plumjam/nixos - Change HACMRPLPDJIRWINVHRKYM5N7RLT5273WQQYRJLA3URNXJBJ4FSVAC

analytics: switch to goatcounter from plausible

way more lightweight
no postgres
generally simpler too

Created by James Plummer on September 15, 2025

HACMRPLPDJIRWINVHRKYM5N7RLT5273WQQYRJLA3URNXJBJ4FSVAC

Dependencies

In channels

main

Change contents

Deletion in secrets.nix at line 15 [6.1]

B:BD[4.71] → [5.1:68]


  "hosts/plum/plausible/key.age".publicKeys = [ plum ] ++ admins;

File deletion: postgresql.nix

BF:BFD[7.2] → [5.1254:1292]

BF:BFD[5.1292] → [5.202:202]

B:BD[5.202] → [5.203:1253]

{ config, lib, pkgs, ... }: let
  inherit (lib) enabled mkForce mkOverride mkValue flip map;
in {
  options.services.postgresql.ensure = mkValue [];
  config.services.postgresql = enabled {
    package = pkgs.postgresql_17;
    enableJIT   = true;
    enableTCPIP = true;
    settings.listen_addresses = mkForce "::";
    authentication            = mkOverride 10 ''
      #     DATABASE USER        AUTHENTICATION
      local all      all         peer
      #     DATABASE USER ADDRESS AUTHENTICATION
      host  all      all  ::/0    md5
    '';
    ensure = [ "postgres" "root" ];
    initdbArgs      = [ "--locale=C" "--encoding=UTF8" ];
    ensureDatabases = config.services.postgresql.ensure;
    ensureUsers = flip map config.services.postgresql.ensure (name: {
      inherit name;
      ensureDBOwnership = true;
      ensureClauses = {
        login       = true;
        superuser   = name == "postgres" || name == "root";
      };
    });
  };
  config.environment.systemPackages = [
    config.services.postgresql.package
  ];
}

Replacement in modules/site.nix at line 31 [8.3]

B:BD[8.825] → [5.72:200]

			extraConfig = lib.optionalString (config.services ? plausible) 
			  (config.services.plausible.extraNginxConfigFor domain);

[8.825]

			extraConfig = ''
				proxy_set_header Accept-Encoding "";
				sub_filter "</head>" '<script data-goatcounter="https://analytics.${domain}/count" async src="https://analytics.${domain}/count.js"></script></head>';
				sub_filter_last_modified on;
				sub_filter_once on;
			'';

Replacement in modules/matrix.nix at line 117 [9.560]

B:BD[9.3229] → [2.176:243]

∅:D[2.243] → [5.1508:1568]

B:BD[5.1508] → [5.1508:1568]

    extraConfig = lib.optionalString (config.services ? plausible)
      (config.services.plausible.extraNginxConfigFor fqdn);

[9.3229]

[10.2028]

    extraConfig = ''
      proxy_set_header Accept-Encoding "";
      sub_filter "</head>" '<script data-goatcounter="https://analytics.${domain}/count" async src="https://analytics.${domain}/count.js"></script></head>';
      sub_filter_last_modified on;
      sub_filter_once on;
    '';

Replacement in modules/forgejo.nix at line 127 [12.3]

B:BD[11.2511] → [5.1572:1700]

    extraConfig = lib.optionalString (config.services ? plausible) 
      (config.services.plausible.extraNginxConfigFor fqdn);

[11.2511]

    extraConfig = ''
      proxy_set_header Accept-Encoding "";
      sub_filter "</head>" '<script data-goatcounter="https://analytics.${domain}/count" async src="https://analytics.${domain}/count.js"></script></head>';
      sub_filter_last_modified on;
      sub_filter_once on;
    '';

Deletion in modules/dr-radka.nix at line 65 [13.83]
B:BD[13.1679] → [5.1703:1721]
```
      # plausible
```

Replacement in modules/dr-radka.nix at line 67 [13.83]

B:BD[5.1789] → [5.1789:2139]

        sub_filter "</head>" '<script defer data-domain="${domain}" data-api="https://analytics.plumj.am/api/event" src="https://analytics.plumj.am/js/script.file-downloads.hash.outbound-links.js"></script><script>window.plausible = window.plausible || function() { (window.plausible.q = window.plausible.q || []).push(arguments) }</script></head>';

[5.1789]

[5.2139]

        sub_filter "</head>" '<script data-goatcounter="https://analytics.plumj.am/count" async src="https://analytics.plumj.am/count.js"></script></head>';

Replacement in modules/dr-radka.nix at line 84 [13.83]

B:BD[13.2216] → [5.2216:2961]

          add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' ${domain} *.${domain} cdn.jsdelivr.net unpkg.com *.posthog.com *.sanity.io *.googletagmanager.com *.google-analytics.com analytics.plumj.am; object-src 'self' ${domain} *.${domain}; base-uri 'self'; frame-ancestors 'self' dr-radka.sanity.studio *.sanity.io; form-action 'self' ${domain} *.${domain}; font-src 'self' ${domain} *.${domain} cdn.jsdelivr.net; connect-src 'self' ${domain} *.${domain} unpkg.com *.posthog.com *.sanity.io *.googletagmanager.com *.google-analytics.com plausible.io analytics.plumj.am; img-src 'self' ${domain} *.${domain} unpkg.com *.tile.openstreetmap.org *.sanity.io cdn.sanity.io www.googletagmanager.com data:;" always;

