From a393b97680c08428237a3f00cb190922d2326438 Mon Sep 17 00:00:00 2001
From: Hadi <112569860+anotherhadi@users.noreply.github.com>
Date: Mon, 16 Mar 2026 23:27:43 +0100
Subject: [PATCH] +umami

Signed-off-by: Hadi <112569860+anotherhadi@users.noreply.github.com>
---
 flake.lock                        |  6 +++---
 hosts/server/configuration.nix    |  1 +
 hosts/server/secrets/secrets.yaml |  7 ++++---
 server-modules/umami.nix          | 23 +++++++++++++++++++++++
 4 files changed, 31 insertions(+), 6 deletions(-)
 create mode 100644 server-modules/umami.nix

diff --git a/flake.lock b/flake.lock
index ecf5d82..6eeed05 100644
--- a/flake.lock
+++ b/flake.lock
@@ -224,11 +224,11 @@
         "nixpkgs": "nixpkgs"
       },
       "locked": {
-        "lastModified": 1772902568,
-        "narHash": "sha256-KUgFVKAul+zMGCZVABKcW81fkzjUpP7SifF6S1bpcss=",
+        "lastModified": 1773699848,
+        "narHash": "sha256-YHZ6kSyCfiPDkpVQcthGFPenkmCfdOrV6Yjc3UWjgBI=",
         "owner": "anotherhadi",
         "repo": "default-creds",
-        "rev": "9b8ce076bffa4fa2b0d77cef98609cbe74b7706e",
+        "rev": "5b4ca98f707cf623af5af13ea099980d8bf1b039",
         "type": "github"
       },
       "original": {
diff --git a/hosts/server/configuration.nix b/hosts/server/configuration.nix
index b76823d..e28e21a 100644
--- a/hosts/server/configuration.nix
+++ b/hosts/server/configuration.nix
@@ -25,6 +25,7 @@
     ../../server-modules/fail2ban.nix
     ../../server-modules/freshrss.nix
     ../../server-modules/default-creds.nix
+    ../../server-modules/umami.nix
 
