"hosts/plum/plausible/key.age".publicKeys = [ plum ] ++ admins;

			extraConfig = lib.optionalString (config.services ? plausible) 
			  (config.services.plausible.extraNginxConfigFor domain);

{ config, lib, pkgs, ... }: let
  inherit (lib) enabled mkForce mkOverride mkValue flip map;
in {
  options.services.postgresql.ensure = mkValue [];
  config.services.postgresql = enabled {
    package = pkgs.postgresql_17;
    enableJIT   = true;
    enableTCPIP = true;
    settings.listen_addresses = mkForce "::";
    authentication            = mkOverride 10 ''
      #     DATABASE USER        AUTHENTICATION
      local all      all         peer
      #     DATABASE USER ADDRESS AUTHENTICATION
      host  all      all  ::/0    md5
    '';
    ensure = [ "postgres" "root" ];
    initdbArgs      = [ "--locale=C" "--encoding=UTF8" ];
    ensureDatabases = config.services.postgresql.ensure;
    ensureUsers = flip map config.services.postgresql.ensure (name: {
      inherit name;
      ensureDBOwnership = true;
      ensureClauses = {
        login       = true;
        superuser   = name == "postgres" || name == "root";
      };
    });
  };
  config.environment.systemPackages = [
    config.services.postgresql.package
  ];
}

        ~^https://dr-radka\.pl$ $http_origin;

        ~^https://dr-radka\.pl$ "CONNECT, DELETE, GET, HEAD, OPTIONS, PATCH, POST, PUT, TRACE";

    extraConfig = lib.optionalString (config.services ? plausible) 
      (config.services.plausible.extraNginxConfigFor fqdn);

    extraConfig = lib.optionalString (config.services ? plausible) 
      (config.services.plausible.extraNginxConfigFor fqdn);

      # plausible
      extraConfig = ''
        proxy_set_header Accept-Encoding "";
        sub_filter "</head>" '<script defer data-domain="${domain}" data-api="https://analytics.plumj.am/api/event" src="https://analytics.plumj.am/js/script.file-downloads.hash.outbound-links.js"></script><script>window.plausible = window.plausible || function() { (window.plausible.q = window.plausible.q || []).push(arguments) }</script></head>';
        sub_filter_last_modified on;
        sub_filter_once on;
      '';

          add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' ${domain} *.${domain} cdn.jsdelivr.net unpkg.com *.posthog.com *.sanity.io *.googletagmanager.com *.google-analytics.com; object-src 'self' ${domain} *.${domain}; base-uri 'self'; frame-ancestors 'self' dr-radka.sanity.studio *.sanity.io; form-action 'self' ${domain} *.${domain}; font-src 'self' ${domain} *.${domain} cdn.jsdelivr.net; connect-src 'self' ${domain} *.${domain} unpkg.com *.posthog.com *.sanity.io *.googletagmanager.com *.google-analytics.com; img-src 'self' ${domain} *.${domain} unpkg.com *.tile.openstreetmap.org *.sanity.io cdn.sanity.io googletagmanager.com data:;" always;

          add_header Content-Security-Policy "script-src 'self' 'unsafe-inline' 'unsafe-eval' ${domain} *.${domain} cdn.jsdelivr.net unpkg.com *.posthog.com *.sanity.io *.googletagmanager.com *.google-analytics.com analytics.plumj.am; object-src 'self' ${domain} *.${domain}; base-uri 'self'; frame-ancestors 'self' dr-radka.sanity.studio *.sanity.io; form-action 'self' ${domain} *.${domain}; font-src 'self' ${domain} *.${domain} cdn.jsdelivr.net; connect-src 'self' ${domain} *.${domain} unpkg.com *.posthog.com *.sanity.io *.googletagmanager.com *.google-analytics.com plausible.io analytics.plumj.am; img-src 'self' ${domain} *.${domain} unpkg.com *.tile.openstreetmap.org *.sanity.io cdn.sanity.io www.googletagmanager.com data:;" always;

{ self, config, lib, ... }: let
  inherit (config.networking) domain;
  inherit (lib) enabled mkOption;
  fqdn = "analytics.${domain}";
  port = 8007;
in {
  imports = [ (self + /modules/postgresql.nix) ];
  options.services.plausible.extraNginxConfigFor = mkOption {
    type    = lib.types.functionTo lib.types.str;
    default = domain: ''
      proxy_set_header Accept-Encoding "";
      sub_filter "</head>" '<script defer data-domain="${domain}" data-api="https://${fqdn}/api/event" src="https://${fqdn}/js/script.file-downloads.hash.outbound-links.js"></script><script>window.plausible = window.plausible || function() { (window.plausible.q = window.plausible.q || []).push(arguments) }</script></head>';
      sub_filter_last_modified on;
      sub_filter_once on;
    '';
  };
  config = {
    services.postgresql.ensure = [ "plausible" ];
    age.secrets.plausibleKey = {
      file  = ./key.age;
      owner = "plausible";
    };
    services.plausible = enabled {
      database = {
        clickhouse.setup = true;
        postgres.setup   = true;
      };
      server = {
        inherit port;
        disableRegistration = true;
        secretKeybaseFile   = config.age.secrets.plausibleKey.path;
        baseUrl             = "https://${fqdn}";
        listenAddress       = "::1";
      };
    };
    services.nginx.virtualHosts.${fqdn} = lib.merge config.services.nginx.sslTemplate {
      extraConfig = config.services.plausible.extraNginxConfigFor fqdn;
      locations."/" = {
        proxyPass       = "http://[::1]:${toString port}";
        proxyWebsockets = true;
      };
    };
  };
}

    extraConfig = lib.optionalString (config.services ? plausible) 
      (config.services.plausible.extraNginxConfigFor fqdn);
      

          ./plausible