Add umami analytics

Julius 2022-05-25 19:13:13 +02:00
parent df52299784
commit 58f3ab978b
Signed by: j00lz
GPG key ID: AF241B0AA237BBA2
17 changed files with 152 additions and 130 deletions


@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- umami


@ -0,0 +1,39 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: umami-deployment
namespace: asraphiel
labels:
app: umami-deployment
keel.sh/policy: poll
keel.sh/match-tag: "true"
keel.sh/pollSchedule: "@weekly"
spec:
replicas: 1
selector:
matchLabels:
app: umami-deployment
template:
metadata:
labels:
app: umami-deployment
spec:
containers:
- name: umami-deployment
imagePullPolicy: Always
image: ghcr.io/mikecao/umami:postgresql-latest
ports:
- containerPort: 3000
env:
- name: DATABASE_TYPE
value: postgres
- name: DATABASE_URL
valueFrom:
secretKeyRef:
name: umami-secrets
key: db-url
- name: HASH_SALT
valueFrom:
secretKeyRef:
name: umami-secrets
key: salt
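Review bot: `keel.sh/pollSchedule: "@weekly"` appears under `labels:` (nesting inferred, since this page has lost the indentation), and a Kubernetes label value must begin and end with an alphanumeric character, so the API server is likely to reject this Deployment; Keel documents the schedule as an annotation, so it belongs under `metadata.annotations`. `poll` also looks like a Keel trigger rather than a policy (the cdn Deployment removed in this commit used `keel.sh/policy: force`), so `keel.sh/policy: force` together with `keel.sh/trigger: poll` is probably what was intended. Once polling works, the pod holding `DATABASE_URL` and `HASH_SALT` will follow the mutable `postgresql-latest` tag from a third-party registry unattended; pinning a release tag or digest and, if the image supports it, adding a container `securityContext` with `allowPrivilegeEscalation: false` and `runAsNonRoot: true` would limit the effect of an unexpected upstream push.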


@ -0,0 +1,17 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: umami-deployment-ingress
namespace: asraphiel
spec:
rules:
- host: "analytics.asraphiel.dev"
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: umami-deployment-service
port:
number: 80


@ -0,0 +1,21 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: umami-secrets
namespace: asraphiel
spec:
refreshInterval: "15s"
secretStoreRef:
name: vault
kind: ClusterSecretStore
target:
name: umami-secrets
data:
- secretKey: db-url
remoteRef:
key: k8s/umami
property: db-url
- secretKey: salt
remoteRef:
key: k8s/umami
property: salt


@ -0,0 +1,12 @@
apiVersion: v1
kind: Service
metadata:
name: umami-deployment-service
namespace: asraphiel
spec:
selector:
app: umami-deployment
ports:
- protocol: TCP
port: 80
targetPort: 3000


@ -7,3 +7,4 @@ resources:
- drone - drone
- keel - keel
- family - family
- asraphiel


@ -1,53 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: cdn-deployment
namespace: misc
labels:
app: cdn-deployment
keel.sh/policy: force
keel.sh/match-tag: "true"
spec:
replicas: 1
selector:
matchLabels:
app: cdn-deployment
template:
metadata:
labels:
app: cdn-deployment
spec:
containers:
- name: cdn-deployment
imagePullPolicy: Always
image: registry.asraphiel.dev/library/cdn-control:main
ports:
- containerPort: 8080
env:
- name: CDN_ACCESS_KEY
valueFrom:
secretKeyRef:
name: cdn-secrets
key: access-key
- name: CDN_SECRET_KEY
valueFrom:
secretKeyRef:
name: cdn-secrets
key: secret-key
- name: CDN_ENDPOINT
valueFrom:
secretKeyRef:
name: cdn-secrets
key: endpoint
- name: CDN_BASE_PATH
valueFrom:
secretKeyRef:
name: cdn-secrets
key: base-path
- name: CDN_BUCKET
valueFrom:
secretKeyRef:
name: cdn-secrets
key: bucket
imagePullSecrets:
- name: registry-creds


@ -1,27 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: cdn-deployment-ingress
namespace: misc
spec:
rules:
- host: "cdn.asraphiel.dev"
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: cdn-deployment-service
port:
number: 80
- host: "cdn.voidcorp.nl"
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: cdn-deployment-service
port:
number: 80


@ -1,33 +0,0 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: cdn-secrets
namespace: misc
spec:
refreshInterval: "15s"
secretStoreRef:
name: vault
kind: ClusterSecretStore
target:
name: cdn-secrets
data:
- secretKey: access-key
remoteRef:
key: k8s/cdn
property: access-key
- secretKey: secret-key
remoteRef:
key: k8s/cdn
property: secret-key
- secretKey: endpoint
remoteRef:
key: k8s/cdn
property: endpoint
- secretKey: base-path
remoteRef:
key: k8s/cdn
property: base-path
- secretKey: bucket
remoteRef:
key: k8s/cdn
property: bucket


@ -1,12 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: cdn-deployment-service
namespace: misc
spec:
selector:
app: cdn-deployment
ports:
- protocol: TCP
port: 80
targetPort: 8080


@ -3,4 +3,3 @@ kind: Kustomization
resources: resources:
- pinbot - pinbot
- registry-creds.yaml - registry-creds.yaml
- cdn-control


@ -0,0 +1,6 @@
kind: Namespace
apiVersion: v1
metadata:
name: asraphiel
labels:
name: asraphiel


@ -9,3 +9,4 @@ resources:
- keel.yaml - keel.yaml
- family.yaml - family.yaml
- misc.yaml - misc.yaml
- asraphiel.yaml


@ -63,6 +63,7 @@ in {
virtualHosts."registry.asraphiel.dev" = proxy "http://registry.lxd:5000/"; virtualHosts."registry.asraphiel.dev" = proxy "http://registry.lxd:5000/";
virtualHosts."vaultwarden.asraphiel.dev" = virtualHosts."vaultwarden.asraphiel.dev" =
proxy "http://vaultwarden.lxd:8000/"; proxy "http://vaultwarden.lxd:8000/";
virtualHosts."analytics.asraphiel.dev" = k8sProxy;
virtualHosts."groenehartansichtkaarten.nl" = k8sProxy; virtualHosts."groenehartansichtkaarten.nl" = k8sProxy;
virtualHosts."ansichtkaarten.asraphiel.dev" = k8sProxy; virtualHosts."ansichtkaarten.asraphiel.dev" = k8sProxy;
@ -77,6 +78,7 @@ in {
http2 = true; http2 = true;
globalRedirect = "galerievanslagmaat.nl"; globalRedirect = "galerievanslagmaat.nl";
}; };
}; };
security.acme.email = "acme@voidcorp.nl"; security.acme.email = "acme@voidcorp.nl";


@ -1,4 +1,10 @@
{ config, pkgs, ... }: { { config, pkgs, ... }:
let
user = name: {
name = name;
ensurePermissions = { "DATABASE \"${name}\"" = "ALL PRIVILEGES"; };
};
in {
imports = [ ../../common ../../common/lxc.nix ]; imports = [ ../../common ../../common/lxc.nix ];
networking.hostName = "postgres"; networking.hostName = "postgres";
system.stateVersion = "21.11"; system.stateVersion = "21.11";
@ -17,13 +23,12 @@
host all all 10.0.0.0/8 trust host all all 10.0.0.0/8 trust
host all all fd42:8db7:2e6b:8e9b:216:3eff::/96 trust host all all fd42:8db7:2e6b:8e9b:216:3eff::/96 trust
''; '';
ensureDatabases = [ "gitea" "vault" "vaultwarden" "authentik" ]; ensureDatabases = [ "gitea" "vault" "vaultwarden" "authentik" "umami" ];
ensureUsers = [ ensureUsers = [
{ {
name = "gitea"; name = "gitea";
ensurePermissions = { "DATABASE \"gitea\"" = "ALL PRIVILEGES"; }; ensurePermissions = { "DATABASE \"gitea\"" = "ALL PRIVILEGES"; };
} }
{ {
name = "vault"; name = "vault";
ensurePermissions = { "DATABASE \"vault\"" = "ALL PRIVILEGES"; }; ensurePermissions = { "DATABASE \"vault\"" = "ALL PRIVILEGES"; };
@ -36,6 +41,7 @@
name = "authentik"; name = "authentik";
ensurePermissions = { "DATABASE \"authentik\"" = "ALL PRIVILEGES"; }; ensurePermissions = { "DATABASE \"authentik\"" = "ALL PRIVILEGES"; };
} }
(user "umami")
]; ];
enableTCPIP = true; enableTCPIP = true;
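Review bot: The new `umami` database and role fall under the existing `host all all 10.0.0.0/8 trust` and IPv6 `trust` lines shown as context in the second hunk, so any host in those ranges can connect as `umami`, or as any other role, without a password, and the `db-url` secret added elsewhere in this commit provides no real access control. Consider a narrower rule placed before the catch-all entries, for example `host umami umami 10.0.0.0/8 scram-sha-256`, with the role's password set out of band, since the `ensurePermissions` entry here only grants privileges on the database. The pg_hba string and the `ensureUsers` list both begin outside the visible hunks, so an earlier, stricter rule may exist that this page does not show.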

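--- a/s3-policy.json
+++ b/s3-policy.json
@@ -0,0 +1,39 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Principal": {
+"AWS": [
+"*"
+]
+},
+"Action": [
+"s3:GetBucketLocation",
+"s3:ListBucket",
+"s3:ListBucketMultipartUploads"
+],
+"Resource": [
+"arn:aws:s3:::galerie"
+]
+},
+{
+"Effect": "Allow",
+"Principal": {
+"AWS": [
+"*"
+]
+},
+"Action": [
+"s3:PutObject",
+"s3:AbortMultipartUpload",
+"s3:DeleteObject",
+"s3:GetObject",
+"s3:ListMultipartUploadParts"
+],
+"Resource": [
+"arn:aws:s3:::galerie/*"
+]
+}
+]
+}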
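Review bot: The second statement grants `s3:PutObject` and `s3:DeleteObject` on `arn:aws:s3:::galerie/*` to `"AWS": ["*"]`, so any unauthenticated client can overwrite or delete objects in the bucket, and the first statement lets anyone list its contents. If the bucket only needs to be publicly readable, the anonymous statement should be reduced to `"Action": ["s3:GetObject"]`, with the write, delete and multipart actions moved to a statement whose principal is the uploading service's own identity. The file also appears unrelated to the commit title "Add umami analytics", so it is worth confirming that it was meant to be committed here.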