87 lines
2.4 KiB
Nix
87 lines
2.4 KiB
Nix
{ pkgs, config, lib, ... }:
|
|
with lib;
|
|
let
|
|
user = "miniflux";
|
|
host = "rss.dtth.ch";
|
|
port = 10020;
|
|
|
|
secrets = config.sops.secrets;
|
|
|
|
configEnv = builtins.mapAttrs (name: value: toString value) {
|
|
DEBUG = "on";
|
|
DATABASE_URL = "user=${user} dbname=${user} sslmode=disable host=/run/postgresql";
|
|
RUN_MIGRATIONS = 1;
|
|
LISTEN_ADDR = "127.0.0.1:${toString port}";
|
|
BASE_URL = "https://${host}";
|
|
HTTPS = true;
|
|
|
|
OAUTH2_PROVIDER = "oidc";
|
|
OAUTH2_CLIENT_ID = "oYF8Y815kQNuuYYdACJmm3kD1hzniMe6fJIDRUfs";
|
|
OAUTH2_REDIRECT_URL = "https://${host}/oauth2/oidc/callback";
|
|
OAUTH2_OIDC_DISCOVERY_ENDPOINT = "https://auth.dtth.ch/application/o/rss/";
|
|
OAUTH2_USER_CREATION = 1;
|
|
|
|
LOG_DATE_TIME = true;
|
|
|
|
FETCH_YOUTUBE_WATCH_TIME = true;
|
|
};
|
|
|
|
package = pkgs.miniflux;
|
|
in
|
|
{
|
|
sops.secrets."miniflux/oidc-client-secret" = { };
|
|
sops.secrets."miniflux/pocket-consumer-key" = { };
|
|
sops.secrets."miniflux/admin-creds" = { };
|
|
|
|
cloud.postgresql.databases = [ user ];
|
|
|
|
cloud.traefik.hosts.miniflux = {
|
|
inherit port host;
|
|
};
|
|
|
|
systemd.services.miniflux = {
|
|
description = "Miniflux service";
|
|
wantedBy = [ "multi-user.target" ];
|
|
after = [ "network.target" "postgresql.service" ];
|
|
|
|
serviceConfig = {
|
|
ExecStart = "${package}/bin/miniflux";
|
|
User = user;
|
|
DynamicUser = true;
|
|
RuntimeDirectory = "miniflux";
|
|
RuntimeDirectoryMode = "0700";
|
|
EnvironmentFile = [
|
|
secrets."miniflux/admin-creds".path
|
|
secrets."miniflux/oidc-client-secret".path
|
|
secrets."miniflux/pocket-consumer-key".path
|
|
];
|
|
# Hardening
|
|
CapabilityBoundingSet = [ "" ];
|
|
DeviceAllow = [ "" ];
|
|
LockPersonality = true;
|
|
MemoryDenyWriteExecute = true;
|
|
PrivateDevices = true;
|
|
PrivateUsers = true;
|
|
ProcSubset = "pid";
|
|
ProtectClock = true;
|
|
ProtectControlGroups = true;
|
|
ProtectHome = true;
|
|
ProtectHostname = true;
|
|
ProtectKernelLogs = true;
|
|
ProtectKernelModules = true;
|
|
ProtectKernelTunables = true;
|
|
ProtectProc = "invisible";
|
|
RestrictAddressFamilies = [ "AF_INET" "AF_INET6" "AF_UNIX" ];
|
|
RestrictNamespaces = true;
|
|
RestrictRealtime = true;
|
|
RestrictSUIDSGID = true;
|
|
SystemCallArchitectures = "native";
|
|
SystemCallFilter = [ "@system-service" "~@privileged" ];
|
|
UMask = "0077";
|
|
};
|
|
|
|
environment = configEnv;
|
|
};
|
|
}
|
|
|