Diffstat (limited to 'modules/nixos/plausible.nix')
-rw-r--r-- | modules/nixos/plausible.nix | 144 |
1 files changed, 144 insertions, 0 deletions
diff --git a/modules/nixos/plausible.nix b/modules/nixos/plausible.nix
new file mode 100644
index 0000000..856b318
--- /dev/null
+++ b/modules/nixos/plausible.nix
@@ -0,0 +1,144 @@
+{
+ config,
+ inputs,
+ lib,
+ pkgsPr,
+ ...
+}:
+with lib; let
+ cfg = config.nixfiles.modules.plausible;
+in {
+ disabledModules = ["services/web-apps/plausible.nix"];
+ imports = [
+ # TODO Wait for https://github.com/NixOS/nixpkgs/pull/253687
+ ./plausible-nixpkgs-override.nix
+ ];
+
+ options.nixfiles.modules.plausible = {
+ enable = mkEnableOption "Plausible Analytics";
+
+ port = mkOption {
+ description = "Port.";
+ type = with types; port;
+ default = 8000;
+ };
+
+ domain = mkOption {
+ description = "Domain name sans protocol scheme.";
+ type = with types; nullOr str;
+ default = "plausible.${config.networking.domain}";
+ };
+ };
+
+ config = let
+ db = "plausible";
+ in
+ mkIf cfg.enable {
+ secrets = {
+ plausible-key = {
+ file = "${inputs.self}/secrets/plausible-key";
+ mode = "0444"; # The user is dynamic so the file must be world-readable.
+ };
+ plausible-admin-password = {
+ file = "${inputs.self}/secrets/plausible-admin-password";
+ mode = "0444"; # The user is dynamic so the file must be world-readable.
+ };
+ plausible-smtp-password = {
+ file = "${inputs.self}/secrets/smtp-password";
+ mode = "0444"; # The user is dynamic so the file must be world-readable.
+ };
+ plausible-release-cookie = {
+ file = "${inputs.self}/secrets/plausible-release-cookie";
+ mode = "0444"; # The user is dynamic so the file must be world-readable.
+ };
+ };
+
+ nixfiles.modules = {
+ nginx = {
+ enable = true;
+ upstreams.plausible.servers."127.0.0.1:${toString cfg.port}" = {};
+ virtualHosts.${cfg.domain} = {
+ locations."/" = {
+ proxyPass = "http://plausible";
+ proxyWebsockets = true;
+ };
+ extraConfig = nginxInternalOnly;
+ };
+ };
+ postgresql = {
+ enable = true;
+ extraPostStart = [
+ ''
+ $PSQL "${db}" -tAc 'GRANT ALL ON SCHEMA "public" TO "${db}"'
+ $PSQL "${db}" -tAc 'CREATE EXTENSION IF NOT EXISTS citext'
+ ''
+ ];
+ };
+ clickhouse.enable = true;
+ };
+
+ services.postgresql = {
+ ensureDatabases = [db];
+ ensureUsers = [
+ {
+ name = db;
+ ensurePermissions."DATABASE \"${db}\"" = "ALL";
+ }
+ ];
+ };
+
+ services.plausible = {
+ enable = true;
+
+ # TODO Wait for https://github.com/NixOS/nixpkgs/pull/253687
+ package = (pkgsPr 253687 "sha256-36nXNVmZDgf//MrM6/VC7W4Vm013tJ6MlXvYQElhRRw=").plausible;
+
+ adminUser = {
+ name = "admin";
+ email = "admin@${my.domain.shire}";
+ passwordFile = config.secrets.plausible-admin-password.path;
+ activate = false;
+ };
+
+ mail = {
+ email = "admin+plausible@${my.domain.shire}";
+ smtp = {
+ hostAddr = my.domain.shire;
+ hostPort = 465;
+ enableSSL = true;
+ user = "azahi@${my.domain.shire}";
+ passwordFile = config.secrets.plausible-smtp-password.path;
+ };
+ };
+
+ database = {
+ clickhouse = {
+ setup = false;
+ url = "http://127.0.0.1:8123/default";
+ };
+
+ postgres = {
+ setup = true;
+ dbname = db;
+ };
+ };
+
+ server = {
+ baseUrl = "https://${cfg.domain}";
+ disableRegistration = true;
+ inherit (cfg) port;
+ secretKeybaseFile = config.secrets.plausible-key.path;
+ };
+
+ releaseCookiePath = config.secrets.plausible-release-cookie.path;
+ };
+
+ systemd.services.plausible = rec {
+ after = [
+ "postgresql.service"
+ "clickhouse.service"
+ ];
+ requires = after;
+ };
+ };
+}
|
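Review bot: Every entry in the `secrets` block — the Phoenix secret key base, the Erlang release cookie, the admin password and the SMTP password — is installed with `mode = "0444";`, which makes each of them readable by every local user and every other service on the host, not only the Plausible DynamicUser the comment is worried about. If `./plausible-nixpkgs-override.nix` keeps upstream's `serviceConfig.LoadCredential` entries for `secretKeybaseFile`, `releaseCookiePath`, `adminUser.passwordFile` and `mail.smtp.passwordFile` (the nixpkgs module passes them this way), systemd reads the files as root before the service drops privileges and they can stay root-owned and unreadable to others: remove the four `mode = "0444";` lines. If the override does not, add `serviceConfig.LoadCredential = [ "SECRET_KEY_BASE:${config.secrets.plausible-key.path}" … ];` to the `systemd.services.plausible` block at the end of this hunk instead of widening file permissions. The SMTP file is named `secrets/smtp-password` rather than something Plausible-specific, so it appears to be a credential shared with other services, which makes the exposure wider than this one application.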