even more backups of things

2025-10-28 16:11:45 -05:00 · 2025-10-28 16:11:45 -05:00 · 630f9b0074
commit 630f9b0074
parent b8d125d448
46 changed files with 1166 additions and 197 deletions
--- a/hosts/lithium/services/miniflux/default.nix
+++ b/hosts/lithium/services/miniflux/default.nix
@ -1,7 +1,8 @@
 { config, pkgs, ... }:
 let
-  svcDomain = "feeds.${config.networking.domain}";
-  svcPort = "8080";
+  homelabDomain = config.networking.domain;
+  svcDomain = "feeds.${homelabDomain}";
+  svcPort = "8081";  # Prevent a Conflict
 in
 {
  services.caddy.virtualHosts."${svcDomain}".extraConfig = ''
@ -22,32 +23,57 @@ in
    group = "miniflux";
    restartUnits = [ "miniflux.service" ];
  };
-  services.kanidm.provision = {
-    groups = {};
-    systems.oauth2.miniflux = {
-      displayName = "Miniflux Feed Reader";
-      originUrl = "https://${fqdn}/callback";
-      public = true; # enforces PKCE
-      preferShortUsername = true;
-      scopeMaps.pages_users = ["openid" "email" "profile"];
-      claimMaps."${permissionsMap}".valuesByGroup.pages_admin = ["admin"];
-    };
+  sops.secrets."miniflux/oauth2_client_secret" = {
+    owner = "miniflux";
+    group = "kanidm";
+    mode = "0440";
+    restartUnits = [ "miniflux.service" "kanidm.service" ];
  };
+  #services.kanidm.provision = {
+    #groups = {};
+    #systems.oauth2.miniflux = {
+      #displayName = "Miniflux Feed Reader";
+      #originUrl = "https://${fqdn}/callback";
+      #public = true; # enforces PKCE
+      #preferShortUsername = true;
+      #scopeMaps.pages_users = ["openid" "email" "profile"];
+      #claimMaps."${permissionsMap}".valuesByGroup.pages_admin = ["admin"];
+    #};
+  #};
  # NOTE: Currently requires some web-interface configuration
  services.miniflux = {
    enable = true;
    adminCredentialsFile = config.sops.secrets.miniflux_env.path;
    config = {
      BASE_URL = "https://${svcDomain}";
-      CREATE_ADMIN = 0;
-      DISABLE_LOCAL_AUTH = 1;
+      #CREATE_ADMIN = 0;
+      #DISABLE_LOCAL_AUTH = 1;
      OAUTH2_PROVIDER = "oidc";
-      OAUTH2_OIDC_PROVIDER_NAME = "Kanidm";
-      OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://id.${config.networking.domain}";
+      OAUTH2_CLIENT_ID = "miniflux";
+      OAUTH2_CLIENT_SECRET_FILE = config.sops.secrets."miniflux/oauth2_client_secret".path;
      OAUTH2_REDIRECT_URL = "https://${svcDomain}/oauth2/oidc/callback";
-      OAUTH2_USER_CREATION = 1;
+      OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://id.${homelabDomain}/oauth2/openid/miniflux";
+      #OAUTH2_USER_CREATION = 1;
      CLEANUP_FREQUENCY = 48;
      LISTEN_ADDR = "localhost:${svcPort}";
    };
  };
+
+  
+  services.kanidm.provision.systems.oauth2.miniflux = {
+    displayName = "miniflux";
+    originUrl = "https://${svcDomain}/oauth2/oidc/callback";
+    originLanding = "https://${svcDomain}/";
+    basicSecretFile = config.sops.secrets."miniflux/oauth2_client_secret".path;
+    scopeMaps."miniflux.users" = [
+      "openid"
+      "email"
+      "profile"
+      "groups"
+    ];
+    # WARNING: PKCE is currently not supported by gitea/forgejo,
+    # see https://github.com/go-gitea/gitea/issues/21376
+    allowInsecureClientDisablePkce = true;
+    preferShortUsername = true;
+  };
 }