[13.2216]

[14.698]

          add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' ${domain} *.${domain} cdn.jsdelivr.net unpkg.com *.posthog.com *.sanity.io *.googletagmanager.com *.google-analytics.com analytics.plumj.am; object-src 'self' ${domain} *.${domain}; base-uri 'self'; frame-ancestors 'self' dr-radka.sanity.studio *.sanity.io; form-action 'self' ${domain} *.${domain}; font-src 'self' ${domain} *.${domain} cdn.jsdelivr.net; connect-src 'self' ${domain} *.${domain} unpkg.com *.posthog.com *.sanity.io *.googletagmanager.com *.google-analytics.com analytics.plumj.am; img-src 'self' ${domain} *.${domain} unpkg.com *.tile.openstreetmap.org *.sanity.io cdn.sanity.io www.googletagmanager.com data:;" always;

File deletion: plausible
BF:BFD[15.7] → [5.3045:3065]
BF:BFD[5.3065] → [5.3044:3044]

File deletion: default.nix

BF:BFD[5.3044] → [5.5131:5166]

BF:BFD[5.5166] → [5.3508:3508]

B:BD[5.3508] → [5.3509:5130]

{ self, config, lib, ... }: let
  inherit (config.networking) domain;
  inherit (lib) enabled mkOption;
  fqdn = "analytics.${domain}";
  port = 8007;
in {
  imports = [ (self + /modules/postgresql.nix) ];
  options.services.plausible.extraNginxConfigFor = mkOption {
    type    = lib.types.functionTo lib.types.str;
    default = domain: ''
      proxy_set_header Accept-Encoding "";
      sub_filter "</head>" '<script defer data-domain="${domain}" data-api="https://${fqdn}/api/event" src="https://${fqdn}/js/script.file-downloads.hash.outbound-links.js"></script><script>window.plausible = window.plausible || function() { (window.plausible.q = window.plausible.q || []).push(arguments) }</script></head>';
      sub_filter_last_modified on;
      sub_filter_once on;
    '';
  };
  config = {
    services.postgresql.ensure = [ "plausible" ];
    age.secrets.plausibleKey = {
      file  = ./key.age;
      owner = "plausible";
    };
    services.plausible = enabled {
      database = {
        clickhouse.setup = true;
        postgres.setup   = true;
      };
      server = {
        inherit port;
        disableRegistration = true;
        secretKeybaseFile   = config.age.secrets.plausibleKey.path;
        baseUrl             = "https://${fqdn}";
        listenAddress       = "::1";
      };
    };
    services.nginx.virtualHosts.${fqdn} = lib.merge config.services.nginx.sslTemplate {
      extraConfig = config.services.plausible.extraNginxConfigFor fqdn;
      locations."/" = {
        proxyPass       = "http://[::1]:${toString port}";
        proxyWebsockets = true;
      };
    };
  };
}

File deletion: key.age
BF:BFD[5.3044] → [5.3468:3506]
BF:BFD[5.3506] → [5.3067:3067]
B:BD[5.3067] → [5.3068:3090]
B:BD[5.3090] → [3.641:1018]
```
age-encryption.org/v1
```

Replacement in hosts/plum/grafana/default.nix at line 50 [4.2110]

B:BD[4.3146] → [5.5175:5303]

    extraConfig = lib.optionalString (config.services ? plausible) 
      (config.services.plausible.extraNginxConfigFor fqdn);

[4.3146]

[5.5303]

    extraConfig = ''
      proxy_set_header Accept-Encoding "";
      sub_filter "</head>" '<script data-goatcounter="https://analytics.${domain}/count" async src="https://analytics.${domain}/count.js"></script></head>';
      sub_filter_last_modified on;
      sub_filter_once on;
    '';

File addition: goatcounter (d--x------)
[15.7]

File addition: default.nix (----------)

[0.2117]

{ self, config, lib, ... }: let
  inherit (config.networking) domain;
  inherit (lib) enabled;
  fqdn = "analytics.${domain}";
  port = 8007;
in {
  config = {
    services.goatcounter = enabled {
      inherit port;
      proxy = true;
      address = "127.0.0.1";
    };
    services.nginx.virtualHosts.${fqdn} = lib.merge config.services.nginx.sslTemplate {
      locations."/" = {
        proxyPass = "http://127.0.0.1:${toString port}";
        proxyWebsockets = true;
        extraConfig = ''
          proxy_hide_header X-Content-Type-Options;
        '';
      };
    };
  };
}

Replacement in hosts/plum/default.nix at line 22 [17.987]
B:BD[16.3293] → [5.5314:5336]
```
          ./plausible
```
[16.3293]
[16.3293]
```
          ./goatcounter
```