feat: add plausible analytics for blog

2024-09-18 16:48:48 +02:00 · 2024-09-18 16:48:48 +02:00 · c30ec709a7
commit c30ec709a7
parent 3383fd9a14
16 changed files with 277 additions and 91 deletions
--- a/hosts/sentinel/blog.nix
+++ b/hosts/sentinel/blog.nix
@ -0,0 +1,33 @@
+{
+  globals,
+  pkgs,
+  ...
+}: {
+  services.nginx.virtualHosts.${globals.domains.me} = {
+    forceSSL = true;
+    useACMEWildcardHost = true;
+    locations."/".root = pkgs.runCommand "index.html" {} ''
+      mkdir -p $out
+      cat > $out/index.html <<EOF
+      <html>
+        <head>
+        	<script defer data-api="/api/event" data-domain="oddlama.org" src="/js/script.js"></script>
+        </head>
+        <body>Not empty soon TM. Until then please go here: <a href="https://github.com/oddlama">oddlama</a></body>
+      </html>
+      EOF
+    '';
+    # Don't use the proxyPass option because we don't want the recommended proxy headers
+    locations."= /js/script.js".extraConfig = ''
+      proxy_pass https://${globals.services.plausible.domain}/js/script.js;
+      proxy_set_header Host ${globals.services.plausible.domain};
+      proxy_ssl_server_name on;
+    '';
+    locations."= /api/event".extraConfig = ''
+      proxy_pass https://${globals.services.plausible.domain}/api/event;
+      proxy_http_version 1.1;
+      proxy_set_header Host ${globals.services.plausible.domain};
+      proxy_ssl_server_name on;
+    '';
+  };
+}
--- a/hosts/sentinel/clickhouse-config.xml
+++ b/hosts/sentinel/clickhouse-config.xml
@ -0,0 +1,17 @@
+<?xml version="1.0"?>
+<clickhouse>
+    <logger>
+        <level>warning</level>
+        <console>true</console>
+    </logger>
+    <query_thread_log remove="remove"/>
+    <query_log remove="remove"/>
+    <text_log remove="remove"/>
+    <trace_log remove="remove"/>
+    <metric_log remove="remove"/>
+    <asynchronous_metric_log remove="remove"/>
+
+    <!-- Update: Required for newer versions of Clickhouse -->
+    <session_log remove="remove"/>
+    <part_log remove="remove"/>
+</clickhouse>
--- a/hosts/sentinel/clickhouse-users.xml
+++ b/hosts/sentinel/clickhouse-users.xml
@ -0,0 +1,9 @@
+<?xml version="1.0"?>
+<clickhouse>
+    <profiles>
+        <default>
+            <log_queries>0</log_queries>
+            <log_query_threads>0</log_query_threads>
+        </default>
+    </profiles>
+</clickhouse>
--- a/hosts/sentinel/default.nix
+++ b/hosts/sentinel/default.nix
@ -1,7 +1,6 @@
 {
  config,
  globals,
-  pkgs,
  ...
 }: {
  imports = [
@ -11,10 +10,13 @@
    ../../config/optional/zfs.nix

    ./acme.nix
+    ./blog.nix
    ./coturn.nix
    ./fs.nix
    ./net.nix
    ./oauth2.nix
+    ./plausible.nix
+    ./postgresql.nix
  ];

  nixpkgs.hostPlatform = "x86_64-linux";
@ -26,19 +28,6 @@
  services.nginx.enable = true;
  services.nginx.recommendedSetup = true;

