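# Host module: Miniflux (RSS reader) running in a NixOS container, logging in
# through the host's Kanidm via OIDC, published by the host's Caddy.
#
# `config` is the HOST configuration. The container module below is a closure
# over it, so every `config.age.secrets.*.path` used inside the container is a
# host path; that is why /run/agenix is bind-mounted into the container.
{ config, pkgs, lib, ... }:
{
  # OAuth2 client secret shared by Kanidm (basicSecretFile) and Miniflux.
  # `lib.mkSecret` is a project-local helper, not nixpkgs lib; beyond the
  # group argument its behaviour (owner, mode, generator) is not visible here.
  age.secrets.kanidm-oauth2-miniflux = lib.mkSecret "kanidm";

  services.kanidm.provision = {
    # Membership in this group is what grants access to Miniflux (see scopeMaps).
    groups."miniflux.access" = { };

    systems.oauth2.miniflux = {
      displayName = "miniflux";
      originUrl = "https://rss.nothing.run/oauth2/oidc/callback";
      originLanding = "https://rss.nothing.run/";
      basicSecretFile = config.age.secrets.kanidm-oauth2-miniflux.path;
      # Scopes are only issued to members of miniflux.access, so only they can
      # complete a login; everyone else is refused by Kanidm.
      scopeMaps."miniflux.access" = [ "openid" "email" "profile" ];
      # Permits the client to skip PKCE. Keep only for as long as the Miniflux
      # version in use cannot perform PKCE; re-check on each Miniflux upgrade.
      allowInsecureClientDisablePkce = true;
      preferShortUsername = true;
    };
  };

  # Initial admin account, generated once; consumed in the container through
  # services.miniflux.adminCredentialsFile (EnvironmentFile format).
  age.secrets.miniflux-admin-credentials = {
    generator.script = _: ''
      echo "ADMIN_USERNAME = 'admin_fmA4ei32f'"
      echo "ADMIN_PASSWORD = '$(head -c 32 /dev/urandom | base64)'"
    '';
    group = "kanidm";
    # NOTE(review): 444 makes the admin password readable by every local user
    # on the host and in the container. If the consuming unit reads this file
    # as root before dropping privileges, 440 (or 400) is sufficient — confirm
    # against the miniflux service unit and tighten.
    mode = "444";
  };

  containers.miniflux = {
    autoStart = true;
    privateNetwork = true;
    hostAddress = "192.168.103.10";
    localAddress = "192.168.103.11";

    bindMounts = {
      # NOTE(review): /run/postgresql is normally the PostgreSQL socket
      # directory rather than its data directory; confirm this mount is the
      # intended place for persistent state.
      "/run/postgresql" = {
        hostPath = "/nix/persist/services/miniflux";
        isReadOnly = false;
      };
      # Host-decrypted secrets. Nothing in the container writes here — secrets
      # are generated and decrypted on the host — so the mount is read-only.
      "/run/agenix" = {
        hostPath = "/run/agenix";
        isReadOnly = true;
      };
    };

    config = { ... }: {
      imports = [ ../../modules/global/dnscrypt-proxy.nix ];

      # Mirror of the host group that owns the bind-mounted secrets.
      # NOTE(review): neither side pins a gid, so the container's "kanidm"
      # gid may differ from the host's; pin `gid` on both if reads fail.
      users.groups.kanidm = { };
      users.users.postgres.extraGroups = [ "kanidm" ];

      # Let the miniflux service read the group-restricted secret file, the
      # same way postgres is granted access above. SupplementaryGroups works
      # for static and DynamicUser units alike.
      systemd.services.miniflux.serviceConfig.SupplementaryGroups = [ "kanidm" ];

      services.miniflux = {
        enable = true;
        createDatabaseLocally = true;
        # Host path (outer `config`), reachable through the /run/agenix mount.
        adminCredentialsFile = config.age.secrets.miniflux-admin-credentials.path;
        config = {
          # Bind only on the container's veth address; Caddy on the host proxies to it.
          LISTEN_ADDR = "192.168.103.11:8080";
          CREATE_ADMIN = 1;
          OAUTH2_PROVIDER = "oidc";
          OAUTH2_CLIENT_ID = "miniflux";
          # Read the secret from the agenix file. Using OAUTH2_CLIENT_SECRET
          # with `.path` would pass the path *string* as the secret, which can
          # never match the value Kanidm loads from basicSecretFile.
          OAUTH2_CLIENT_SECRET_FILE = config.age.secrets.kanidm-oauth2-miniflux.path;
          OAUTH2_REDIRECT_URL = "https://rss.nothing.run/oauth2/oidc/callback";
          OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://idm.nothing.run/oauth2/openid/miniflux";
          # Create a Miniflux account on first OIDC login; who may log in is
          # bounded by the miniflux.access group on the Kanidm side.
          OAUTH2_USER_CREATION = 1;
        };
      };

      networking.firewall = {
        enable = true;
        # With privateNetwork only the host end of the veth can reach this port.
        allowedTCPPorts = [ 8080 ];
      };

      system.stateVersion = "25.05";
    };
  };

  # Plain HTTP is acceptable here: the upstream is the container's private veth.
  services.caddy.virtualHosts."rss.nothing.run".extraConfig = ''
    reverse_proxy http://192.168.103.11:8080
  '';
}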