diff --git a/os/linux/nix/machines/beefcake.nix b/os/linux/nix/machines/beefcake.nix
index 5fa63c1..2efb52f 100644
--- a/os/linux/nix/machines/beefcake.nix
+++ b/os/linux/nix/machines/beefcake.nix
@@ -56,6 +56,10 @@
 owner = services.api-lyte-dev.user;
 group = services.api-lyte-dev.group;
 };
+
+ plausible-admin-password = {};
+ plausible-erlang-cookie = {};
+ plausible-secret-key-base = {};
 };
 };
@@ -316,9 +320,8 @@
 services.clickhouse.enable = true;
 services.plausible = {
- enable = false; # TODO: enable this and fix access? probably need a proper secrets management system that integrates with nix (sops-nix?)
- # otherwise we can probably chown these files to a group that plausible has access to for reading
- releaseCookiePath = "/root/plausible-erlang-cookie";
+ enable = true;
+ releaseCookiePath = sops.secrets.plausible-erlang-cookie.path;
 database = {
 clickhouse.setup = true;
 postgres.setup = true;
@@ -327,12 +330,12 @@
 baseUrl = "http://beefcake.hare-cod.ts.net:8899";
 disableRegistration = true;
 port = 8899;
- secretKeybaseFile = "/root/plusible-secret-key-base";
+ secretKeybaseFile = sops.secrets.plausible-secret-key-base.path;
 };
 adminUser = {
 activate = true;
 email = "daniel@lyte.dev";
- passwordFile = "/root/plausible-admin-password";
+ passwordFile = sops.secrets.plausible-admin-password.path;
 };
 };
diff --git a/os/linux/nix/secrets/beefcake/secrets.yml b/os/linux/nix/secrets/beefcake/secrets.yml
index 108405e..618caee 100644
--- a/os/linux/nix/secrets/beefcake/secrets.yml
+++ b/os/linux/nix/secrets/beefcake/secrets.yml
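Review bot: The three new `plausible-*` entries are declared as `{}` with no owner, group or mode, unlike the api-lyte-dev secret just above them that sets `owner` and `group`, and nothing records why. sops-nix's defaults leave such files readable by root only, which is fine if the plausible unit is handed them through systemd credential loading but not if it opens the paths as its own user. The TODO removed in the next hunk was about this same access question, so it should be confirmed on the host. Once verified I would add a comment such as `# root-only on purpose: plausible gets these via systemd credentials, not by reading the path as its own user`. The enclosing attribute set starts outside the hunk.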
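Review bot: Pointing `releaseCookiePath` at the sops path leaves the old plaintext file `/root/plausible-erlang-cookie` in place if it exists on the host, and the same holds for `/root/plusible-secret-key-base` and `/root/plausible-admin-password` in the following hunk. If the sops values were copied from those files, the plaintext copies should be deleted after deploy, or the three secrets regenerated, so that the encrypted copy is the only one at rest. A comment like `# old /root/plausible-* files are obsolete; remove them from the host` or a line in the commit description would record that step. The `services.plausible` block continues outside the hunk.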
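Review bot: With the service now enabled and `adminUser.activate = true`, the unchanged `baseUrl = "http://beefcake.hare-cod.ts.net:8899"` means the admin login and session cookie are served without TLS. The `ts.net` name suggests the host is reached only over the tailnet, where the transport is already encrypted, but the hunk shows neither the listen address nor any firewall rule for port 8899, so that is an assumption. I would state it next to the setting, e.g. `# plain http: reachable over the tailnet only, never open 8899 on a public interface`, or put the service behind an HTTPS front end.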
@@ -8,6 +8,9 @@ example_number: ENC[AES256_GCM,data:AifVPuuPnEw2lQ==,iv:/L/vG2znNlM35u4ZGM31bweT
 example_booleans:
 - ENC[AES256_GCM,data:GD3U7Q==,iv:ahTK9d6m8lQkjd2sS9Yo6V3EyFWoyEbeQG6Uke4hF40=,tag:rykfnfaLz39V+SJbomu5Zw==,type:bool]
 - ENC[AES256_GCM,data:hK/CtTQ=,iv:EFXdBumvMKdaXdd97vUBIMKIaw1rMfUt+/irkRZGc4Y=,tag:JofhZ5SS+jzRe6WJmP34Xg==,type:bool]
+plausible-admin-password: ENC[AES256_GCM,data:dC9olypZgMLdPOsmjthOaa/fMLtbGBlF9A==,iv:GU2ccj10TKQ0KW9b9X9AgYnvhS/wMVqYTyxr6Xt50Gk=,tag:ypQ0VtutVD8wgdfm40QZkw==,type:str]
+plausible-erlang-cookie: ENC[AES256_GCM,data:zhmC+D6EjIE8Rw91lIrMqY0QIazTX1e1jBzcZJP/76B9VvHWZ5bCkP1+KdfCY0lk3wIEq5vRfb8=,iv:RNNjlV3OFtXn1N0a5fEb/3FWzcHX19wtCLMdaVlKNJ0=,tag:8iU5oFVbzd0eMe5Mo1PiAw==,type:str]
+plausible-secret-key-base: ENC[AES256_GCM,data:ylakPGzY4S9640krl0fxYgm0Getf0+I7zthyTqTD/IpVhz5xgYBYx3Y2lSNa9Oi9yQ7+f9OdOBC6nc7n6MuUBg==,iv:YLPax/cRjMdIFti26gJd8COKr+3jXNZ7HCA5VvQVyAo=,tag:LHqYi590oEIp1IihLcFTtw==,type:str]
 api.lyte.dev: ENC[AES256_GCM,data:14C5GQ41m/g7qHPzxlYoWjKWDOcm7MEDkuSofiuLfRNc/nji61t1eDbKX3d+SQL1UBchJFoBrWrUxnf0mUERhED1196z8vUq2jKEkcqKCAUS3soECInlb8zcxTcxaTFjYSjp1vUBdAn05AqLsF+hh9Bsm4fMQYjnHEZke9EmPZhuTlUdZa4eLv3+L3xAPHk2QIHQhdsjcTjGAZRMZOgTEcCvtGlb5pQuo11XmR2JzwzOXMC51WFDeOIWMAdO80yQBAdILso7rp1Nts/lwF0Bc9t7bNdHyoVTOA==,iv:jWGqUpXOTb/O972qXOqeX0EMFQLDKwaNHBqlpuGrZOk=,tag:uwB/jlAgESkLZ+vJ/OeV0A==,type:str]
 sops:
 kms: []
@@ -33,8 +36,8 @@ sops:
 b0lTRjVCMU9ELzdvbFBJZ0tHbGtsYkEKLEcXCEikC3T3hfVOYKtWcNSGmfg28y+f
 nGC4dQh9EciEbk1ZBbN3i6YSNULDoMSH172KBmRyt1ogr1ZPyCNqtg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-07-28T18:18:23Z"
- mac: ENC[AES256_GCM,data:1jsXTfH2XFdm+99XBkZ6Esy8FCQuVYb1khA+iESLdGcQqrkHq5uRBsYD151BcMq7bCz/NDJPzvYx1gdKk1BqWrecfvfbpLZTfySF0LyXkZkGZwiP1Z54NMiFZ5Qp3jLYkwn1le5BPAFYcv8q3qeXCHmoxlCHAbzbvaMzlGhqLcE=,iv:wHEZqC75m+my0g/KUP2oTZMagsSIoXc/cgRp0MF1PyY=,tag:Z9C6Nkqvibw3voAk4l6qAA==,type:str]
+ lastmodified: "2023-07-28T21:11:56Z"
+ mac: ENC[AES256_GCM,data:V/Gdc3LEwlNlfSqUzQFHFmtJQVaQ5wGXZmzoBpwHzhyHQpEkezHBwhq4XTCuXH5XPpjmWvih/dAbOn9EBA6gvPSX1DB0j/JvHvK9b8+BpjlL4xtnYaBql2eQgCWLKqzZMGCnbwONWi+1sjowK1ac4zPnXhEr52EIES31hV8KHKU=,iv:4NzQxve+iKhRcQVxfXbDsQz1sBU+pnm9x/HQnv2TLgc=,tag:zLYKf+tEUsXApNdc1hLjhw==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.7.3