Diffstat (limited to 'modules/nixos/plausible.nix')
-rw-r--r--modules/nixos/plausible.nix144
1 files changed, 144 insertions, 0 deletions
diff --git a/modules/nixos/plausible.nix b/modules/nixos/plausible.nix
new file mode 100644
index 0000000..856b318
--- /dev/null
+++ b/modules/nixos/plausible.nix
@@ -0,0 +1,144 @@
+{
+  config,
+  inputs,
+  lib,
+  pkgsPr,
+  ...
+}:
+with lib; let
+  cfg = config.nixfiles.modules.plausible;
+in {
+  disabledModules = ["services/web-apps/plausible.nix"];
+  imports = [
+    # TODO Wait for https://github.com/NixOS/nixpkgs/pull/253687
+    ./plausible-nixpkgs-override.nix
+  ];
+
+  options.nixfiles.modules.plausible = {
+    enable = mkEnableOption "Plausible Analytics";
+
+    port = mkOption {
+      description = "Port.";
+      type = with types; port;
+      default = 8000;
+    };
+
+    domain = mkOption {
+      description = "Domain name sans protocol scheme.";
+      type = with types; nullOr str;
+      default = "plausible.${config.networking.domain}";
+    };
+  };
+
+  config = let
+    db = "plausible";
+  in
+    mkIf cfg.enable {
+      secrets = {
+        plausible-key = {
+          file = "${inputs.self}/secrets/plausible-key";
+          mode = "0444"; # The user is dynamic so the file must be world-readable.
+        };
+        plausible-admin-password = {
+          file = "${inputs.self}/secrets/plausible-admin-password";
+          mode = "0444"; # The user is dynamic so the file must be world-readable.
+        };
+        plausible-smtp-password = {
+          file = "${inputs.self}/secrets/smtp-password";
+          mode = "0444"; # The user is dynamic so the file must be world-readable.
+        };
+        plausible-release-cookie = {
+          file = "${inputs.self}/secrets/plausible-release-cookie";
+          mode = "0444"; # The user is dynamic so the file must be world-readable.
+        };
+      };
+
+      nixfiles.modules = {
+        nginx = {
+          enable = true;
+          upstreams.plausible.servers."127.0.0.1:${toString cfg.port}" = {};
+          virtualHosts.${cfg.domain} = {
+            locations."/" = {
+              proxyPass = "http://plausible";
+              proxyWebsockets = true;
+            };
+            extraConfig = nginxInternalOnly;
+          };
+        };
+        postgresql = {
+          enable = true;
+          extraPostStart = [
+            ''
+              $PSQL "${db}" -tAc 'GRANT ALL ON SCHEMA "public" TO "${db}"'
+              $PSQL "${db}" -tAc 'CREATE EXTENSION IF NOT EXISTS citext'
+            ''
+          ];
+        };
+        clickhouse.enable = true;
+      };
+
+      services.postgresql = {
+        ensureDatabases = [db];
+        ensureUsers = [
+          {
+            name = db;
+            ensurePermissions."DATABASE \"${db}\"" = "ALL";
+          }
+        ];
+      };
+
+      services.plausible = {
+        enable = true;
+
+        # TODO Wait for https://github.com/NixOS/nixpkgs/pull/253687
+        package = (pkgsPr 253687 "sha256-36nXNVmZDgf//MrM6/VC7W4Vm013tJ6MlXvYQElhRRw=").plausible;
+
+        adminUser = {
+          name = "admin";
+          email = "admin@${my.domain.shire}";
+          passwordFile = config.secrets.plausible-admin-password.path;
+          activate = false;
+        };
+
+        mail = {
+          email = "admin+plausible@${my.domain.shire}";
+          smtp = {
+            hostAddr = my.domain.shire;
+            hostPort = 465;
+            enableSSL = true;
+            user = "azahi@${my.domain.shire}";
+            passwordFile = config.secrets.plausible-smtp-password.path;
+          };
+        };
+
+        database = {
+          clickhouse = {
+            setup = false;
+            url = "http://127.0.0.1:8123/default";
+          };
+
+          postgres = {
+            setup = true;
+            dbname = db;
+          };
+        };
+
+        server = {
+          baseUrl = "https://${cfg.domain}";
+          disableRegistration = true;
+          inherit (cfg) port;
+          secretKeybaseFile = config.secrets.plausible-key.path;
+        };
+
+        releaseCookiePath = config.secrets.plausible-release-cookie.path;
+      };
+
+      systemd.services.plausible = rec {
+        after = [
+          "postgresql.service"
+          "clickhouse.service"
+        ];
+        requires = after;
+      };
+    };
+}
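Review bot: All four entries under `secrets` (`plausible-key`, `plausible-admin-password`, `plausible-smtp-password`, `plausible-release-cookie`) are installed with `mode = "0444"`, so the secret key base, the admin password, the release cookie and the SMTP password are readable by every local account and service on the host. The SMTP entry is sourced from the shared `secrets/smtp-password` file, so the exposure probably reaches beyond Plausible to whatever else uses that mailbox credential. A dynamic user does not by itself require world-readable files: if the unit is given the files through systemd's `LoadCredential=`, systemd reads them as root and exposes them only to the service. Whether `./plausible-nixpkgs-override.nix` does that is not visible in this hunk and should be confirmed. If it does, each entry can be `mode = "0400";` with the default owner, and the "must be world-readable" comment can be dropped.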
