Initial commit

2025-08-20 18:24:02 +03:00
commit 2dec42d487
116 changed files with 6591 additions and 0 deletions
--- a/hosts/cepheus/miniflux.nix
+++ b/hosts/cepheus/miniflux.nix
@@ -0,0 +1,76 @@
+{ config, pkgs, lib, ... }: {
+  age.secrets.kanidm-oauth2-miniflux = lib.mkSecret "kanidm";
+  services.kanidm.provision = {
+    groups."miniflux.access" = {};
+    systems.oauth2.miniflux = {
+      displayName = "miniflux";
+      originUrl = "https://rss.nothing.run/oauth2/oidc/callback";
+      originLanding = "https://rss.nothing.run/";
+      basicSecretFile = config.age.secrets.kanidm-oauth2-miniflux.path;
+      scopeMaps."miniflux.access" = [
+        "openid"
+        "email"
+        "profile"
+      ];
+      allowInsecureClientDisablePkce = true;
+      preferShortUsername = true;
+    };
+  };
+
+  age.secrets.miniflux-admin-credentials = {
+    generator.script = _: ''
+      echo "ADMIN_USERNAME = 'admin_fmA4ei32f'"
+      echo "ADMIN_PASSWORD = '$(head -c 32 /dev/urandom | base64)'"
+    '';
+    group = "kanidm";
+    mode = "444";
+  };
+
+  containers.miniflux = {
+    autoStart = true;
+    bindMounts = {
+      "/run/postgresql" = { hostPath = "/nix/persist/services/miniflux"; isReadOnly = false; };
+      "/run/agenix" = { hostPath = "/run/agenix"; isReadOnly = false; };
+    };
+    hostAddress = "192.168.103.10";
+    localAddress = "192.168.103.11";
+    privateNetwork = true;
+
+    config = { ... }: {
+      imports = [ ../../modules/global/dnscrypt-proxy.nix ];
+
+      users.groups.kanidm = {};
+      users.users.postgres.extraGroups = [ "kanidm" ];
+
+      services.miniflux = {
+        enable = true;
+        createDatabaseLocally = true;
+        adminCredentialsFile = config.age.secrets.miniflux-admin-credentials.path;
+        config = {
+          LISTEN_ADDR = "192.168.103.11:8080";
+          CREATE_ADMIN = 1;
+
+          OAUTH2_PROVIDER = "oidc";
+          OAUTH2_CLIENT_ID = "miniflux";
+          OAUTH2_CLIENT_SECRET = config.age.secrets.kanidm-oauth2-miniflux.path;
+          OAUTH2_REDIRECT_URL = "https://rss.nothing.run/oauth2/oidc/callback";
+          OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://idm.nothing.run/oauth2/openid/miniflux";
+          OAUTH2_USER_CREATION = 1;
+        };
+      };
+
+      networking.firewall = {
+        enable = true;
+        allowedTCPPorts = [ 8080 ];
+      };
+      system.stateVersion = "25.05";
+    };
+  };
+
+  services.caddy.virtualHosts = {
+    "rss.nothing.run".extraConfig = ''
+      reverse_proxy http://192.168.103.11:8080
+    '';
+  };
+
+}