diff --git a/hosts/arcturus/default.nix b/hosts/arcturus/default.nix
index b34696c..bb66461 100644
--- a/hosts/arcturus/default.nix
+++ b/hosts/arcturus/default.nix
@@ -7,9 +7,11 @@
 imports = [
 ./hardware-configuration.nix
 ../common
+ ../../modules/nixos/postgresql.nix
 ../../modules/nixos/headscale.nix
 ../../modules/nixos/vaultwarden.nix
 ../../modules/nixos/gitea.nix
+ ../../modules/nixos/plausible.nix
 ../../modules/nixos/monitoring/grafana.nix
 ../../modules/nixos/monitoring/loki.nix
 ../../modules/nixos/monitoring/promtail.nix
@@ -33,6 +35,14 @@
 "cloudflare_credentials/dns_api_token" = {
 sopsFile = ./secrets.yaml;
 };
+
+ plausible_password = {
+ sopsFile = ./secrets.yaml;
+ };
+
+ plausible_key = {
+ sopsFile = ./secrets.yaml;
+ };
 };
 
 boot = {
diff --git a/hosts/arcturus/secrets.yaml b/hosts/arcturus/secrets.yaml
index 8732386..a915629 100644
--- a/hosts/arcturus/secrets.yaml
+++ b/hosts/arcturus/secrets.yaml
@@ -1,5 +1,7 @@
 borg_encryption_key: ENC[AES256_GCM,data:7DZQaoS2a5mPjTej25vr1aO1yAAPyXT2tf/VxKrLxF0=,iv:it8JlyEj4r4Z+qDvoEWMQlGkbVh08M/BCkGLVzRCVKQ=,tag:81gRhru8J3hkQhIbgUOgBg==,type:str]
 searx_secret_key: ENC[AES256_GCM,data:Z49PJ2gNI5CI0IfzOta+r67VNUvjoPpMVv5lajGhUMPzSy1KWZC5wIM3d02jWwCOsNjXdU5hE3j9W0rkoy5ZhFPXBJRUEv5b6IcaLA==,iv:364zGZkD2LO189nkvizl8yjedi1IgYEEQMA67SexSSI=,tag:qPqefG6jUaBOpUy6d7E++w==,type:str]
+plausible_password: ENC[AES256_GCM,data:B0r2UuFqmz9i5yxbTCg=,iv:u6jZKJ1n15W0xH+UzNfvU1fHy3jDHZjs55nSW+0KoEo=,tag:tN0dunetZUPm/tsYAvDOzg==,type:str]
+plausible_key: ENC[AES256_GCM,data:Ynf2aJ6RLRdAkT9ltLpCXTl8zg/VESDchlf67PmKjc93rSfDgq9tFqv1q55Km2lDo7y9iLu5WyLLg24CSSwy8Q==,iv:yW5hgP4dhfkvunv3iYmXGEH9w29OOmrG4ourPagslVg=,tag:C5PVfEseP5gJdoQQL4gERQ==,type:str]
 cloudflare_credentials:
 email: ENC[AES256_GCM,data:qesgxkzUglKdYPI=,iv:2XDEoQzmtagSiILWZzJPswdhkQ+qjdZfNd+LL1nHPx8=,tag:K1F23Za2Zq78tzf0fl5zEw==,type:str]
 dns_api_token: ENC[AES256_GCM,data:ibSL4KWYhqgHjo27fiSqB1iN9NWU3/qGGuLpmiMpBf+qCuh8uxR7Yw==,iv:NapMvfUSm5rgeROK7KuxGyog8s2PW9CCKtjRG87FoCQ=,tag:/Oah7PRCe4XPts0IYt83zw==,type:str]
@@ -27,8 +29,8 @@ sops:
 NGprRGVyZ2plWVNrM3drM3JSUjM2L0UKuNk5DqYn2DIfRpY72zDRP5BKoVAXtNv9
 uLI//8wc7f4I3uBdARQdpRE1fapY1UOJOn3i0yndrZARPEbdohRK1Q==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-08-26T14:25:03Z"
- mac: ENC[AES256_GCM,data:UOxh1tIsFmYJ8i5HKhK8ckSZTbXsl6BmJATuLIJhfT93ir/sh58E9a9D6p6+Uyl6lt9qRESKRpeHUsdy4kKtXmmutQACzUHgVobzgL/1KpGYM4A/Wj5pSWGiT6D/zDkR0pJNFEshHxNfTJE8B6ZKFkHXy85nY22DW4fLjuMD4Y4=,iv:X4ArW4afDSHZ84rnn8Cuh+4Sgmk+7NXqcewgemlW+VI=,tag:2yorv0yFRAQkTZm06TQNiA==,type:str]
+ lastmodified: "2024-09-29T03:57:54Z"
+ mac: ENC[AES256_GCM,data:rQe7AKr5nY2hgIlVndBizG7Qnh4NgWerav/7VfU9n5ZqY8FO2ojPO7HCIRJggsMUXNNcsrj7oxLvsEDH4IwCnOySM5zrouQY20RL4eBBZ8W+fZERRGEZ8sQCey6Jt/w1sIP/eCVQMlL6RDqX7yTy0my0Ufu6pkGNELl4i+kui9c=,iv:bq64/7j23uF/Qm6xTv9xnrjTKyaFjI2HjTSSVfTw8aE=,tag:N6SQk+QSq0zCZZRA5DNouw==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.9.0
diff --git a/modules/nixos/plausible.nix b/modules/nixos/plausible.nix
new file mode 100644
index 0000000..a43837a
--- /dev/null
+++ b/modules/nixos/plausible.nix
@@ -0,0 +1,45 @@
+{
+ config,
+ lib,
+ ...
+}: {
+ services = {
+ plausible = {
+ enable = true;
+
+ server = {
+ baseUrl = "https://plausible.tux.rs";
+ port = 2100;
+ disableRegistration = true;
+ secretKeybaseFile = config.sops.secrets.plausible_key.path;
+ };
+
+ adminUser = {
+ activate = true;
+ name = "tux";
+ email = "0xtux@pm.me";
+ passwordFile = config.sops.secrets.plausible_password.path;
+ };
+
+ database.postgres = {
+ dbname = "plausible";
+ socket = "/run/postgresql";
+ };
+ };
+
+ nginx = {
+ enable = lib.mkForce true;
+ virtualHosts = {
+ "plausible.tux.rs" = {
+ forceSSL = true;
+ useACMEHost = "tux.rs";
+ locations = {
+ "/" = {
+ proxyPass = "http://localhost:2100";
+ };
+ };
+ };
+ };
+ };
+ };
+}
diff --git a/modules/nixos/postgresql.nix b/modules/nixos/postgresql.nix
new file mode 100644
index 0000000..397a03e
--- /dev/null
+++ b/modules/nixos/postgresql.nix
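Review bot: The `"/"` location in the `plausible.tux.rs` vhost proxies with nginx's defaults, so the upstream sees `Host: localhost:2100` and no `X-Forwarded-For`/`X-Forwarded-Proto`; unless `recommendedProxySettings` is switched on globally in `../common` (outside this diff), Plausible will attribute every visit to the proxy's own address, which defeats its geolocation and IP-based rate limiting, and if its websocket origin check compares the Host against `baseUrl` as Phoenix apps usually do, LiveView connections through the proxy may be refused. Adding `recommendedProxySettings = true;` and `proxyWebsockets = true;` next to `proxyPass` covers both. Prefer `proxyPass = "http://127.0.0.1:2100";` over `localhost`, which nginx may resolve to `::1` first and fall through with upstream errors in the log if Plausible binds only to IPv4 (the module's default listen address, as far as I recall — verify). `enable = lib.mkForce true;` on `services.nginx` is heavier than needed; a plain `enable = true;` merges with the other modules' settings and does not silently override a deliberate `mkForce false` elsewhere.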
@@ -0,0 +1,92 @@
+{
+ lib,
+ pkgs,
+ ...
+}: {
+ services.postgresql = {
+ enable = true;
+ package = pkgs.postgresql_16;
+
+ ensureDatabases = [
+ "plausible"
+ ];
+ ensureUsers = [
+ {
+ name = "postgres";
+ ensureClauses = {
+ superuser = true;
+ login = true;
+ createrole = true;
+ createdb = true;
+ replication = true;
+ };
+ }
+ {
+ name = "plausible";
+ ensureDBOwnership = true;
+ }
+ ];
+
+ checkConfig = true;
+ enableTCPIP = false;
+
+ settings = {
+ max_connections = 100;
+ superuser_reserved_connections = 3;
+
+ shared_buffers = "1024 MB";
+ work_mem = "32 MB";
+ maintenance_work_mem = "320 MB";
+ huge_pages = "off";
+ effective_cache_size = "3 GB";
+ effective_io_concurrency = 100;
+ random_page_cost = 1.25;
+
+ shared_preload_libraries = "pg_stat_statements";
+ track_io_timing = "on";
+ track_functions = "pl";
+
+ wal_level = "replica";
+ max_wal_senders = 0;
+ synchronous_commit = "on";
+
+ checkpoint_timeout = "15 min";
+ checkpoint_completion_target = 0.9;
+ max_wal_size = "1024 MB";
+ min_wal_size = "512 MB";
+
+ wal_compression = "on";
+ wal_buffers = -1;
+ wal_writer_delay = "200ms";
+ wal_writer_flush_after = "1MB";
+
+ bgwriter_delay = "200ms";
+ bgwriter_lru_maxpages = 100;
+ bgwriter_lru_multiplier = 2.0;
+ bgwriter_flush_after = 0;
+
+ max_worker_processes = 3;
+ max_parallel_workers_per_gather = 2;
+ max_parallel_maintenance_workers = 2;
+ max_parallel_workers = 3;
+ parallel_leader_participation = "on";
+
+ enable_partitionwise_join = "on";
+ enable_partitionwise_aggregate = "on";
+ jit = "on";
+
+ jit_above_cost = 100000;
+ jit_inline_above_cost = 150000;
+ jit_optimize_above_cost = 500000;
+
+ log_min_duration_statement = 100;
+ "auto_explain.log_min_duration" = 100;
+
+ log_connections = true;
+ log_statement = "all";
+ logging_collector = true;
+ log_disconnections = true;
+ log_destination = lib.mkForce "syslog";
+ };
+ };
+}
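Review bot: `log_statement = "all"` combined with `log_destination = lib.mkForce "syslog"` writes the full text of every statement Plausible runs — including bind-parameter values for the users, sessions and API-key tables and every visitor event — to syslog, and since the same commit wires this host into promtail/loki that text would presumably be shipped to the log pipeline as well. For a production database this should be `log_statement = "none";` (or `"ddl"`), keeping slow-query visibility through `log_min_duration_statement = 100` and `pg_stat_statements`; note that `log_min_duration_statement` still logs the full text of any statement over 100 ms, so the reader set of those logs matters either way. `"auto_explain.log_min_duration" = 100` is inert because `shared_preload_libraries` lists only `pg_stat_statements`; either extend it to `shared_preload_libraries = "pg_stat_statements,auto_explain";` or drop the setting so the config does not claim a feature it does not enable. The `postgres` entry in `ensureUsers` re-grants attributes the bootstrap superuser already holds, and `replication = true` is unused with `max_wal_senders = 0`, so removing that entry keeps the privileged surface explicit.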