diff --git a/nixos/configurations/Cape/default.nix b/nixos/configurations/Cape/default.nix index fd99b1e..78f6f69 100644 --- a/nixos/configurations/Cape/default.nix +++ b/nixos/configurations/Cape/default.nix @@ -10,6 +10,7 @@ ./hardware-configuration.nix ./users ./disko-config.nix + ./miniflux.nix ]; youthlic = { diff --git a/nixos/configurations/Cape/miniflux.nix b/nixos/configurations/Cape/miniflux.nix new file mode 100644 index 0000000..5828ac1 --- /dev/null +++ b/nixos/configurations/Cape/miniflux.nix @@ -0,0 +1,17 @@ +{ config, ... }: +{ + sops.secrets."miniflux" = { + }; + youthlic.containers.miniflux = { + enable = true; + interface = "ens3"; + adminCredentialsFile = config.sops.secrets."miniflux".path; + }; + services.caddy.virtualHosts = { + "miniflux.${config.youthlic.programs.caddy.baseDomain}" = { + extraConfig = '' + reverse_proxy 10.231.137.102:8485 + ''; + }; + }; +} diff --git a/nixos/modules/containers/default.nix b/nixos/modules/containers/default.nix index 88f8d6d..40ed077 100644 --- a/nixos/modules/containers/default.nix +++ b/nixos/modules/containers/default.nix @@ -2,5 +2,6 @@ { imports = [ ./forgejo.nix + ./miniflux.nix ]; } diff --git a/nixos/modules/containers/miniflux.nix b/nixos/modules/containers/miniflux.nix new file mode 100644 index 0000000..bf8b2ab --- /dev/null +++ b/nixos/modules/containers/miniflux.nix 
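Review bot: The `reverse_proxy 10.231.137.102:8485` target in Cape/miniflux.nix repeats the container address that nixos/modules/containers/miniflux.nix fixes as `localAddress`, so editing one side silently breaks the other; reference the container option instead, `reverse_proxy ${config.containers.miniflux.localAddress}:8485`. The empty `sops.secrets."miniflux" = { };` keeps the sops-nix defaults (root-owned, mode 0400), and the container module bind-mounts that path read-only, so inside the container the credential is readable by root only — presumably fine because the service unit loads it as an EnvironmentFile before dropping privileges (confirm against the services.miniflux unit), but a short comment such as `# root:0400 by default; read by systemd for the unit, not by the miniflux user` would record that assumption next to the declaration.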
@@ -0,0 +1,107 @@
+{ config, lib, ... }:
+let
+ cfg = config.youthlic.containers.miniflux;
+in
+{
+ options = {
+ youthlic.containers.miniflux = {
+ enable = lib.mkEnableOption "miniflux container";
+ adminCredentialsFile = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ };
+ interface = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ example = "ens3";
+ };
+ };
+ };
+ config = lib.mkIf cfg.enable {
+ networking.nat = {
+ enable = true;
+ internalInterfaces = [ "ve-+" ];
+ externalInterface = cfg.interface;
+ enableIPv6 = true;
+ };
+ containers."miniflux" = {
+ ephemeral = true;
+ autoStart = true;
+ privateNetwork = true;
+ hostAddress = "10.231.137.1";
+ localAddress = "10.231.137.102";
+ bindMounts = {
+ "/var/lib/miniflux" = {
+ hostPath = "/mnt/containers/miniflux/state";
+ isReadOnly = false;
+ };
+ "/var/lib/postgresql" = {
+ hostPath = "/mnt/containers/miniflux/database";
+ isReadOnly = false;
+ };
+ "${cfg.adminCredentialsFile}" = {
+ isReadOnly = true;
+ };
+ };
+ forwardPorts = [
+ {
+ containerPort = 8485;
+ hostPort = 8485;
+ protocol = "tcp";
+ }
+ {
+ containerPort = 8485;
+ hostPort = 8485;
+ protocol = "udp";
+ }
+ ];
+
+ config =
+ { lib, ... 
}: + { + imports = [ + ./../programs/miniflux.nix + ./../programs/postgresql.nix + ]; + + systemd.tmpfiles.rules = [ + "d /var/lib/miniflux 770 miniflux miniflux -" + "d /var/lib/postgresql 770 postgres postgres -" + "d /run/secrets 770 root miniflux -" + ]; + + youthlic.programs = { + miniflux = { + enable = true; + database = { + user = "miniflux"; + }; + adminCredentialsFile = cfg.adminCredentialsFile; + }; + postgresql = { + enable = true; + database = "miniflux"; + auth_method = "peer"; + version = "17"; + }; + }; + + systemd.services.miniflux = { + wants = [ "postgresql.service" ]; + requires = [ "postgresql.service" ]; + after = [ "postgresql.service" ]; + wantedBy = [ "default.target" ]; + }; + + networking = { + firewall = { + enable = true; + allowedTCPPorts = [ 8485 ]; + allowedUDPPorts = [ 8485 ]; + }; + useHostResolvConf = lib.mkForce false; + }; + services.resolved.enable = true; + system.stateVersion = "24.11"; + }; + }; + }; +} diff --git a/nixos/modules/programs/default.nix b/nixos/modules/programs/default.nix index 98433b2..1a06f8c 100644 --- a/nixos/modules/programs/default.nix +++ b/nixos/modules/programs/default.nix @@ -19,5 +19,6 @@ ./conduwuit.nix ./nix-ld.nix ./juicity + ./miniflux.nix ]; } diff --git a/nixos/modules/programs/miniflux.nix b/nixos/modules/programs/miniflux.nix new file mode 100644 index 0000000..5dc701f --- /dev/null +++ b/nixos/modules/programs/miniflux.nix 
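Review bot: The `forwardPorts` entries (tcp and udp 8485) publish the container's plain-HTTP listener on the host itself, which nothing here needs: the host's Caddy in Cape/miniflux.nix reaches the container directly at its localAddress over the veth link, so the forward only adds a second, non-TLS entry point on the host's interfaces (nixos-container implements forwardPorts through nspawn port mapping, which as far as I can tell cannot be restricted to loopback — confirm). Dropping the whole `forwardPorts = [ … ];` list, and with it `allowedUDPPorts = [ 8485 ];` in the container firewall (miniflux's LISTEN_ADDR is an HTTP listener, so the udp entry serves nothing), keeps 8485 reachable only from the host side. The `adminCredentialsFile` option is typed `lib.types.nonEmptyStr` here while the programs module it feeds declares the same value as `lib.types.path`, and neither carries a `description`; aligning on `type = lib.types.path;` with `description = "Host path of the admin credentials file; bind-mounted read-only into the container at the same path.";` would state the bind mount's intent. The enclosing definition starts in the previous source line.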
@@ -0,0 +1,48 @@
+{ lib, config, ... }:
+let
+ cfg = config.youthlic.programs.miniflux;
+in
+{
+ options = {
+ youthlic.programs.miniflux = {
+ enable = lib.mkEnableOption "miniflux";
+ adminCredentialsFile = lib.mkOption {
+ type = lib.types.path;
+ };
+ database = {
+ user = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ example = "miniflux";
+ };
+ socket = lib.mkOption {
+ type = lib.types.nonEmptyStr;
+ default = "/run/postgresql";
+ };
+ };
+ };
+ };
+ config = lib.mkMerge [
+ (lib.mkIf cfg.enable {
+ services.miniflux = {
+ enable = true;
+ config = {
+ LISTEN_ADDR = "0.0.0.0:8485";
+ DATABASE_URL = "user=${cfg.database.user} host=${cfg.database.socket} dbname=miniflux";
+ CREATE_ADMIN = 1;
+ WATCHDOG = 1;
+ };
+ createDatabaseLocally = false;
+ adminCredentialsFile = cfg.adminCredentialsFile;
+ };
+ })
+ (lib.mkIf (cfg.enable && config.youthlic.programs.caddy.enable) {
+ services.caddy.virtualHosts = {
+ "miniflux.${config.youthlic.programs.caddy.baseDomain}" = {
+ extraConfig = ''
+ reverse_proxy 127.0.0.1:8485
+ '';
+ };
+ };
+ })
+ ];
+}
diff --git a/secrets/general.yaml b/secrets/general.yaml
index 688d698..3b0c6b7 100644
--- a/secrets/general.yaml
+++ b/secrets/general.yaml
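Review bot: `LISTEN_ADDR = "0.0.0.0:8485"` is hard-wired, so on a host that enables this module directly — which the second mkIf branch expects, proxying from `127.0.0.1:8485` — miniflux listens in plain HTTP on every interface while the reverse proxy only needs loopback; make it an option, `listenAddress = lib.mkOption { type = lib.types.nonEmptyStr; default = "127.0.0.1:8485"; };` with `LISTEN_ADDR = cfg.listenAddress;`, and let the container module in nixos/modules/containers/miniflux.nix set `"0.0.0.0:8485"` where the host must reach it over the veth link. The second branch reads `config.youthlic.programs.caddy.enable`; inside the container, whose config imports only miniflux.nix and postgresql.nix, that option is presumably not declared, and the condition would then fail to evaluate as soon as cfg.enable is true — confirm, or guard it with `(config.youthlic.programs.caddy.enable or false)`. `adminCredentialsFile` also lacks a `description`; something like `description = "EnvironmentFile-style file providing ADMIN_USERNAME and ADMIN_PASSWORD for CREATE_ADMIN; passed through to services.miniflux.adminCredentialsFile.";` documents why it is a file rather than a value.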
@@ -1,6 +1,7 @@ rustypaste: auth: ENC[AES256_GCM,data:DORM12zY0wQQxqBNFYG3oYodhevUJXNjdqJcnyOnuPnZQIsUdEtm4TyNHokUKYoc30s8c6INOFoAB+7210y0dQE3hfg=,iv:Kms90lNPaL5fvQjD31+DZGJf+YQU/tTGLTxrqkvsbDY=,tag:5voNZlwGf2adVQoVqgyRqA==,type:str] delete: ENC[AES256_GCM,data:fbhJiJhh4YSMZQ6/dfquesJE0sNSn2PUkbjtJmisj5qHtsM=,iv:M1R7giNyLhbj98iiCPENQy44Ixqnie1PHlNcsVs5TLs=,tag:zdBbZ4NR7D4HxsxCizTliw==,type:str] +miniflux: ENC[AES256_GCM,data:8u9ElF2LAsIZmq7U8oZJM367y6EAy0si4ZXhpdisYa/PjV70SybUWhrahBft86QB71l8KtLUVuF3Ins=,iv:q7vJzxZICGNv/IaHKDpV50Pc9P4rIwcvfz2+uS1AnyI=,tag:ycwVU3RqfBoXRZQMv653xQ==,type:str] atuin-key: ENC[AES256_GCM,data:e3K7/7BaeXuR+vHJdtO79UQp3XRvROcD8ISkuCp3KGCSlBKUM3GuCwhIeFoIl0fOUqVYOzcCAcjsH2nBRqcXhtS8jhM=,iv:Mh3jsu6mdj0VOLSIoNz/0awyydVf7q3/E7iB7CJi+UA=,tag:xuHhUmK/J2stdjRrtbhQSw==,type:str] access-tokens: ENC[AES256_GCM,data:TBg9y2xdVmLNQV3JzGRSbYSrqtYQxakWNPF+OBShqCP6Z/M9H8of6zbgevOudfAPXUbcDv55tBo58U/Z2VIMJysYuUDbbmO9WoqEB2AQNjFgbxBbSwGOEVz8fwKItj01f15r3gAfQVQl0T8Vaf5+VIVXpzG1h7O7,iv:IQw7ddpTuj5vzT6MEvqUiHEsd/Sekl8wVe+A8uibsEw=,tag:I4oyeM1j2LJ++5omk4Ao2A==,type:str] matrix-telegram-bot: ENC[AES256_GCM,data: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,iv:Br0w0SiYajFr8p5CZEg47x3KpJ+AOleHthsEc3ho4YI=,tag:k+wptcSnNzfefF66Ug824Q==,type:str] 
@@ -54,8 +55,8 @@ sops: a1Y1NU9CK2h1SS83VW42bzBMa01yMXMKI1DBtgNlkNCrxUQvnD6a45mQKNfg5gM4 Zb5buo9Jofj4dn/HFwng3T3gxKTrP2Dh74CAH4L0M5yrF9fzk5TCcQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-02-25T05:46:18Z" - mac: ENC[AES256_GCM,data:QjSjc0QPNxOkKAIjLPdg5G/QQc+lcGbIhDHp4vWXLUrTrH9YRXVRSp6+qn8VJRAUuDz21A4VBLTq4Ar6CBxC8wlaoNLeYxXuY26rvajfSXTjY8Reg6j7hsbYnW26/zlrO3VwSQdTcxB+rJYr9pKSVwJvq+Q0gucw7qj1vGigui8=,iv:CEC2T6f9RsPJAbvAhxLpiF4SryhUvEJPVmOWZPBRl10=,tag:EgBhg7EU087pEvWdDGKF5w==,type:str] + lastmodified: "2025-03-04T06:22:13Z" + mac: ENC[AES256_GCM,data:nQ3ZmOL0MOxL3/dEY0TGsI0003O/ZNjqilSojikn0oN2OyR2chYcpbRDKpPtoZwoJ+QfMH+etnxt9lo+tPKr+hF8a4rQeWK4oErZTAemPoGPPsYgf9TLqjjQ7pUQI/wzLX0OaBJSbITNBiC4I1wUtA3NPyRPhGYNA0st7Mz2fP0=,iv:SkYgbhWrlyQAZer5ZeLExwMdOmnxRQ3mwxsdLtA7DYI=,tag:NAPlZ7UYRT0XXRLSigHfWA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.9.4