{
  config,
  pkgs,
  lib,
  ...
}: let
  # Values shared by the service, database, firewall and user definitions below.
  httpPort = 8080;
  svcUser = "miniflux";
  dbName = "miniflux";
  publicUrl = "https://rss.liljamo.com/";
  listenAddr = "0.0.0.0:${builtins.toString httpPort}";
in {
  # Dedicated system account for the service; it needs no home directory.
  users.groups.${svcUser} = {};
  users.users.${svcUser} = {
    isSystemUser = true;
    group = svcUser;
    createHome = false;
  };

  # OIDC client secret, decrypted by sops and owned by the service user/group
  # so only the miniflux process can read it.
  sops.secrets."miniflux/oidcSecret" = {
    owner = svcUser;
    group = svcUser;
  };

  # Database and role; the role owns its database so RUN_MIGRATIONS can
  # alter the schema.
  services.postgresql = {
    ensureDatabases = [dbName];
    ensureUsers = [
      {
        name = svcUser;
        ensureDBOwnership = true;
      }
    ];
  };

  # NOTE(review): this opens the plaintext HTTP port on every interface, and
  # LISTEN_ADDR below binds 0.0.0.0. BASE_URL is HTTPS, which suggests a
  # TLS-terminating reverse proxy in front; anything that proxy is meant to
  # enforce (the /metrics restriction mentioned below, for instance) can be
  # bypassed by connecting to :8080 directly. Consider binding/firewalling to
  # the proxy's address only — confirm the network layout before changing it.
  networking.firewall.allowedTCPPorts = [httpPort];

  services.miniflux = {
    enable = true;
    # Local auth is disabled and CREATE_ADMIN is forced to 0 below, so this
    # credentials file is a placeholder; presumably the NixOS module still
    # requires the option to be set. TODO confirm the empty file is never read.
    adminCredentialsFile = pkgs.writeText "minifluxDummyAdminCredentialsFile" '''';
    # The database is provisioned via services.postgresql above instead.
    createDatabaseLocally = false;
    config = {
      # Connection goes over the local unix socket, so sslmode=disable does
      # not put traffic on the network.
      DATABASE_URL = "host=/run/postgresql dbname=${dbName} sslmode=disable";
      LISTEN_ADDR = listenAddr;
      BASE_URL = publicUrl;

      # Only OIDC logins are accepted; the built-in username/password login
      # is turned off.
      DISABLE_LOCAL_AUTH = 1;
      #METRICS_COLLECTOR = 1; # TODO: Metrics, disable /metrics path on haproxy like jellyfin.

      OAUTH2_PROVIDER = "oidc";
      OAUTH2_CLIENT_ID = "miniflux";
      OAUTH2_CLIENT_SECRET_FILE = config.sops.secrets."miniflux/oidcSecret".path;
      OAUTH2_REDIRECT_URL = "${publicUrl}oauth2/oidc/callback";
      # .well-known/openid-configuration is appended to this by the oidc
      # library used by miniflux.
      OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.liljamo.com";
      # NOTE(review): every identity the IdP authenticates gets a miniflux
      # account created on first login; if not everyone at the IdP should
      # have access, restrict the client on the IdP side — confirm.
      OAUTH2_USER_CREATION = 1;

      RUN_MIGRATIONS = 1;
      # mkForce overrides whatever default the module sets for CREATE_ADMIN.
      CREATE_ADMIN = lib.mkForce 0;
      FORCE_REFRESH_INTERVAL = 5;
    };
  };
}