jml/nixos-config
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
nixos-config/hosts/lithium/services/miniflux/default.nix
Jay Looney 630f9b0074 even more backups of things
2025-10-28 16:11:45 -05:00

79 lines
2.5 KiB
Nix
Raw Permalink Blame History

{ config, pkgs, ... }:
let
homelabDomain = config.networking.domain;
svcDomain = "feeds.${homelabDomain}";
svcPort = "8081"; # Prevent a Conflict
in
{
services.caddy.virtualHosts."${svcDomain}".extraConfig = ''
reverse_proxy :${svcPort}
'';
# NOTE: Ensure the user exists ahead of trying to give secret permissions to that user.
users.users.miniflux = {
isSystemUser = true;
group = "miniflux";
createHome = false;
};
users.groups.miniflux = {};
sops.secrets.miniflux_env = {
sopsFile = ../../secrets/miniflux_admin_credentials.env;
format = "dotenv";
mode = "0440";
owner = "miniflux";
group = "miniflux";
restartUnits = [ "miniflux.service" ];
};
sops.secrets."miniflux/oauth2_client_secret" = {
owner = "miniflux";
group = "kanidm";
mode = "0440";
restartUnits = [ "miniflux.service" "kanidm.service" ];
};
#services.kanidm.provision = {
#groups = {};
#systems.oauth2.miniflux = {
#displayName = "Miniflux Feed Reader";
#originUrl = "https://${fqdn}/callback";
#public = true; # enforces PKCE
#preferShortUsername = true;
#scopeMaps.pages_users = ["openid" "email" "profile"];
#claimMaps."${permissionsMap}".valuesByGroup.pages_admin = ["admin"];
#};
#};
# NOTE: Currently requires some web-interface configuration
services.miniflux = {
enable = true;
adminCredentialsFile = config.sops.secrets.miniflux_env.path;
config = {
BASE_URL = "https://${svcDomain}";
#CREATE_ADMIN = 0;
#DISABLE_LOCAL_AUTH = 1;
OAUTH2_PROVIDER = "oidc";
OAUTH2_CLIENT_ID = "miniflux";
OAUTH2_CLIENT_SECRET_FILE = config.sops.secrets."miniflux/oauth2_client_secret".path;
OAUTH2_REDIRECT_URL = "https://${svcDomain}/oauth2/oidc/callback";
OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://id.${homelabDomain}/oauth2/openid/miniflux";
#OAUTH2_USER_CREATION = 1;
CLEANUP_FREQUENCY = 48;
LISTEN_ADDR = "localhost:${svcPort}";
};
};
services.kanidm.provision.systems.oauth2.miniflux = {
displayName = "miniflux";
originUrl = "https://${svcDomain}/oauth2/oidc/callback";
originLanding = "https://${svcDomain}/";
basicSecretFile = config.sops.secrets."miniflux/oauth2_client_secret".path;
scopeMaps."miniflux.users" = [
"openid"
"email"
"profile"
"groups"
];
# WARNING: PKCE is currently not supported by gitea/forgejo,
# see https://github.com/go-gitea/gitea/issues/21376
allowInsecureClientDisablePkce = true;
preferShortUsername = true;
};
}
Reference in a new issue View git blame Copy permalink