12 @@ in {
 '';
 };
- virtualHosts."www.${domain}" = merge config.services.nginx.sslTemplate {
- locations."/".return = "301 https://${domain}$request_uri";
+ virtualHosts."www.${fqdn}" = merge config.services.nginx.sslTemplate {
+ locations."/".return = "301 https://${fqdn}$request_uri";
 };
 virtualHosts._ = merge config.services.nginx.sslTemplate {
- locations."/".return = "301 https://${domain}/404";
+ locations."/".return = "301 https://${fqdn}/404";
 };
 };
 }