-  services.nginx.virtualHosts.${globals.domains.me} = {
-    forceSSL = true;
-    useACMEWildcardHost = true;
-    locations."/".root = pkgs.runCommand "index.html" {} ''
-      mkdir -p $out
-      cat > $out/index.html <<EOF
-      <html>
-        <body>Not empty soon TM. Until then please go here: <a href="https://github.com/oddlama">oddlama</a></body>
-      </html>
-      EOF
-    '';
-  };
-
  meta.promtail = {
    enable = true;
    proxy = "sentinel";
--- a/hosts/sentinel/plausible.nix
+++ b/hosts/sentinel/plausible.nix
@ -0,0 +1,120 @@
+{
+  config,
+  lib,
+  globals,
+  ...
+}: let
+  plausibleDomain = "analytics.${globals.domains.me}";
+in {
+  age.secrets.plausible-secret = {
+    generator.script = args: "${args.pkgs.openssl}/bin/openssl rand -base64 64";
+    mode = "440";
+    group = "plausible";
+  };
+
+  age.secrets.plausible-admin-pw = {
+    generator.script = "alnum";
+    mode = "440";
+    group = "plausible";
+  };
+
+  environment.persistence."/persist".directories = [
+    {
+      directory = "/var/lib/clickhouse";
+      mode = "0750";
+      user = "clickhouse";
+      group = "clickhouse";
+    }
+    {
+      directory = "/var/lib/plausible";
+      mode = "0750";
+      user = "plausible";
+      group = "plausible";
+    }
+  ];
+
+  services.clickhouse.enable = true;
+  environment.etc = {
+    # With changes from https://theorangeone.net/posts/calming-down-clickhouse/
+    "clickhouse-server/config.d/custom.xml".source = lib.mkForce ./clickhouse-config.xml;
+    "clickhouse-server/users.d/custom.xml".source = lib.mkForce ./clickhouse-users.xml;
+  };
+
+  globals.services.plausible.domain = plausibleDomain;
+  services.plausible = {
+    enable = true;
+
+    server = {
+      port = 8545;
+      baseUrl = "https://${plausibleDomain}";
+      disableRegistration = true;
+      secretKeybaseFile = config.age.secrets.plausible-secret.path;
+    };
+
+    adminUser = {
+      activate = true;
+      name = "admin";
+      email = "plausible@${globals.domains.me}";
+      passwordFile = config.age.secrets.plausible-admin-pw.path;
+    };
+  };
+
+  services.nginx = {
+    upstreams.plausible = {
+      servers."127.0.0.1:${toString config.services.plausible.server.port}" = {};
+      extraConfig = ''
+        zone plausible 64k;
+        keepalive 2;
+      '';
+      monitoring = {
+        enable = true;
+        expectedBodyRegex = "Plausible";
+      };
+    };
+    virtualHosts.${plausibleDomain} = {
+      forceSSL = true;
+      useACMEWildcardHost = true;
+      oauth2.enable = true;
+      oauth2.allowedGroups = ["access_analytics"];
+      locations."/".proxyPass = "http://plausible";
+      locations."= /js/script.js" = {
+        proxyPass = "http://plausible";
+        extraConfig = ''
+          auth_request off;
+        '';
+      };
+      locations."= /api/event" = {
+        proxyPass = "http://plausible";
+        extraConfig = ''
+          proxy_http_version 1.1;
+          auth_request off;
+        '';
+      };
+    };
+  };
+
+  services.epmd.enable = lib.mkForce false;
+  systemd.services.plausible = {
+    environment = {
+      STORAGE_DIR = lib.mkForce "/run/plausible/elixir_tzdata";
+      RELEASE_TMP = lib.mkForce "/run/plausible/tmp";
+      HOME = lib.mkForce "/run/plausible";
+    };
+    serviceConfig = {
+      RestartSec = "60"; # Retry every minute
+      DynamicUser = lib.mkForce false;
+      User = "plausible";
+      Group = "plausible";
+      StateDirectory = lib.mkForce "plausible";
+      RuntimeDirectory = "plausible";
+      WorkingDirectory = lib.mkForce "/run/plausible";
+    };
+  };
+
+  users.groups.plausible = {};
+  users.users.plausible = {
+    group = "plausible";
+    isSystemUser = true;
+    home = "/var/lib/plausible";
+  };
+}
--- a/hosts/sentinel/postgresql.nix
+++ b/hosts/sentinel/postgresql.nix
@ -0,0 +1,23 @@
+{pkgs, ...}: {
+  services.postgresql = {
+    enable = true;
+    package = pkgs.postgresql_16_jit;
+
+    # Doesn't work with plausible, since it wants to connect as the postgres
+    # for some (probably unecessary) reason.
+    #
+    # authentication = lib.mkForce ''
+    #   #type database  DBuser   auth-method optional_ident_map
+    #   local sameuser  all      peer        map=superuser_map
+    #   local all       postgres peer        map=superuser_map
+    # '';
+    #
+    # identMap = ''
+    #   # ArbitraryMapName systemUser DBUser
+    #   superuser_map      root      postgres
+    #   superuser_map      postgres  postgres
+    #   # Let other names login as themselves
+    #   superuser_map      /^(.*)$   \1
+    # '';
+  };
+}
--- a/hosts/ward/guests/kanidm.nix
+++ b/hosts/ward/guests/kanidm.nix
@ -195,6 +195,7 @@ in {
      groups."web-sentinel.access" = {};
      groups."web-sentinel.adguardhome" = {};
      groups."web-sentinel.openwebui" = {};
+      groups."web-sentinel.analytics" = {};
      systems.oauth2.web-sentinel = {
        displayName = "Web Sentinel";
        originUrl = "https://oauth2.${globals.domains.me}/";
@ -206,6 +207,7 @@ in {
          joinType = "array";
          valuesByGroup."web-sentinel.adguardhome" = ["access_adguardhome"];
          valuesByGroup."web-sentinel.openwebui" = ["access_openwebui"];
+          valuesByGroup."web-sentinel.analytics" = ["access_analytics"];
        };
      };
    };