     # You should let those lines as is
     ./hardware-configuration.nix
diff --git a/hosts/server/secrets/secrets.yaml b/hosts/server/secrets/secrets.yaml
index f474101..d15cce8 100644
--- a/hosts/server/secrets/secrets.yaml
+++ b/hosts/server/secrets/secrets.yaml
@@ -1,4 +1,5 @@
 freshrss: ENC[AES256_GCM,data:xJzlm5cOQVl/bZA=,iv:DgZN6EInXfkA8nhPeIPH1T+x0z7X3WlHGcoRDF3dpI4=,tag:YqUhltbHAq2kmmdiffn4tQ==,type:str]
+umami-secret: ENC[AES256_GCM,data:tImpd4sD92Omf/YFB8YE4gxAu+g801wQNR+k5rhY6AbzIIYOzpVmQL4XGjfp9Teky3olii4s3XTcmTyuMoxMWg==,iv:QFAEzYnAnxOOtrHWiM2IkvSs0Aqk3s1T5X7j5WC+tO8=,tag:FIbgHLfRVMJ2qZ6dOJ8zLw==,type:str]
 sshconfig: ENC[AES256_GCM,data:R54HVxqAyj9yGO/AYL8p6cnXgYxkQKW9XveHlBMTnDXBJ7r/4HgnefdymprnXmdlbNWcWrRqmaLEuzJs/0BfixXfMvmGTUrmJ0ASVuDrz9k6rOLADAKFikQh0dib7NU4JmPgmUzMncXc2WuCd3BCG3kwBQ==,iv:Ro9FA+MzTAp+ERQMT88z8ioCox/dTj2vWcqCDOSLag4=,tag:5XiXIyz5/pjGFOB5ZjdOVg==,type:str]
 github-key: ENC[AES256_GCM,data:NRYhcBIwGJEV13+YECLR+2IErsn/7clbnkx0Mltr7dQajSb5WHZ3QDH0KQPylEHhplE5IVS0h4I0z+Pb1B0UteCxFmJ5wZq+2BKZkvE7G3dojqBpgHcVqJV2GLEJkRjlHfRgsbq/OBe8xcsPh20P1KUyP0WIwVbpt+9dFWGxEGYkp2uSyuBIJ98kElt0zuVgl7WcYoDO7v5WmGzZfla+yZwURvMk8zcM3gopo+4KL6YnYUs+UA3VlBBn6VK4Nvbqy6X0R0+ZA5HHAXg+OFgGmfWnENZmsyQJHXEchGGgEldzThkQ4r8yMkgN/ax+AGouLyzbITapGE4sE11FFgL6Hmp4pSXxl3UAGF+cvV5pIujbb28CXmSPRMyYpoNxI93PSYz/txAzE6Cr2dgwxR4zpMelv4i6IaGnY8NgpY8jp2Y6C0uuJxJCN0RtnjQw1rM2uRnm7vMGyU7XXz9DEVfGnYpTWnykXsEjHE5DVGy80ejYQlc6dtmf3vdTWpt+YYdCPw8/cd0PIx2D6geh1c28,iv:wl+RG24mXYMklD8CBGXVD36DMhlWT/7zh8ZMvr7vgOk=,tag:OJhqF8PoXotr7IsyFW6q1g==,type:str]
 adguard-pwd: ENC[AES256_GCM,data:QavwLWENAURnRrFwiLntkiM=,iv:bxdQfBxNL5rwUr7CEKbwXtv5mUUXZHhvyqQL2KoPwEY=,tag:T+cSyzbGeo7E5smSsuFlHw==,type:str]
@@ -18,7 +19,7 @@ sops:
             TEc5d01RaVFGNXc3dlljM0FTTHpENjQKOqwI+pl8UxVIVl43glnOYvW660/PsDGY
             yefODJGVtHrOm3yeXC2xlTi3sFW+c5wUl2yPqddbvcBt5Ud/yd4iXQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2026-02-16T21:21:02Z"
-    mac: ENC[AES256_GCM,data:TEDhaEvzVEB6KjdTeeA8/ZGx71hWJKmkpj7DiwcaOzhLsRSVFqv36zEJ6Xtb5HojGE0G0ALNl4K5+rav8u9fL4YCO6bPBYtZgbSNBOILbV2FldFZKRErMMGDIpnQd8oaUfB/48VYTSMmhT5AwRaqdRYDomnv8wKtY8grTFhzkoA=,iv:9MDb5CovWWqHmbDHejZA3tSSHeSTGkoPuZQGMnOtd9k=,tag:e/ZMvAFdu+ICGeQUSrJx8g==,type:str]
+    lastmodified: "2026-03-16T20:32:08Z"
+    mac: ENC[AES256_GCM,data:kREf/IsxZp74r/1r0ySwyrz+YGHbMZfR/1+CHLKOP7z/PjH3btjpAEU4lJ2kDSOYwA6gdNI2rpPzWKoXsCpLAeJJ39ezxzUuUnyUh3Nt4dbr94B9FZpv0RQPY3Q26FAIK1+6cW/2/3O1qHwOOG3ZI2MduQtZQ+XsAmhkJoFmkVY=,iv:vOEHu3QahSZQOrx/iCtLFqCzZP6+HX/I9zQHSDcb7Mg=,tag:YxXOFcL0E5VlWufg+YJCbQ==,type:str]
     unencrypted_suffix: _unencrypted
-    version: 3.11.0
+    version: 3.12.1
diff --git a/server-modules/umami.nix b/server-modules/umami.nix
new file mode 100644
index 0000000..80a1f4c
--- /dev/null
+++ b/server-modules/umami.nix
@@ -0,0 +1,23 @@
+{config, ...}: {
+  sops.secrets = {
+    umami-secret = {
+      mode = "0600";
+    };
+  };
+  services.umami = {
+    enable = true;
+    settings = {
+      PORT = 8097;
+      APP_SECRET_FILE = config.sops.secrets.umami-secret.path;
+      DISABLE_TELEMETRY = true;
+      DISABLE_BOT_CHECK = true;
+    };
+  };
+  services.cloudflared.tunnels."f7c8f777-a36c-4b9a-b6e3-6a112bd43e73".ingress."umami.hadi.diy" = "http://localhost:${toString config.services.umami.settings.PORT}";
+  systemd.services.default-creds.environment = {
+    PUBLIC_UMAMI_URL = "https://umami.hadi.diy";
+    PUBLIC_UMAMI_WEBSITE_ID = "7197484c-01ad-488e-9caa-5ab7b7595f08";
+    UMAMI_URL = "http://localhost:8097";
+    UMAMI_WEBSITE_ID = "7197484c-01ad-488e-9caa-5ab7b7595f08";
+  };
+}